
Security: The Ultimate Balancing Act

The phrase “balls to the wall” has been co-opted to mean things you wouldn’t want to discuss with your grandmother. But one popular account of its origin points to the centrifugal governor used on steam engines to hold a consistent speed regardless of the load placed on the machine.

The way it worked was elegantly simple. As the drive shaft rotated, a pair of weights (usually spherical) attached to it by hinged arms swung outward under centrifugal force. The faster the rotation, the farther out the weights swung; as the rotation slowed, gravity pulled them back down. The arms were linked to a valve that regulated the steam flow, so that slowing rotation admitted more steam and faster rotation admitted less. Thus balance and speed were maintained. Full speed meant the weights were at their full extension, or, as it was said, “balls to the wall”.

[Diagram of a centrifugal governor]

Like these centrifugal governors, security needs balance. Businesses need immediate and convenient access to information and applications to react faster to changes in competitive markets.

Coupled with today’s consumerization of expectations, and reinforced by the threat of shadow IT, there is pressure on IT to deliver access to information from anywhere, on any device, without security hassles. Yet complaints about security hassles cannot be allowed to dictate excessive risk exposure.

Ideally, security governs access to information at the speed of business.

In practice, security organizations tend to focus on preventing fiendishly clever external attackers from stealing everything of value not nailed down, while keeping malevolent or misguided privileged users from exposing sensitive information. These are critical tasks, but the business perspective is often lost in them.

So what can be done to govern the balance between convenience and risk?

We’ve heard identity referred to as the “new perimeter,” meaning IT no longer has the luxury of relying on an elaborate perimeter infrastructure to keep the bad guys away from corporate data. Instead, IT must now focus on protection at the individual level for the massive amounts of data being accessed by people, from any device, anywhere, anytime.

Indeed, a shift from perimeter defense to interior defense might characterize what is happening from an IT perspective. But that is a very IT-centric way of viewing security, and it doesn’t quite capture the point that identity is a business enabler as much as a security tool.

Identity should be considered far more strategically. It is how organizations not only identify their employees, contractors or partners, but more importantly, their customers. Identity is not only an enabler for more productive work, but a connection to customer interaction that can spur new offerings to meet unrealized or potential demand.

Rather than worry about how IT defines perimeters, CIOs and senior IT leaders must get a much deeper appreciation of identity and its singular ability to enable the business. This is a defining moment for IT. Understanding how identity powers businesses to seek out new revenue opportunities, improve engagement models with customers and partners and unleash the creativity and capacity of the workforce is a necessity if IT is to remain not just supportive of the business, but more importantly, a relevant business partner worth engaging to drive the business forward.

So what can be done specifically to keep risk from spinning out of control, without shutting down the engine of business? A few ideas:

Gain identity context – associate identities with their activities, and judge whether the behavior they demonstrate is appropriate and normal for that individual

Reorient access control thinking – move from device-specific controls to application- and information-level access controls, particularly for mobile devices and BYOD

Make identity and access easy for the business – enable self-service access request and approval, and deliver a single sign-on experience across desktop, web and mobile apps
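The first of these ideas, gaining identity context, is the one that lends itself to a concrete illustration. The following is an added example, not code from the original article or from any Micro Focus or NetIQ product. It builds a per-identity baseline from a constructed authentication log (devices, source countries, applications and working hours seen during a learning window), scores later events against that baseline, and turns the score into a graduated decision: allow, require step-up authentication, or deny. The log format, field names, weights and thresholds are all assumptions chosen for the example; a real deployment would tune them against its own data.

```python
"""Identity-context scoring over authentication events (example code).

A baseline of what is "normal" for each identity is learned from a window of
past events; each new event is scored by how far it departs from that baseline.
The score drives a graduated decision rather than a binary block, which is the
balance the article argues for: low-risk access stays convenient, unusual access
pays the price of a step-up challenge, and only clearly anomalous access is denied.
Log lines, weights and thresholds below are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample log: ISO timestamp, user, application, device id, source country.
BASELINE_LOG = """\
2024-03-04T08:55:00Z,alice,crm,dev-a1,US
2024-03-04T09:10:00Z,alice,mail,dev-a1,US
2024-03-05T08:40:00Z,alice,crm,dev-a1,US
2024-03-05T17:30:00Z,alice,mail,dev-a2,US
2024-03-06T09:05:00Z,alice,hr,dev-a1,US
2024-03-04T07:50:00Z,bob,git,dev-b1,DE
2024-03-04T13:00:00Z,bob,git,dev-b1,DE
2024-03-05T08:00:00Z,bob,wiki,dev-b1,DE
"""

# Assumed risk weights per signal and the decision thresholds (illustrative values).
WEIGHTS = {"new_device": 30, "new_country": 40, "new_app": 20, "off_hours": 15}
STEP_UP_AT, DENY_AT = 30, 60


@dataclass
class Profile:
    """What has been observed for one identity during the learning window."""
    devices: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    apps: set = field(default_factory=set)
    hours: set = field(default_factory=set)  # hour-of-day values (0-23) seen


def parse(line):
    """Split one log line into (timestamp, user, app, device, country)."""
    ts, user, app, device, country = line.strip().split(",")
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, app, device, country


def build_baseline(log_text):
    """Learn a Profile per identity from the baseline window."""
    profiles = defaultdict(Profile)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, app, device, country = parse(line)
        p = profiles[user]
        p.devices.add(device)
        p.countries.add(country)
        p.apps.add(app)
        p.hours.add(ts.hour)
    return dict(profiles)


def in_working_window(hour, observed_hours):
    """True if `hour` is within one hour of any hour previously seen.

    The distance is taken modulo 24 so that 23:00 and 00:00 count as adjacent,
    otherwise a user who normally works around midnight would be flagged nightly.
    """
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= 1 for h in observed_hours)


def score_event(profiles, line):
    """Score one new event against the baseline.

    Returns (score, reasons, decision). An identity with no baseline at all gets a
    step-up challenge rather than a denial: absence of context is not evidence of
    attack, but it is not grounds for frictionless access either.
    """
    ts, user, app, device, country = parse(line)
    p = profiles.get(user)
    if p is None:
        return 0, ["no_baseline"], "step_up"
    reasons = []
    if device not in p.devices:
        reasons.append("new_device")
    if country not in p.countries:
        reasons.append("new_country")
    if app not in p.apps:
        reasons.append("new_app")
    if not in_working_window(ts.hour, p.hours):
        reasons.append("off_hours")
    score = sum(WEIGHTS[r] for r in reasons)
    decision = "deny" if score >= DENY_AT else "step_up" if score >= STEP_UP_AT else "allow"
    return score, reasons, decision


if __name__ == "__main__":
    profiles = build_baseline(BASELINE_LOG)
    # Constructed events to score: a normal login, a new device, a clearly anomalous
    # combination, a new application only, and an identity with no history.
    for event in [
        "2024-03-07T09:00:00Z,alice,crm,dev-a1,US",
        "2024-03-07T09:00:00Z,alice,crm,dev-a9,US",
        "2024-03-07T03:00:00Z,alice,hr,dev-a9,RU",
        "2024-03-07T08:00:00Z,bob,crm,dev-b1,DE",
        "2024-03-07T08:00:00Z,carol,crm,dev-c1,US",
    ]:
        print(event, "->", score_event(profiles, event))
```

The point of the graduated decision is that the same engine that blocks an off-hours login from an unknown device in an unfamiliar country lets the routine morning login through untouched, and asks for a second factor in between. Real systems add signals this example omits (impossible travel between two events, device posture, peer-group comparison) and learn weights from labelled history rather than hard-coding them.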

The centrifugal governors of old steam engines enabled a balanced and consistent delivery of power even in the face of changing demand. Identity is the control mechanism for security to provide appropriate access to information even as business demands change. Elegantly simple? That’s certainly an overstatement for technology that underpins so much, but it is the ultimate means of balancing convenience and risk.

Travis Greene, Identity Solutions Strategist at Micro Focus, possesses a blend of IT operations and security experience, process design, organizational leadership and technical skills. After a 10-year career as a US Naval Officer, he started in IT as a Data Center Manager for a hosting company. In early 2002, Travis joined a Managed Service Provider as the leader of the service level and continuous improvement team. Today, Travis conducts research with NetIQ customers, industry analysts, and partners to understand current Identity and Access Management challenges, with a focus on provisioning, governance and user activity monitoring solutions. Travis is Expert Certified in ITIL and holds a BS in Computer Science from the US Naval Academy.