Don’t be Doctor NO: New Book Helps Balance Restrictive Cybersecurity with Empowerment and Accountability
Balancing what we’d like to do from the pure security control perspective with the need to align solutions with the business is a recurring theme in my book, Rational Cybersecurity for Business. The actual book is being published very soon – maybe next week! In the meantime, I can offer a blog-friendly adaptation of excerpts from Chapter 8, “Control Access with Minimal Drag on the Business.”
This part of the book covers access control, something that’s required for most IT assets. The work of managing access involves both identity and access management (IAM) and data protection disciplines. Work from home, remote access, and other trends of COVID-19 times have reopened debates between those favoring highly restrictive approaches to access (as compliance might suggest) and those favoring permissive approaches that empower users to maximize productivity.
Balance Access Control and Accountability
Businesses need to strike a balance between risk reduction and productivity, or the ability to get work done. Between risk and drag, in other words. There is no way to completely eliminate risk even with highly restrictive controls. It is also imprudent to operate a digital business without some drag from controls. Figure 8-3 depicts the notion that between the two extremes of having too many restrictive controls or too few, businesses have a broad area of realistic operating conditions.
“Protect” and “Detect” Controls Impact Users Differently
One might ask, couldn’t we end up still having too much risk and too much drag if we took a middling approach? Fortunately, additional tools are at our disposal. We have “protect” (aka restrictive) controls to prevent inappropriate access. Or we can choose “detect and respond” controls to create an accountability-based approach that discourages inappropriate access or reacts to it after the fact. Detect controls have less impact on the user experience and allow users to have more access rights. For example, some banks use a control called “passive authentication” to log users into online banking sessions instead of requiring highly complex passwords or authentication devices. The bank operates sophisticated monitoring tools in the background to detect any suspicious activity.
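To make the protect/detect distinction concrete, here is a small added illustration (my own constructed example, not code from the book or from any bank’s passive-authentication system). The same access request is evaluated two ways: a restrictive “protect” control that denies anything without strong authentication, and an accountability-based “detect” control that allows the session by default, scores contextual risk signals, writes an audit trail for every decision, and only steps up authentication when the score crosses a threshold. The signal names, weights and threshold are assumptions chosen for illustration.

```python
"""Protect vs. detect: two ways to handle the same access request (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class AccessRequest:
    user: str
    action: str                  # e.g. "view_balance" or "transfer_funds"
    strong_auth: bool            # MFA or hardware token presented this session?
    new_device: bool             # session comes from a device not seen before
    unusual_location: bool       # location differs from the user's recent history
    amount: float = 0.0          # monetary value, only meaningful for transfers


@dataclass
class Decision:
    allowed: bool
    step_up_required: bool       # detect path asked for stronger authentication
    risk_score: int
    audit: list = field(default_factory=list)   # what the monitoring side recorded


# Hypothetical weights and threshold; a real deployment tunes these from fraud data.
RISK_WEIGHTS = {"new_device": 2, "unusual_location": 2, "large_transfer": 3}
LARGE_TRANSFER = 1000.0
STEP_UP_THRESHOLD = 3


def protect_control(req: AccessRequest) -> Decision:
    """Restrictive control: no strong authentication means no access, regardless of context.

    Minimal risk tolerance, maximal drag: every user pays the authentication cost every time.
    """
    audit = [f"protect: user={req.user} action={req.action} strong_auth={req.strong_auth}"]
    return Decision(allowed=req.strong_auth, step_up_required=False, risk_score=0, audit=audit)


def detect_control(req: AccessRequest) -> Decision:
    """Accountability-based control: admit the session, score it, log it, escalate only on risk.

    The user is trusted by default; the monitoring system carries the burden instead of the user.
    """
    score = 0
    audit = [f"detect: user={req.user} action={req.action}"]
    if req.new_device:
        score += RISK_WEIGHTS["new_device"]
        audit.append("signal: new_device")
    if req.unusual_location:
        score += RISK_WEIGHTS["unusual_location"]
        audit.append("signal: unusual_location")
    if req.action == "transfer_funds" and req.amount >= LARGE_TRANSFER:
        score += RISK_WEIGHTS["large_transfer"]
        audit.append(f"signal: large_transfer amount={req.amount:.2f}")

    # Only a high-risk context pulls the restrictive control back in.
    step_up = score >= STEP_UP_THRESHOLD
    allowed = (not step_up) or req.strong_auth
    audit.append(f"score={score} step_up={step_up} allowed={allowed}")
    return Decision(allowed=allowed, step_up_required=step_up, risk_score=score, audit=audit)


def compare(req: AccessRequest) -> dict:
    """Run both control styles on one request so the trade-off is visible side by side."""
    return {"protect": protect_control(req), "detect": detect_control(req)}


if __name__ == "__main__":
    # Constructed sample requests: a routine balance check and a risky transfer.
    routine = AccessRequest("alice", "view_balance", strong_auth=False,
                            new_device=False, unusual_location=False)
    risky = AccessRequest("alice", "transfer_funds", strong_auth=False,
                          new_device=True, unusual_location=False, amount=5000.0)
    for name, req in (("routine", routine), ("risky", risky)):
        for style, decision in compare(req).items():
            print(f"{name}/{style}: allowed={decision.allowed} "
                  f"step_up={decision.step_up_required} score={decision.risk_score}")
            for line in decision.audit:
                print("   ", line)
```

The routine request shows the drag difference: the protect path refuses it outright for lack of strong authentication, while the detect path admits it with a zero score and an audit record. The risky transfer from a new device shows the detect path narrowing back toward restriction only where the signals warrant it.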
In the realm of access control, we can choose to “trust but verify,” promoting high standards of accountability to control risk without deploying controls that restrict user activity. Staff could have more discretion to make subtle choices, e.g., should a salesman send an “internal” document to a prospect? What is the classification of that document anyway? Is it OK to let this vendor into the building on Saturday for a meeting when the receptionist is gone? Is it OK to edit a confidential company document on my personal tablet while I’m on vacation? Arguably, security policy could cover any or all of these circumstances, but in the real world of work there is always more context, and circumstances where the answer may be “it depends.” Figure 8-4 depicts a more nuanced view of businesses trading off risk and drag, restrictive access control and accountability.
Risk and Cultural Determinants
Where to end up on the control continuum is a function of security culture and the nature of inherent risks. Some businesses have a cultural inclination toward more trust, others towards more control. Regulatory guidance tends to emphasize control, least privilege, and separation of duty. But regulatory guidance usually includes a caveat that the approach can be “risk-based,” thus allowing planners to mix and match “compensating controls.” There are also opportunities, such as deploying privacy-enhancing controls, to reduce both risk and drag at the same time.
A restrictive control approach has long been the dominant theme for cybersecurity professionals, and we’ve tended to default to “protect.” However, many organizations are adopting more of a people-centric security (PCS) approach, originally espoused by author Lance Hayden and by Gartner security analysts. At the intersection of IAM and PCS, we must ask how much discretion we can give access managers who grant other users access. Do we want the access request process to be highly discretionary (and therefore flexible) or highly prescriptive (mostly rules-based and potentially inflexible, but more difficult to abuse)?
Work from home and other moves toward the consumerization of IT in the wake of the COVID-19 pandemic may reignite interest in people-centric security.
The Control Continuum
Observe that our second risk/drag figure (Figure 8-4) has a more nuanced notional continuum of controls than the previous Figure 8-3. One business, such as a bank, might choose a restrictive control set to meet its regulatory requirements and to abate the constant risk of financial fraud. Another business, such as a technology startup, might choose a permissive control set. The control environment, in this example, likely varies because of the companies’ differing assets: perhaps the startup only needs to protect documents, but the bank must protect everything from documents to bank accounts.
The bank could, however, tune or optimize its control set to reinforce accountability for document access through awareness training and deterrent monitoring. This would reduce the need for restrictions on access in some use cases and might improve the user experience without increasing risk very much. On the other hand, a startup should generally formalize more restrictive access controls (and rely less on trusted staff) as it expands and takes on higher risk customers and customer use cases.
Access control and data governance require cross-functional business alignment. Security and business stakeholders should work together intentionally to seek that middle ground as shown in the Rational Cybersecurity Alignment Key below.
What are Accountability-Based Controls?
Unlike restrictive controls, accountability-based controls operate within the trust space of empowered users and managers to raise the odds they will do the right thing. Accountability-based controls comprise a mix of carrots and sticks.
Carrots include positive messages imparted through user awareness and training to create the user perception that access is a privilege. These messages help users understand why security policies (such as not sharing restricted information) should be followed.
Sticks, on the other hand, can be the awareness that monitoring systems will detect violations of policy, and that policies will be enforced through disciplinary action. Sticks can be communicated through legal contracts, cautionary messages in systems and applications, and user awareness programs.
I trust this post has given you some new perspectives on IAM and data protection architecture choices. Check out the book (due out in June) for the full chapter on these topics. Contact us if we can help with your cybersecurity strategy or identity management architecture.