Most organizations are having a tough time striking a balance between maintaining the strong security they require and giving employees the freedom and flexibility they need to excel at their jobs. For example, allowing users to log in from their mobile devices ensures they can work from anywhere — but opens more doors to the corporate network that attackers could exploit. Conversely, requiring complex passwords and two-factor authentication for every log-on strengthens security — but frustrates users and disrupts critical business workflows.
Walking this tightrope has been getting tougher as the borders of the office have expanded beyond the internal network and basic VPN connections. Today, organizations rely heavily on software-as-a-service (SaaS) solutions like Office 365, Salesforce, Box, Concur, and Slack; infrastructure-as-a-service (IaaS) solutions like Amazon Web Services (AWS), Google Cloud Platform, and Microsoft Azure; and increasingly sophisticated websites that can provide many of the same functions as SaaS and IaaS, including delivering dynamic content and enabling users to upload and download data.
How can you enable access to this growing universe of applications and services as the business demands them? A glance at headlines confirms that you can’t compromise on security; attackers are constantly upping their game. But neither can you sacrifice the user experience, or you’ll lose your competitive edge and your ability to attract top talent.
Fortunately, you don’t have to choose one over the other. Here are three tips for achieving both strong security and high user productivity at the same time.
1. Think adaptive and context-aware.
Start by accepting that your concerns about the effectiveness of passwords are entirely warranted. Every week it seems there’s yet another article published about how to choose stronger passwords, but you know only too well that there is no such thing as a good-enough password. You’ve probably tried slapping band-aids on them by mandating various complexity standards and requiring frequent password changes, but the only real results were pissed-off users and an expensive spike in helpdesk calls for password resets. You might even have tried shoring up the password by adding a second factor — only to discover that users hate hate HATE carrying hardware tokens, the “personal” questions you ask can be readily answered by a quick glance on social media, and one-time passcodes (OTPs) sent to mobile devices can be hacked all too easily.
It’s time to stop asking users to prove their identity and instead take the job of authenticating them into your own hands. With the right tools, you can check a whole wealth of characteristics about a log-on or access request — without the user even knowing. Are they using the same device they used yesterday and last week? Has their mobile number been ported recently? Are they logging on from a geographical location that’s unusual for them, or that they couldn’t have physically traveled to since their last log-on?
Silently evaluating these and other criteria enables you to reliably assess the risk associated with a particular log-on or access attempt. Most legitimate users sail through the process without even knowing it happened; they’re interrupted for further authentication steps only when they’re using a new device or there’s some other risk factor in play. But at the same time, attackers are stopped cold or shunted off to a honeypot where you can analyze their tactics at your leisure. You can even tailor the amount of risk you find acceptable by the type of user and the data and systems they’re requesting access to. For instance, you might be more stringent about log-on requests from admins who can change system configurations and finance staff who can access sensitive data than you are with access requests from users with fewer privileges.
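To make the idea of silent, context-aware risk evaluation concrete, here is an added example (not code from the original post or from any vendor product) of a small risk engine that scores a log-on attempt on the three signals the text names: an unfamiliar device, a recently ported mobile number, and a geographic location the user could not have reached since their last log-on. The signal weights, the speed used for the "impossible travel" check, the role-based step-up and block thresholds, and the sample log-on history are all constructed assumptions for illustration.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption: anything faster than roughly airliner speed between two
# log-ons is treated as physically impossible travel.
MAX_PLAUSIBLE_SPEED_KMH = 1000.0

# Assumption: stricter thresholds for roles with more privilege
# (admins and finance staff), as the text suggests.
STEP_UP_THRESHOLD = {"admin": 20, "finance": 20, "standard": 40}
BLOCK_THRESHOLD = {"admin": 50, "finance": 60, "standard": 80}


@dataclass(frozen=True)
class LoginEvent:
    """A past, successful log-on we remember for the user."""
    user: str
    device_id: str
    lat: float
    lon: float
    time: datetime


@dataclass(frozen=True)
class AccessRequest:
    """The attempt being evaluated right now."""
    user: str
    device_id: str
    lat: float
    lon: float
    time: datetime
    number_ported_recently: bool  # e.g. from a carrier port-status lookup
    role: str  # "admin", "finance" or "standard"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def risk_signals(req, history):
    """Return (signal_name, weight) pairs that fired for this request."""
    signals = []
    mine = [e for e in history if e.user == req.user]
    if req.device_id not in {e.device_id for e in mine}:
        signals.append(("new_device", 30))
    if req.number_ported_recently:
        signals.append(("number_ported", 40))
    last = max(mine, key=lambda e: e.time, default=None)
    if last is not None:
        dist_km = haversine_km(last.lat, last.lon, req.lat, req.lon)
        hours = (req.time - last.time).total_seconds() / 3600
        # Skip the check on zero/negative gaps (clock skew) to avoid division by zero.
        if hours > 0 and dist_km / hours > MAX_PLAUSIBLE_SPEED_KMH:
            signals.append(("impossible_travel", 50))
    return signals


def decide(req, history):
    """Map the summed risk score to allow / step_up / block for the user's role."""
    signals = risk_signals(req, history)
    score = sum(weight for _, weight in signals)
    if score >= BLOCK_THRESHOLD.get(req.role, BLOCK_THRESHOLD["standard"]):
        return "block", score, signals
    if score >= STEP_UP_THRESHOLD.get(req.role, STEP_UP_THRESHOLD["standard"]):
        return "step_up", score, signals
    return "allow", score, signals


# Constructed sample data: alice last logged on from New York on her laptop.
T0 = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)
SAMPLE_HISTORY = [LoginEvent("alice", "laptop-1", 40.71, -74.01, T0)]

SAMPLE_REQUESTS = {
    # Same laptop, same city, a day later: nothing fires.
    "same_device": AccessRequest("alice", "laptop-1", 40.71, -74.01, T0 + timedelta(days=1), False, "standard"),
    # Same laptop but from London one hour later: impossible travel.
    "impossible_travel": AccessRequest("alice", "laptop-1", 51.51, -0.13, T0 + timedelta(hours=1), False, "standard"),
    # Same scenario for an admin: the stricter threshold blocks outright.
    "impossible_travel_admin": AccessRequest("alice", "laptop-1", 51.51, -0.13, T0 + timedelta(hours=1), False, "admin"),
    # New phone plus a freshly ported number, from New York, for finance staff.
    "ported_new_phone_finance": AccessRequest("alice", "phone-9", 40.71, -74.01, T0 + timedelta(days=1), True, "finance"),
}


def evaluate_samples():
    """Decision name for each constructed request, keyed by scenario."""
    return {name: decide(req, SAMPLE_HISTORY)[0] for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(name, decide(req, SAMPLE_HISTORY))
```

The design point is that every signal is gathered from data the service already has (device identifier, carrier port status, geolocation and timestamps), so the legitimate user in the first scenario sees nothing, while the same risk score yields a different decision depending on how much privilege the role carries.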
2. Think granular.
The cornerstone best practice for security is the least-privilege principle — enable users to access the resources they need to do their jobs, no more and no less. Therefore, the key to safely enabling users to access cloud services, websites, and other resources, instead of being forced to constantly deny these business requests outright, is being able to implement and enforce granular security policies.
Be sure to choose a solution that enables you to create granular security policies based on identity, service, activity, and data, and specify the appropriate response: block, alert, bypass, encrypt, quarantine, or coach. For example, you can create a policy that ensures that all data that users upload to cloud storage is encrypted, and another policy that blocks any download of confidential data to a BYO device. With this granular visibility and control, you can secure sensitive data across your organization while enabling employee productivity to soar. In short, you can say “Yes” instead of “No” to the applications and services your business needs to be successful — without compromising security.
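As an added illustration (not code from the original post or from any product it refers to) of what a granular, least-privilege policy looks like in practice, the following evaluator matches an access event on identity, service, activity, data classification and device type, and returns the first matching response from the list the text gives (block, alert, bypass, encrypt, quarantine, coach). The policy names, the group and service labels, and the sample events are constructed assumptions; the two policies the text describes (encrypt all cloud-storage uploads, block confidential downloads to BYO devices) are included alongside a few others.

```python
from dataclasses import dataclass, fields
from typing import Optional

ACTIONS = {"block", "alert", "bypass", "encrypt", "quarantine", "coach"}


@dataclass(frozen=True)
class Event:
    """One access attempt, as a CASB-style proxy would observe it."""
    user: str
    group: str            # identity: the user's group or role
    service: str          # e.g. "cloud-storage", "personal-file-share"
    activity: str         # "upload", "download", "share", ...
    classification: str   # data label: "public", "internal", "confidential", "unscanned"
    device: str           # "managed" or "byod"


@dataclass(frozen=True)
class Policy:
    """A rule: every non-None field must equal the event's field for a match."""
    name: str
    action: str
    group: Optional[str] = None
    service: Optional[str] = None
    activity: Optional[str] = None
    classification: Optional[str] = None
    device: Optional[str] = None

    def __post_init__(self):
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")

    def matches(self, event):
        conditions = {f.name: getattr(self, f.name) for f in fields(self)
                      if f.name not in ("name", "action")}
        return all(v is None or v == getattr(event, k) for k, v in conditions.items())


# Constructed policy set. Order matters: first match wins, so the most
# restrictive rules come first and the default is a plain allow.
POLICIES = [
    Policy("block-confidential-to-byod", "block",
           activity="download", classification="confidential", device="byod"),
    Policy("quarantine-unscanned-uploads", "quarantine",
           activity="upload", classification="unscanned"),
    Policy("coach-unsanctioned-service", "coach", service="personal-file-share"),
    Policy("alert-finance-confidential-download", "alert",
           group="finance", activity="download", classification="confidential"),
    Policy("encrypt-cloud-uploads", "encrypt", service="cloud-storage", activity="upload"),
    Policy("bypass-security-tooling", "bypass", group="security-ops", service="siem"),
]


def evaluate(event, policies=POLICIES):
    """Return (action, policy_name); unmatched events fall through to allow."""
    for policy in policies:
        if policy.matches(event):
            return policy.action, policy.name
    return "allow", "default"


# Constructed sample events, keyed by scenario.
SAMPLE_EVENTS = {
    "upload_to_cloud": Event("bob", "engineering", "cloud-storage", "upload", "internal", "managed"),
    "confidential_download_byod": Event("carol", "finance", "cloud-storage", "download", "confidential", "byod"),
    "confidential_download_managed": Event("carol", "finance", "cloud-storage", "download", "confidential", "managed"),
    "unscanned_upload": Event("bob", "engineering", "cloud-storage", "upload", "unscanned", "managed"),
    "personal_share": Event("dave", "sales", "personal-file-share", "upload", "internal", "byod"),
    "siem_access": Event("erin", "security-ops", "siem", "download", "confidential", "managed"),
    "public_read": Event("dave", "sales", "cloud-storage", "download", "public", "byod"),
}


def evaluate_samples():
    """Action chosen for each constructed event."""
    return {name: evaluate(ev)[0] for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        print(f"{name:32} -> {evaluate(ev)}")
```

Two points worth noting about the ordering. Because the evaluator stops at the first match, the confidential-to-BYOD block is listed before the finance alert rule, so the same download is blocked on a personal device but merely alerted on a managed one; and the quarantine rule for unscanned data precedes the general encrypt-on-upload rule, so unclassified content is held for inspection rather than silently encrypted and stored.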
3. Think user experience and adoption.
We’ve already noted how users hate things that get in their way, like password complexity requirements and hardware tokens. You probably secretly hate them yourself. Moreover, you know better than anyone the costs that inevitably come along with them: lost productivity, skyrocketing helpdesk call volume, maintenance and replacement expenses, and more.
Happily, you can stop beating your head against this particular wall: There are established, proven technologies that actually streamline and improve the user experience while strengthening security. Users love single sign-on (SSO), flexible multifactor authentication options that let them use the smartphone they already have welded to their palm instead of a key fob, and adaptive authentication that remembers their devices and log-on patterns. You can even go passwordless! Choose these solutions, and you won’t have to coax, cajole, or threaten users to adopt them in order to improve security; they’ll be clamoring to be first in the roll-out.
You might be thinking, this all sounds great, but where do I find these tools?
Check out our newest solution brief to find out, and get the full scoop on how you can finally balance productivity and security.