Complexity is something that CIOs and IT leaders need to address. Complexity not only inhibits user productivity and administrative efficiency; it also introduces risk. On the user side of things, users will find ways to make their IT experience (Work Tasks) easier, usually at the sacrifice of security or company standards. On the IT administration side, the complexity of multiple tools and niche products that live in their own silos introduces risk because there are too many touch points at which security must be ensured, especially in the fast-paced IT world we live in now. Below is a good illustration of this taken from Citrix Synergy presentations:
Complexity is driven by multiple forces, including the change in today’s workforce compared to the past in both workforce composition and technology used. There are new threat landscapes to go along with the traditional threat landscapes. There are market pressures to “do more, faster” to beat your competition. Complexity in an environment can slow the time to market, thus eliminating a competitive advantage. Last, but not least, we have regulatory compliance standards such as HIPAA, PCI, GDPR and the new California Consumer Privacy Act of 2018.
For Security teams, this means a complex web of methods and tools to ensure device, network, data and physical security as well as regulatory compliance. For end users, this presents a complex and inefficient work model comprised of multiple login points, multiple passwords, locked down devices and inflexible work processes. This complex work model inhibits their productivity and thus their compensation.
For this post, I want to focus on why the changing workforce introduces complexity, how complexity is the Enemy of the User State and how new security models should adapt to put the user at the center of the security or trust model.
Today’s workforce and staffing models introduce different security boundaries from the past. The workforce today is mobile, multi-device and more tech-savvy than in the past. They want to be able to work anywhere on any device at any time. This means a company may not control the device or network the users connect from. More often than not, an access method for untrusted devices is needed in addition to methods for trusted devices. This adds complexity for the user and IT staff. For the user, anything that hampers them will be tossed aside for something easier and likely less secure. Users will gravitate to the path of least resistance while the approved IT process becomes “the path less traveled”, to paraphrase a popular book title.
Companies are using more third parties than before. These third parties need access to corporate data, but the company likely does not control the endpoint or main identity of the user. This leads to multiple identities for those workers as well as complex networking, firewall, and other methods to allow secure access.
Complexity and the user
How many times have you been hampered by technology while performing a task? What did you do? Most of us find ways around the obstacle, forwarding email to a personal account or using public cloud storage rather than corporate-sanctioned storage. We could probably build a long list of “tips and tricks” that lead to the path of least resistance and allow us to not use IT-provided services. This all comes at the expense of security and introduces risk not only to the organization (data leaks, malware, etc.), but also to the individual who exposes data or weaknesses in IT security (read your employment agreement). The new workforce “causes” some of this complexity, as noted above, by requiring different trust and security models depending on how they are working. This leads to multiple entry points, multiple passwords and even multiple authentication factors. The user must know HOW they are working before they can work.
Am I on a trusted device? What URL do I need to use for access? What password for this SaaS application? Did I remember my token/do I have a soft token on my mobile device? Where is the shortcut for that application? Can I save locally? Can I print?
All of these decision points need to be addressed in order to complete a task, creating inefficiencies that inhibit productivity and degrade the user experience. The passwords are likely the same across all items (network login, SaaS App 1, SaaS App 2) and are likely stored on a sticky note or in Notepad (if you are lucky, maybe a password-protected Excel spreadsheet).
New Security Models
Users avoid complexity. We as IT Solutions experts should remove that complexity and provide the best user experience so users WANT to use the IT services that we provide and secure. We need to put the user at the center of our security models. We need to redefine the traditional physical perimeter of the datacenter and traditional applications. We need to move to a Secure Digital Perimeter that follows the user. We need to change the illustration above to the illustration below:
More to the story
Complexity for the user is just one side of the story. I will address Complexity as the Enemy of the IT State in my next blog entry and show how we can find the balance between User and IT Administration in the battle against complexity.
Thanks for reading and I look forward to discussion.