Security Shifts to Identity
Lori MacVittie, Principal Technical Evangelist, Office of the CTO at F5, examines the increasing shift towards identity-based security
In the eight years since we first launched the annual research that would become the State of Application Strategy Report, we’ve seen the steady rise of security to the top of the app security and delivery services stack.
Availability as a general category, comprising technologies like load balancing and caching and CDNs, maintained the highest priority for about as long as it took for a newly launched web server to survive unmolested on the Internet in 2003. Which, for those unaware, was not very long.
Security shot to the top of the stack and has remained there, unchallenged since about 2017—until now.
This year, for the first time, we saw a non-core security service rise to the top of the “most deployed.” That service is identity.
But it’s not just that identity and access have risen to become the most deployed technologies. There is ample evidence throughout our research that points to a significant shift toward identity-based security.
Consider API security. Yes, people are deploying it. But we dug into the details and asked about specific types of protections that respondents considered valuable. We grouped them loosely into three categories:
- Traditional. These protections derive largely from the web-based protections included in web application firewalls for years. Rate limiting, OWASP Top Ten, and of course encryption/decryption.
- Modern. These protections have emerged in the past few years and risen as a significant source of security for APIs. This group includes payload (content) inspection like seeking out malware and malicious content and authentication/authorisation. Spoiler: that’s the identity part.
- Adaptive. Adaptive protections are a new category, fueled by the ability to leverage AI and machine learning to perform behavioral analysis that can differentiate between human and non-human users. These techniques tend to form the foundation for anti-fraud and bot protection services.
We asked what respondents considered the most valuable protections on this list. The results showed a high degree of security sophistication, especially among those who had implemented API protections in the past year. As with deployment of services, identity was at the top of the list of most valuable protections for APIs.
The value placed on adaptive methods is promising. That’s not entirely surprising given the eager embrace of AI and machine learning to fuel security services. Given the volume of data and the impact of missing an attack, it’s no surprise that the entire industry is turning to more advanced and adaptive methods of security to protect everything from infrastructure to applications to the business itself.
Both identity and behavioral analysis are important parts of a comprehensive security strategy, especially for APIs given the role they increasingly play in powering the digital economy. Inspection remains key as well, as many attacks—particularly malware and malicious content—are often easily identified by a unique signature that can be matched against the payload of an API transaction. Speed of identification is as important as confidence in identifying a possible attack, and inspection remains a quick and reliable method of identifying malicious content.
Lastly, we see identity-related technology deployment as a result of COVID-accelerated digital transformation. We asked respondents what kinds of changes were being made to their security strategies post-COVID. More than one-quarter (26%) have implemented a credential stuffing solution and 34% have implemented API security frameworks.
That first number is the relevant one to this topic, as credential stuffing is all about protecting the identity (credentials) of people in a digital world. Given the incredible rise in digital options for every kind of business over the course of the pandemic, it’s heartening to see at least some taking their responsibility to protect identity seriously.
This is a relatively fast-moving trend in security, and we expect it will continue to become more pervasive as organizations further expand their presence in the digital economy. The importance of APIs foretells a need to identify more accurately the ‘user’ of APIs, especially with the growing importance of APIs in automation, cloud-native application architectures, digital ecosystems, and, of course, IoT. Protecting APIs in a digital economy is not just a technology concern but a business one as well.
But the trend also indicates how important identity is in a digital world, and why it’s only somewhat surprising to see identity-related services rise to the top of the most deployed application security and delivery technologies in 2022.
This shift toward identity revealed by our research is also significant as the market embraces zero trust as a foundational approach to security. Zero trust was named by 40% of respondents as the “most exciting” trend or technology. As an architectural model, zero trust focuses on securing and protecting applications and infrastructure by designing networks with secure micro-perimeters and limiting risks by restricting user privileges and access.
At the heart of zero trust is a simple question: who should have access to a resource? While there’s definitely a lot more that goes into answering that question and enforcing resulting policies across core, cloud, and edge, without identity the entire approach falls apart.
Whether identity stays top of mind remains to be seen but, given that emerging trends like Web3 also place a heavy emphasis on identity as a core construct, we think it is likely that the shift in security toward identity is just beginning.