Technological transformations for the workforce have increased productivity, but they've also introduced more complexity. A digital worker in an enterprise organization in the United States now has 50-plus applications to access and at least two devices to access these applications from, according to the 2021 Duo Trusted Access Report. Remembering the URLs, user names, and passwords for all these applications is a challenge, and it's not getting easier.
On the other side, IT and security teams are struggling to comply with regulations and constantly prevent attackers from breaching their environments. The obvious solution is to enforce more security controls for all access requests, but the downside is the friction these controls introduce for the end user.
What’s the right balance and approach to offer trusted access for your workforce? Here are three recommendations we learned by deploying easy and secure access for more than 30,000 organizations around the world.
1. Strong User Authentication for All Users and Applications
Having strong user authentication for every application and every user significantly reduces the risk of a breach. After all, passwords are easy to compromise.
Multifactor authentication (MFA) offers strong control even when a password is compromised. Most organizations have MFA, but it’s not enabled for every application. Security is only as good as the weakest link. Have a road map to enable MFA for every login request in your organization. No exceptions. Of course, you can leverage single sign-on and adaptive authentication policies to avoid MFA fatigue for the end user. You can challenge a user for authentication only when something changes or when the risk is high.
The authentication factors you use for MFA matter. For example, one-time passcodes (OTP) delivered through SMS are no longer reliable, because attackers can intercept them with man-in-the-middle-style techniques or use phishing tooling to trick users into disclosing the OTPs. Still, SMS OTP is better than not having any MFA.
We recommend stronger authentication factors, such as a mobile push notification or a U2F security key. You can also consider modern passwordless solutions that eliminate the dependency on passwords and leverage U2F and the biometrics built into devices for strong authentication.
2. Inspect the End User Device Before Granting Access to Applications
Maintaining up-to-date operating systems and browsers for all of your end user devices offers you the biggest bang for your buck. Microsoft, Apple, and Google control the majority of the operating systems and browsers and release patches frequently. IT and security teams need to think about enabling the end users to maintain their devices.
For example, you can leverage authentication technologies that tell the end user when they need to update their device. Security-conscious organizations block devices from accessing critical applications if the device is not up to date.
Inspecting the device to see whether disk-level encryption is enabled and the host-level firewall is turned on is also critical. Make a list of the attributes you need to inspect, and establish a device posture program. For example, you can make installation of your corporate-approved antivirus agent a requirement for any device to get access to your on-premises network or applications. It’s like the rides at Disney World – you need to be this tall to get on the ride.
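To make the posture program concrete, here is an added example in Python (not Duo's product logic or code from the original post) that evaluates one access request against the attributes listed above: OS version, disk encryption, host firewall, and the approved antivirus agent. It also follows the point above about critical applications: an outdated OS blocks access to a critical app but only produces an update notice for a non-critical one. The minimum OS versions, the agent name "CorpAV", and the sample devices are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Minimum acceptable OS versions (constructed sample baselines, not real patch levels).
MIN_OS_VERSION = {"windows": (10, 0, 19044), "macos": (12, 3, 0)}


@dataclass
class Device:
    os_name: str
    os_version: str            # e.g. "10.0.19043"
    disk_encrypted: bool
    firewall_on: bool
    av_agent: Optional[str]    # name of the installed antivirus agent, if any


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)   # why access was denied
    notices: List[str] = field(default_factory=list)   # what the user should fix


def parse_version(v: str):
    """Parse '12.3' or '10.0.19043' into a 3-tuple so versions compare correctly."""
    parts = [int(p) for p in v.split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def evaluate_posture(device: Device, app_is_critical: bool, approved_av: str = "CorpAV") -> Decision:
    """Apply the posture checks to one access request and return allow/deny with reasons."""
    d = Decision(allowed=True)
    minimum = MIN_OS_VERSION.get(device.os_name.lower())
    if minimum is None:
        d.allowed = False
        d.reasons.append(f"unsupported OS: {device.os_name}")
        return d
    if parse_version(device.os_version) < minimum:
        msg = f"OS {device.os_version} is below required {'.'.join(map(str, minimum))}"
        if app_is_critical:                  # critical app: out-of-date device is blocked
            d.allowed = False
            d.reasons.append(msg)
        else:                                # non-critical app: tell the user to update
            d.notices.append("update required: " + msg)
    if not device.disk_encrypted:
        d.allowed = False
        d.reasons.append("disk encryption is off")
    if not device.firewall_on:
        d.allowed = False
        d.reasons.append("host firewall is off")
    if device.av_agent != approved_av:
        d.allowed = False
        d.reasons.append(f"approved antivirus agent {approved_av} is not installed")
    return d
```

A real posture program would source these attributes from an endpoint agent or the authentication client rather than trusting values the device reports about itself.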
3. Think About Reducing Friction for the End User at Every Step
Your employees just want to get their work done. They don’t want to think about security and compliance all the time. What if the easiest way to get work done is the most secure way?
For example, in a traditional organization the user needs to log in to a virtual private network (VPN) to access a custom on-premises application. Logging in to a VPN adds friction. If the VPN is not properly configured, you are also giving the user excessive access to the entire network instead of limiting them to just the application they need.
VPN-less remote-access solutions let you publish your on-premises applications as cloud apps. The user then logs in to them the same way they log in to a cloud application, without using a VPN.
Modern trusted access solutions inspect the user, the device, and the user's behavior in real time to decide whether to grant access. These platforms are evolving to evaluate attributes post-login and offer continuous trusted access.
A future where trusted access and actions are enabled with the least amount of friction for the end user looks promising.