Don’t you wish you could give your users all the access they need, without worrying about them becoming frustrated with the increased security measures put on the business and then taking actions into their own hands to avoid those security measures in order to remain productive? Simply providing users with IDs and passwords for each application or data set will not keep your business secure…or productive…anymore. A truly successful security strategy must look at information in context, exploring the "who, what, when, where, and why" of access activities. Your strategy must understand where gaps exist, while supporting secure and convenient access to both legacy and emerging applications for users -- who expect to stay productive -- and the IT staff responsible for keeping the business secure.
The theory behind security is noble: IT should ensure that only approved users can access systems and data, that they access them only for the right reasons, and that they’re doing the right things once they’ve gained access. In practice, though, security has been a static process of IT administrators saying "no", denying access and placing barriers (multiple passwords and access protocols) between users and the resources they need to do their jobs.
In fact, a recent global security survey confirmed that common access management processes limit employee productivity, and often force them to find workarounds to get their jobs done yet expose the organization to greater risk. 91 percent of business respondents said their productivity is negatively impacted by security measures put in place by the business. If a business were to replace traditional, static access processes with a context-aware security approach, 97 percent of IT professionals say they would see improved worker productivity without compromised security.
Risks like business-destroying theft have turned security into a moving target. The advent of mobile users and increasingly sophisticated attacks are motivating organizations to enhance their security footprint by deploying a context-aware (or adaptive) approach that ensures user productivity while enforcing access rights to business assets. This approach provides a real-time evaluation of the “who, what, when, where and why” surrounding each request for network access.
Evaluating the risk of multiple pieces of security Information to make educated, real-time security decisions
One context-aware model implements a security analytics engine (SAE) that returns a risk score based on multiple factors, or contexts, of the users’ access request:
- Browser used -- Includes historical analysis of any browser use that falls outside of normal behavior for the user
- Location pattern -- Detects any requests for access originating from an abnormal location
- Specific location -- Prevents access initiated from specific locations or geographies known to foster malicious activity
- Time -- Detects any requests for access that occur outside of customary times and days for the user
- Blacklist -- Prohibits requests for access based on a list of forbidden networks or network addresses
- Typical behavior -- adjusts security requirements based on normal user behavior, if an access request falls outside of the norm, security can be adapted to reduce risk
The SAE weighs the "who, what, when, where, and why" of access requests according to the organization’s needs, user populations, threats, practices, applications, and infrastructure. It then produces a total risk score to adjust enforcement in real time, thus providing the right security in any situation.
Static security, based on a collection of unlinked security factors, no longer suffices for 21st century security which both secures the organization and keeps users productive. A context-aware approach to security gives organizations the power to protect business without imposing burdensome authentication requirements and password schemes on users. The result is stronger security and a more productive workforce.
Imaged Credit: soliman design / Shutterstock
Bill Evans is senior director, product marketing, Dell Security