The survey, which was undertaken by Dimensional Research, involved 460 IT professionals and 301 business users. They were asked a series of questions covering security, how it is implemented, its impact on users' ability to work and how IT views context-aware security.
Access management not conducive to productivity
The report states that 91% of users feel that security measures put in place by their employer negatively impact their productivity. It sounds shocking, but when you drill into the statement it is not as bad as it seems. Responses broke down as follows:
- 11% Always
- 23% Frequently
- 38% Occasionally
- 20% Rarely
- 9% Never
The challenge is in understanding what is meant by "frequently" and "occasionally". Does either represent weekly, monthly or even yearly? Even putting that to one side, the number really comes down to the 34% who can say that they are genuinely suffering a hit to productivity, while the majority are merely inconvenienced by changes to security.
The numbers should also be considered in the light of compliance requirements and the increase in penalties for security and data breaches. After years of somewhat lax security, many organisations are having to do a lot to correct a very broken process. Unfortunately, it is not possible to simply throw security away and start again, so there will be a constant hit on some users as access and controls are tightened up.
It is not just changes to security that are having an impact. One of the key points from the survey is the impact that multiple username/password combinations are having on users. When asked about multiple password combinations, surprisingly, 2% said they had none and only 13% said they had a single combination.
Of those with multiple usernames/passwords 56% had 2-5, 18% 6-10 while 11% had more than 10. If these numbers represented IT staff then this latter group would almost certainly be system administrators who have to support multiple applications and environments. Interestingly, these numbers are just extrapolated from the business users which suggests that they are using multiple in-house and cloud services which would force them to use different username/password combinations.
Sadly, it is not possible to determine from the survey whether that 13% had access to password vault programmes or if their employers had implemented successful single sign-on programmes. It also raises the question as to why those with large numbers of username/passwords had not considered some form of password vault themselves.
The rise of the mobile device and its impact on security
IT departments have come to accept the role of Bring Your Own Device (BYOD) over the last two years. How effective it is remains disputed. This survey showed that just 62% of IT staff felt it increased productivity and 72% felt it brought new security challenges to the business.
Mobile Device Management (MDM) suites have sold well over the past two years as BYOD has gone mainstream, but solving the management conundrum is not easy. Some companies, such as IBM, started with very strong policies that dictated what users could run on their device. As MDM products rolled out, that policy was relaxed because the business became able to manage its own data. Interestingly, BlackBerry's recent purchase of Good Technology would indicate that there is still potential in this market.
It is surprising that only 46% of those surveyed said that the main mobile device they use for work is owned by them. This could be a smartphone or a tablet, but that distinction is not made here. It is also interesting that 51% manage the device themselves, with just 12% of devices having split control, where users and companies manage their respective apps and data on the device.
It is important that business and users have split ownership. In the past, users have objected to any corporate management as the default approach to a lost, stolen or misplaced device was to wipe ALL data, business and personal from the device. This means that users often delayed informing the company of a loss in the hope of recovering the device themselves. Split management means that each side can look after their own data.
The importance of the business having control is shown by the fact that 83% of users admit to using their device to access data at least once per day. 23% were accessing data more than 20 times a day.
Security on the go
A key benefit of mobile is that it is used both inside and outside the office, and 52% of users admitted to working remotely. It is not surprising, therefore, that 82% of those users were required to use additional security measures when connecting to corporate resources. The bigger surprise, from a security perspective, is that 18% were not required to implement additional security, especially given the risk of them using public WiFi.
Cloud yet another security challenge
There is a general acceptance that cloud improves employee productivity. The problem for IT is that it often has no visibility of which cloud services users are accessing or how secure they are. This is reflected in the report, with 77% of IT staff believing there is a productivity gain and 74% accepting the security challenge posed by cloud. The interesting thing for most organisations is almost certainly the "No" responses here.
Time for a context aware approach
One of the problems with the traditional security approach is that it forces users to find workarounds. An example of this is users dumping data to cloud storage while in the office so that they can access it easily when mobile. As soon as they start to develop their own workarounds to security silos, security becomes the weak point.
This is the key message in the press release that accompanies the survey. It talks about ‘a context-aware approach [that] alleviates mismanagement of access issues by focusing on the context of the access request to ensure access is appropriate in real-time.’ This sounds great but for many organisations it poses significant challenges.
Dell believes that it is not an insurmountable problem. In the press release it states: ‘The other IT gains the ability to automate and “step-up” to multifactor authentication when the context dictates for an informed, priority-based decision specific to the situation.’
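To make the "step-up when the context dictates" idea concrete, here is an added illustration, not code from the survey, the press release or any Dell product, of how a context-aware access decision can be expressed. The context attributes (network type, whether the device is under MDM control, data sensitivity, whether a second factor was already presented) and the risk weights are assumptions chosen for the example; the point is that the same user and resource can yield allow, step-up or deny depending on the request's context.

```python
"""Context-aware access decision with step-up MFA (added illustration).

Every attribute name, weight and threshold below is an assumption made for
this example; a real policy engine would take them from its own policy store.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"   # grant only after a second factor is presented
    DENY = "deny"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    sensitivity: int           # 0 public, 1 internal, 2 confidential, 3 restricted
    network: str               # "corporate", "remote_vpn" or "public" (assumed labels)
    device_managed: bool       # True when the device is under MDM control
    mfa_completed: bool        # True when a second factor was already presented
    failed_logins_last_hour: int = 0


# Hypothetical risk weight per network type; unknown networks score as public.
NETWORK_RISK = {"corporate": 0, "remote_vpn": 1, "public": 3}


def risk_score(req: AccessRequest) -> tuple[int, list[str]]:
    """Sum the contextual risk signals and record which ones fired."""
    score, reasons = 0, []
    net = NETWORK_RISK.get(req.network, 3)
    if net:
        score += net
        reasons.append(f"network={req.network}")
    if not req.device_managed:
        score += 2
        reasons.append("unmanaged device")
    if req.failed_logins_last_hour >= 3:
        score += 2
        reasons.append("recent failed logins")
    score += req.sensitivity          # more sensitive data raises the bar
    return score, reasons


def decide(req: AccessRequest) -> tuple[Decision, list[str]]:
    """Turn the score into allow / step-up / deny.

    Hard rule first: restricted data never goes to an unmanaged device,
    whatever the score. Then a high score denies, a moderate score asks
    for a second factor unless one was already given, and low risk passes.
    """
    score, reasons = risk_score(req)
    if req.sensitivity >= 3 and not req.device_managed:
        return Decision.DENY, reasons + ["restricted data requires a managed device"]
    if score >= 6:
        return Decision.DENY, reasons
    if score >= 2 and not req.mfa_completed:
        return Decision.STEP_UP, reasons
    return Decision.ALLOW, reasons


if __name__ == "__main__":
    # Constructed requests: same user and resource, different contexts.
    office = AccessRequest("alice", "crm", 1, "corporate", True, False)
    cafe = AccessRequest("alice", "crm", 1, "public", True, False)
    cafe_mfa = AccessRequest("alice", "crm", 1, "public", True, True)
    for req in (office, cafe, cafe_mfa):
        d, why = decide(req)
        print(f"{req.network:9} mfa={req.mfa_completed!s:5} -> {d.value:8} {why}")
```

The dial the press release describes sits in `decide`: the office request passes silently, the same request from a public network is asked for a second factor, and once that factor has been presented it is allowed without the user having to look for a workaround.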
What it doesn’t do is explain exactly what context-aware will mean to companies. Many existing Identity and Access Management approaches are broken due to poor long-term management. For example, stay with a company long enough and as you change roles and get promoted you gain access to new data.
What doesn’t or what rarely happens is that you lose access to systems that are no longer applicable to you. As a result, there are a lot of senior people inside companies that have access to vast tracts of data that they no longer need or even have a right to access.
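The access creep described in the two paragraphs above is something an access review can detect mechanically. The following is an added example, not from the survey or any vendor, of comparing each user's accumulated grants against what their current role justifies. The role-to-entitlement mapping, the users and the grant history are constructed for the illustration.

```python
"""Find entitlements a user retains from earlier roles (added illustration).

ROLE_ENTITLEMENTS, the users and the grant records are constructed sample
data; a real review would read them from the IAM system and HR feed.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Grant:
    user: str
    entitlement: str
    granted_for_role: str   # the role the user held when the grant was made
    granted_on: date


# What each role is supposed to need (assumed mapping).
ROLE_ENTITLEMENTS = {
    "analyst": {"finance-ledger-read", "reporting-tool"},
    "manager": {"finance-ledger-read", "reporting-tool", "payroll-export"},
    "director": {"board-papers", "finance-summary"},
}


def excess_grants(grants: list[Grant], current_roles: dict[str, str]) -> dict[str, list[Grant]]:
    """Return, per user, grants their current role does not justify.

    A user whose current role is unknown is treated as justified for
    nothing, so every grant is flagged for review rather than ignored.
    """
    report: dict[str, list[Grant]] = {}
    for g in grants:
        role = current_roles.get(g.user)
        allowed = ROLE_ENTITLEMENTS.get(role, set())
        if g.entitlement not in allowed:
            report.setdefault(g.user, []).append(g)
    return report


def summarise(report: dict[str, list[Grant]], today: date) -> list[str]:
    """One line per stale grant, oldest first, with its age in days."""
    lines = []
    for user, stale in report.items():
        for g in sorted(stale, key=lambda x: x.granted_on):
            age = (today - g.granted_on).days
            lines.append(f"{user}: {g.entitlement} (granted as {g.granted_for_role}, {age} days ago)")
    return lines


# Constructed history: alice rose from analyst to director and kept everything.
GRANTS = [
    Grant("alice", "finance-ledger-read", "analyst", date(2010, 3, 1)),
    Grant("alice", "reporting-tool", "analyst", date(2010, 3, 1)),
    Grant("alice", "payroll-export", "manager", date(2013, 6, 15)),
    Grant("alice", "board-papers", "director", date(2015, 1, 10)),
    Grant("alice", "finance-summary", "director", date(2015, 1, 10)),
    Grant("bob", "finance-ledger-read", "analyst", date(2015, 5, 2)),
]
CURRENT_ROLES = {"alice": "director", "bob": "analyst"}

if __name__ == "__main__":
    for line in summarise(excess_grants(GRANTS, CURRENT_ROLES), date(2015, 9, 1)):
        print(line)
```

Run against the sample data, the review flags alice's three inherited grants and nothing for bob. The output is a candidate list for revocation, not an automatic removal: a reviewer still confirms each one, which is exactly the step that, as the article notes, rarely happens in practice.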
The problem of excess credentials can also be addressed by using password vaults or single sign-on solutions. These are relatively inexpensive and easy to implement. Over the last three years all the major providers have created integrated solutions that work with on-premises systems and cloud services and can be run on a variety of mobile devices.
According to John Milburn, executive director and general manager, Identity and Access Management, Dell Security: “It’s undeniable that IT staff, business professionals, and employees struggle with security. The business puts security first above employee convenience, and, right now, IT thinks it has only two options for security – turn the dial to 1 (open) or 11 (super secure).
“Context-aware security gives IT the ability to adjust the dial in real-time, giving users the convenience they desire without resorting to risky workarounds, and giving the security team the confidence they need to keep the organisation both safe and productive.”
Dell is shining a spotlight into a corner of security that everyone accepts is a mess but doesn’t really want to look at. While context-aware is a final goal, companies will often have to find halfway houses such as single sign-on or password vaults.
The fact that so many business users claim to have more than 6 username/password combinations is more about a failure of security and process than a failure of tools.