In this ESG360 Video, ESG's Mark Bowker and Jon Oltsik discuss employees coming into the business environment with personal devices, the question of corporate vs. personal identity, and how businesses are dealing with this issue.
Read the related ESG Blog: How Is Identity and Access Management (IAM) Changing (Video)
Mark: I'm back here together with Jon Oltsik, and the topic today is really identity and access management, Jon. The big one, the scenario that I see, is people coming into work or business environment with their personal devices. And there's a question of identity. Am I using my corporate identity, am I using a personal identity, and how are businesses dealing with Mark Bowker's identity to give me secure access to apps and devices? Do you see this as a challenge amongst the CISOs and other security professionals you talk to?
Jon: Yeah. It's a huge challenge and there's no easy answer. I mean, historically, that was a corporate device and there was corporate control and there were mandates. You can't do that. And a lot of companies…there are few companies that still do that, but mostly, that isn't true. And so, now, how do I as a CISO adapt to an environment where I don't control the device, where there are multiple types of devices, and yet, I still have to provide equal or better security than in the past. So it's difficult.
Mark: Yeah. And the interesting thing too is even applications, right? They aren't all installed on the local machine or installed in the data center. There's applications that are cloud delivered, there's applications that are mobile delivered. And now I've gotta provide policy and access, and even things as simple as single sign-on are important for organizations.
Jon: Yeah. Again, it's more difficult because you lack the control. So, things like policy are really important, things like monitoring are really important. We're seeing much more of a move toward multi-factor authentication because managing passwords…user IDs and passwords, forget the fact that they're insecure, but just managing the number of them and the combination just doesn't work.
Mark: Now, so if I roll back to the days I was in IT, even using things like Active Directory, right? It was really username and password place where we'd set that, but, you know, managing that, I'm still not seeing people even take full advantage of what it can do. So they may have expired passwords, right? But there's a lot of more policies they could be setting, even just within Active Directory, that people really aren't taking full advantage of.
Jon: Yeah. I think for years, Microsoft was very good at enhancing Active Directory, making it easy to use, but I don't think they did a good job of teaching people how to use it effectively. So, they're catching up now and there are lots of good features for security. There's a lot of integration with Active Directory, but historically, it was sort of used in a basic way.
Mark: Agree. Totally agree. So you'll see more from Jon and I on this exact topic. We've got some research in the field right now, so stay tuned. And Jon and I will take the time to read out some of the findings and see if we can discover or dig further into some of these answers.
Jon: Sounds good.