July 20, 2022

Why has identity management for the hybrid workforce become so difficult?

Richard Dornhart
National Practice Manager - Security at Data#3
We all know the story of the mad scramble organisations faced in shifting from a primarily office-driven workforce to a remote workforce over the last few years. While that has settled into varying degrees of hybrid working, it’s time for organisations to revisit the systems and processes they originally put in place. 

While those approaches have largely worked, there is a general acknowledgement that from a cyber security aspect, they often weren’t the most elegant of solutions, consisting of various combinations of VPNs, MFA, cloud security etc. These solutions definitely added a bit of friction to our working lives, but given the environment we were dealing with at the time, it wasn’t too onerous to deal with – especially when people weighed up the benefits of being able to work from home. 

The need to embrace the hybrid workforce more fully has accelerated the ongoing shift from centralised, perimeter-based network (or data centre) security to more distributed, cloud-based security incorporating Secure Web Gateways, Zero Trust, SD-WAN, and CASB, all of which help align with the principles of SASE.

However, unless your organisation has a well-developed Single Sign On (SSO) solution, you probably still end up spending more time than you want logging in and re-authenticating to all your applications each day when working remotely. Even with SSO, there are probably outlier apps that still need a separate login. This is in stark contrast to the in-office experience, which is largely invisible and friction-free. Questions are being asked – “why can’t it be the same no matter where I’m working from?”

Ultimately, this comes down to an identity problem, and while it sounds simple to solve, the shift to hybrid working has made managing identity more complex.  

Complicated vs Complex Systems

To understand why – and to work out how to address it – we first need to discuss semantics and the subtle difference between complex and complicated systems.   

Complicated systems are usually (but not always) the combination of many simple systems that have been developed to solve a specific problem and deliver a consistent outcome. It’s an engineering-based approach that is predictable for the most part, with the same inputs to the system causing consistent outputs. Think of a modern passenger jet – it’s a very complicated system consisting of thousands of sub-systems, but every switch, circuit and chip is well understood and performs one or more functions that act in the same way every time unless there is a failure somewhere.

A complex system is more organic and less predictable. Think of self-driving cars trying to work out what’s happening in the environment around them and then deciding how to respond. The same inputs can have dramatically different outputs due to unpredictable variables like human behaviour, weather and the environment. These challenges can still be solved, but it takes different thinking than the engineering-led problem of designing and building a plane. 

What has all this got to do with identity and the hybrid workforce security problem? 

When we had centralised, perimeter-based security, it was complicated. We had (and still have) multiple layers of network, identity, application and data protection, but they each work relatively predictably, and organisations can use an engineering-led approach to protect their environments. It doesn’t mean they’re always successful in keeping out malicious activity, but with everyone working according to consistent rules, it’s robust. 

Yet when complicated becomes complex, things become much harder. After all, complexity is the enemy of good security, and with a hybrid workforce, cyber security quickly became complex.

That’s because we now need to think about humans as the new perimeter (View the Human Perimeter video). This means catering to the needs and activities of individuals (as opposed to groups) driven by: 

  • a change in the applications we access 
  • the location of those applications 
  • the devices we use to access those apps  
  • where and when we access those apps from  

It’s also different for different people and different teams. Marketers’ needs are very different from field engineers’ or finance, and the variables involved in understanding exactly how everyone will behave in different environments and working out what is needed across all these dimensions is a complex system. The often default approach of solving the problems with another point solution doesn’t work very well for complex systems, but in hindsight, it was all that could be done when speed and agility were required.  

The Increasing Importance of Identity 

As we mentioned earlier, one aspect of this shift to “humans as the new perimeter” is the increasing importance of identity as the first line of defence. Identity management is arguably becoming the most important layer in your defence arsenal, and it’s about more than just identifying a person or a device. We’re also talking about extending identity to all parts of your organisation – your apps, your data, your automations and your systems. These are places where system scripts and machine-to-machine communications rely on sharing robustly authenticated credentials to ensure that the requester is really allowed to have access.

This might mean using multiple tools to cater for all your requirements, and tight integration between these tools and the rest of your environment becomes critical for it to work as designed. However, if you get the identity layer right (even if it requires more than one identity solution from different vendors), then there are options for you to consolidate and simplify what exists behind your identity layer at the core of your cyber security approach. And it’s in the core where adopting single vendor approaches can have a huge payoff, with their tight integrations and centralised management bringing savings in licences, support costs and deployment.

Conclusion 

Solving the identity challenge of a hybrid workforce requires a change in thinking because as we’ve described, it has all the hallmarks of a complex system.  

What’s needed is a way to try and remove or better understand the complexity first, and that needs a more consultative, discovery-style approach such as the Identity Strategy and Roadmap service offered by Business Aspect3. A method to analyse, document, categorise and organise all the variables in the environment first so that an engineering style, advisory-led approach can then be used to provide solutions. What we’re essentially talking about is using design thinking principles for solving complex problems like these. 

Depending on the results, you may be able to simplify your environment, or it could become more complicated. You may be able to consolidate vendors and products, or you may need to add them, but complicated is still a good outcome as a complicated system can be documented and aligned to clear management processes more easily than a complex one. Especially with the help of partners like Data#3 who can manage this for you. For example, you may need a tool like Cisco Duo for one group of people but a different MFA tool for others. Whatever the outcome, Data#3 can provide the skilled support to help you design and implement these solutions. 

There is no one-size-fits-all identity solution though and the idea of “best-of-breed” has also become less relevant. Instead, we think in terms of fit for purpose. If you’re dealing with humans as your new perimeter, then you need to understand your requirements in detail, and they will likely be different from any other environment, even if that’s just in small ways. Once you understand, you can then design and build the right solution.  

Data#3’s dedicated cyber security practice can help with services like our Cisco Duo Proof of Value engagement or a free Cisco Duo software trial. For more information visit www.data3.com/cisco/security or contact us today.