Jim Ducharme, Vice President of Identity Products, RSA Security
Take a look at the year so far in business and technology; so much seems to have happened in a flash. Business executives and their teams have gone from commuting to the office to working from home. Gig workers are signing up in higher numbers than ever to deliver packages and people everywhere they need to go. We’re all relying almost entirely on apps and websites for much of what we do in our daily lives – ordering food, catching the latest movies, even seeing the doctor. These changes in how we work and live have consequential implications for cybersecurity in general, and identity and authentication in particular.
When so much happens virtually, gaining confidence in the identity of anyone seeking to access information or transact business becomes both more challenging and more critical than ever. The implications are even more consequential when you consider that these changes may not really be as sudden as they seem, nor as short-lived as we may have initially assumed. Instead, they are the continuation of fundamental trends that were already underway but are now unfolding at an unprecedented pace.
One example of change that’s both ongoing and disruptive, and that requires us to rethink how we establish trust in identities, is today’s workforce. We’re living in a time when both the “who” and the “where” of the workforce are simultaneously transforming in ways that impact authentication and security. Even before recent global events, remote work and temporary work were already beginning to redefine the workforce for many organizations. In the RSA Digital Risk Report published at the beginning of 2020, dynamic workforce risk was consistently among the top three concerns in the future for organizations undergoing digital transformation. Workforce transformation as a part of digital transformation already existed at the time of the RSA study – just not yet at the scale or speed at which it continues now.
World events that transpired after the RSA study was published have increased the urgency of security concerns stemming from workforce changes. One RSA customer, a major financial and insurance services firm, enabled around 7,000 employees, mostly claims adjusters, to work from home over a single weekend. The implications for secure authentication were immediate. When an adjuster is working from home, instead of within the secure perimeter of the office network, how do you know with certainty that it’s really the adjuster signing on to the network every morning? And once you realize you can indeed establish that knowledge using modern identity technology, and everything is working smoothly, the questions become larger. If all those people are authenticating securely from remote locations, do you really need them all to eventually return to that costly Manhattan office building? No? Well, then, do you really need all those claims adjusters to live and work in Manhattan? Could you hire more adjusters in other cities, attract more talent, and build a more diverse workforce?
Considering the transformative potential of a remote workforce, it’s essential to keep in mind the principal security challenge of a remote workforce: the complete disruption of the model for establishing trusted relationships. Think about the ritual of a new claims adjuster starting a job onsite, presenting credentials like a driver’s license and a W-4 form, and getting a good-luck handshake from her manager. It’s irrelevant in a remote world, both as an onboarding process and as a way to begin to build trust between the organization and the people who work there (or literally not there, as the case may be). What do credentials mean, and how is trust built in a world where trust is traditionally built on personal presence and in-person relationships?
The question of trust is amplified by the gig economy, where people are both off-site and short-term. How much trust do you need in someone whose access to customers and their information is limited to dropping packages off at their front door? What credentials are needed to establish that trust? And how is it different from the trust required in someone who’s carrying not packages, but customers? Or someone who is processing customers’ financial transactions? And is it different if they’re processing them at home instead of in the already IT-secured office?
Adapting to change is part and parcel of managing identities and access, and this time in history is no different. It’s just happening faster and on a greater scale than we’re accustomed to. Today’s changes will continue to raise many questions. It’s not essential, or even expected, that we have all the answers right away. The most important thing is to be aware of the nature of change and know that it’s going to affect how we build trust to secure critical data and resources.