Security: The Ultimate Balancing Act

The phrase “balls to the wall” is one that has been co-opted to mean things you wouldn’t want to discuss with your grandmother. But in its original context, it referred to a centrifugal governor used on steam engines to regulate a consistent speed, regardless of the load placed on the machine.

The way it worked was elegantly simple – as the drive shaft rotated, a pair of weights (usually spherical in shape) connected to the shaft would fly out on arms, driven by centripetal force. The faster the rotation, the farther out the arms would swing, with gravity pulling the weights down as the rotation slowed. The arms were connected to a valve that regulated the steam throughput, so that if the rotation slowed, more steam was allowed through, and the opposite was true as well. Thus, balance and speed were maintained. To go full speed meant that the weights had to be at their full extension, or as was said, “balls to the wall”.

Diagram of a centrifugal governor

Like these centrifugal governors, there is a need for balance in the context of security. Businesses need immediate and convenient access to information and applications to react faster to changes in competitive markets.

Coupled with today’s consumerization of expectations, and backed by the threat of shadow IT, there is pressure for IT to deliver access to information from anywhere, on any device, without security hassles. Yet complaints about security hassles cannot dictate excessive risk exposure.

Ideally, security governs access to information at the speed of business.

In practice, security organizations tend to focus on preventing the fiendishly clever external attackers from stealing everything of value not nailed down, while keeping malevolent or misguided privileged users from exposing sensitive information. While these are critical tasks, the business perspective is often lost.

So what can be done to govern the balance between convenience and risk?

We’ve heard identity referred to as the “new perimeter,” meaning IT no longer has the luxury of building out elaborate infrastructures to keep the bad guys out to protect corporate data. Instead, IT must now focus on protection at the individual level for the massive amounts of data being accessed by people, from any device, anywhere, anytime.

Indeed, perimeter defense shifting to interior defense might characterize what is happening from an IT perspective. But that is a very IT-centric way of viewing security, which doesn’t quite capture the perspective that identity is a business enabler as much as a security tool.

Identity should be considered far more strategically. It is how organizations not only identify their employees, contractors or partners, but more importantly, their customers. Identity is not only an enabler for more productive work, but a connection to customer interaction that can spur new offerings to meet unrealized or potential demand.

Rather than worry about how IT defines perimeters, CIOs and senior IT leaders must get a much deeper appreciation of identity and its singular ability to enable the business. This is a defining moment for IT. Understanding how identity powers businesses to seek out new revenue opportunities, improve engagement models with customers and partners and unleash the creativity and capacity of the workforce is a necessity if IT is to remain not just supportive of the business, but more importantly, a relevant business partner worth engaging to drive the business forward.

So what can be done specifically to keep risk from spinning out of control, without shutting down the engine of business? A few ideas:

Gain identity context – associate identities with their activities, and understand if the behavior they demonstrate is appropriate and normal for that individual

Reorient access control thinking – move from device-specific to application and information access controls, particularly with mobile devices and BYOD

Make identity and access easy for the business – enable self-service access request and approval, and deliver a single sign-on experience across desktops, web and mobile apps

The centrifugal governors of old steam engines enabled a balanced and consistent delivery of power even in the face of changing demand. Identity is the control mechanism for security to provide appropriate access to information even as business demands change. Elegantly simple? That’s certainly an overstatement for technology that underpins so much, but it is the ultimate means of balancing convenience and risk.
