An intense discussion and trend over the last few years has been to move away from on-premises installed applications and replace them with cloud services. This is also pushed by the service providers as they see many advantages in delivery, scalability, support and maintenance compared to an application installed on every customer site. But as both applications and data move out of the private data centers traditionally protected by firewalls you need to have another approach to security that is based on the identity of the user.
In a hybrid environment, where you have applications and data both on-premises and in the cloud, identity and identity controls are the key to security. With a zero-trust or identity-based security approach, you apply security mechanisms based on the identity of the user. The best example is to enforce multi-factor authentication (MFA) to all services and applications that contain sensitive data. Instead of using only username and password, the user instead gets prompted to perform multi-factor authentication with the identities issued and/or approved by the company (OTP’s, mobile apps, smart cards, virtual smart cards, tokens etc.).
Identity-based security can also be applied at different levels. For example, if the device that I’m using is controlled by the company, joined to the domain, and authenticated to the corporate network with a certificate, then maybe for some services and applications this is enough, and I get single sign-on to the service. But if I try to access the same service from home or from the airport, multi-factor authentication is always needed to ensure my identity.
Some people say that firewalls will disappear, but we think that they for sure will be around and play a role in delivering a form of protection for a while. But it is a really good idea to shift focus to an identity-based security approach asap.
Stay secure out there…