As we approach 2022, organisations are looking at long-term strategic approaches to enabling remote work. As IT and business leaders plan a vision for this new future, security and risk mitigation are at the top of their agendas. This shift also requires a new approach towards employee accessibility and trust. Nimbus Ninety and Ping Identity sat down with IT and security leaders to discuss their long-term plans for enabling work-from-anywhere and, in particular, their approaches to security and passwordless authentication.
The Steps of Working-From-Anywhere
Richard Bird, Chief Customer Information Officer, Ping Identity, kicked off the evening by acknowledging it is unimaginative to say the pandemic has changed everything, but this is the truth in security: when it comes to risk mitigation, the stakes are high. For many organisations, advanced authentication was merely a concept, but the pandemic has forced it to become a reality. The gaps in secure access created by the adoption of a work-from-anywhere culture have accelerated the attitude that passwordless is a viable option moving forward.
However, passwordless is a journey. Organisations must assess their current level of security maturity, and for many, the ability to transition to a passwordless business model is unlikely to be immediate. Multi-factor authentication is a fundamental component of the journey, with QR codes, biometrics, and physical keys paving the path for a passwordless experience. Organisations must next evaluate which methods work best for them, and also whether they are possible. This needs to make sense from an operational standpoint, with each organisation having its own custom requirements pertaining to user experience. Once you understand your user base requirements and login scenarios, you can create higher-tier authorisation and authentication capabilities. You can then evaluate risk and determine which actions need to be stepped up or stepped down.
Embarking on the Path to Passwordless
In a poll undertaken by attendees, the majority conceded that they are either learning about the journey to passwordless or at the beginning of the journey. Only 11% had current passwordless capabilities, which Richard Bird could bet was only implemented on a small scale. With attendees all in a similar position on the journey of working-from-anywhere, the discussion produced the following key observations:
- People are no longer the barriers to passwordless. People are not necessarily a roadblock on the road to passwordless anymore. The pandemic has produced a personal and work-life cross-over through a technological and cultural shift, with the adoption of passwordless now more readily accepted in the workplace, especially by younger employees, who are used to and demand quick access. Organisations now need to work towards delivering this expectation, and employees are quick to embrace the change. As noted by multiple attendees, the process is much more than turning on a piece of technology: it requires a fundamental shift in managing data, information, and processes. This game of catch-up is confounded by hardware supply chain issues. Hardware is not always available, or it is not appropriate for many highly regulated industries. Furthermore, since the pandemic began, the demand for work-from-anywhere tech has sky-rocketed, putting further pressure on already strained manufacturers and supply chains.
- The path to passwordless is marred by trust issues. An atmosphere of distrust still surrounds the process, especially within highly regulated environments. However, cybersecurity breaches have not reduced in the last 30 years; they are actually getting worse. To tackle the growing pains of increasing security and risk mitigation, it is beneficial to begin with ‘small wins’ like low-risk activities that do not access highly sensitive material. The key challenge of the work-from-anywhere model is balancing security with productivity. A fundamental trust in employees is necessary to be confident that they can do the work while maintaining the safety and security of the information when it is accessed remotely.
- There are demographic considerations when choosing to implement passwordless within organisations. It was noted that despite preconceptions about younger employees being a risk to security due to a potential lack of value placed on data protection, security risks are across the board when it comes to the demographic of employees. Mistakes can be made by the most careful employees, with hackers averaging a dwell time of 280 days within organisations. The issue of the persistence of trust that allows for these security breaches requires a fundamental change in attitude towards who is trusted. The ability to ask questions and challenge legacy practices is paramount.
- It is important to consider time-to-value. Rather than purely focusing on implementation time and return on investment, organisations are considering the time it takes to add value to people and processes. The need to balance security with productivity increases the value of the journey by ensuring it speeds up the business. Passwordless may not be applicable for all organisations, nor can it be deployed in all business areas or scenarios. The realities of legacy technology and issues with agility all must be considered to produce value from the journey. Although passwordless is an important capability, organisations need to approach it from a strategic standpoint. Understanding what the best model is for each business to service customers and employees accelerates the time-to-value process.
This event was held in partnership with Ping Identity, an American software company.