NIST's work is vital. We all know that. The requirement to safeguard sensitive data while ensuring it remains accessible is critical, particularly with the constant wave of cyberattacks. Here's the question that keeps me up at night: Is this balance truly achievable? Are we, in pursuit of a marginally improved user experience, unwittingly trading away strong security?
Security Versus User Convenience?
Ryan Galluzzo at NIST stresses the importance of not sacrificing security for user experience, which is great in theory. The real world isn't a theory. It's messy. Legacy systems litter every jurisdiction's environment, and budget realities are an ever-present obstacle. As much as you tell them not to, users will click that phishing link every time.
We all agree that phishing-resistant MFA should be the baseline. It should. But let's be realistic. The bottom line is that for many enterprises, particularly smaller ones, even getting basic MFA right is a challenge. Jumping straight to the "phishing-resistant" variety? That's a huge leap. Are we just setting them up for failure by raising the bar too high, too quickly? It would be like asking someone who has trouble walking to run a marathon.
How does the move towards easier, more secure user experiences, such as passkeys and mobile wallets, play in? I get it. I do. I'm not looking for security to be fun, or even something you think about. But there's always a trade-off. The more convenient something is, the more attack surface it tends to add. Think about leaving your front door unlocked just for the pizza delivery person. That way, they can drop off your order without making you get up. Sure, it's convenient, but is it smart?
ABAC's Allure, But Is It Realistic?
Access governance is crucial, no doubt. RBAC (Role-Based Access Control) is a great starting point, but the current hype is around ABAC (Attribute-Based Access Control). The concept of dynamic, granular access decisions made on the fly, based on user attributes, transaction attributes, and resource attributes, would be amazing. It's identity security nirvana!
Let's get real. ABAC is complex. Its advocates don't seem to acknowledge that it requires a level of sophistication in IT infrastructure, as well as human expertise, that most organizations just don't have. Implementing ABAC even remotely well requires an intimate knowledge of your data, your users, and your systems. It's not a plug-and-play solution.
Think about it: are small businesses with limited resources really going to be able to implement and maintain a robust ABAC system? Or will they end up with a bad, half-baked implementation? That could do more harm than good, creating risk rather than reducing it. That's the leprechaun's gold of security: shiny and inviting, but it vanishes when you reach for it.
Cost's Impact On Security Equality?
Let's talk about money. The elephant in the room. Implementing advanced identity security measures isn't cheap. It takes investment in technology, training, and personnel.
The rising cost of rolling out these initiatives is perhaps the biggest sticking point. Are we writing the rules in a way that unintentionally creates a two-tiered, less effective system? Large organizations with enough resources can afford the best security and threat detection, which leaves smaller organizations exposed. This would drastically widen the security gap, leaving smaller businesses as low-hanging fruit for cybercriminals. It's not hyperbole; it's a likely outcome.
This isn't just a corporate problem; it's consumer harm. And it isn't a case of protecting businesses over consumers. Small businesses are responsible for sensitive consumer data: credit card information, social security numbers, personal financial data, medical records. If they can't afford to protect that data, we all lose.
Mobile Access, A Constant Marathon
I'm a marathon runner. I understand endurance and pacing, but more than anything, adaptation. Controlling mobile access can feel like training for a marathon on a shifting treadmill. The terrain is always changing, the weather is unpredictable, and you never know what obstacles you'll encounter along the way.
NIST’s guidelines must acknowledge and adapt to this fast-changing environment. Users are increasingly accessing systems from personal devices, from every corner of the globe, and during non-business hours. The context of access is constantly changing.
How do we guarantee that security policies can be applied uniformly across such a varied landscape? How do we keep out bad actors using compromised devices? How do we balance security with the need for users to reach the resources they need, when they need them, from wherever they are? It's a monumental challenge.
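To make concrete what the ABAC section above describes (decisions that combine user, resource and transaction attributes) and the mobile-access concerns here (unmanaged devices, off-hours access), this added example is a small policy evaluator that is not part of the original post or of any NIST material. The attribute names, the "fido2"/"otp" MFA labels, the working-hours window and the sample request are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed attribute records. In a real deployment the subject attributes
# would come from the IdP, the context from the device-management system and
# the request itself, and the resource attributes from a data catalogue.
@dataclass
class Subject:
    roles: set
    department: str
    mfa: str              # assumed labels: "none", "otp", or "fido2" (phishing-resistant)

@dataclass
class Resource:
    kind: str
    classification: str   # assumed levels: "internal" or "restricted"
    owner_dept: str

@dataclass
class Context:
    device_managed: bool  # True when the device is enrolled and compliant
    hour: int             # local hour of the request, 0-23

def rbac_allows(subject: Subject, resource: Resource) -> bool:
    """Role-only check: any analyst may read any resource. Nothing else is considered."""
    return "analyst" in subject.roles

def abac_decision(subject: Subject, resource: Resource, ctx: Context):
    """Layer attribute rules on top of the role check.

    Returns ("allow", None) or ("deny", reason). The reason string is what a
    defender would want in the audit log to explain why access was refused.
    """
    if not rbac_allows(subject, resource):
        return "deny", "role"
    if resource.classification == "restricted":
        if subject.department != resource.owner_dept:   # need-to-know
            return "deny", "need-to-know"
        if subject.mfa != "fido2":                      # require phishing-resistant MFA
            return "deny", "mfa-not-phishing-resistant"
        if not ctx.device_managed:                      # block unmanaged/BYOD devices
            return "deny", "unmanaged-device"
        if not 7 <= ctx.hour < 20:                      # assumed working-hours window
            return "deny", "off-hours"
    return "allow", None

if __name__ == "__main__":
    # Constructed request: a finance analyst on a personal phone at 23:00
    # asking for a restricted payroll record. RBAC says yes; ABAC says no.
    s = Subject(roles={"analyst"}, department="finance", mfa="otp")
    r = Resource(kind="payroll", classification="restricted", owner_dept="finance")
    c = Context(device_managed=False, hour=23)
    print("RBAC:", rbac_allows(s, r), "ABAC:", abac_decision(s, r, c))
```

The point of the extra attributes is exactly the complexity the post warns about: every rule needs a trustworthy source for its attribute, and a missing or stale attribute silently turns into a deny (or, if the rule is written carelessly, an allow).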
NIST's intentions are good. I believe that. But good intentions aren't enough. What we need are practical, realistic solutions that can be put into action with widespread efficacy by organizations small and large. More importantly, we need to not fall into the trap of trying to find compromise for compromise’s sake. Focusing on this path can result in a half-baked fix that leaves all parties dissatisfied. We need to be aware and actively challenge NIST as they develop their guidelines. Together, by sharing our experiences and concerns, we can and will continue to make our digital world a more secure place.