There is no doubt that security needs to be at the forefront of any business IT program, especially within the hybrid cloud environment. The risks inherent with any connection to the internet at all are too great to ignore, and businesses have a responsibility to do everything they can to protect their sensitive data and networks.
This begs the question, though, of whether there is such a thing as being “too secure?” Is it possible that IT security teams, in the interest of protecting the company from risk, are actually going too far and causing slowdowns not only in day-to-day activities but also in the overall productivity of the organization?
According to one study, the answer is a resounding “yes.” A study commissioned by Bromium Research of CISOs at large companies in the U.S. and Europe revealed that IT teams are spending almost 600 hours per year responding to complaints and issues from employees who have been thwarted while doing their work by overzealous security measures. In addition, 71 percent of the CISOs report feeling like the “bad guys” because they have to say no to user requests due to security concerns and that they feel caught in the middle between keeping the networks secure and letting people work freely.
It’s clear that CISOs and their teams cannot allow a free-for-all when it comes to allowing employees to do whatever they want on the network, but the growing consensus is that there is a middle ground that would allow for improved productivity and innovation while not compromising security. One aspect of that middle ground is the notion of “invisible security,” a key aspect of any effective hybrid cloud security approach.
What Is Invisible Security?
Imagine that you’re attempting to work on a project at work, and you need to access a secure database to do so. You enter a password, and you’re sent a unique eight-digit code to enter and gain access. Once you’re in, you find that you don’t have the right credentials to access the information you need. You put in a request for the credentials and in the meantime begin researching other information for your project. Only you can’t download a report that you need, due to network restrictions. So, you put in another help request for permission to download the web resources. Several hours later, you receive all of the permissions you needed, but now you are hours behind.
Sound familiar? Similar scenarios occur every day, leading to frustration and in many cases, workarounds that create greater risks than were already present. In many organizations, IT security creates roadblocks that frustrate users. In response, they find ways to simplify their own user experience. For instance, they might ignore password protocols and re-use the same credentials in multiple places to save time or stay logged in to programs to avoid going through the whole process again. In some companies, shadow IT, in which employees use programs and tools that haven’t been approved, is a major issue thanks in large part to security protocols. In either case, people are developing their own solutions to be more productive, and those solutions are creating risk.
Invisible security, then, is security that doesn’t intrude upon the user experience but instead happens behind the scenes. Employees have a seamless experience while the network remains safe. Some of the invisible approaches that are commonly in use include:
Siloing targeted activities
When users initiate certain activities, such as downloading content from the internet, it occurs on a dedicated virtual machine. That way, if there is any malicious content, it is contained to that specific machine and never reaches the network.
This security approach bases permissions and access on specific behaviors, such as the time of the access request, and the behavior of the requestor. Logging in to a database from the office during business hours would be allowed, for instance, while a request from overseas in the middle of the night would be denied.
Implementing methods of signing into accounts that use biometrics (like a fingerprint) or a single sign-on can save time and keep roadblocks from popping up.
Invisible security isn’t only about streamlining access, though. It’s also about using tools and techniques behind the scenes that users never come in contact with but that don’t slow them down. Using tools that defend against threats that don’t cause a loss of security control and the development of shadow IT will reduce organizational risk while also ensuring that your company remains productive and innovative. In short, making security invisible will ultimately make it more effective.