Illumio’s Raghu Nandakumara argues that non-user entities represent ‘the next frontier of risk’ in cybersecurity.
Identity is at the core of every security conversation today, but it isn’t necessarily being spoken about correctly. Too often, identity is associated exclusively with users and their access privileges. While this is a crucial aspect of security, focusing solely on users doesn’t reflect the full scope of identity threats.
Identity extends beyond users – it applies to devices, applications and network connections. Recognising and managing these identities is crucial for securing the broader digital ecosystem.
It’s time to rethink identity, moving beyond a user-centric view to one that embraces the full complexity of today’s environments.
The risks of a narrow view
Many organisations today view identity primarily, or even exclusively, through the lens of users – who logs in and who accesses which applications.
Why do organisations default to this narrow view? The answer is simple: making identity synonymous with users is easier. Logging into desktops or portals provides a clear and manageable point for enforcing security, and organisations are typically more confident with the quality of their user data in comparison to other metadata from their network.
However, this limited perspective leaves organisations with significant blind spots. Anything interacting within the environment, such as service and system accounts, also carries an identity that can be subverted and exploited just as readily as a human user account.
When these non-user identities are overlooked, attackers readily find potential entry points beyond user credentials. For example, service accounts often have high levels of privileged access in their roles as facilitators between applications. These accounts can be seized through tactics like Kerberoasting and Golden Ticket attacks and used as a foothold to further lateral movement.
Organisations need to rethink what identity truly means to secure their environments effectively. Identity applies to every component interacting in the network – not just the people.
Expanding the definition of identity
Every device, application and network component has a unique digital fingerprint. Just as a user’s identity involves multiple attributes, such as credentials and access permissions, so does the identity of a device or an application. For example, a server isn’t just hardware; it’s also the operating system it runs, the applications it hosts and its interactions with other devices on the network.
All these elements come together to form an identity that must be managed to the same degree as the user logging in. Attackers know this is a common gap in most security strategies and often target these weak spots, leveraging unmonitored devices or applications to gain access.
By expanding the definition of identity to include every endpoint, organisations can start implementing security strategies that protect every network layer.
Connecting identity to a broader security strategy
To truly protect an organisation, identity must be embedded in broader security, not treated as a standalone process. While securing user identity accounts for ‘who can do something?’ and ‘what they can do?’, it must be coupled with network security to control ‘where can they go?’ and ‘how can they get there?’
Organisations need to be able to answer all those questions with equal readiness to reliably limit the effectiveness of an attacker. Focusing too much on one area will lead to an unbalanced strategy that creates gaps for attackers.
Zero trust is an effective vehicle for delivering this balance. While its principles are often discussed in terms relating purely to user access, a zero-trust security policy applies equally to all system identities.
Every entity in the environment, whether it’s a user, device or application, must be continuously verified. This is crucial because a vulnerable application or unpatched device can be just as dangerous as an unauthorised or compromised user account.
Identity must be paired with other contextual information, including device health and the assets that are being accessed. This establishes a continuous, risk-based approach that accounts for much more than the user identity alone.
Harnessing network segmentation
Network segmentation is one approach that is increasingly being paired with traditional identity security technology. It’s a critical pillar of a successful zero-trust strategy, and applying the ‘never trust, always verify’ principle to govern segmentation enables the implementation of zero-trust segmentation (ZTS).
This technology acts like a series of gates within an organisation’s infrastructure. Even if an attacker breaches one area, they can’t move freely to the next. This method becomes incredibly effective when a strong understanding of the identity of every entity on the network is used to build controlled pathways for communication.
The ability to apply segmentation based on identity is what makes zero trust so powerful. Microsegmentation, which applies the most granular level of controls to segment down to the workloads level, greatly enhances cyber resilience.
By applying granular controls at every layer, organisations can ensure that only verified entities can connect to critical resources. This makes it harder for attackers to exploit any weaknesses and slows down any successful attacks.
Looking ahead
While user identity should remain a central part of any security strategy, devices, applications and network connections represent the next frontier of risk. These non-user entities must be brought into the fold of security strategies to prevent becoming the overlooked vulnerabilities that attackers love to exploit.
By embracing an expansive view of identity, organisations can move beyond reactive security measures and build more proactive, resilient defence strategies. Integrating identity into every layer of the network, supported by zero-trust principles and segmentation, empowers security teams to maintain control, even in a dynamic threat landscape.
Raghu Nandakumara is head of industry solutions at Illumio. He is responsible for helping customers across a variety of industries build resilience and accelerate zero-trust outcomes with zero-trust segmentation. Previously, he spent 15 years at Citibank, where he held several network security operations and engineering roles. Most recently, he served as a senior VP responsible for defining strategy, engineering and delivery of solutions to secure Citi’s private, public and hybrid cloud environments.
Don’t miss out on the knowledge you need to succeed. Sign up for the Daily Brief, Silicon Republic’s digest of need-to-know sci-tech news.