Skip to main content

Better security means access is not a simple yes/no question

(Image credit: Image Credit: 8MAN)

It seems simple: to keep data secure, you need to make sure that the person requesting access is who they say they are, and they have the right to access the data they are requesting.

But, as with everything else, it shouldn’t be so simple—not if you want to get security right. Not all data is equal. Some data should be protected with the strongest security, while other documents are far less critical. And proving identity is also not quite so straightforward—it’s far easier to trust an employee using a company-owned device in the office than one working remotely using an unsecured device.

So as an IT service provider or managed service provider (MSP), how do you strike a balance?

One approach is to make everything highly secure and ensure that every employee requesting access proves who they are without room for doubt. But not only is this time consuming and inefficient, this is how employees end up circumventing security—posing an even bigger danger. Instead, a new approach is needed—one that assesses the risk of each request and demands the appropriate response.

The risk presented

With the lines between work and play blurring, and employees using their work devices for personal use—and vice versa—attempting to protect a business by declaring that particular devices are safe is no longer sufficient.

The level of access that is granted to each individual needs to be based on the level of confidence, or risk, they present to a business, and the level of resource access they require. So, if an employee is accessing the company network using a corporate device that is trusted, we know that that individual is secure—this person presents less risk.

But if this same person was accessing the network from a different device, say a personal one, that the network had never seen before, and from an unfamiliar place—then this person’s level of risk would go up.

The material that an individual is also trying to access needs to be considered. If the material is particularly sensitive, or is outside the regular level of access, then again, the risk increases.

When we think of risk, it’s about assessing whether the individual is who they say they are, and how likely it is that a compromised device is trying to gain access to the network.

Adding pressure

This does mean that when increased risk is present, there is some extra work for the user. Instead of granting automatic access, and potentially allowing an infected machine or unauthorised user to come onto the network, the user could be asked for additional authentication, to prove they are who they say they are.

This approach is something most people see on a day-to-day basis. When you collect a parcel or a package, although you may have an order number, you will be asked to prove your identity with photo ID or a bank card.

It’s an approach that’s widely embraced in the world of mobile banking. While minimal security is needed to look at a bank balance—usually a four or a six-digit code—if a person wants to transfer funds, then an added level of authentication is needed, to ensure protection against fraudulent behaviour.

But while adding pressure may seem like an added inconvenience, it doesn’t need to be if MSPs and IT service providers follow the 80/20 rule—treating 80 per cent of their employees in a similar fashion and treating the ‘risky’ 20 per cent with higher levels of security.

Most employees and users (the 80 per cent) will have the same needs—they will require regular access to certain materials, and restricted access to more sensitive information. The ‘risky’ characters (the 20 per cent) can also be easily identified, as they will be employees that require access to more sensitive information—such as IT administrators, HR and finance staff, and C-level executives.

Applying the 80/20 rule

With this in mind, how do MSPs and IT service providers apply the 80/20 rule, and in which scenarios is more pressure needed? How does an MSP know where their responsibilities end?

Ultimately, there will be certain users where an MSP will need to go further than it has done before, to ensure that they are fully secure. If there is a person within the organisation that can access the crown jewels, then it’s the MSPs responsibility to ensure that anyone trying to get their hands on the jewels isn’t doing it from a device that is dirty, from a network that is compromised, and that a close eye is being kept on their activity.

Let’s put this into practice. The head of HR for an organisation will be able to access data on every single employee within their organisation—and accessing this information from an untrusted, insecure device presents a huge risk. In this instance, an MSP will want to ensure that the device is controlled and that it hasn’t been compromised. It may be that security trumps convenience here, and that the user needs to use a trusted device to access the most sensitive information.

The MSP’s responsibility is to understand the most important and sensitive data about the businesses it serves: the data it holds, the data that needs protecting, the systems that are used to access this data, and the individuals that have access to it. The MSP also needs to create a division between the 80 per cent and 20 per cent staff, as well as identify the crown jewels that need special protection.

Better security, better access

With the rise of remote working, and the increase in cybersecurity threats, businesses today can’t afford to simply grant broad access to every employee in the same way. They need to use the 80/20 rule to appropriately balance risk and security.

MSPs and IT service providers have an important role to play as a trusted partner to businesses, ensuring they are keeping data secure, and giving users the access they need to be able to do their jobs. In order to do this, MSPs need to ensure they fully understand their customers’ businesses and their most precious data. They also need to put processes in place to ensure that trusted employees can access this data and apply pressure in circumstances that could be considered risky.

An MSP ultimately needs to ensure that only royalty can have access to the crown jewels.

Tim Brown, VP Security, SolarWinds MSP