There’s plenty of news out there about the way mobile technology, BYOD programs, and other facets of the consumerization of IT trend are reshaping the workplace and the IT department. The traditional daily routine of typing a username and password into a PC in the morning, using that computer all day long, and shutting it down before heading home is gone for many of us.
Today, we use a mix of devices in the office, during meetings, on the road, and often from home. That mix of devices, a range of different apps, cloud services, and remote access empowers us in ways that were unimaginable a few years ago. In this new workplace, however, do we need something more than the old username and password to make resources available and keep business data secure?
According to enterprise expert Benjamin Robbins, we probably do. As he points out in a recent blog entry, the old model of user identity doesn’t provide enough security and flexibility for today’s ever more mobile world.
One issue is that the old paradigm was designed with a physical security system in place – if I’m typing my username and password at my desk, I’ve already gotten into the office building, into my company’s office, and sat down in my cubicle – even if there’s no ID badge needed to do that, I’ve passed people who know me and haven’t questioned my authority to be there. My PC is, of course, connected to my company’s network and is behind a firewall that ensures a significant level of data security.
A lot of that protection vanishes if I’m sitting at Starbucks with my iPad using public Wi-Fi to access a cloud-based resource (possibly one that would be in a vendor’s datacenter and thus remote even if I was at my desk). That’s a lot of variables in itself, but if my iPad is stolen while I’m ordering my second or third latte then even the less than stellar security in place could be gone if I didn’t use a passcode or had left the device unlocked.
Adding features like device type (iPhone, iPad, MacBook, Windows desktop and so forth), a specific device identified by serial number or another unique characteristic, physical/geographical location, the type of network I’m connected over, and even the apps that I’m using creates a much more specific picture of my user identity – any of those identifying factors can be used to disallow or restrict access to secure systems. If my username and password are stolen and somebody in Europe tries to use them to access confidential data hosted in the cloud (or even in the office), for example, they can be denied access simply by virtue of being thousands of miles away and/or for using an unrecognized device/computer.
The concept is really an extension of two existing IT practices. The first is two-factor authentication, which requires that something like a smartcard, RSA SecurID token, or biometric data such as a fingerprint or iris scan be provided in addition to my username and password. The second is managing access or environment based on device or device group – a basic concept in Windows/Active Directory group policies as well as Apple’s managed preferences architecture, where my username is associated with specific user groups and groups of devices – which can be used to allow or restrict access to data and apps, and to provide an overall computing experience and configuration.
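To make the idea concrete, here is an added example (not from the original post) of a small policy check that layers the contextual factors described above on top of the ordinary password check. The device inventory, user names, serial numbers, app names and country codes are all constructed, hypothetical values.

```python
from dataclasses import dataclass

# Constructed sample inventory: devices IT has enrolled, keyed by serial number,
# with their owner and the device groups they belong to (hypothetical values).
ENROLLED_DEVICES = {
    "C02ABC123": {"owner": "alice", "type": "MacBook", "groups": {"laptops", "finance"}},
    "DMPD5678":  {"owner": "alice", "type": "iPad",    "groups": {"tablets"}},
}
HOME_COUNTRY = {"alice": "US"}           # where each user normally works
CONFIDENTIAL_APPS = {"corp-files"}       # managed apps allowed to open confidential data
CONFIDENTIAL_GROUPS = {"laptops"}        # device groups allowed to open confidential data

@dataclass
class AccessContext:
    user: str
    password_ok: bool   # result of the ordinary username/password check
    device_id: str      # serial number reported by the device
    country: str        # from geolocation
    network: str        # "corporate", "home" or "public"
    app: str            # app making the request
    resource: str       # "confidential" or "general"

@dataclass
class Decision:
    allow: bool
    reason: str
    second_factor: bool = False   # step-up (token, biometric) still required

def evaluate(ctx: AccessContext) -> Decision:
    """Layer device, location, network and app checks on top of the password."""
    if not ctx.password_ok:
        return Decision(False, "bad credentials")
    device = ENROLLED_DEVICES.get(ctx.device_id)
    # Unknown or someone else's device: stolen credentials alone get nowhere.
    if device is None or device["owner"] != ctx.user:
        return Decision(False, "unrecognized device")
    if ctx.resource == "confidential":
        if not device["groups"] & CONFIDENTIAL_GROUPS:
            return Decision(False, "device group may not open confidential data")
        if ctx.app not in CONFIDENTIAL_APPS:
            return Decision(False, "unmanaged app may not open confidential data")
        if ctx.country != HOME_COUNTRY.get(ctx.user):
            return Decision(False, "confidential data denied outside home country")
        # The coffee-shop case: a known device on public Wi-Fi gets step-up auth.
        if ctx.network == "public":
            return Decision(True, "public network: second factor required", True)
    return Decision(True, "ok")
```

The "somebody in Europe with my password" case falls out of the unrecognized-device and out-of-country checks, while the iPad-at-Starbucks case is handled by the device-group and public-network rules rather than by the password alone.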
Creating such a system isn’t particularly technical, since most of the needed data is already easy to retrieve. The biggest challenge is likely getting executive and user buy-in to a model that requires a fair amount of personal information, such as location data, to be shared with and/or recorded by IT.