Securing the Digital World

Yin and Yang: Two Views on IAM - Security vs. Convenience

Sep 11, 2017 | by Chris Williams, Stephen Mowll |

POINT: A little extra effort is worth it to ensure security.
Chris Williams – Advisory Architect, RSA Identity

Shortly after the Earth's crust cooled and dinosaurs were just potential fossil fuel sources, I began my IT career in large data centers providing services to state entities, the Department of Defense and military contractors. Security was not an afterthought – it was the basis of our offerings.

And even though we were still in the throes of the Cold War with eminent infrastructural and informational destruction looming on the horizon (remember the neutron bomb?), it was a simpler time. Mainframe systems were rigorously supported through black-world data center protocols, controls, and communication centricity.

Complementing our hardened physical data center processes, IT "information access" policies were managed by a handful of System Program-level administrators with classified clearances given infinite control over O/S level Access Control Lists and empowered by just a few Security control Programs (RACF, ACF2, Top Secret).

Once the System Programmers deemed a user worthy of obtaining access, there were still very few means to use that access. You could get a direct connect session from a terminal within the facility, or maybe you could be located elsewhere via a dedicated facility and use a controlled "access tunnel" like a remote job entry line (RJE).

The idea here was simple: We control your access – if you don't like it, then go work somewhere else. User convenience was simply not a concern.

Granted, times have changed, platforms have changed, access expectations have changed, and the way we conduct commerce, well, who remembers standing in line at the bank to withdraw $20.00 from a human being?

But now, when you look at the identity risk vector and the constant attack level capabilities, which are being advanced every day, it may be time that we strike a balance more towards caution than convenience. There is nothing wrong with mandatory password strengths, multi-factor authentication, step-up context/condition sensitive adaptive authentication. There is nothing wrong with having your users prove they are who they say they are. And, there certainly is nothing wrong with protecting your managed data with stringently enforced controls. After all, isn't an additional 20 seconds of authentication protection, better than finding out that your identity has been stolen and you just spent ten thousand dollars that you don't have?

COUNTER POINT: There's a smarter way to ensure security without added friction. It also requires a little work upfront.
Stephen Mowll – RSA Identity Architect

User convenience is the key requirement to end user adoption of technology. That does not mean to say that security has to be compromised to achieve it. Even in Chris' "good ol' days" example, if the users were tired of the pain of getting access to something new or setting a password, they could likely just walk over to see "their friend in IT" to bypass a secure process and gain access to things more directly. So, has much really changed?

Today, problems such as shadow IT explodes because IT security is viewed as a blocker to the manner in which the business wants to move and the convenience they need to do their jobs quickly and easily.

There has to be a balance. I am starting to see this balance in the innovative approaches companies are taking using identity assurance-based processes. Identity assurance goes beyond user name and password to validate that the user is who they claim to be based on different risk and contextual factors such as user behavior, device, location, and the type of data being accessed.

Companies are also using access assurance to validate if a user should have access to something based on the risk analytics that can examine user roles, permissions and policies automatically.

There are also companies that have started down the road of creating centralized policy engines for authentication to applications where access is given purely based on the understanding of who the user is and no predefined access control model. This removes the need for provisioning and joiner-mover-leaver processes outside of the identity store.

These are just a few examples of how companies are finding ways to balance security and convenience by leveraging risk and context to eliminate the friction that added security can create. Of course there are going to be some challenges in adopting these types of models, one being that you have to understand which resources and data you want to protect and you must have a high-quality source of identity truth. This is what we aspire to, but don't always have without putting in the work to make it happen.

Learn how RSA identity solutions can help you deliver convenient and secure access without compromise.