Complexity can mean a lot of different things in the security industry, from granular (the complexity of deploying, implementing and managing one singular security technology) to large-scale (the complexity of managing hundreds of different vendors and solutions, and making sure they play well together).
But security needs to complement existing tech. IT complexity within an enterprise organization extends to every aspect across people, processes and technology. It might result in a lot of legacy infrastructure and dependencies that make security patching and updates challenging, if not impossible to do without rendering systems inoperable.
As for people, as you grow, your user base and the diversity of it does, too. Somehow, your technology and security platforms need to support many different users:
- A remote, distributed/global workforce
- Contract, temporary, third-party providers
- Executives and sales employees that travel often
With all of these different work use cases come different devices, applications, permissions and data.
- Human Resources (HR) needs access to employee data applications that house payroll, W2s, benefits, etc.
- Engineers need SSH access to production servers to push proprietary code
- Sales employees need access to customer relationship management (CRM) applications to access personally identifiable business data on prospects and customers
Different levels of access for different types of user groups range from limited, specific access for contractors to higher levels of access to more sensitive parts of a system for a variety of administrators.
To further complicate matters, employee-owned phones, tablets and laptops used to log into work applications come with many potential risks:
- They might be slower to run updates with critical security patches
- They might be jailbroken or rooted
- They might not be encrypted or passcode-protected
I think you get the point. Complexity in all of its forms breeds many challenges for security (not to mention specific needs to meet different compliance requirements), including:
- Falling into the expense-in-depth trap, "the multilayered approach to ensuring minimal return on investment." You’re spending a lot, but is your security approach actually effective?
- Too many alerts and false positives can result in too much data, too much noise - how do you make sense of what’s important in order to inform and strengthen your security posture?
- More code, more problems - at least, a larger attack surface. Sometimes security software can contain vulnerabilities within its very own code, as Mudge found years ago in his DARPA research: about 29% of all vulnerabilities tracked across 100,000 networks were found within security software.
- Lost productivity due to time/resource-wasting implementations, and time spent managing solutions that could be better spent elsewhere
Organizations may be struggling to do it all - including managing the complexity of your IT environment, needs of your users, meeting compliance and actually securing their company against a potential compromise or data leak.
Reducing overall organizational complexity requires solutions that do the work of many (known as ‘force multipliers’), allowing you to scale as you grow. They also need to be flexible enough to adapt to the needs of your different users, supporting different use cases and scenarios. And they need to effectively protect against threats today.
Duo can help secure more complex IT environments in a few ways:
- Verify user identities with many different methods of two-factor authentication (2FA) to fit different login scenarios
- Get global visibility into users’ devices from a single dashboard, including managed and unmanaged devices across different platforms, without installing mobile device management (MDM) agents
- Unifying useful, at-a-glance data with policies that let you limit access by employee-owned, unmanaged devices and/or devices that fail to meet your security requirements
- Simplifying and enabling the login experience with single sign-on - no virtual private networks (VPNs) required - while giving admins control over which applications certain users can access
By examining and consolidating your security solutions and vendors, you can achieve reduced complexity and enhanced business productivity, all while balancing usability with security.