Shifting the security paradigm: embracing the identity edge

A conversation about data and identity with Steve Zalewski, former CISO of Levi Strauss and a seasoned security advisor.

In the ever-evolving landscape of cybersecurity, the traditional network edge is no longer the impervious fortress it once was. As businesses transition to cloud environments, remote work, and hybrid infrastructures, the focus has shifted from securing the network edge to fortifying the identity edge. In our recent conversation with Steve Zalewski, former CISO of Levi Strauss and a seasoned security advisor, we delved into the necessity of this paradigm shift, and the critical role of data and identity in modern security postures.

The evolution of security: From network edge to identity edge

Drawing from his extensive experience as a security leader at companies like PG&E, Kaiser Permanente, and Levi Strauss, Zalewski has a unique perspective on the evolution of security strategies. In our conversation, he reflected that traditionally, companies had invested heavily in fortifying the network edge with firewalls, routers, and switches. However, the advent of the cloud disrupted this paradigm, prompting a reevaluation of where the real security battleground lay.

With the migration to the cloud, the concept of a “hard network edge” began to blur, giving rise to the importance of the “data edge.” Organizations faced a choice: attempt to replicate the network edge in the cloud, or acknowledge the emergence of a data-centric security approach. Zalewski proposes a three-pronged model: the network edge, the data edge, and the identity edge. This triad, he argues, forms the foundation for understanding where to allocate resources and focus security efforts effectively.

Hybrid environments and the identity challenge

In the era of hybrid environments, where on-premises data centers coexist with cloud infrastructure, the complexities of identity and access management multiply. Thus, the shift to a “data edge mindset” becomes crucial as businesses navigate these diverse landscapes. Zalewski emphasizes the need to recognize that the concept of “identity” extends beyond human users to assets, data, and APIs. This expanded view of identity becomes paramount in managing the dynamic flow of data across hybrid environments.

Zalewski argues for what he calls a “polymorphic defense,” challenging the static policies of traditional security perimeters. Focusing on identity, the goal of this approach is to implement contextualized authentication and authorization controls in near real-time. By embracing a polymorphic defense strategy, organizations can disrupt the tactics employed by cyber adversaries, making it harder for them to exploit vulnerabilities.

The power of identity in incident response

When it comes to incident response, there are many advantages of leveraging the identity mindset. Unlike traditional security models that often require days for analysis and response, identity-centric security allows for immediate containment. By temporarily revoking access or blocking transactions, businesses gain the breathing room they need to conduct thorough investigations without compromising operational resilience. It’s a flexible, nimble approach that allows for quick, focused response and containment.

Above all, Zalewski is clear about the imperative for security practitioners to not merely view the shift to the identity edge as an opportunity for improvement, but as a mandatory evolution. The identity edge, with its focus on dynamic authentication, authorization, and containment, presents a formidable last line of defense in a world where cyber threats are continually advancing. To remain secure in a landscape where attackers increasingly exploit identity vulnerabilities, organizations must embrace the polymorphic defense offered by the identity edge. 

Hear the full conversation

Conversations with Steve Zalewski about security trends and challenges are always eye-opening—and this one was no exception. Watch the full replay here.

Related posts

Report

Debunking the "stupid user" myth
in security

Exploring the influence of employees’ perception
and emotions on security behaviors