22 February 2017

Identity: The new security perimeter?

Written by David Guest

CISOs focus on their network perimeter in an effort to prevent exploits.

Often they fail.

Why? Because no one can control criminal exploits. And with the advent of enterprise mobility and the widespread adoption of cloud, the enterprise has lost control of endpoints, networks and even applications. That’s why headlines and industry publications are full of dire warnings about the latest phishing scam or malevolent machinations by cyber criminals.

Are security professionals trying to solve the wrong problem?

All is not lost. It’s time to let go of what we can’t control and start focusing on what we can: identities.

We’ve lost control

Imagine the scenario: an employee uses their personal iPhone to access a work file from Dropbox over their provider’s network while they’re on their commute.

It’s a pretty common picture. And it’s one where you have no control over the application, hosted in someone else’s data centre; no control over the third-party network the employee is using to access the data; and no control over the endpoint the data ends up on.

The combination of enterprise mobility, the always-on culture and the increasingly easy access to the cloud means that the old idea of an organisation’s security perimeter surrounding the office walls no longer applies.

Whereas once the hardware was the criminals’ target – the servers, the laptops, the office blocks – the intended target has shifted to the users. The humans who use the hardware are fallible. They are susceptible to the scams and the cons. It’s their actions, purposefully or not, which often pose the security threat.

The traditional security paradigm has disappeared, and this is why.

Mobility means that people are accessing sensitive data, from inside and outside the corporate network, on a range of devices, some provided by the company, others owned by the individual.

This is a problem. This year, 28% of respondents to PwC’s Global State of Information Security Survey reported security compromises of mobile devices. And as such, securing smartphones and tablets is now a priority.

Always-on culture means that employees expect instant, easy access to whatever they need to do their job, whenever and wherever they are. This leads to two problems:

  1. Employees circumnavigate the IT department and set up accounts with cloud providers to make their lives easier. This can range from a marketing bod signing up to a SaaS app (for example, a file-sharing service) through to R&D teams setting up Hadoop on an AWS account to rapidly test new analytics. Considering legitimate user credentials were used in most data breaches last year, with some 63% of them using weak, default, or stolen passwords, this unchecked proliferation puts the enterprise at real risk.
  2. Authentication has therefore become increasingly important at the same time that employee and customer expectations of a seamless experience with technology have grown. As PwC’s Global State of Information Security Survey 2017 says: “Above all, authentication must be frictionless and intuitive for end users. You need only consider the IAM and authentication techniques employed by ‘sharing economy’ services to understand the potential impact of frictionless access on business growth.” This leaves security teams stuck between a rock and a hard place.

Finally, the adoption of cloud services not only means that data no longer flows through the corporate network, it also creates new administrators who have access to your data but who aren’t part of your organisation. As Forrester says:

“Adoption of infrastructure-as-a-service (IaaS) (from providers like AWS, Azure, and Rackspace) and software-as-a-service (SaaS) (like Salesforce and Office 365), public cloud applications, private cloud, and outsourcing creates a new kind of administrator (or privileged user): one who is an employee of the public or private cloud provider (AWS, Azure, SoftLayer, etc.) and interacts with your workloads on their behalf.”

Data matters

All of this would sound pretty dire if there wasn’t an alternative to the old security perimeter. Thankfully security professionals can do something to keep the enterprise safe: focus on the robust management of data and user identity.

After all, it’s data that’s of value to cyber criminals and it’s data you ultimately want to protect. If you embed security controls in the data itself, then if criminals do get hold of it or if there is a non-malicious breach, the data offers no value and poses no risk to your organisation.

The problem is, thanks to the distribution of data that secular mega-trends have sparked, it’s now hard to track down where all your data is and what kind of data you have.

Only 16% of companies know the location of sensitive structured data and, even worse, only 7% know the location of sensitive unstructured data according to research by Ponemon Institute.

So before you can embed security in your data you have to ask a few questions that will not only help you in your security efforts but will also help you make a case to the business for investment in data security:

  • Where is it going? How is it flowing / being used?
  • Who has access to it?
  • What regulations apply to it?
  • Is it protected? Where are the gaps?
  • What’s the value of the data? What is the cost if it’s stolen?
  • Where’s its residency (the jurisdiction governing it)?


The new perimeter applies to every piece of data

Once you have a clear picture of what data you have, its value and where it travels, you can begin to implement your new security perimeter.

The tools you use will vary depending on the data you are protecting, but will likely include at least one of the three most common:

1. Encryption

This should be a minimum for enterprise data, whether it’s at rest or being downloaded to an employee device. You can also create automatic rules based on that encryption. For example, you can prevent encrypted files being synced to a non-approved app to reduce the risk of sensitive data leaking into a shadow IT infrastructure.

2. Tokenization

This can be ideal for data sets that fall under regulation; for example, PCI DSS regulations for sensitive payment data. Once you substitute a sensitive data element with a non-sensitive equivalent, referred to as a token, that data no longer has extrinsic or exploitable meaning or value. This often means the data set is no longer in scope of regulation, making compliance much easier to achieve.

3. Transformation (or masking)

This method is particularly good for big data sets or data used in software testing because it creates a functional substitute of the data but doesn’t leave sensitive or identifiable information exposed.

Identity is the key!

Of course, as you apply these measures you also have to think very carefully about identity and access management. There is no point opening data up to unnecessary risk: with encryption, for example, the data is only safe if the encryption keys remain secure.

Considering that Forrester estimates that 80% of security breaches involve privileged credentials, it’s important to define and implement role-specific access controls as part of your wider data security practice.
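The tokenization and masking controls described above, together with the role-specific access control this section calls for, as an added example that is not part of the original post or of any ThirdSpace product. The vault, the `payments-operator` role name, the HMAC masking scheme and the sample records are all constructed for the illustration; a real deployment would back the vault with a hardened store and take the masking key from a key management service.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample records for the demonstration (not real customers).
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "pan": "4111111111111111"},
    {"name": "Bob Example", "email": "bob@example.com", "pan": "5500000000000004"},
]


@dataclass
class Principal:
    """The identity making a request; its roles decide what it may see."""
    user: str
    roles: frozenset = field(default_factory=frozenset)


class TokenVault:
    """Tokenization: substitute a sensitive value with a random token that has
    no mathematical relationship to it. Only the vault holds the mapping, so a
    token that leaks out of the vault carries no exploitable value."""

    DETOKENIZE_ROLE = "payments-operator"  # hypothetical role name

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value: str) -> str:
        # Re-use the existing token so repeated values stay joinable.
        token = self._value_to_token.get(value)
        if token is None:
            token = "tok_" + secrets.token_hex(8)  # 64 random bits, not guessable
            self._token_to_value[token] = value
            self._value_to_token[value] = token
        return token

    def detokenize(self, token: str, principal: Principal) -> str:
        """Role-specific access control: mapping a token back to the original
        is the privileged operation, so it is gated on the caller's role."""
        if self.DETOKENIZE_ROLE not in principal.roles:
            raise PermissionError(f"{principal.user} is not allowed to detokenize")
        return self._token_to_value[token]


class Masker:
    """Transformation (masking): build a functional substitute for test or
    analytics use. A keyed HMAC keeps the substitution consistent across
    records (joins still work) while being irreversible without the key."""

    def __init__(self, key: bytes):
        self._key = key

    def _pseudonym(self, value: str, length: int = 10) -> str:
        digest = hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()
        return digest[:length]

    def mask_record(self, record: dict) -> dict:
        pan = record["pan"]
        local, _, domain = record["email"].partition("@")
        return {
            "name": "user-" + self._pseudonym(record["name"]),
            "email": self._pseudonym(local) + "@" + domain,  # keep domain shape
            "pan": "X" * (len(pan) - 4) + pan[-4:],  # keep last four digits only
        }


if __name__ == "__main__":
    vault = TokenVault()
    operator = Principal("ops-1", frozenset({TokenVault.DETOKENIZE_ROLE}))
    analyst = Principal("analyst-1", frozenset({"analyst"}))
    for record in SAMPLE_RECORDS:
        token = vault.tokenize(record["pan"])
        print("token:", token, "-> operator sees", vault.detokenize(token, operator))
        try:
            vault.detokenize(token, analyst)
        except PermissionError as err:
            print("analyst blocked:", err)
    masker = Masker(b"constructed-demo-key")
    for record in SAMPLE_RECORDS:
        print("masked:", masker.mask_record(record))
```

The two controls answer different questions: tokenization keeps the real value recoverable for the few roles that genuinely need it, which is why the role check sits on `detokenize` and not on `tokenize`; masking gives up recoverability entirely so the output can be handed to test and analytics teams without the regulatory scope following it.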

Protection is possible

“Data centric controls are the hot commodity,” says Bill Burns, CISO, Informatica.

If you are holding up department requests for new cloud services apps and trying to rein everyone back inside the old network perimeter, then you are effectively closing the stable door after the horse has bolted.


There’s no doubt that re-drawing the security perimeter and shifting the focus to data itself is a challenge. But it’s a challenge CISOs can and must meet. And it’s a challenge worth meeting because, rather than the old, breached perimeter, it actually has a good chance of keeping your enterprise safe.

Next, watch our conditional access and MFA webinar on-demand and learn why these technologies are key to securing your organisation’s assets.

Or download ‘The business case for cyber security’ e-Guide for best practice on how to take a proactive and pre-emptive approach to tackling the issue.


About David Guest

Solution Architect and Technology Evangelist

As ThirdSpace’s Solution Architect and Technology Evangelist (yes, he knows it’s a long title), Dave has a background in IT that goes back to installing a piece of kit called a Microsoft Softcard in...
