Security: The Ultimate Balancing Act

The phrase “balls to the wall” is one that has been co-opted to mean things you wouldn’t want to discuss with your grandmother. But in its original context, it referred to a centrifugal governor used on steam engines to regulate a consistent speed, regardless of the load placed on the machine.

The way it worked was elegantly simple – as the drive shaft rotated, a pair of weights (usually spherical in shape) connected to the shaft would fly out on arms, driven by centripetal force. The faster the rotation, the farther out the arms would swing, with gravity pulling the weights down as the rotation slowed. The arms were connected to a valve that regulated the steam throughput, so that if the rotation slowed, more steam was let in, and if it sped up, less. Thus, balance and speed were maintained. To go full speed meant that the weights had to be at their full extension, or as was said, “balls to the wall”.

Like these centrifugal governors, there is a need for balance in the context of security. Businesses need immediate and convenient access to information and applications to react faster to changes in competitive markets.

Coupled with today’s consumerization of expectations, and backed by the threat of shadow IT, there is pressure for IT to deliver access to information from anywhere, on any device, without security hassles. Yet complaints about security hassles cannot dictate excessive risk exposure.

Ideally, security governs access to information at the speed of business.

In practice, security organizations tend to focus on preventing the fiendishly clever external attackers from stealing everything of value not nailed down, while keeping malevolent or misguided privileged users from exposing sensitive information. While these are critical tasks, the business perspective is often lost.

So what can be done to govern the balance between convenience and risk?

We’ve heard identity referred to as the “new perimeter,” meaning IT no longer has the luxury of building out elaborate infrastructures to keep the bad guys out to protect corporate data. Instead, IT must now focus on protection at the individual level for the massive amounts of data being accessed by people, from any device, anywhere, anytime.

Indeed, perimeter defense shifting to interior defense might characterize what is happening from an IT perspective. But that is a very IT-centric way of viewing security, which doesn’t quite capture the perspective that identity is a business enabler as much as a security tool.

Identity should be considered far more strategically. It is how organizations not only identify their employees, contractors or partners, but more importantly, their customers. Identity is not only an enabler for more productive work, but a connection to customer interaction that can spur new offerings to meet unrealized or potential demand.

Rather than worry about how IT defines perimeters, CIOs and senior IT leaders must get a much deeper appreciation of identity and its singular ability to enable the business. This is a defining moment for IT. Understanding how identity powers businesses to seek out new revenue opportunities, improve engagement models with customers and partners and unleash the creativity and capacity of the workforce is a necessity if IT is to remain not just supportive of the business, but more importantly, a relevant business partner worth engaging to drive the business forward.

So what can be done specifically to keep risk from spinning out of control, without shutting down the engine of business? A few ideas:

Gain identity context – associate identities with their activities, and understand if the behavior they demonstrate is appropriate and normal for that individual

Reorient access control thinking – move from device-specific to application and information access controls, particularly with mobile devices and BYOD

Make identity and access easy for the business – enable self-service access request and approval, and deliver a single sign-on experience across desktops, web and mobile apps

The centrifugal governors of old steam engines enabled a balanced and consistent delivery of power even in the face of changing demand. Identity is the control mechanism for security to provide appropriate access to information even as business demands change. Elegantly simple? That’s certainly an overstatement for technology that underpins so much, but it is the ultimate means of balancing convenience and risk.
