A Transition Phase in Access Management: Are We Ready for a Future Without Passwords? Part III

By: Tim Coleman, Director of Secured Managed Services, CISO Global, Inc.

We had to embrace a vision of it being a culture instead — one with the courage to accept today’s realities and the imagination to prepare for what’s coming.

That vision informs CISO Global’s motto

And it’s a vision we deliver to clients every day.

For some clients — particularly work-from-home, decentralized, cloud-based organizations — the idea of becoming a passwordless company isn’t so disruptive. Their culture is already primed for it. They’re ready to embrace the newest technology, and we’re happy to help them with that.

But for other clients, the risk of a major business disruption from moving so rapidly is too great.

So, as a managed cybersecurity provider, we look first at the client’s ultimate business goals, work backward from there, and make sure they can still get work done while staying secure.

Luckily, the current technology affords this

It lets clients align security goals with business goals by transitioning into a passwordless world gradually with single sign-on (SSO) and token-based multifactor authentication.

And it’s that sort of compromise that characterizes the idea of culture over product, of principles over technology, of message over medium.

But while that’s great today, what about tomorrow?

With a firm hand, a provider won’t let the latter clients — those hesitant to let their access management move rapidly into the password-free future — become complacent with passwords alone. 

The provider will help the client recognize that with countless breaches every year, the future has to be less about managing what we’re carrying around in our heads (i.e., passwords that are likely to be compromised) and more about managing hardware (i.e., physical tokens that are less likely to be compromised) and trust frameworks (i.e., a set of rules and standards that all participants are encouraged to follow).

The big bang vs. the phased approach

This brings to mind a client we’re helping right now.

They have many locations in multiple countries, and lots of remote workers and external partners who need access to the client’s data. 

So we’re co-managing a privileged identity management (PIM) solution with their in-house IT staff — not forever, just until the staff’s ready to manage it themselves, which takes the anxiety of a big-bang approach out of the equation and replaces it with the peace-of-mind of a phased approach.

First, we started with a pilot group, a handful of the client’s most technologically savvy users — the ones least likely to be disrupted by PIM.

Next, we moved that pilot group from onboarding to everyday use, took note of any issues that arose (i.e., cultural, technological, physical, etc.), and ironed out those issues completely.

And finally, we rolled out PIM to the rest of the 300-person organization.

For that latter, larger remainder of the community, this might be their earliest encounter with a passwordless identity management system in their work lives, but it almost certainly isn’t anything new in their personal lives. That post-pilot group may already use solutions like multifactor authentication to access their banks, gaming services, email, social media, and more. 

And it’s the job of a provider to help its clients capitalize on this fact, to help them see the opportunity that exists not just as an organization managing its employees’ passwordless access to its systems, but as an organization managing its customers’ access, too.

Technology agnosticism helps avoid disruption

At CISO, we’re technology agnostic, so we’ll look at what our clients are using for their business productivity right now (e.g., Microsoft 365 and Azure) and introduce them to the access management solution that won’t disrupt their business activities (e.g., Microsoft Hello for Business). 

But whether it’s Okta, AWS IAM, OneLogin, Microsoft Azure AD, Windows Hello for Business, or something else, we’ll make sure their access management consists of a single federated authority that makes granting, changing, and revoking access a seamless experience.

What if a client doesn’t actually believe they need help taking their access management into a passwordless future? 

First, a provider will audit the system as it stands, including interviewing the staff, reviewing incident reports (i.e., did they have a data breach?), and rooting out the causes of downtime and outages.

Next, the provider should focus on any evolving threats and high-risk patterns they see and devise a way to disrupt them.

Then they should construct a narrative around the client’s profile, zoom in on specific details through a security lens that might not have been used otherwise, and identify where improvements can be made and how the client can be a better steward of sensitive data — particularly the very personal data that will make a passwordless future possible, like biometrics.

After that, the provider will walk through and provide tactics for what-if questions like, “What if your biometrics data gets compromised?” and “What if a flaw is discovered in your passwordless system?”

And finally — and this is key — the provider will use the utmost tact when delivering this information to the client, reassuring them that: 

• these strategies are in no way a critique
• risk management isn’t a single problem that simply gets solved, never to be heard from again
• cybersecurity is a journey — a perpetual, adaptive exercise 

Making that journey comfortable

Along the way, a client might find itself conceding that, yes, passwordless access to their systems must be managed, but biometrics goes too far. Perhaps it’s too reliant on personal information for their taste. 

Or perhaps their BYOD policy makes it difficult to dictate to their employees how to use the devices that they themselves own and pay monthly fees on. 

What then?

A great provider will accommodate that preference and give that client other passwordless options, like a Fast IDentity Online (FIDO) authentication hardware token — a key fob, smart card, or dongle.

What if that’s still too much to ask? What will a provider have to do to persuade the reluctant or the uncooperative client to appreciate the importance of embracing a passwordless future?

Again, it’s about culture over technology — conveying the understanding of “you’re not only protecting yourself, you’re protecting your co-workers, your company, and your customers.”

It’s about analogies over abstractions — analogies that illustrate the human tendency to defeat or work around security solutions, like, “a house with even the most expensive alarm system and the strongest door locks is still vulnerable if a window is left open by someone.”

It’s about keeping an ear to the ground instead of sowing paranoia and fear — adopting a sense of vigilance and optimism over anxiety and dread.

This is what I mean when I say access management in cybersecurity is in a transition phase. 

As the threat landscape evolves, the role of the provider is evolving, too.

It’s not only about recommending technology and best practices to our clients.

It’s about scouting out what’s ahead and fostering in our clients a spirit of readiness.

Looking for more information about how access management protects your organization’s reputation and data in a passwordless world? We should talk. Reach out to CISO Global, Inc. now.