The rise of the mobile-first workplace: How to verify a moving target


The mobility trend is reaching new heights, and today’s workforce works much differently than it did even ten years ago. Working from home has more than doubled among workers who are not self-employed since 2005, according to recent data from the Census Bureau. Mobile devices have proliferated in the workplace, flexible remote work policies are on the rise, and companies are trying to appeal to the work styles of millennial and Generation Z workers. It’s a fact – we’re an increasingly mobile workforce.

In years past, binding to an Active Directory (AD) domain was a good way to solve authentication issues, and it was something I heavily encouraged during my time at Apple many years ago. AD works well for organisations where all employees come to an office and log into the corporate network – but this isn’t an accurate portrayal of many employers’ workforces today. With AD or Lightweight Directory Access Protocol (LDAP), users are forced to take the old-school approach of being on an organisation’s local area network (LAN) or using a virtual private network (VPN) to connect to internal resources, which provides a sub-optimal user experience. If you’re using the Active Directory plugin, users can only change their passwords when AD is reachable — which often causes both confusion and costly help desk tickets.

Over the last few years I’ve come across more and more end users who only use the organisational VPN when they have to change their AD password. Everything else that they need to do their jobs is cloud-based and does not require a connection to a particular network.

Empowering and protecting today’s workforce requires new approaches to security so employees can access the applications and data they need, from any location, without sacrificing security or performance. So how should an IT department’s approach to identity and security shift, and how do you get all stakeholders on board with this new approach?

Enter cloud identity! There is a way to be more secure, not require VPN connectivity, and make password changes easier for your users. The approach to identity and security has to evolve – which is where cloud identity providers come in. Cloud identity allows IT to centrally and remotely manage users, groups, passwords and access to corporate applications and cloud resources. Providers such as Microsoft, Google, Okta, IBM and OneLogin, together with standards such as Security Assertion Markup Language (SAML) and Open Authorisation (OAuth), are offering a path to making this evolution a reality.

But shifting from AD or LDAP to cloud identity requires getting all the appropriate stakeholders on board. When looking to sell your team and leadership on this shift, start with the points below.

  • “Let’s stop wasting IT resources.” When employees work remotely, they are not automatically on a company network. For companies that bind to AD, this can create password issues. Gartner has reported that up to 40 per cent of an IT help desk’s volume is password resets, and many of these resets come from remote workers who have lost their password. As you know, every help ticket costs money, so companies could be wasting thousands of dollars on password resets alone. With cloud identity, IT can remotely manage passwords and allow users to connect on the go without hassle.
  • “Let’s protect our company from security incidents.” It’s very hard to implement multi-factor authentication, or even to think about increasing your security through methods like device trust, while using AD, LDAP and Kerberos as your primary means of user authentication. iPass published a report showing that the biggest threat to company data security is the mobile workforce. In fact, 57 per cent of global CIOs and IT decision makers suspect that their mobile workers have been compromised or caused a mobile security issue in the past year.
  • “Let’s secure and streamline the enrolment process.” Pick a partner that uses modern authentication to verify that the right user is on the device before proprietary company information is deployed to it, lets you create local accounts based on a cloud identity provider, and supports the identity provider’s multi-factor methods at the login window.
  • “Let’s leverage cloud identity everywhere possible.” Use cloud services that allow for cloud identity authentication methods instead of AD and LDAP. Sometimes, this means that you have to pay for a higher tier of service. However, you will be able to use multi-factor and much more complex security policies – and can anyone put a price on peace of mind?

As you move down this path, keep a few things in mind.

  • This is a good time to revisit your basic password policies. With multi-factor becoming more ubiquitous, think about lengthening, or even eliminating, any password expiration policies that you have. Even Microsoft is suggesting doing this.
  • Use adaptive security policies to make life as easy as possible for your users. Keep users secure, but not annoyed, by using known networks and other signals so that users are not required to enter passwords as often. For an even better approach, look at password-less authentication or multi-factor step-up instead of requiring the same password over and over again.
  • Move as many systems and services as possible to use your cloud identity. This keeps things simpler for your users and gives you the ability to immediately expire passwords and disable users if required. Plus, you’ll get centralised logging of authentication events.
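The adaptive-policy and centralised-logging points above can be made concrete with a small policy evaluator. The Python below is an added illustration, not code from the article or from any Jamf or JumpCloud product: it decides whether a sign-in can proceed silently, needs a multi-factor step-up, or must be denied, based on the signals the list mentions (known network, device trust, how recently the user last completed MFA, how sensitive the requested resource is), and writes every decision and MFA result to one central event log that can then be queried for repeated MFA failures. The network ranges, the eight-hour MFA freshness window, the failure threshold and all names such as `evaluate_signin` and `AuthEvent` are assumptions chosen for the example; a real identity provider exposes its own policy model.

```python
"""Adaptive sign-in policy with a central authentication-event log (added example)."""
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed "known networks" (e.g. office LAN and VPN pool); these are assumptions.
KNOWN_NETWORKS = [ip_network("10.20.0.0/16"), ip_network("192.0.2.0/24")]
# How long a successful MFA keeps a session from being re-prompted (assumed value).
MFA_FRESHNESS = timedelta(hours=8)


@dataclass
class SignInContext:
    user: str
    source_ip: str
    device_trusted: bool            # device enrolled and attested by the IdP/MDM
    last_mfa_at: Optional[datetime]  # last successful MFA, None if never
    resource_sensitivity: str       # "low" or "high"
    now: datetime


@dataclass
class AuthEvent:
    time: str
    user: str
    source_ip: str
    outcome: str          # allow | step_up_mfa | deny | mfa_success | mfa_failure
    reasons: List[str]


AUTH_LOG: List[AuthEvent] = []   # stands in for the provider's centralised log


def on_known_network(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in KNOWN_NETWORKS)


def evaluate_signin(ctx: SignInContext) -> str:
    """Return 'allow', 'step_up_mfa' or 'deny', and record the decision."""
    reasons: List[str] = []
    known = on_known_network(ctx.source_ip)
    mfa_fresh = (ctx.last_mfa_at is not None
                 and ctx.now - ctx.last_mfa_at <= MFA_FRESHNESS)
    if ctx.resource_sensitivity == "high" and not ctx.device_trusted:
        decision = "deny"
        reasons.append("untrusted device requesting high-sensitivity resource")
    elif known and ctx.device_trusted and mfa_fresh:
        decision = "allow"   # silent sign-in: no password or MFA re-prompt
        reasons.append("known network, trusted device, recent MFA")
    else:
        decision = "step_up_mfa"   # ask for a second factor, not the password again
        if not known:
            reasons.append("unknown network")
        if not ctx.device_trusted:
            reasons.append("untrusted device")
        if not mfa_fresh:
            reasons.append("no MFA within freshness window")
    AUTH_LOG.append(AuthEvent(ctx.now.isoformat(), ctx.user, ctx.source_ip,
                              decision, reasons))
    return decision


def record_mfa_result(user: str, source_ip: str, success: bool, now: datetime) -> None:
    outcome = "mfa_success" if success else "mfa_failure"
    AUTH_LOG.append(AuthEvent(now.isoformat(), user, source_ip, outcome, []))


def users_with_repeated_mfa_failures(events: List[AuthEvent], now: datetime,
                                     window: timedelta = timedelta(minutes=15),
                                     threshold: int = 3) -> Dict[str, int]:
    """Simple detection over the central log: users failing MFA repeatedly."""
    counts: Dict[str, int] = {}
    for e in events:
        if e.outcome != "mfa_failure":
            continue
        if now - datetime.fromisoformat(e.time) <= window:
            counts[e.user] = counts.get(e.user, 0) + 1
    return {u: c for u, c in counts.items() if c >= threshold}


def export_log_jsonl(events: List[AuthEvent]) -> str:
    """Serialise the log as JSON lines for shipping to a SIEM."""
    return "\n".join(json.dumps(asdict(e)) for e in events)


def demo():
    """Constructed scenario: three sign-ins and a burst of MFA failures."""
    AUTH_LOG.clear()
    now = datetime(2019, 6, 3, 9, 0, tzinfo=timezone.utc)
    recent_mfa = now - timedelta(hours=1)
    decisions = [
        evaluate_signin(SignInContext("alice", "10.20.4.7", True, recent_mfa, "low", now)),
        evaluate_signin(SignInContext("alice", "203.0.113.9", True, recent_mfa, "low", now)),
        evaluate_signin(SignInContext("bob", "10.20.4.8", False, None, "high", now)),
    ]
    for i in range(3):
        record_mfa_result("carol", "198.51.100.5", False, now + timedelta(minutes=i))
    flagged = users_with_repeated_mfa_failures(AUTH_LOG, now + timedelta(minutes=3))
    return decisions, flagged


if __name__ == "__main__":
    d, f = demo()
    print("decisions:", d, "flagged:", f)
    print(export_log_jsonl(AUTH_LOG))
```

Running `demo()` yields `allow` for the on-network, trusted, recently-verified sign-in, `step_up_mfa` when the same user arrives from an unknown address, and `deny` for an untrusted device asking for a high-sensitivity resource; the three MFA failures for the constructed user show up in the central log query, which is the kind of signal you only get once authentication is consolidated in one place.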

Today’s hiring environment is tight. Employers want to be on trend in order to acquire top talent, but also want to make sure they are protecting themselves and their data. It’s time for organisations to recognise their new workforce’s needs and make their environment more secure – all while cutting down on the number of password-related IT support tickets.

Joel Rennich, director of Jamf Connect, Jamf


Joel Rennich, Head of Device Identity, JumpCloud.