Difficulties with an enforcement-based strategy
An enforcement-based approach to security begins with a security policy supported by security controls, which are frequently stringent and designed to prevent employees from engaging in risky behavior or inadvertently increasing an organization’s potential attack surface.
Most organizations rely solely on enforcement-based security controls, which are typically implemented at the network level with a Cloud Access Security Broker (CASB) or a Security Service Edge (SSE). CASBs protect data moving between on-premises and cloud architectures by validating authorization rules and access controls against the organization’s security policy. Like SSEs, CASBs are used by some organizations to block SaaS applications; however, CASBs only support a subset of applications.
The applications that these tools do not support are frequently the most dangerous, because they do not comply with common industry and security standards, such as SAML for single sign-on and SCIM for automated user provisioning and deprovisioning. Cerby refers to these as “unmanageable applications,” and Cerby’s research indicates that 61% of SaaS applications are unmanageable. In the post-COVID era, the rate at which employees acquire and deploy unmanageable applications has reached a new high.
Prior to COVID, IT departments were responsible for acquiring and deploying enterprise-wide applications. The transition to remote work enabled workers across organizations to choose their own tools. At the same time, rapid digitization gave them an ever-expanding selection of tools to choose from, resulting in an increase in unmanageable applications.
The average user typically does not prioritize security. Most people assume that applications are secure, and some may not care at all about security. The majority of users prioritize usability, aesthetics, and convenience. To accommodate these shifting demands, application vendors modified their product roadmaps; for many, security was no longer a top priority.
Whether or not employees are aware of it, unmanageable applications can have a negative impact on a company’s security and frequently increase the workload of technology teams. Someone is required to monitor for unmanageable applications, manually enable features such as two-factor authentication (2FA), and enforce the use of strong passwords.
Many organizations block or prohibit unmanageable applications to alleviate the burden.
It’s completely understandable why organizations take this approach; it’s a quick and dependable method for addressing an urgent and concerning issue. However, as a long-term, comprehensive solution, a system based solely on enforcement is neither sustainable nor practical.
Employees enjoy selecting their work applications, and 92% of employees and managers desire full control over application selection. This change in behavior presents unanticipated difficulties for organizations with an enforcement-based approach.
For instance, many employees who use banned or blocked applications also attempt to manage access to them manually, without the tooling or training to do so. According to our research, employees and managers make access management decisions on the fly, exposing organizations to risk at every interaction point.
So, what is the remedy? A more pragmatic and proactive stance that strikes a balance between employee application selection and employer priorities such as security and compliance.
Advantages of an enrollment-based strategy
Enrollment-based cybersecurity empowers employees with greater freedom, autonomy, and choice, thereby enlisting their active participation in enterprise-wide security and compliance efforts. A system based on enrollment, as opposed to one based on enforcement, allows employees to select the applications they wish to use for work.
Cerby was created in response to an unmet need for a solution that strikes a balance between enforcement and enrollment and enables security and autonomy to coexist. Creating this equilibrium is the optimal solution for both employers and employees: employers should not have to worry about the security of employee-selected applications, and employees should not have to give up the tools they prefer.
When employees recognize that application selection entails responsibility, and the appropriate tools are readily available, security becomes everyone’s concern. When self-enrollment and application registration are available, the same employees who resent restrictive policies on application selection will gladly support easier enrollment and stronger security for the sake of compliance.
This report delves deeper into how you can provide your employees with the freedom to use their preferred applications while easily securing them with Cerby.