The authentication arms race continues
This week we are heading back to 2006, when we reported on that sadly-perennial favourite: IT access security, and more specifically, Managing Access Securely.
As our contribution to the bit of fun that is Throwback Thursday, we’re taking a weekly stroll in the Freeform Dynamics archives.
At first glance, little has changed since then. The human element remains a huge part of the problem, as does the proliferation of authentication schemes (confirmed by a study we ran just a few months ago), and of course too many business managers and organisations still see security primarily as a cost and a nuisance, not as an enabler.
Yet when we read deeper, we also find that everything has changed. In particular, the technology has greatly evolved. Single sign-on, multi-factor authentication and biometrics all took off as we foresaw, and hardly anyone mentions Service Oriented Architectures any more – those kinds of capabilities are taken for granted now.
Unfortunately, we can also see just how much the risks and threats have evolved too, and perhaps it’s this arms race that produces the sensation that, overall, nothing has changed – the weapons and armour have been upgraded, but the fight is the same. Plus ça change, plus c’est la même chose.
It’s misleading though, like comparing a mail shirt with a bulletproof vest – sure, both are pieces of armour, but they belong on dramatically different battlefields. Cybercrime, like modern warfare, has become industrialised and commercialised. For example, back in 2006, the idea that criminal syndicates would be making many millions of dollars from ransomware schemes – some of them simply assembled from the cybercrime equivalent of a Lego kit – was still the stuff of science fiction.
That’s where we are now, though. Of course, our defences have ratcheted up too – who in 2006 foresaw the use of artificial intelligence to sift through vast collections of alerts and logs, looking for anomalies for the humans to investigate?
Change is coming – for some, at least
Fortunately, while many of the underlying problems remain the same as they were back in 2006 – for example human susceptibility to social engineering, the proliferation of identification mechanisms, the need to secure devices outside the office perimeter as well as inside – there are signs of welcome change too.
In particular, the issues of regulatory and legal compliance that were becoming visible back then are now mainstream. One consequence is that we are finally seeing – in a few organisations, at least – IT security treated as a “spend as much as necessary” issue, rather than “spend the minimum we can get away with”.
And as the underlying technology has advanced, the idea that access security can add business value as well as cost is no longer just an idea. In 2006, it was still largely about allowing the business to operate and evolve safely.
In 2020, the legal, regulatory, reputational and financial risks are far larger. But so too are the opportunities that secure access can bring, from greater disaster resilience, through access to a broader and deeper talent pool, to enabling business transformation. All these were theory 14 years ago; now they are becoming real and visible.