One of the roles I used to have was PC support for a mid-size insurance company. As the new IBM PS/2 PCs were being rolled out, one of the things that was new was that they had a hardware, or boot, password. I was called to look at a problem with Word Perfect (and does that date me!). On a sticky note on the PC was "the password is whatever".
This was in the early '90s, and cyber security was nowhere near where it is today as a top-of-mind issue, but it does illustrate the point that a password alone is not that secure.
Can you both improve security and simplify the user experience?
Something you have, something you know.
I refer you to the Wikipedia article on multi-factor authentication for a brief discussion of the topic: https://en.wikipedia.org/wiki/Multi-factor_authentication.
Using current technologies, it is possible to remove the need for a password for some things, like basic network access, and further to ensure that application access is granted only from devices that are enterprise security compliant.
Example – VPN access to the enterprise.
This example can equally apply to network admission control. It comes from a project I was running in 2013 in the IBM CIO's office, which has now been made available as part of IBMers' VPN access.
As part of the global workplace standards, every device in IBM that accesses IBM business capability needs to have Device Management (MDM) installed and to be security compliant. Using the information from the MDM system, combined with a certificate-based VPN service, means that we can remove the need for a password every time you wish to connect.
If the device ever goes out of compliance, you get an email stating that your device is non-compliant and that your VPN access will be withdrawn within a certain number of days if you do not fix the non-compliance. Non-compliance also includes a device that hasn't reported in for a number of days (normally 30).
This both improves the user experience, because the VPN password is no longer needed, and improves security, because non-compliant devices, such as home PCs, are not being used in the environment. It also reduces cost, as there is one less reason for the support desk to get a call.
This essentially moves a significant part of the decision/compliance away from the user to the infrastructure, based on what we know about the device rather than what the user may be asserting. One could call this "cognitive".
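As an added illustration (my own sketch, not IBM's implementation), here is the access decision the post describes, reduced to a policy function: the VPN gateway trusts a device certificate plus MDM compliance telemetry, treats a device silent for more than 30 days as non-compliant, and gives a grace period before withdrawing access. The grace period of 7 days and the device records are constructed values for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Policy values modelled on the post: 30 days of silence counts as non-compliant;
# the 7-day grace period before access is withdrawn is an assumed value.
MAX_SILENCE = timedelta(days=30)
GRACE_PERIOD = timedelta(days=7)


@dataclass
class DeviceRecord:
    """What the MDM system and the VPN certificate store know about one device."""
    device_id: str
    last_report: datetime                 # last MDM check-in
    mdm_compliant: bool                   # result of the MDM compliance checks
    has_valid_cert: bool                  # device certificate present and not revoked
    non_compliant_since: Optional[datetime] = None  # when compliance was first lost


def evaluate_vpn_access(dev: DeviceRecord, now: datetime) -> Tuple[str, str]:
    """Return (decision, reason) where decision is ALLOW, WARN or DENY.

    WARN means: connect the device, but send the non-compliance email with the
    number of days left before access is withdrawn.
    """
    # The certificate replaces the password; without it there is nothing to trust.
    if not dev.has_valid_cert:
        return "DENY", "no valid device certificate"

    silence = now - dev.last_report
    stale = silence > MAX_SILENCE
    if dev.mdm_compliant and not stale:
        return "ALLOW", "device compliant and reporting"

    # Either MDM flagged the device, or it has simply stopped checking in.
    reason = ("device has not reported for %d days" % silence.days if stale
              else "device failed MDM compliance checks")
    since = dev.non_compliant_since or now
    days_left = (since + GRACE_PERIOD - now).days
    if now - since > GRACE_PERIOD:
        return "DENY", reason + "; grace period expired"
    return "WARN", reason + "; VPN access withdrawn in %d days" % days_left


if __name__ == "__main__":
    now = datetime(2024, 1, 31)  # constructed evaluation time
    laptop = DeviceRecord("lt-001", datetime(2024, 1, 30), True, True)
    print(laptop.device_id, evaluate_vpn_access(laptop, now))
```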
The key technologies are available.
One of the bits of advice I give to customers is that device management is great, but the downstream use of the information to simplify the user's experience and improve compliance is where the value of having a Device Management solution is realized.
All the technologies are available now, and every enterprise that hasn't already done so should be looking at ways to start using the telemetry from their devices to reduce complexity and improve security.
Thanks for reading.