All organisations today are striving for an appropriate balance between security and usability when it comes to managing staff access to their application estates and data.
When a user is required to constantly jump through security hoops - having their identity and access permissions constantly challenged in order to gain and then maintain access to a secure environment - friction can start to creep in. If a layered or defence-in-depth security strategy creates barriers to usability, adds administrative layers to system access, and/or impacts performance or productivity, people will most likely try to bypass the protections.
Defence-in-depth was challenging enough when businesses had fairly well-defined IT boundaries. But in an era of hybrid work and multi-cloud environments, the ‘edge’ of the network is now considerably more elastic and constantly being stretched.
From a State of Security Resilience report: “The acceleration in hybrid work — including a mobile workforce, the proliferation of devices, and the hyper-distribution of applications over multiple cloud providers — has resulted in growing challenges to securing this widespread, fragmented interconnectivity.”
People and device movements have become more “dynamic,” and organisations need to protect their people, devices and information assets ‘on the move’ in a much broader range of locations and scenarios.
These scenarios may sometimes conflict with internal policy settings and risk appetites. An employee may find themselves transiting through international ports or working in locations where a third-party cloud service has little to no domestic servers or presence, where arranging secure cloud access could mean routing traffic to a geographically distant cloud region over a mix of terrestrial and subsea cables, adding latency and potentially extra security challenge ‘inconvenience’.
Securing a dynamic enterprise environment in a frictionless way requires new thinking, new layering of security protections, and new approaches to the challenge generally.
Optimising security at the edge
To secure the dynamic ambient conditions encountered in today’s workplace, organisations are adopting Secure Access Service Edge (SASE) frameworks, technology and governance structures.
SASE converges networking and security into a cloud-delivered service, simplifies operations, and helps organisations remain resilient in the face of ever-changing business demands. Importantly, it ensures that users are authenticating to the right environment, from an expected (‘right’) device and from an expected (‘right’) location, and that any deviances are challenged or addressed.
The ‘right’ resource to authenticate to should also be the most optimal one - optimal based perhaps on the proximity of the user to a cloud server or cache location, its hosting location or jurisdiction, and the ability to conform to security policy expectations. Are users connecting to infrastructure that is the most ‘local’ to them? Is additional assurance, such as via a re-authentication or proof-of-identity prompt or security challenge, required if they’re being routed through a more geographically distant gateway?
If users are being directed to log in via a different SASE gateway than usual, there may be a good reason for it. Perhaps it is because there is some sort of technical problem with their regular point of access. A system fault on their usual gateway may cause their login to be routed to and then come in from a different gateway infrastructure. That may cause a login delay for the user and trigger governance and risk thresholds. Is this known or expected user or system-based behaviour in the event of a fault or issue? It could be that the extra time taken to authenticate and log in triggers an additional security challenge for the user because the usual time limit for authorisation has been exceeded.
Alternatively, login via a different gateway may be entirely expected because the user is travelling, the organisation is aware of their plans, and the user has set their temporary location manually so that they can continue to authenticate via VPN seamlessly. If the user did not communicate their international travel plans, feasibly their traffic may be routed back to their regular gateway halfway across the world, causing them friction and potentially raising governance red flags back home.
So, the key to governance is being able to identify whether the right security components are being used, whether or not they’re optimally located with respect to the user and/or device, and then whether they’re valid.
Importantly, organisations should work towards optimising their ability to see and manage these various scenarios. To set this up, organisations will need certain forms of visibility and intelligence at hand.
Behavioural analytics is likely to be a useful input. Users tend to have fairly regular usage patterns and locations, and these can act as a kind of ‘fingerprint’. It may be that these locations become relatively trusted, and it’s only when the user pops up in a new location or even appears in a subsequently distant geographic location in quick succession that they may face additional security prompts.
These analytics may also be fed to a machine learning model that can then make recommendations for more advanced security and access control-based decisions based on detected user behaviour or pattern changes.
Recommendations could also deal with whether the SASE system itself is making the right ‘decisions’ on where it routes user traffic and how it handles authentication requests. It may be that the system logic can be optimised further based on the way users experience the system’s traffic routing rules.
At its core, this level of intelligence can only be captured and understood by visualising the user experience from end-to-end through every layer of security implementation. Only with the ability to continuously measure, compare and benchmark the impact of different security postures on user experience, can efforts be put in place to ensure not just a secure digital experience, but a great digital experience.