Identity is the New Perimeter (Zero Trust) - Episode 219

On this week's Compliance Unfiltered, discover why identity is the new perimeter in cybersecurity. This episode reveals how zero trust principles can protect your systems by continuously verifying user identity and behavior. Learn about the risks of traditional defenses, the evolution of compliance standards, and practical tactics for implementing context-aware verification. Perfect for IT leaders and security professionals ready to strengthen defenses and build a trustworthy digital environment. Listen now to stay ahead of threats.


Episode Transcript:


Todd Coshow:
Today, Adam, we are going to talk about identity as the new perimeter. That’s right, folks. Zero trust is the topic for today.

Now, Adam, if someone logs into your system with the right username and password, do you automatically trust them?

Adam Goslin:
That’s the issue. Most organizations still do, but today, credentials are one of the easy things for attackers to steal or buy. Just having somebody with a valid login doesn’t necessarily mean that it’s a legitimate user.

The bad guys are taking measures to gather up this information in detail, and they’re not necessarily hacking the system, but they’re just going ahead and logging in, if you will.

Todd Coshow:
Sure. We’ve heard for years that the network perimeter is dying. Now the real question is, is it officially dead?

Adam Goslin:
There’s a couple of different ways to look at it. In a practical sense, yeah.

We’ve got cloud. We’ve got software as a service. We’ve got folks doing remote work. Not only just the general sense of remote work, but also, depending on the roles of the individuals involved, part of their job is literally being on the road all the time.

There’s not a notion in particular of what is inside, just because users, devices, data are being interacted with across a broad scope of geographic spread and all that fun stuff. It’s certainly getting more exciting than getting less, if you will.

Todd Coshow:
Fair enough. I guess the next logical question then is: what replaces it?

Adam Goslin:
Identity is now the perimeter. If you can control and identify the identities properly, then you’ve got the capability for securing the access regardless where the user is.

One of the big elements here is, for a lot of organizations, and the ones that are in the security and compliance space have been used to this for a longer period of time, but you see more and more organizations mandating, requiring multiple factors of connectivity. That certainly has gone a long way to being able to make improvements.

But part of the issues come in when, let’s say that you’ve got a username and a password that’s now been breached or shared amongst bad actors, coupled with attacks on multi-factor organizations, etc., it becomes an issue, if you will.

Todd Coshow:
Absolutely. How big of a problem is credential abuse in modern—

Adam Goslin:
It’s one of the biggest elements because the attackers have a cottage industry of scraping data and information from a wide variety of various breaches.

This could be phishing that they’re doing, or from prior breaches, data and information that they’re pooling up on the dark web. The problem is that the bad guys are sharing a lot of information amongst themselves, which makes it more and more difficult for organizations to have a substantial trust factor in the identities that they’re allowing through the door.

It makes things monumentally more complicated. Think about it. When you’ve got attackers that attacked this site, that site, the other site, and they’re pooling all this information, each of your users, individually, has probably been scraped up into several different data sets from various data breaches from the various vendors that they even use individually.

We’ve talked about this before when we were talking about good password hygiene.


This episode is taken from an open RSS feed and is not published by Podme. It may therefore contain ads.
