The push to adopt digital transformation initiatives is prompting many organisations to accelerate their adoption of cloud technologies. That, in turn, threatens to disrupt some well-established security practices.
The situation can often put IT and security professionals at odds with developers and business execs, the latter two groups being eager to quickly launch new apps and devise new ways to share data.
This article looks to offer four strategies that we’ve seen proven effective in helping security professionals be more responsive to the business -- without compromising on strict security needs. The goal is to strike just the right balance between innovation and a secure, governable enterprise.
1) Make security an integral part of digital transformation – not an afterthought
The latest cloud application or disruptive technology is so critical to business success that it will be implemented by the business come hell or high water. That often means security is brought in as an afterthought, or worse, after the fact.
When security is forced to retrofit to projects already in flight, the result is often barriers and obstruction, which counteract the very motivation for digital transformation. Users become disgruntled, operations grind to a halt, and no one is better off.
The better approach is to have security at the table from the beginning, allowing new technologies to be deployed in a manner that is both transformative and secure. Moreover, users and the business can benefit from the new technology conveniently, without additional risk. Here are security practices that can strengthen digital transformation projects:
- First seek to leverage existing secure authentication methods wherever possible rather than creating a disjointed user experience requiring multiple authentication attempts, many passwords – and spurring users to find insecure workarounds. The result is user enablement, increased operational efficiency, reduced risk, and a default to doing the right thing, i.e. remaining secure.
- Similarly, extending established authorisation profiles to new applications (as opposed to defining authorisation independently on each application) streamlines the user experience, minimises risk, and removes one of the major barriers to successful digital transformation – security that obstructs business objectives.
- Finally, implement an adaptive, risk-based approach that only requires additional security assurances when the situation warrants it. Often the kneejerk reaction to a new application is to place a barrier (such as a VPN or multi-factor authentication) in the way of user access. But this is heavy-handed and often results in disgruntled users finding ways around the security measures. Instead, use an adaptive approach that takes into account a variety of risk factors (such as location, time-of-day, behaviour patterns, and role) and secure only when needed.
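To make the adaptive approach concrete, here is an added example (written for this article, not code from One Identity or the author) of a risk scorer that only demands step-up authentication, or denies access, when the combined signals warrant it. The factors, weights, thresholds and sample sign-ins are constructed assumptions, not values from any product.

```python
"""Adaptive, risk-based access decision (illustrative example).

Each sign-in is scored on the kinds of factors the article lists:
location, time-of-day, behaviour pattern and role. Step-up (e.g. MFA)
is required only when the score crosses a threshold; a higher threshold
denies outright. Weights and thresholds are constructed for illustration.
"""
from dataclasses import dataclass, field

@dataclass
class SignIn:
    user: str
    role: str               # e.g. "staff" or "admin"
    country: str            # geolocated country of the request
    hour: int               # local hour of day, 0-23
    known_device: bool      # device previously seen for this user
    failed_attempts: int    # recent failed logins for this user

@dataclass
class Policy:
    home_countries: set = field(default_factory=lambda: {"GB"})
    business_hours: range = range(7, 20)
    privileged_roles: set = field(default_factory=lambda: {"admin"})
    step_up_at: int = 30    # score at which MFA is required
    deny_at: int = 70       # score at which access is refused

def risk_score(s: SignIn, p: Policy) -> int:
    """Sum weighted risk signals; a higher score means a riskier request."""
    score = 0
    if s.country not in p.home_countries:
        score += 25                         # unusual location
    if s.hour not in p.business_hours:
        score += 10                         # outside normal hours
    if not s.known_device:
        score += 20                         # unfamiliar device
    score += min(s.failed_attempts, 5) * 10  # repeated failures (capped)
    if s.role in p.privileged_roles:
        score += 15                         # higher impact if compromised
    return score

def decide(s: SignIn, p: Policy = Policy()) -> str:
    """Return 'allow', 'step_up' (require MFA) or 'deny'."""
    score = risk_score(s, p)
    if score >= p.deny_at:
        return "deny"
    if score >= p.step_up_at:
        return "step_up"
    return "allow"
```

A routine office sign-in passes without friction, while an admin on an unfamiliar device is asked for MFA and a failing, off-hours, foreign sign-in from an unknown device is refused.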
2) Bring Shadow IT out of the shadows
Shadow IT is so ingrained in digital transformation that the two have almost become synonymous. But it doesn’t have to be that way.
The reason line-of-business users adopt new technologies without IT’s knowledge or security’s endorsement isn’t because they don’t want them to know – it’s because they don’t want security and IT to tell them “no.”
So, the success technique here is for security professionals to switch from an attitude of denial and restriction (just say no, or sometimes maybe) to one of enablement and empowerment (let me help). This simple shift, while often easier said than done, will be welcomed by individuals who may have been acting rogue for a while.
The theme for security professionals to keep in mind is that it’s all about communication and working to prove themselves as partners. Some tips:
- Take more interest in the operations and objectives of a project – rather than simply focus only on a project’s vulnerabilities.
- Find out what the line-of-business is working on, uncover their concerns and goals, and insert yourself as an ally—rather than a killjoy there to shut them down.
- For example, if provisioning encompasses all systems, uses a unified authorisation, and empowers the line-of-business to do much of the work themselves (rather than having to rely on IT), “yes” becomes the default answer from security rather than the exception.
3) Stay away from silos
The knee-jerk reaction to the introduction of a new technology is to look at it as an island, unrelated to the rest of the enterprise. Securing this island is easy—you implement the best authentication, iron-clad authorisation, and purpose-built administration of users and access.
However, digital transformation often requires many islands to talk to (or work with) one another. Rather than islands, think of a thriving island chain in the enterprise ocean.
Without that more global vision, you’ll end up with too many passwords, role-bloat, and the need for IT to get involved any time anything deviates from the norm. Nothing could be further from the essence of a digital transformation.
So, to pivot your point of view, think about ways to leverage well-known fundamentals of access and security—authentication, authorisation, and administration.
Here are some ways we’ve found to implement these for new applications or services in a manner that reduces complexity, avoids redundancy, and streamlines administrative activities. Essentially, security professionals should:
- seek to provision once (and while you’re at it, let the line-of-business drive),
- establish a single source of the truth for roles and authorisation that applies across all applications (legacy, cloud, whatever),
- and automate as much as possible with orchestrated processes and a high level of self-service.
In other words, embrace the cloud, but not at the expense of legacy systems. Seek to serve both masters—it can be done.
4) Make identity your new perimeter
Digital transformation may be great for the business – but unless IT and security are invited to be involved early, these projects can extend the threat surface. With an expansion of cloud and mobile solutions, risks can be exacerbated – and that hurts business, not helps it.
But thinking about digital transformation and security as two sides of the same coin brings a win-win perspective. Security professionals must adapt to the need for speedy digital transformation projects to empower the business. Businesses must come to grips with the idea that a cool new app, if broken into, could kill not just the project, but the company.
A major key to making this pivot in perception is thinking of identity as the new perimeter: With rock-solid authentication and a very clear view of which users should have access to what, it becomes much easier to detect bad actors and lessen the impact when the inevitable breach occurs.
When the right people have the right access to the right systems in the right ways (and it’s easy for them), only then can the true potential of digital transformation be realised. The business achieves its objectives, users are happy and productive, and it all happens without an increase in risk or a decrease in security.
Todd Peterson, IAM evangelist, One Identity