Is Identity really all that important?


Recently, I found myself in a discussion with a former colleague about the concept of identity maturity. Both of us are now at a new organization, yet we are grappling with familiar challenges related to outdated technological stacks, and once again, the pressing question of how to modernize our identity platform. The platform we are dealing with is far from mature—it lags significantly behind current industry benchmarks for identity management. As we delve deeper, we find ourselves contemplating the possibility of a major leap forward, one that brings the platform up to modern standards in a single, transformative step. This exploration spurred a broader discussion about where organizations ought to be with their security, particularly identity management, and how we can evolve outdated platforms to meet the demands of modern cybersecurity.


Are You Really Ready?

Before we dive into more advanced security topics, let's get one thing straight: if you still haven't addressed the basics, this article isn't for you. You need to focus on building a strong security foundation before considering more sophisticated strategies. Here's a reality check:

  • You don't have multi-factor authentication (2FA): If your systems rely solely on passwords, you're leaving your organization exposed to basic attacks. 2FA is essential in today's security landscape.
  • You lack a solid asset management program: If you can't confidently say what assets you have, don't know whether they're up-to-date, or if they're vulnerable to critical vulnerabilities, you're putting your organization at significant risk. An effective asset management program enables you to monitor your infrastructure, know where vulnerabilities exist, and patch them within a 24-hour window when necessary.

A lot of companies get obsessed with the "Protect" and "Detect" parts of security, but here's the kicker: you can't protect or detect what you don't know about. The "Identify" function is the bedrock of any security setup, especially in the NIST Cybersecurity Framework (CSF). If you're bragging about your top-notch pen-testing team but skipping the basics, you're putting the cart before the horse. Get your foundation sorted before you chase the advanced stuff.

Ok ok, the reality is, most of you (and us) are still struggling with the basics, whether due to legacy systems or just a general lack of understanding of where to start. So maybe there's an opportunity here to get something out of this and consider making a leap for yourselves too. Some of the elements discussed below, when linked together, can help you bridge that gap and move toward a more secure future.


Identity is King, But Our Collective Technology is Behind

In today's security landscape, identity management is kinda a big deal. Everything revolves around knowing who has access to your systems, ensuring that only authorized individuals can get in, and verifying their identities at every step. Without strong identity management, it doesn't matter how good your firewalls or intrusion detection systems are, attackers will find a way in by exploiting identity vulnerabilities in and around the applications protecting your critical data.

While on the surface Active Directory (AD) may seem to be lagging behind, under the hood, Microsoft has clearly recognized the need for evolution. Despite its long-standing reliance on protocols like Kerberos and NTLM, which have been a pentester's playground for all of time, Microsoft has made significant strides in modernizing AD. For example, the integration with Azure Active Directory (Azure AD) enables hybrid identity models, passwordless authentication, and advanced security features like conditional access and multifactor authentication (MFA). Additionally, Microsoft has adopted and integrated modern standards such as OAuth 2.0 and OpenID Connect (OIDC). These advancements demonstrate Microsoft's efforts to address modern identity challenges. However, it doesn't mean that organizations are adopting or using these newer practices.

The evolution of identity management has been a slow but inevitable process. Organizations are increasingly realizing that legacy systems like AD can't keep up with modern cybersecurity demands. The adoption of cloud-based identity platforms like Azure Active Directory and Okta represents a significant shift. These platforms not only offer centralized user management but also integrate seamlessly with OAuth 2.0 and OpenID Connect. They support multi-factor authentication (MFA), conditional access policies, and zero trust architectures, enabling more granular control over who can access what, when, and from where.

Yet, adoption has been slower than expected. Many organizations are held back by the complexity of migrating from on-premises systems to cloud-based alternatives. This transition requires not just a technological shift but also a cultural one. However, as more organizations face breaches due to weak identity management, the push to adopt modern systems is accelerating. It's no longer a question of whether to adopt cloud-based identity management, but how quickly.


Get People Off Your Network Already

One of the biggest risks organizations face today is continued reliance on internal networks. Yep, I understand that legacy applications and systems still exist and are often business-critical. However, these systems come with significant security issues.

Legacy applications typically:

  • Use outdated authentication mechanisms that are easy to exploit.
  • Can't run modern security tools like Endpoint Detection and Response (EDR).
  • Etc., etc., and the list goes on...

This leaves a huge gap in your ability to protect and detect potential threats. The solution isn't to ignore them, and we can't always retire these systems 'right now', so we have to design secure ways to access them. This could include moving legacy systems to isolated environments and ensuring that access is controlled via VPNs or Zero Trust Network Access (ZTNA) with strict authentication requirements like MFA. Simply RDPing into a legacy system from your corporate network is a recipe for disaster. Reducing exposure and limiting access are key to keeping these systems secure.

5 Quick Tips for securing legacy applications:

  • Network Segmentation: Isolate legacy systems into restricted network segments to limit exposure and control access.
  • Micro-segmentation/Host-Based Firewalls: Apply fine-grained controls around legacy systems to restrict traffic to authorized sources and ports only.
  • Patch Management: Regularly apply patches or use virtual patching to mitigate vulnerabilities in legacy systems, “where possible”.
  • Logging and Monitoring: Enable detailed logging and continuous monitoring to detect suspicious activity quickly.
  • Strong Authentication: Enforce multi-factor authentication (MFA) via a jump host architecture to secure access to legacy systems.
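The logging/monitoring and jump-host tips above can be checked together: any RDP or network logon on a legacy host that did not come from the jump-host segment, or that used NTLM, is worth an alert. The script below is an added example, not code from the article; the events are constructed in the shape of Windows Security Event ID 4624 and the jump-host range 10.50.0.0/24 is an assumed value.

```python
import ipaddress

# Constructed sample events shaped like Windows Security Event ID 4624
# (successful logon) on a legacy host. Values are made up for this example.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "svc_legacy", "LogonType": 10,
     "IpAddress": "10.50.0.5", "AuthenticationPackageName": "Negotiate"},
    {"EventID": 4624, "TargetUserName": "jsmith", "LogonType": 10,
     "IpAddress": "10.20.14.77", "AuthenticationPackageName": "NTLM"},
    {"EventID": 4624, "TargetUserName": "SYSTEM", "LogonType": 5,
     "IpAddress": "-", "AuthenticationPackageName": "Negotiate"},
    {"EventID": 4624, "TargetUserName": "admin", "LogonType": 3,
     "IpAddress": "192.168.9.9", "AuthenticationPackageName": "NTLM"},
]

# Hypothetical jump-host segment: the only place RDP to legacy hosts should
# originate from (assumption for this example, not from the article).
JUMP_HOSTS = ipaddress.ip_network("10.50.0.0/24")

# Logon types to inspect: 10 = RemoteInteractive (RDP), 3 = Network (SMB, WinRM).
# Service (5) and console (2) logons are left alone here.
REMOTE_LOGON_TYPES = {3, 10}


def is_from_jump_host(ip: str) -> bool:
    """True if the source address falls inside the approved jump-host segment."""
    try:
        return ipaddress.ip_address(ip) in JUMP_HOSTS
    except ValueError:  # "-" is what the event carries for local logons
        return False


def find_violations(events):
    """Return (user, source_ip, logon_type, reasons) for each policy breach."""
    findings = []
    for ev in events:
        if ev["EventID"] != 4624 or ev["LogonType"] not in REMOTE_LOGON_TYPES:
            continue
        reasons = []
        if not is_from_jump_host(ev["IpAddress"]):
            reasons.append("source outside jump-host segment")
        if ev["AuthenticationPackageName"] == "NTLM":
            reasons.append("NTLM authentication used")
        if reasons:
            findings.append((ev["TargetUserName"], ev["IpAddress"],
                             ev["LogonType"], reasons))
    return findings


if __name__ == "__main__":
    for user, ip, ltype, why in find_violations(SAMPLE_EVENTS):
        print(f"ALERT user={user} src={ip} logon_type={ltype}: {', '.join(why)}")
```

Feeding real 4624 events from the legacy host's Security log into `find_violations` gives a simple test of whether the jump-host rule is actually being followed.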


The Missing Piece of the Puzzle?

When it comes to protecting data in transit, point-to-point encryption (P2PE) is the only way to ensure true security. It's the gold standard for encrypting data with certainty, ensuring that only the sender and recipient can decrypt and access the content. But here's the question: How are your business applications implementing this level of encryption, and more importantly, who holds the keys?

Platforms like Signal offer robust, free solutions for secure communication with end-to-end encryption, meaning not even the service provider can access message contents. Despite this, similar strong encryption models haven't become prevalent as we increasingly rely on productivity services like Microsoft Office 365 or Google Workspace.

The reality is that while data may be encrypted, encrypted copies are still being stored, whether through backups or archiving. Over time, encryption standards weaken, and that data could eventually become vulnerable. While many might think, "Who cares? Who's going to decrypt my old data?", the right question is, "If we can fix this, why wouldn't we?" Moving toward stronger, point-to-point encryption in all business applications, where you control the keys, can eliminate future vulnerabilities and ensure sensitive information remains secure long-term.


Taking the Leap Towards Web3 Integration

As I sit here with my colleague, discussing how to leapfrog our outdated identity platform into something far more modern, we can't help but wonder: Can we take it even further? Is it possible to not only catch up to current identity standards like OAuth 2.0 and OpenID Connect but also leap ahead into the next era by integrating Web3 authentication mechanisms into our Web2 enterprise applications and SaaS services?

Yep Web3 again.

The idea of skipping incremental steps and embracing the future with decentralized identity solutions, blockchain-based authentication, and smart contract-enabled access management seems both ambitious and attainable. The same standards that enable zero trust architecture can also form the foundation for bridging Web2 and Web3. By adopting secure, token-based authentication protocols, we can facilitate the secure integration of decentralized technologies into existing enterprise ecosystems.

The question is no longer just about modernizing our identity platform—it's about whether we can build for the future by embracing the power of decentralized authentication and Web3, while ensuring our Web2 environments remain secure and user-friendly. This generational leap could not only solve current challenges but also position us as leaders in the emerging landscape of digital identity.


Re-Architecting the Foundations

As I reflect on the state of security and identity, it's crucial to remember that the internet was never designed for what we're facing today. Initially conceived by academics with the simple goal of transferring bits around the world, the internet's architecture wasn't built for the vast, complex web of commerce, personal data, and global threats we see today. The challenges have evolved far beyond what the original creators ever envisioned, and the threats are more diverse and sophisticated than ever.

This means we're now faced with the need to re-architect some of the fundamental building blocks of the internet, starting with identity and authentication. These are critical to enabling zero trust access and ensuring that only legitimate, verified users can access sensitive data and intellectual property across enterprises, governments, and industries worldwide. Access management must become smarter and more adaptive, continuously verifying who is accessing what, from where, and under what conditions.

But the need for change goes beyond identity. We must rethink other foundational aspects of the internet's structure to defend against modern threats effectively. Whether it's upgrading encryption methods, ensuring the integrity of data in transit, or implementing decentralized trust models, the security landscape demands more from the internet than it was ever designed to deliver. The push towards Web3, zero trust, and decentralized systems represents just the beginning of this necessary re-architecture, laying the groundwork for a safer, more resilient digital world.

Now that we have fixed identity, shall we have a crack at DNS?

Daniel Cooper

Leadership in Digital, Product & Technology transformation, and Strategy, with a focus on the Customer and Employee experience

1 month

Thanks Josh, this is a good read. Good reminder of the fundamentals, and a provocation to make the leap towards Web 3 integration.

Mateusz Pawlowski

Passionate about IT Modernization

1 month

Taken straight out of my todo list :)

Dr Rizwan Ahmad

PCI QSA, ISO 27001 and 27701 Lead Auditor Investor and Mentor

1 month

I always say to companies: undergo a proper risk assessment to justify the controls based on the risk, which could be identity. A good risk assessment will bring results that invoke a specified control that will manage the risk.
