What sets a security solution apart in 2015…and beyond
When you purchase a home, every entrance to the house comes with a lock. The first thing almost every new homeowner does is change those locks so that they can feel safe and secure.
But this may not be enough. So, they may add another layer of security – such as an alarm system. Then they may put their valuables in a safe, located inside a locking closet. This may make them feel safer at first, but getting into their house and getting access to their valuables becomes a hassle over time.
So, what do these homeowners do? They stop setting the alarm when they leave the house or when they’re in for the night. They even start putting their valuables on their nightstand when going to sleep instead of unlocking the closet and putting them in the safe.
Why do they do this? Because the processes they created for themselves are too cumbersome, and require them to act in an unnatural, complicated way. This isn’t limited to just physical security. The same thing happens with cyber security solutions.
A quick glance at the headlines shows a perfect example of this – then-Secretary of State Hillary Clinton using a personal email account for both personal and professional email.
When asked why she did this, she was quoted as saying, “I opted for convenience to use my personal email account, which was allowed by the State Department, because I thought it would be easier to carry just one device for my work and for my personal emails instead of two.” (emphasis is mine)
To summarize, she opted for “convenience over security.” We are all guilty of this, right?
Convenience and ease of use are often the deciding factors when it comes to a security or authentication solution being effective or not. And – with ease of use being so essential – it’s also an incredible indicator of whether a security or authentication solution can stand out and truly be successful in what is an extremely crowded and competitive marketplace.
However, convenience that doesn’t also provide strong security suffers at least as much as strong security solutions that are so unnatural and cumbersome that they are abandoned and circumvented at the first opportunity.
Take single sign-on solutions and single-factor authentication as examples.
First of all, single sign-on itself is a bit of a fallacy. These solutions promise that a user will only have to sign in once, and then have complete access to all sensitive data, applications and accounts. Unfortunately, that’s not entirely the case. Not all legacy applications work with single sign-on, making the basic promise of a single instance of authentication untrue.
Worse, single sign-on solutions are inherently dangerous for the enterprise. These solutions essentially say that once a single- or multi-factor authentication process is complete, the entire network, all data and all applications are now at the disposal of the user.
In many cases, the single sign-on is a single-factor authentication requiring just a user name and password. This is trouble, since – as we’ve described in recent posts – many users reuse passwords across both their personal and professional lives. Remember, the ‘first’ factor of authentication is something YOU know, and it is hard to keep personal and business separate on that one.
Should a high-ranking official or executive fall victim to a phishing attack or have the credentials for one of their personal accounts get compromised, there’s a good chance that the same credentials can gain the hacker access to their professional accounts as well. And, should the enterprise be utilizing a single sign-on for all systems and applications, that hacker now has unfettered access to everything that individual is authorized to access on the network.
In the case of breaches like the Sony, JPMorgan Chase and Anthem attacks, this kind of access was absolutely devastating for both the company and its consumers.
Luckily, the next generation of security and authentication will be both strong and simple. Authentication will cover multiple factors, such as inherence, possession and location. And the processes will simultaneously feel natural and not require devices, fobs or objects beyond what the everyday consumer already carries.
And these next-generation, multi-factor authentication solutions will not only better protect an enterprise from breaches and stolen credentials, they’ll also help to identify and mitigate damage when credentials are compromised.
By building a profile and reputation for each user from the information gathered during the authentication process – such as location – these solutions will be able to identify when it’s a bad actor, and not the intended user, that is accessing the account.
For example, if John logs into his virtual desktop from Singapore two hours after logging into it from his office in New York City, something is clearly amiss. There’s just no way he could have physically gotten from one place to another. In cases such as those, these next-generation authentication solutions can be programmed to deny access to the individual. They will also be able to be programmed with rules that will help mitigate insider threats – such as denying access to company networks and files from the intern’s home computer.
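The two rules described above (the "impossible travel" check on John's New York and Singapore logins, and the role-based rule denying an intern access from a home computer) can be expressed as a small risk-based authentication policy. The following Python is an added example written for this post, not code from any product the post describes. It assumes a 1,000 km/h threshold as "faster than any commercial flight", approximate public coordinates for the three cities, and a constructed role policy table; all of these are illustrative choices, not values from the original text.

```python
"""Risk-based authentication checks: impossible travel and device policy (added example)."""
import math
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

EARTH_RADIUS_KM = 6371.0
# Assumed threshold: no commercial flight moves this fast, so two logins that
# would require this speed cannot both have come from the legitimate user.
MAX_PLAUSIBLE_SPEED_KMH = 1000.0

# Constructed role policy: interns may only connect from enterprise-managed devices.
ROLE_POLICIES = {
    "intern": {"require_managed_device": True},
    "executive": {"require_managed_device": False},
}


@dataclass(frozen=True)
class LoginEvent:
    user: str
    role: str
    when: datetime        # timezone-aware timestamp of the login
    lat: float            # approximate location derived during authentication
    lon: float
    device_managed: bool  # True if the endpoint is enterprise-managed


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points (haversine formula)."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def required_speed_kmh(prev: LoginEvent, curr: LoginEvent) -> float:
    """Speed the user would have needed to travel between two consecutive logins."""
    distance = haversine_km(prev.lat, prev.lon, curr.lat, curr.lon)
    hours = (curr.when - prev.when).total_seconds() / 3600.0
    if hours <= 0:
        # Same instant (or clock skew between sources): any distance at all is impossible.
        return math.inf if distance > 0 else 0.0
    return distance / hours


def is_impossible_travel(prev: LoginEvent, curr: LoginEvent,
                         max_speed: float = MAX_PLAUSIBLE_SPEED_KMH) -> bool:
    return required_speed_kmh(prev, curr) > max_speed


def evaluate_login(prev: Optional[LoginEvent], curr: LoginEvent) -> Tuple[str, str]:
    """Return ('allow' | 'deny', reason) for a login, given the same user's previous login."""
    policy = ROLE_POLICIES.get(curr.role, {})
    if policy.get("require_managed_device") and not curr.device_managed:
        return "deny", "unmanaged_device"
    if prev is not None and prev.user == curr.user and is_impossible_travel(prev, curr):
        return "deny", "impossible_travel"
    return "allow", "ok"


# Constructed sample logins (coordinates are approximate city centres).
T0 = datetime(2015, 3, 10, 9, 0, tzinfo=timezone.utc)
NYC_OFFICE = LoginEvent("john", "executive", T0, 40.7128, -74.0060, True)
SINGAPORE = LoginEvent("john", "executive", T0.replace(hour=11), 1.3521, 103.8198, True)
BOSTON = LoginEvent("john", "executive", T0.replace(hour=11), 42.3601, -71.0589, True)
INTERN_HOME = LoginEvent("alice", "intern", T0, 40.7306, -73.9352, False)

if __name__ == "__main__":
    for prev, curr in [(NYC_OFFICE, SINGAPORE), (NYC_OFFICE, BOSTON), (None, INTERN_HOME)]:
        print(curr.user, evaluate_login(prev, curr))
```

New York to Singapore two hours apart works out to roughly 15,300 km at about 7,700 km/h and is denied; New York to Boston in the same window is about 300 km at 150 km/h and is allowed. The speed threshold is deliberately generous so that the check denies only physically impossible sequences rather than merely unusual ones, which is what keeps a control like this from becoming the kind of nuisance that users route around.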
Much like the locks, security systems and safes in a house, security and authentication solutions need to be tough, but easy to use. The next generation of security and authentication solutions that will gain traction in this crowded, competitive marketplace will have both characteristics. They will also offer new capabilities – such as using the information and reputations they can build for users – to become more proactive and better protect the enterprise.