The Case for Convenience vs. Control
3.2 billion. That’s the number of people connected to the internet today. A security expert might look at that number and say, “That’s 3.2 billion potential risks.” And while they wouldn’t be wrong, that number also demonstrates the fast-paced, digital world we live in. Digital drives the way people work today, allowing them to work whenever they want and wherever they are. It has also created a level of complexity for security professionals that cannot be ignored.
It’s as if every IT security manager has a frustrated business user on one shoulder shouting “convenience” (easy access now!) and a CISO on the other shoulder shouting “control” (lock everything down tight!).
All humor aside, these diametrically opposed needs are being felt by everyone in IT security today, and especially by identity and access management professionals.
The Case for Convenience
As the digital world grows larger and more complex, so does the challenge to manage risk within today’s open enterprise. We want to provide employees, business partners and contractors with anytime, anywhere access, which has quickly become less of a luxury and more of a necessity, giving us the case for convenience.
For businesses to compete and move forward, they need to provide an increasing variety of people with access to an increasing number of digital assets to work effectively with the organization. From enterprise cloud applications such as Salesforce and Workday to web applications such as portals and intranets, to legacy (yes, even mainframe) applications, people are moving in and out of the physical corporate network, often from their own devices, on a regular basis.
The Urgency of Addressing Cyber Risk
The fundamental needs of the business aren’t going away, but there is a growing need to better balance business needs with security needs. IT security staff must keep pace with the surge of cloud and mobile applications layered on top of the organization’s traditional on-premises applications. They must also facilitate a global workforce and partner ecosystem that blurs the lines between employees, contractors, partners, and sometimes even customers.
As the network perimeter dissolves, security controls must accommodate this shift. Rather than targeting networks and applications, hackers are attacking the humans running them, and they’re succeeding. Identity is where security begins for the modern enterprise.
Is Single Sign-On the Answer?
While providing a great deal of convenience, single sign-on is not exactly a security measure. SSO is a method of access that allows users to log in once and gain access to a variety of applications. While it certainly enhances productivity and aids with issues like log-in fatigue, SSO isn’t designed to provide the automation and controls required to ensure that people have the appropriate access to the right applications at the right time in a manner that secures the enterprise. SSO is one tool in the IAM toolbox, but one that is focused on convenience rather than control.
Identity Governance – Balancing Convenience with Control
To balance SSO’s convenience with the proper level of controls, organizations need a robust identity governance solution. Identity governance provides the preventive and detective controls needed to control access and to identify and remediate security issues.
Some of the key functionality that identity governance provides to complement and strengthen SSO includes:
- User provisioning: to automate defined processes for granting, changing, and removing user access privileges.
- Policy management: to help strengthen passwords across all applications and to enforce policies that prevent unwanted “toxic combinations” of access privileges.
- Self-service password management: to allow end-users to manage their own credentials, anytime, anywhere, without having to involve the help desk.
- Access certifications: to ensure that user access is appropriate, conforms to policy, and meets audit and compliance requirements.
With identity governance, security organizations can confidently provide access to the open enterprise knowing that appropriate preventive controls are in place.
Conclusion: Striking the Elusive Balance
Like it or not, the days of “locking down” technology environments – and banning personal tools and devices – are over. The revolving door of technology, users and geographies puts identity at the center of it all, making the effective management and governance of those identities paramount to any security strategy.
You can also look at the digital population another way. There are 3.2 billion identities. Many of those are working in our globalized economy, collaborating and moving businesses forward on a global scale. Putting identity governance at the foundation strengthens security, provides user convenience and gives organizations the power to achieve a healthy, sustainable balance between convenience and control.