There was a riff going at the RSA Conference last week.
"We say identity is the new perimeter." If you think this was heard on the show floor or was a T-shirt slogan, think again.
The quote came from Nasrin Rezai, CTO security for worldwide security architectures at Cisco. She participated in a session focused on mobile device adoption: "BYOD(device) without BYOI(insecurity)". Dan Houser, security and identity architect at Cardinal Health, and his colleague Goran Avramov, senior infrastructure architect, were also there speaking about the thousands of personal devices that have invaded their enterprise. The two Fortune 100 companies dispensed implementation knowledge from the trenches.
According to Houser, Cardinal's "perimeter" identifies personal devices, keeps them off the network altogether and treats them like a kiosk.
What Rezai and Houser are describing is a transition that others are starting to see: security perimeters now extend beyond traditional firewalls and the creation and consumption of identity - who, what, when, why and no way - is happening in distributed infrastructures, platforms, applications and devices.
"Identity is an architectural anchor point," said Rezai.
The discussion of that identity anchor point eventually won't center on the architecture, but on the apps and security options it enables.
Scott Charney, corporate vice president for Trustworthy Computing, used his RSA keynote to talk about enabling security, privacy and reliability strategies for cloud and big data. He said that user names and passwords won't cut it as big data sets are offered by cloud services. "We continue to need a much stronger identity metasystem, one that makes it considerably harder to spoof another individual."
Like the cloud itself, that system will have to be distributed and it won't be just about people, but devices, application programming interfaces (APIs) and other resources that need protection.
APIs are a key focus area, but out of 311 sessions presented at RSA, only two focused on APIs.
"Securing APIs is huge. It will be a big topic next year," my colleague Patrick Harding, CTO of Ping Identity, said at the Cloud Security Alliance Summit on Day 1 of RSA. He was part of a panel called "Cloud Innovation - The Panel's View on the Next Generation of Cloud Security Devices and Services." APIs are huge because they are the gatekeepers to data and apps and they introduce all levels of security based on identity attributes from user, to device, to roles, locations, dates and times.
On other riffs, Harding said passwords are the Achilles heel of cloud security. On mobile, he said the phone has a future as an authentication device in scenarios such as mobile payments. "Add Near Field Communications to this and marry that with identity and that presents some interesting options. Those are coming in five years," he said.
And perhaps that becomes another riff at another RSA Conference.