Segmentation of the Risk Space and Adaptive Security

Identity Data concerns also change in the context of the new, evolving network models. When organisations move beyond the traditional “perimeter”, and when authentication and authorisation mechanisms need to enable users moving in a fluid way reaching the resources they want, a new security “zoning” model is necessary.

The common “enterprise” model with a single or very few authentication realms must change to a more complex, diverse environment which I call “segments.” I use this term to highlight the difference with the standard “concentric” model with an outermost boundary separating the organisation from the rest of the world.

Higher complexity is necessary to address incremented variety of the organisational ecosystem. This is almost a physical evidence. Each segment should then be protected with a specific security policy, defining in this way a new “separation of the risk space” around the organisation.

Data classification, risk evaluation, user types and business model must be considered for the definition of the security policies but I estimate that a large organisation (>10000 employees) –almost in any area of business, will have 10 to 15 “segments” of its risk space. A consequence of this approach is that the proverbial “flat network” which exists in most organisations just behind the primary firewall and is build on the prototypic Active Directory domain, also disappears. Note: I do not exclude that each segment will have subdivisions, but these can be addressed in the standard way. i.e. by means of additional user credentials/claims.

This can be formulated in a more general way: as organisations move towards more open, interconnected and collaborative environments (ecosystems), with more resource sharing  inside and outside of the central network, the network zoning model should change from perimeter protection (concentric) to segmented protection (radial segments). By “segment” I mean the access routes arranged around combinations of user types, resource types and security policies. The users should be able to move from one segment to the other supported by adaptive/risk-based authentication. This can be called “status-based” access control, to refer to a combination of risk and attribute-based mechanisms which have been available for many years.

As indicated above, the key is there should exist a security policy for each access route, so that resources are authorised explicitly and not implicitly (there should be no all-or-nothing policies). In this way, networks and networks of networks become auditable by their own structure while at the same time protection is increased and user experience is enhanced.  Note the segmentation model is not similar to the so called “zero trust” approach which has very little to do with “status-” or “contract-based” access control.

In the segmented model, credentials and claims become data elements of the digital identity, and in that sense, identity data management is reaffirmed as being essentially a discipline focused on Data Management and quality criteria.