The Superpower of “Yes! But…”

What is your security superpower today?

It seems quaint now, but there was a time not so long ago – before the pandemic – when security administrators ruled over their IT fiefdoms through the Superpower of NO!

Want access with a mobile device? NO!

Want access from home? NO!

Want access from the road? NO!

But with the rapid emergence of a remote workforce due to Covid-19 – not to mention the proliferation of mobile devices, convergence of cloud applications, and general consumerization of IT prior to that – power over access has shifted in ever more accelerating ways. In little more than a dozen years – and especially over the past 18 months – these end users stormed the castle walls that security admins oh-so-carefully constructed to protect their enterprise resources over the previous four decades.

So how will the Guardians of the Enterprise continue to save the day?

The command-and-control approach – the Superpower of “No!” – that served IT security teams so well for so long has been usurped by the Kryptonite of the New Normal because of the pandemic. By necessity, it was already being replaced by the Superpower of “Yes!” prior to the pandemic.

But even the staying power of just saying yes wasn’t going to last. With the rapid digital transformation driven by the remote workforce that grew out of the pandemic, security admins need an even stronger superpower. They need the Superpower of “Yes! But…”, which they can achieve through a Zero Trust Access approach that is ideally designed for the security challenges of the Next Normal.

The New Overlords

In retrospect, it should have been easy to see the shift in power from the security admin to the end user, even prior to the pandemic. Gartner warned as early as 2005 that consumerization would be “the most significant trend affecting IT” over the next decade. Yet many security admins were slow to realize just when the inflection point came…and went.

In their personal lives, employees could share (and yes, even overshare) through social channels. They could bank from home, on the road or at their kids’ soccer practices through mobile devices. They could shop for the holidays without ever having to battle it out for a parking spot at a mall in December. They could use cloud applications to track everything from measuring their heartbeats to managing their 401Ks.

As mobility manifested itself across every aspect of their personal lives, end users questioned why the organizations they worked for couldn’t say Yes, at least a little bit more, to greater access to their work resources from the outside. They became the New Overlords of the enterprise.

The other overlords – the folks in the C-suite – around the same time saw how early movers in eCommerce such as Amazon, eBay, Travelocity and Hotels.com streamlined the user experience and still made a lot of money doing so. They couldn’t help but wonder what a similar strategic approach to the digital enterprise would do for their own organizations.

Why couldn’t the overlords – both in the C-suite and down on the floor – do what they did with their personal devices, both mobile on the road and from the desktops in their homes, through the cloud, from anywhere, at any time?

What the pandemic has shown is that the consumerization of IT was already making organizations more productive, much, much more flexible, more competitive, and even more responsive in real time – to their employees, to their contractors, to their partners, and ultimately to their customers. The needs of these New Overlords to do their job from wherever they happened to be during the pandemic changed the world of the Guardians of the Enterprise – the security admins – forever.

MDM – The Myth

Prior to the pandemic – remember then? – security admins tried to issue everyone their own devices: Blackberries, mobile phones, laptops, tablets, etc. Great idea, poor execution. It worked for a while, but it quickly became apparent that people didn’t want to carry and manage yet another device – especially when they already had a personal device that in a perfect world should allow them to seamlessly access their enterprise resources.

So security admins capitulated, dipping their toes just a little deeper into the consumerization of IT with BYOD – Bring Your Own Devices. Ideally, the BYOD approach saves organizations money – through less capital investments in devices – while increasing user flexibility.

Some of the most evangelical supporters also posited that BYOD would reduce the burden on IT departments. After all, the bean counters surmised, if the organization didn’t own the devices, it should be easier to manage them. But the converse proved true – with the explosion of outside devices seeking access to enterprise resources, even more security was needed to deal with the outside threats.

The IT vendor world quickly took note of this business opportunity. Soon Mobile Device Management (MDM) platforms swamped the market, promising to take the onus for managing security policies for those devices off the shoulders of rapidly shrinking security teams as budgets tightened.

The only problem was, they didn’t. MDM was just one more siloed solution for security admins to manage – and one that often didn’t play well with their other enterprise applications. That was just one challenge. MDM solutions also didn’t help manage the unique ways in which end users were accessing enterprise resources from the outside. Yet they’re still around today.

Someone logging in from home through their personal PC or a corporate machine would go through a VPN. If they were logging in from a mobile device, a phone or a tablet, they would have to log in to an MDM solution. If that same person was logging in at the office, they would go through yet another gateway. Most importantly, the files the end user could view on the VPN may be different from someone coming in through the MDM platform, and may not have been close to what they could see if they were accessing their files locally.

In addition, each method of access may have had its own unique credentials. In reality, too often those credentials were just the user’s work email and a password that was easily compromised by hackers – credentials often used over and over and over again for multiple applications.

The New Superpower – Yes! But…

So, the consumerization of IT, while great for the end user, was already becoming a nightmare for security admins well before the pandemic. Like a mutant cloud sprung from the pages of a comic book, the IT security sprawl quickly spread across siloed solutions (including MDM), both local and in the cloud. The more applications, the more opportunities for supervillains to poke holes in the infrastructure…and the need for even more security solutions for admins to manage to plug those gaps.

What caused this IT security sprawl? The problem is that the vast majority of organizations – and end users – still rely on rudimentary credentials to prevent unauthorized access. Usernames and easily hacked passwords just don’t get the job done. Research shows that hackers use stolen or weak passwords in 81% of breaches. That’s not surprising, when you consider that 7.3% of users fall prey to phishing attacks – and those whose credentials are compromised through such attacks are more prone to fall for another phishing expedition.

Then the pandemic hit and everybody went home. Security’s superpower of Yes needed to morph once more, into Yes! But…

What do we mean by Yes! But…? In a post-pandemic world where the breach du jour can affect everything from hotel reservation and financial reporting systems to your local blog and website, end users still need to be able to access their valuable resources. But on the flip side, in your Next Normal those resources still need to be protected, even more so now than ever.

It’s not enough to just let anyone with a username and password log in. Additional questions should be answered – is this a trusted user, using a trusted device, from a trusted location, and even at a trusted time?

That’s where context of access comes in. It considers other factors within the user’s universe – the accessing device’s unique identifier, its security status, the type of device and network connection, even the location and time of the access request. Armed with that information, security admins can determine the level of access to grant – the superpower of Yes for granting access through the cloud or from an employee’s home office, But not granting access to everything if the circumstances surrounding a user’s context of access have changed.

A good example is a finance employee of a publicly traded company preparing for the next earnings call. If word gets out early about the corporate results, he could find himself so deep in trouble that even Captain America couldn’t save him. In the office, he has access to everything he needs to get ready for the call. He can edit the press release, work on the price-to-earnings ratio, update revenues as the quarter nears a close, and adjust headcount numbers depending on just how good of a quarter the company had.

But what happens when he now has to work on those projects from home or the coffee shop down the street from his house? His universe has changed. He’s now using a device that may not be recognized to try to access the same proprietary files. He’s now on a network connection that could be easily hacked. The axis of his context of access has shifted. On the other hand, you may want to grant a CFO – who in theory has a better understanding of the rules and regulations involved – more access when she is outside the organization.

Based on your security policies, yes, you may still want to grant the finance employee limited access – for instance, to Exchange, so he can check his calendar for upcoming appointments and respond to email. But you must ask the question: should the finance employee have access to that upcoming proprietary draft of the quarterly earnings report from such a compromised environment, especially with the rise of ransomware attacks and phishing campaigns since the pandemic started?
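The finance-employee scenario above boils down to a policy that reads the context of a request – who is asking, from which device, over which network, at what time – and answers with a tier of access rather than a flat yes or no. The following is an added example, not code from the original post or from any product it describes; the users, device identifiers, resource names, business-hours window and the rule that a CFO may open sensitive files off-site are all constructed assumptions to illustrate the “Yes! But…” decision.

```python
"""Context-of-access policy evaluator (added example, not from the original post).

A request carries user, device, network and time context; the policy answers
FULL, LIMITED or DENY per resource.  Every name, resource and threshold below
is a constructed assumption standing in for a real inventory and real policy.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Tuple


class Access(Enum):
    DENY = "deny"
    LIMITED = "limited"  # everyday resources only (mail, calendar)
    FULL = "full"


@dataclass(frozen=True)
class Request:
    user: str
    role: str             # e.g. "finance" or "cfo" (constructed roles)
    device_id: str        # unique identifier the device presents at sign-in
    device_healthy: bool  # passed a posture check: patched, encrypted, not jailbroken
    network: str          # "corporate", "home" or "public"
    hour: int             # local hour of the request, 0-23
    resource: str


# Constructed device inventory: device identifier -> user it is registered to.
REGISTERED_DEVICES = {
    "lap-0042": "alice",  # finance employee's corporate laptop
    "lap-0007": "carol",  # CFO's corporate laptop
}
# Constructed resource classes.
SENSITIVE = {"earnings-draft", "press-release"}
EVERYDAY = {"exchange-mail", "exchange-calendar"}
BUSINESS_HOURS = range(7, 20)  # assumption: 07:00-19:59 local time


def evaluate(req: Request) -> Tuple[Access, str]:
    """Return (decision, reason).  Each context factor narrows the answer."""
    # A device that fails its posture check gets nothing, whoever holds it.
    if not req.device_healthy:
        return Access.DENY, "device failed posture check"

    known_device = REGISTERED_DEVICES.get(req.device_id) == req.user
    trusted_network = req.network == "corporate"
    trusted_time = req.hour in BUSINESS_HOURS

    if req.resource in EVERYDAY:
        # "Yes": mail and calendar from anywhere, as long as the device is healthy.
        return Access.LIMITED, "everyday resource from a healthy device"

    if req.resource in SENSITIVE:
        # "But": sensitive data requires a device registered to the requester ...
        if not known_device:
            return Access.DENY, "sensitive resource from an unrecognised device"
        # ... plus the corporate network in business hours, or a role the
        # policy trusts off-site (the post's CFO example).
        if trusted_network and trusted_time:
            return Access.FULL, "registered device, corporate network, business hours"
        if req.role == "cfo":
            return Access.FULL, "CFO on a registered device; off-site access allowed by policy"
        return Access.DENY, f"sensitive resource from {req.network} network"

    return Access.DENY, "resource not covered by policy"


if __name__ == "__main__":
    # Constructed requests mirroring the scenario in the post.
    samples = [
        Request("alice", "finance", "lap-0042", True, "corporate", 10, "earnings-draft"),
        Request("alice", "finance", "phone-personal", True, "public", 21, "earnings-draft"),
        Request("alice", "finance", "phone-personal", True, "public", 21, "exchange-mail"),
        Request("carol", "cfo", "lap-0007", True, "home", 22, "earnings-draft"),
    ]
    for r in samples:
        decision, why = evaluate(r)
        print(f"{r.user:6} {r.resource:16} {decision.value:8} {why}")
```

The posture check runs first because a compromised device turns every other signal into noise; after that the everyday-versus-sensitive split is what lets the policy say “Yes” to the calendar and “But” to the earnings draft in a single evaluation. A production engine would pull the device inventory and posture from a directory or endpoint-management source rather than a hard-coded dictionary, but the shape of the decision is the same.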

The good news is that it doesn’t take the Fantastic Four to regain control over how your end users access your infrastructure in a constantly evolving post-pandemic world. Using context of access, security admins today can seamlessly achieve substantially stronger granular control over access to their enterprise resources, wherever they are.

Even better, this approach makes the lives of your security administrators and end users easier as they navigate through the uncertainties of the Next Normal. With the Superpower of “Yes! But…”, you won’t need the Incredible Hulk to bust out of his shirt to save the day.
