A corporate security team investigating an incident narrowed the exposure point to an executive’s laptop. The executive vehemently denied any wrongdoing, only to discover he had indeed left the company vulnerable. He’d used his credentials to allow his child to access his laptop to do “innocuous kid stuff” online.
That cautionary tale, told during the recent webcast, Identity Security and User Experience – There Shouldn’t be a Trade-off, underscores the current state cybersecurity professionals find themselves in, where a moment of parental indulgence can create a security event. Such scenarios are now common because people routinely use work devices for personal use, and personal devices to conduct work.
“The struggle is real,” said Ben Carr, a seasoned information security and risk executive who recalled that incident with the executive’s laptop. “How do we move to solutions that make it much easier for the end user, the customer? As a CISO, as a security professional, any time you're putting a policy of control in place, you’ve also got to put yourself in the shoes of the person that policy is going to impact. And [you have to] ask: Is this the best implementation? Is there a better way to do it, so the outcome is the one we’re expecting?”
Iva Blazina Vukelja, the vice president of product management for the Duo suite of products within Cisco’s portfolio, said authentication has evolved from the era of stringent password policies to seamless user experiences like Touch ID, which she says is more frequently used by Mac than Windows customers, perhaps because Apple makes it easier to set up a biometric on its devices.
Despite the strides that have been made, identity ecosystems remain complicated, with diverse user populations and legacy systems. This is forcing cybersecurity teams to reevaluate their authentication programs to include stronger controls around verifying users and devices beyond traditional multi-factor authentication (MFA) now in wide use.
“The truth is we actually live in pretty complex environments, where there is rarely a place where all your applications are web auth’ed and enabled,” she said.
A risk-based, staggered approach to identity management
Vukelja noted the best way to manage identity is always a risk-based, staggered approach. Security measures adapt to and align with an organization’s unique risk profile, which is always changing. That, in turn, requires continually identifying and prioritizing identity-related risks and reassessing the security controls already in place.
Increasingly, it also means moving away from password management to passwordless authentication. “Personally, I would love a world where I am passwordless for absolutely everything,” said Chris Anderson, a senior principal product manager at Cisco.
Anderson raised several concerns, such as laptops used in clamshell mode (closed, with the built-in camera and fingerprint reader out of reach, so the user cannot complete a biometric prompt) and the need for better industry standards, that can result in substandard security and poor user experiences.
For instance, FIDO2 is an authentication standard that enables passwordless login using public key cryptography: the device holds a private key and signs a challenge from the server, and a biometric or PIN serves only to unlock that key locally. But the application, or the identity provider in front of it, must support the standard for end users to benefit from it. When it doesn’t, users will fall back on weaker methods such as passwords and one-time codes.
Then there is consumer apprehension about biometric scans falling into the wrong hands – a tough loss given an iris, face or fingerprint cannot be replaced if stolen. But such situations are rare.
“There’s a misconception out there in the user community that you are giving out biometric [data] to some third party that is going to store it somewhere in the cloud,” Vukelja said. “Largely that is not happening because biometrics are stored in a safe enclave on your laptop; vendors will not store it centrally, out in the cloud. But there is that perception and resulting reticence to share biometrics. We see it in different user bases and across all customers regardless of geographical boundaries.”
Carr reminded everyone that while biometrics are more prevalent now, they aren’t without shortcomings. “Biometrics aren’t a panacea for everything,” the CISO said. “They aren’t the golden ticket.”
Reframing identity security as boosting, rather than blocking, business
All three panelists agree that organizations do themselves a disservice when a simple, self-administered, 30-second fix instead takes minutes, hours, even days to work its way through the helpdesk queue.
“Users are just trying to do the right thing,” Anderson said. Things escalate when a user is blocked from accessing something needed to do their job and, once the problem is resolved, the steps to resolution are not shared with them, so the same delay recurs the next time the situation arises.
It’s vital that those on the security forefront position themselves as business enablers, not blockers. Communicating the need and benefits of a strong identity management program creates cooperation and collaboration, rather than conflict and combativeness. That’s why it remains vital that policies, processes and protocols be created and implemented with the end user in mind.
“The journey you send your users down is just as important as the outcome you're trying to derive,” Anderson said. “If that journey’s bad, that outcome is not going to be anywhere near what you want it to be.”