Today we are really excited to have a guest blog post from Mark Child, Research Manager for IDC’s European Security Group.Mark’s specific area of focus is on Endpoint Security and Identity and Digital Trust (IDT). Mark also monitors innovation in security technologies and the emergence of new security approaches and how organizations can leverage these to address the evolving challenges within IT security. Mark is also responsible for agenda creation for one of IDC’s most successful event series, the CEE Security Roadshow.
To hear more from IDC and the benefits that can be gained from integrating your identity controls, download our IDC Analyst Connection.
“Forgot your password? Click here to reset.” For both employees and customers, those 7 words have become a frustrating experience. For organisations, too, they are a major cost, a source of lost productivity, and potentially lost business as well. The average cost of a password reset is around $50 (depending on which source you check). Multiply that out for an organisation with thousands of employees, millions of customers, and potentially thousands of failed logins per week, and it’s clear that the digital world is crying out for a solution.
User experience – UX – is a major focus throughout the Identity and Digital Trust (IDT) sphere, as authentication and access processes are such ubiquitous friction points for end users. The IDC view is that an optimum approach to identity and access should neither sacrifice the security nor the UX, but rather allow your organization to ‘have your cake and eat it’. In other words, there is a need for enterprises to provide end-to-end and effective security that gets out of the way of genuine users, allowing employees to focus on their core responsibilities and customers/consumers to focus on acquiring the products and services they desire.
Addressing the Identity Challenge
The IDT market has evolved as the adoption of cloud, mobile devices and mobile access, and “e-everything” (eGovernment, eBanking, eCommerce, etc.) has become widespread. New approaches and technologies have emerged to facilitate identity and access processes more smoothly and/or strengthen security around digital interactions. These include multi-factor authentication (MFA), single sign-on (SSO), contextual and adaptive/dynamic authentication, behavioural analytics, and biometrics. This is good, but it can leave security teams struggling to determine the optimum approach for their organization and which IDT tools and components are the best fit to their processes and infrastructure. Crucially, they also need to ensure that enterprise-wide adoption will be as smooth and painless as possible for all users.
When it comes to delivering a smooth and painless experience, it is also important to bear in mind the needs of the security and IT teams who support and operate identity technologies. From an operational perspective, maintaining a positive user experience while enhancing security is best achieved when the organisation has adopted a unified security approach. The key to this is deploying integrated solutions (for example, an identity platform) that work well together and bring benefits both to security and IT (e.g., lower operational and management burden) and to the broader workforce (user satisfaction, productivity). From the side of the IT and security teams, this represents a strong move towards operational excellence in security; from a user perspective, it means a smooth and seamless experience as they go about their day-to-day activities.
Identity Is A Business Issue
Business is the ultimate beneficiary of both operational and UX improvements. This is of paramount importance: as we all know, without the support of the business, driving enterprise adoption of new platforms can be challenging, even when we as the IT or security team know the benefits it will bring. Communicating those benefits to the board and the users is important too. In this time of frequent data breaches and eroding consumer trust, a progressive approach to identity and security shows that the organisation takes care of individuals’ personal data (employees, customers, and all other stakeholders). This helps build the digital trust that has become a critical currency in the digital era, crucial for the success of any business.
EPM, SSO and MFA
So, let’s get back to that frustrated user and their password reset. How can your organisation reduce those pain points? Enterprise password managers (EPMs) are becoming an indispensable part of the worker’s toolkit. The typical end user these days has anything from 90 to 200 logins and passwords for different sites (and often more!). Weak passwords and password re-use are significant, widespread problems that can lead to accounts being compromised and systems being breached. A good EPM doesn’t just lock up all your passwords in one user-friendly but impregnable box, however. It will also check the credentials of the site or application you are trying to log in to, and if it is not legitimate – e.g., if you have been directed to a malicious imitation of your online banking service – then the EPM will not enter your credentials. An extra layer of protection delivered without any additional effort on the part of the user. What’s not to like?
Another priority is SSO. The days of employees needing to log in to a handful of on-premises applications are long gone: multiple cloud-based and on-premises applications are the norm, supporting productivity, flexibility, creativity, efficiency and everything else you can think of that is fundamental to successful digital business. Even the online sandwich delivery for those lunchtime meetings ought to be covered by SSO! Multiple disparate logins to the application toolkit are counterproductive. When it comes to improving user experience and security, deploying a good SSO solution is one of the best steps your organization can take.
Finally, let’s talk about multi-factor authentication. This is another crucial component of the organization’s identity platform and this one comes firmly from the ‘stronger security’ side. As hackers have taken on one legacy authentication method after another, every organization from banks to booking agents has had to strengthen authentication requirements for providing access or approving transactions. This has driven innovation across the vendor landscape. The outcome is MFA offerings appropriate for all company sizes and requirements; on-premises or cloud-based; and with any number of authentication methods available, to enable the customer to opt for whichever is most suitable for their business and use cases. To put it another way, whatever level of risk the organization is looking to mitigate, there is an option out there.
Identity as a Service
So, the solutions are out there, it’s clear that an integrated identity platform represents the most effective and manageable approach, but what is the best deployment model? Traditionally, organisations would implement an on-premises solution (or solutions) and then carry the burden of managing, maintaining, and updating it whenever necessary. However, cloud-based identity as a service (IDaaS) solutions represent a means to address many of the operational challenges around managing the identity platform and can even improve the overall level of protection for your organization. For a start, this will require fewer internal resources (both in terms of headcount and required skills), freeing up the security team for other tasks; secondly, it taps into the experience and expertise of a dedicated identity provider; finally, it can provide considerable cost savings – so the business benefits yet again. The market is responding to these benefits: according to IDC data, cloud-based identity solutions grew at more than triple the rate of on-premises solutions in Europe in 2018.
Last, But Not Least: The User
Is that ‘job done’ on your identity management program? Not quite. Users, be they employees or customers, often bear the brunt of criticism for inadvertently exposing systems and data to compromise. This can seem somewhat unfair: ultimately, the primary focus of a sales exec is to drive business and generate revenue using whatever tools are available. “Security expert” isn’t part of the job description. Nevertheless, there are many basic practices – so-called good security hygiene – that require little additional effort beyond habit forming but can provide considerable benefit when adopted company-wide as part of a broad security culture. Small things like locking your device whenever you are away from it, not reusing passwords across sites, or not sharing credentials within a team. Bigger things like always checking with the IT or security team if it’s safe to install that productivity app (shadow IT remains a major concern for all organizations), or not storing sensitive customer data on your hard drive. Security training and awareness – ideally delivered in digestible quantities on a regular basis – is an important part of the security arsenal and should not be overlooked. These factors will all come together, driven by a seamless user experience from the supporting technology, to help embed good security hygiene as part of company culture and business as usual.
An Integrated Approach to Identity
To wrap up: EPM, SSO, and MFA – three acronyms that will help your users avoid those dreaded 7 words. To ensure that the IT and security teams are happy too, look for an integrated solution set or vendors that have established alliances. Consider an IDaaS solution as the optimum way to provide an identity platform for your organization. This will ease the processes of deployment, configuration, and management and ensure that the team can focus on making sure it delivers the most effective protection to your business, with the least friction for your employees and customers.
Author:Mark Child, Research Manager, IDC Security