James Thew - Fotolia
Businesses under pressure to allow easier access to cloud
Businesses are under pressure from employees to use consumer-focused authentication methods for cloud applications, but that could have both positive and negative security implications, warns Gemalto
Nearly two-thirds of IT leaders admit their security teams are considering implementing consumer-grade access to cloud service for employees, a study has revealed.
This is as a result of the proliferation of cloud applications and the use of a disparate range of devices in businesses, according to Gemalto’s 2018 identity and access management index.
The poll of more than 1,000 IT decision makers globally revealed that the majority (54%) believe that the authentication methods they implement in their businesses are not as good as those found on popular sites including Amazon and Facebook, but only 44% of UK IT leaders agree.
With a growing number of cloud apps in use, more employees working remotely and pressure mounting to make authentication stronger while ensuring ease of use, IT decision makers are keen to “consumerise” the log-in process.
In fact, 70% of IT professionals believe that authentication methods applied in the consumer world can be applied to secure access to enterprise resources, but again, only 54% of UK respondents believe that consumer authentication could be applied in the workplace.
Despite the general belief that consumer authentication could be applied in the workplace, 92% of global IT leaders express concern about employees reusing personal credentials for work. This comes as 61% admit that they are still not implementing two-factor authentication to allow access to their network, potentially leaving themselves vulnerable to cyber criminals.
In the UK, 76% of businesses expect to increase their use of two-factor authentication within 2 years, up from 66% in 2016. But, on average, only 39% of staff in UK organisations are using two-factor authentication, which – although up from 30% in 2016 – is below the global average.
Out of the UK firms using two-factor authentication, only 33% of staff are required to use it, meaning that businesses are only using the solution when it is absolutely required, and not proactively deploying it.
Finding the balance between user experience and security
Despite the concerns around employees reusing credentials, the study indicates that there is increasing recognition that new approaches to cloud access can contribute to alleviating these issues.
Some 62% of global respondents said cloud access management tools can help simplify the log-in process for users, while 72% stated that a strong consideration for implementing a cloud-access system is the desire to reduce the threat of large-scale breaches.
The fact that 61% of respondents also stated that inefficient cloud identity management would be a key factor in adopting a cloud access management system shows that scalability and management overheads are of high concern to IT professionals.
“These findings clearly show that IT managers are struggling to balance the need for a simple and easy log-in experience with security,” said Francois Lasnier, senior vice-president of identity and access management at Gemalto.
“While there is a need to make things easier for employees, there is a fine line to be walked. IT and business line managers would do best to figure out the risks and sensitivities associated with the various applications used in their organisations and then use access management policies to manage risk and apply the appropriate authentication method,” said Lasnier.
“In this way, they can ensure a convenient log-in experience for their users, while still maintaining access security.”
With the growth in remote working, the cloud and secure access to applications have become important for organisations. As a result, almost all (94%) respondents believe that cloud access management is integral to adopting cloud applications.
In fact, nine in 10 also feel that ineffective cloud access management can lead to issues for their company, such as security (52%), IT staff’s time being used less efficiently (39%) and increased operational overheads and IT costs (38%). Despite this focus on protecting cloud applications, just three of the 27 cloud apps used on average by organisations are protected with two-factor authentication.
Read more about two-factor authentication
- What knowledge factors qualify for true two-factor authentication?
- How to set up two-factor authentication for enterprise users.
- Facebook ups security with Fido U2F two-factor authentication.
- Why mobile two-factor authentication is better than biometrics.
“The rapid increase of cloud apps has brought organisations lots of benefits, but also caused a high degree of fragmentation in their ability to manage access security across numerous cloud and on-premise applications,” said Lasnier.
“Without effective access management tools in place, this is liable to lead to higher risk of breach, a lack of visibility into access events, regulatory oversight, and hamper organisations’ ability to scale in the cloud,” he said.
Commenting on the poor adoption of two-factor authentication among UK businesses, Joe Pindar, director of product strategy at Gemalto, said it is clear that UK businesses want to make it more convenient for employees to access corporate resources, but many are simply failing to implement the necessary security systems to keep themselves safe from malicious hackers.
“This is emphasised by the slow adoption of protection such as two-factor authentication – although adoption is increasing and the majority plan to introduce this in the next two years, talk is cheap and not enough is being done quickly enough.
“With GDPR [EU General Data Protection Regulation] just over two months away, organisations need to move faster. IT and business leaders in the UK must quickly identify the risks associated with any applications used in their organisation, and secure their most sensitive data.
“If they lack the expertise to do this, they must look to employ a third party to assist this process. Simply doing nothing is not an option for businesses any longer and actions speak louder than words,” he said.