Securing the Digital World

Identity for Modern IT: A New Appreciation for User Experience

Jun 07, 2016 | by RSA

The following is a simple analysis that puts into perspective the user experience of modern IT that organizations typically require their users to endure:

Imagine a midsize enterprise with 1,000 users, each of whom has between one and three devices that connect to the enterprise infrastructure. Each user has installed between 25 and 100 applications on each device, including the device's system software. Now, imagine that these users routinely use between one and four different networks to access applications and data: for instance, the enterprise network, the mobile network, their home network, and potentially other wireless networks such as mobile hotspots. Keep things simple by ignoring any additional complexities, such as users joining and leaving the organization, devices getting lost, stolen, or upgraded, and the potentially broad diversity of roles, devices, and applications.

User Experience

How many total user experiences are implied by this modest IT infrastructure, which provides authorized users with access to the applications and data they need, when they need it, from the devices and networks that are most convenient?

The numbers are surprising. A simple Monte Carlo model shows that, with a 90 percent likelihood, there are more than 290,000 user experiences in this basic scenario and a 10 percent likelihood that there are more than 660,000. The median value is around 475,000, which means there are nearly half a million ways users may be asked to provide assurance of their identities before they can gain access to the applications and data they need to be productive or collaborate with others. This is just for 1,000 users. Imagine the magnitude of these numbers in a much larger and more complex IT environment.

Learning From This User Experience Model

An old-school IT response to this analysis might be to implement severe restrictions, such as a highly constrained number of user roles, strict limitations on devices and applications, and forced connections to the corporate network for all types of access. However, these are the strategies that have led many users to embrace the freedom and flexibility of shadow IT.

After all, improving the user experience is among the leading drivers for current investments in information security, as seen in research by the Aberdeen Group. Enabling user productivity (53 percent of all respondents), enabling collaboration between users (26 percent), and improving user satisfaction (22 percent) are at the top of the list of reasons why organizations update their IT. This means that, at least by intent, security combined with modern IT is increasingly meant to be an enabler for businesses, as opposed to a means of control, compliance, and cost reduction for IT staff.

An alternative, forward-looking response is expressed by the vision of RSA Via, particularly RSA Via Access, which includes single sign-on access to a variety of application types, flexible and innovative authentication mechanisms for a variety of devices, and the ability to implement access policies based on real-time intelligence and context. Both the research provided and the related analysis endorse a strong and deliberate focus on improving the user experience.