Network Security
January 22, 2024

Identity in Action: The Power of Identity Context in Fortifying Network Defenses

Jon Kraft
Founder, Managing Director

The digital landscape is expanding at a rapid pace while the cybersecurity perimeter continues to shift. As organizations face increasingly sophisticated cyber threats, the importance of interlacing user and device identity into a secure network architecture cannot be overstated. In fact, identity should be a core component of any zero-trust network access (ZTNA) strategy. This blog will explore the role that identity plays in securing our digital future and provide examples of how identity can be incorporated into network security.

Traditional segmentation isn’t enough

For what seems like a lifetime, network security strategies were focused on segmentation. Network segmentation involves dividing a network into smaller sub-networks to isolate groups of devices and grant different network-level permissions. The isolation is typically enforced by an access-control list configured on a gateway device that interconnects multiple sub-networks together. An access-control list can be thought of as a set of rules that define which sub-networks can communicate with each other.

While traditional network segmentation does help organizations control and restrict traffic flows, grant different levels of network access, and improve network performance, it lacks the modern contextual information needed to build an adaptive network security solution that makes informed decisions when granting application access. Instead, access-control lists rely on rigid network segments to permit or deny IP address communication without taking into consideration who is using the device, the current state of the device, and whether the traffic is expected or unusual. Additionally, traditional network segmentation typically does not restrict communication between devices within the same sub-network. This means that a single compromised device can potentially breach adjacent devices without interacting with network security controls.

What types of identity context can be used in network security?

In order to understand how identity context can help improve our security controls, it is important to understand the common types of identity context that are used in policy enforcement. The following list is not exhaustive; however, it includes the most commonly used context components.

User Identity

User identity is the most straightforward identity context we can layer into our network security controls. User identity refers to the current logged on user of a given device trying to access a protected resource. References to user identity in network security controls usually include username and/or group attributes provided by an external identity provider. Oftentimes, User Identity is paired with multi-factor authentication to prevent against the abuse of stolen credentials.

Device Identity

Device identity examines characteristics of a device connected to a network. Common device identity components are vendor, operating system, domain settings and installed applications. However, device identity often looks deeper to identify current versions of applications, whether vulnerabilities are present, registry settings, running processes, certificates, etc. Using device identity in network security is extremely powerful as it can help identify whether devices are corporate owned, and can even determine the current health of the device or whether it may be compromised by a malicious actor.

Behavioral Identity

Behavioral identity is a more advanced type of identity context that often relies on artificial intelligence (AI) and machine learning (ML) to determine whether network traffic is expected or anomalous. Behavioral context utilities often require a “learning period” to monitor and analyze an organization’s network to establish a baseline of what types of traffic are considered normal. If a connected device is determined to be sending anomalous traffic into a network, the behavioral context utility can dynamically quarantine the device from the network.

Incorporating identity into network security

There are many ways to incorporate identity into network security. In fact, many network security appliances include built-in features that allow you to implement identity-based security controls without needing to invest in additional tools. The following section will examine a few introductory examples of implementing identity into on-premises network security.

User Identity in Firewalls

Most organizations already have a firewall implemented in their network to provide internet protection as well as internal segmentation. Many common firewall platforms include features for transparently capturing user identity. Once the user’s identity is captured, it can be used within firewall policy to enforce stricter role-based access control. This is one of the simplest identity controls to implement as it relies on technologies that most organizations have already implemented, an identity provider and a firewall.

For example, let's say Acme Incorporated has a business-critical ERP server connected to a “Server” network segment that only 5 users need to access. The 5 users that need to access are connected to a “LAN” network segment shared by the entire organization of 150 users. In order for the 5 users to access the ERP server, the firewall permits communication from the entire “LAN” network segment to the entire “Server” network segment. Ultimately, this means that any of the organization’s 150 users can access the ERP server, whether or not they actually need to.\

After user identity is incorporated, the firewall policy can be modified to only allow access to the ERP server from specific users, as seen in the diagram below. Incorporating user identity into firewalls typically requires integration with a third-party identity provider.

As you can see in this example, Acme Incorporated has implemented role-based access control by restricting access to the ERP Server to only 5 users while blocking access to others connected to the same network segment.

Device Identity through Endpoint Posturing

As mentioned previously, there are many types of device identity characteristics that can be used within network security controls. The level of complexity when incorporating device identity into network security is dependent on the characteristics that an organization wishes to use. This is because capturing certain characteristics may require an agent to be deployed to the devices while other characteristics can be passively collected using standard network protocols.

Let’s build upon our previous example where we implemented user identity controls. Acme Incorporated would like to further restrict access to their ERP Server to only healthy devices. “Healthy” will carry a different meaning to different organizations and we will not explore that in this blog. However, in this example, Acme Incorporated has deployed an agent to their devices which is continuously examining the operating system and applications to ensure certain criteria are met and that the device has not been infected with malware. If a device is deemed to be unhealthy, the firewall policy must block it from communicating with the ERP Server, even if the Source User is a member of the ERP Users Group.

This type of device identity enforcement is extremely powerful and can be used in many ways beyond firewall policies. Agent-based device posturing can ensure that devices have not been tampered with which is often a sign of malicious behavior.

Behavioral Identity through Advanced Analytics

Implementing behavioral identity context into network security is more complex than the other identity types we have discussed.  In most cases, a third-party analytics solution will be continuously fed traffic streams while machine learning (ML) and artificial intelligence (AI) engines simultaneously examine the flows for anomalous traffic that may bypass traditional, static security controls. The analytics solution will determine whether the anomalous flows are benign or if they present a larger threat such as an active breach. If the traffic is deemed to be malicious, the analytics solution can inform other network security appliances so the traffic can be blocked, or the device can be quarantined.

Continuing with the Acme Incorporated example, a network analytics solution has been integrated with the network firewall. When the network analytics solution detects anomalous traffic that it deems to be risky or malicious, it provides telemetry data to the firewall and the firewall policy is directed to block the traffic, potentially stopping an active breach.

Capturing behavioral analytics is quickly becoming a popular addition to defense in depth network security strategies. While implementing user and device context into network security is effective at enhancing segmentation and detecting risky endpoints, adding behavioral context enforcement helps organizations automate the detection of breaches while reducing false positives.

Endless Possibilities for Identity Context

By integrating identity context into network security, organizations can improve existing controls to establish a robust security framework that better protects against unauthorized access, insider threats, and cyber-attacks. While this blog introduced a few identity use-cases, the possibilities are seemingly endless across all facets of security. User, device, and behavioral context can be used to enhance security within on-premises, cloud, and SaaS environments.

If you would like to improve your organization’s IT security using identity-based context but don’t know where to start, contact Trustlink Technologies to learn about the latest trends and technologies that can help you migrate from legacy segmentation to an identity-based, application-centric network security platform.

Related blog