In a blog post on the OneLogin website titled “4 Things Manufacturers Need to Know to Balance Security and Productivity,” published on January 26th, 2018, Jack Shepherd gave manufacturers some food for thought about the across-the-board increase in data access the future will bring.
OneLogin is an access and security management company that offers solutions that address the 4 things mentioned in the article(1). OneLogin is a respected company and is partnered with some of the best IT firms in the business(1). Generally such blogs are hard to separate from a sales pitch, but in this case Mr. Shepherd hits pretty close to the mark. I actually think his purpose for the post narrowed the focus of a problem whose focus needs to broaden.
More people, more places.
That access control and security become more complex is an obvious truth for any company that partners with or shares data with another in order to do business. Managing this is one major leap in a company’s need for security and access control. Traditional security in the past meant training your staff, allowing a minimum amount of remote access, and strictly enforcing your use policies. Single Sign-On (SSO) authentication means you only need to log on once, and that login and password then give you access to all your services, from database applications to your entire Microsoft Office 365 suite. Though this is convenient, the one warning to consider is that with single sign-on it is common for all the individual accounts to have the same login and password. In such cases, in spite of the protection any solution offers, hackers only need to gain access to one of the services, like Office 365, and they have the login and password to everything. But the fact remains that any increase in who is accessing, why they access, and from where they access carries risk and must be addressed.
Balance or enhancement when it comes to security?
The more complex a solution is, the more problems users will have with it. These problems reduce efficiency, waste time, and carry significant cost in both lost productivity and time invested by a company’s IT department. Really, there is no balance; there is only enhancement. Balancing security would mean having to lower security to increase productivity. That is an unacceptable risk. The real key is to enhance security without compromising other factors like ease of access and productivity.
How to enhance security without scaring users
Use multi-factor authentication (MFA), which is a standard for increased security. Amazon Web Services stresses its use, as do most remote access applications. It adds an extra step for the user during login, but that is what makes it multi-factor: the last step in authentication has to come to you, and then you use it. That ensures the person who started the login is the same person who verifies it. So if someone stole your login and password, MFA means they would also need a device you own to complete authentication.
Use machine learning
Machine learning can keep track of irregularities in attempts to access an account. It can also combine this with determining the location of the login attempt (on the planet) and the device (computer, laptop, or cellphone) attempting the login, and can learn the pattern of access of each individual with an account. This means that even if someone has your login and password and was able to crack your MFA, if they are in a country you have never logged in from, and/or they are trying to access at a time you do not usually log on to the system, the login is not going to happen.
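The check described above can be illustrated with the following Python, which is an added example and not code from the OneLogin post or product. It swaps a trained model for a plain per-user frequency baseline over the three signals named in the paragraph (country, device, hour of login); the sample history, the two-hour window, the minimum-history threshold and the allow/step_up/deny policy are all assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample history: (user, country, device, hour_utc). Not real data.
HISTORY = [
    ("alice", "US", "laptop-01", 9), ("alice", "US", "laptop-01", 10),
    ("alice", "US", "phone-01", 8), ("alice", "US", "laptop-01", 14),
    ("alice", "US", "laptop-01", 16), ("alice", "CA", "laptop-01", 11),
]

def build_profiles(history):
    """Count, per user, how often each country, device and hour was seen."""
    profiles = defaultdict(lambda: {"country": Counter(), "device": Counter(),
                                    "hour": Counter(), "total": 0})
    for user, country, device, hour in history:
        p = profiles[user]
        p["country"][country] += 1
        p["device"][device] += 1
        p["hour"][hour] += 1
        p["total"] += 1
    return profiles

def hour_is_usual(hours, hour, window=2):
    """True if a past login falls within `window` hours (wrapping at midnight)."""
    return any(hours[(hour + d) % 24] for d in range(-window, window + 1))

def assess_login(profiles, user, country, device, hour, min_history=5):
    """Return (decision, reasons) for a login whose password and MFA succeeded."""
    p = profiles.get(user)
    if p is None or p["total"] < min_history:
        # No baseline yet: do not trust, do not block, ask for more proof.
        return "step_up", ["insufficient history"]
    reasons = []
    if country not in p["country"]:
        reasons.append("new country")
    if device not in p["device"]:
        reasons.append("new device")
    if not hour_is_usual(p["hour"], hour):
        reasons.append("unusual hour")
    # Assumed policy: a never-seen country plus any second anomaly is denied;
    # a single anomaly triggers extra verification instead of a hard block.
    if "new country" in reasons and len(reasons) >= 2:
        return "deny", reasons
    return ("step_up" if reasons else "allow"), reasons
```

Denying on a single anomaly would lock out travelling users, which is why the assumed policy only blocks when a new country coincides with another irregularity.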
Pay me now or pay me later
This is no joke. Managing remote users (road warriors) is costly and complex for the IT department of a single company. Managing access based on contracts between third-party companies can be exponentially more so. Add the fact that the risk of a breach is also greater, and you are looking at spending a lot of money to stay safe, and possibly insane amounts of money if it fails. This is where an outsourced security solution can be a twofold benefit. With a Service Level Agreement (SLA) that transfers risk from your company to theirs and a full-time company managing your access and security, your total cost of operation is fixed at a lower rate than you could ever provide yourself, without actually taking the risk of balancing security with usability, which as I said is one expensive compromise.
What I took away from this post was the need to address a rise in security risk. A publication by IDG called CSO wrote a piece on the rise in security threats in 2017 that addresses issues very similar to those in the OneLogin post. The one thing they mention that holistically addresses three of the “four things” (1) is the concept of a “security divide” and that part of the problem is social(2). Simply adding that thought to the post gives one a whole new view on the difficulty of maintaining security across regions or between companies.