Every day, we all make countless choices that affect what we do. Should you snag a donut from the stack in the break room or go to the gym? Every decision has short- and long-term implications. If donuts are your favorite food, you may decide that the sweet and luscious experience of eating one eclipses whatever the long-term effects of 500 calories and 30 grams of sugar might be on your body.
Every choice involves trade-offs. Selecting one option may mean you miss out on something else. Even worse, sometimes benefits and results don’t happen immediately, so it can take time for the effects of a trade-off to become obvious.
In making decisions about technology, and particularly cybersecurity, every solution you consider is going to have trade-offs. The key is to understand which trade-offs aren’t worth it. To do that, you need to look at both the short- and long-term impacts of your choice.
Historically, in cybersecurity, businesses have often prioritized convenience over security. The old saying, “the best security is the security you’ll actually use” is certainly true. But many companies place such an emphasis on “easy” that they overlook the security trade-offs they have to make to get that coveted ease of use. For example, if you’re looking at multi-factor authentication (MFA) solutions, easy setup is nice to have. The sooner you can turn it on, the better, right?
Yes, but is having an easy setup as important as having offline authentication and failover to other authentication options in the event of an internet outage? Probably not.
You may set up a system or a user only once, but security gaps have serious long-term consequences. The fact that it took only 30 seconds to set up a user doesn’t matter if you have a system breach a month later. Verizon has found that 82% of breaches involved human elements such as stolen credentials and phishing. Because of the increase in digitization and the loss of any type of network perimeter, organizations need to reevaluate their calculus. Those 30 seconds aren’t worth the time and money it will cost to repair a breach.
Businesses simply can’t afford to sacrifice security at the altar of convenience. But they can’t add so much friction that they drive users away either. This either/or situation is a losing proposition. Ideally, the goal should be both security and convenience.
Always on, high availability (HA), and offline authentication capabilities are critical for many organizations. MFA can’t just work some of the time; it needs to work all the time and support all the operating systems people are using.
Many midsize to large organizations with complex IT estates are also dealing with a mix of on-premises, cloud, and mobile resources that all need protected access. These businesses must support mission-critical on-premises/legacy platforms, applications, and infrastructure with thousands of additional open standard and managed resources. Doing so eliminates the need for multiple identity management solutions, and ensures a seamless user experience, from the desktop to the data center to the cloud.
Any authentication solution needs to be able to deliver comprehensive security that’s both convenient for end users and easy for IT to deploy and maintain. A solution should offer a broad set of authentication options such as push to approve, one-time password (OTP), biometrics, FIDO, SMS, and hardware tokens to account for a range of users and preferences.
Beyond adapting to individual user preferences, your MFA solution should adapt to different situations as well. Risk-based authentication steps up security only if behavior analytics and other advanced capabilities indicate that the risk warrants it. It automates the contextual or behavioral analysis of a series of risk indicators, such as device attributes, user behaviors, and geolocation. The higher the risk level presented, the greater the likelihood that it is a fraudulent identity or action. If the risk engine determines that the risk of a request is above what policy accepts, then a “step-up” action is required with another form of authentication.
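The risk-based step-up decision described above, as an added example (not RSA's code or product logic). The indicator names, weights, policy threshold, speed ceiling and sample logins are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass

# Assumed weights and policy threshold, constructed for illustration.
WEIGHTS = {"new_device": 40, "odd_hour": 15, "impossible_travel": 60}
STEP_UP_THRESHOLD = 50
MAX_SPEED_KMH = 900  # assumed ceiling, roughly airliner speed

@dataclass
class Login:
    device_id: str
    ts_hours: float  # hours since an arbitrary epoch (UTC)
    lat: float
    lon: float

@dataclass
class Profile:
    known_devices: set
    usual_hours: range  # hours of day the user normally signs in
    last: "Login | None" = None

def km_between(a, b):  # great-circle (haversine) distance in km
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlat, dlon = p2 - p1, math.radians(b.lon - a.lon)
    h = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371 * math.asin(math.sqrt(h))

def risk_indicators(login, profile):
    found = []
    if login.device_id not in profile.known_devices:  # device attribute
        found.append("new_device")
    if int(login.ts_hours) % 24 not in profile.usual_hours:  # user behavior
        found.append("odd_hour")
    prev = profile.last
    if prev is not None:  # geolocation: implied travel speed since last login
        elapsed = max(login.ts_hours - prev.ts_hours, 1e-6)
        if km_between(prev, login) / elapsed > MAX_SPEED_KMH:
            found.append("impossible_travel")
    return found

def decide(login, profile):
    """Return (action, score, indicators); step up only above the threshold."""
    found = risk_indicators(login, profile)
    score = sum(WEIGHTS[name] for name in found)
    return ("step_up" if score > STEP_UP_THRESHOLD else "allow"), score, found

# Constructed sample: last good login in New York, then Singapore 2 hours later.
PROFILE = Profile({"laptop-1"}, range(8, 19), Login("laptop-1", 1000, 40.71, -74.01))
print(decide(Login("laptop-1", 1002, 1.35, 103.82), PROFILE))
```

A single low-weight indicator, such as a new device during normal hours, stays below the threshold and adds no friction; only combined or high-weight indicators trigger the extra factor.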
RSA has been at the forefront of authentication technology for more than 30 years. Our solutions are designed for reliability and use the latest cryptographic standards. Whether your organization is just starting to move applications to the cloud, or you are well on your way to full zero-trust implementation, our solutions can support your cybersecurity initiatives. Don’t settle for either/or. Discover how true hybrid can finally deliver the power of both/and.