Our world was mostly simple. We were in control. In the driver’s seat. Most of the environment we were tasked to defend had been static and we were able to absorb the low rate of change to it. We owned everything and set clear rules of engagement. The interaction between people, assets, and data had been well defined, mostly fixed, leaving us to adjust only to the changes occurring in the threat landscape.
We created our own Maginot Line around our environment and manned the trenches in an attempt to defend it.
The mission was to protect from the outside-in while the perimeter and its defenses marked a clear control boundary between ‘us’ and ‘them’. We substituted trust with ownership and control and used a binary and static trust model where access was either granted or denied without any further provisioning.
It’s been a while since control was lost.
These traditional security models have collapsed as businesses embraced new concepts introducing constant change to the other components of our environment that are now moving just as fast as the threat landscape. As a result, the gap between ideal security and actual security is widening at an exponential rate.
Today’s fast-paced business demands anywhere, anytime access to enterprise resources, wherever they are, from any user, including external users, and from any device, including devices the organization does not own or control. Under these conditions, access to resources cannot be granted just by relying on appropriate credentials.
A risk-adaptive security model needs to be introduced: one that controls the interaction between any user, using any device, and enterprise resources (services and data), wherever they are.