In identity and access management, security and productivity are classically framed as being in tension—that “age-old battle” of securing access to sensitive resources on the one hand and streamlining employees’ ability to get access to those resources on the other.
But one of the more intriguing takeaways from ConductorOne’s 2024 Identity Security Outlook Report—a survey of over 500 US-based IT security leaders about their identity security challenges and priorities—is that the most secure companies today tend to be those who treat security and productivity as mutually beneficial goals.
How are they getting security and productivity to play well together? By prioritizing the end user experience as an important element of their overall identity security strategy. Using modern tools and automation, they’re increasing efficiency and removing friction to make it easy and attractive for end users to take secure actions. It’s security by default: a win for both security and productivity.
What the data shows
The majority (77%) of security leaders surveyed for the Identity Security Outlook Report (ISOR) said there had been instances of cyberattack or data breach at their organization in the last year due to improper access or overprivileged users. So it’s no surprise that “reducing risk” was respondents’ top priority (55%) for identity and access management (IAM) in the coming year. But risk reduction came in only slightly ahead of “improving team productivity” (50%) and “improving user experience” (46%). As ever, both security and productivity are top concerns for teams.
Nearly half (47%) of respondents also reported that their company’s identity security strategy and access policies currently hinder employee productivity. This data tracks with traditional approaches to identity security; IAM safeguards have long been considered counteractive to productivity. Employees consider layers of passwords, multifactor authentication, and other access protocols frustrating hoops they have to jump through to get the access they need to perform their jobs—a persistent view that’s borne out in the ISOR’s data. Respondents cited employees’ resistance to change (38%) and employees ignoring policies (30%) as two of their top challenges.
These primary statistics paint a familiar picture of the classic security-productivity relationship. But a cross-analysis of the data reveals how that relationship is evolving. Of the respondents who reported multiple instances of access-related cyberattacks or breaches in the past year, 49% also stated their access management process was highly manual and time consuming. This indicates that inefficient manual processes not only affect productivity but likely introduce errors and encourage employee behaviors that lead to greater risk.
Further, those survey respondents who did not report any instances of access-related breach or attack in the last year were far less likely (only 4%) to claim that their security policies significantly hinder productivity. This supports the idea that identity security strategies that prioritize productivity are more likely to result in employee compliance with security policies—thus reducing risk.
So there appears to be a statistical correlation between improved productivity, better user experiences, and increased security. But what does this look like in practice?
How the end user experience impacts security
The path of least resistance is, well, hard to resist. When employees can’t get the access they need, when they need it, they often find a workaround. That workaround may come in the form of shadow IT, and in particular, SaaS apps that employees log into and use without IT’s authorization. In 2022, 41% of employees were using technology outside of IT’s view, and Gartner predicts that by 2027, that percentage will rise to 75%.
It may also come in the form of shared credentials. Employees impatient to get access may resort to using a colleague’s login information, spreading account usage across multiple devices and increasing the risk of credentials being compromised.
And when it’s hard to get access in the first place, it’s hard to give it up once you have it. To maintain productivity, employees and their managers often argue to retain unnecessary access and privileges—for fear of not being able to get them back if needed.
Ben Godard, Director of Security Engineering at Spotnana, a ConductorOne customer, is all too familiar with how vulnerable companies are to the access risks these practices introduce. As a former ethical hacker, Ben has tested every possible way to get into companies’ sensitive systems: “I can only count on one hand the number of times I got in through a bug or flaw in someone’s code. By far the most common way I got in was through normal access channels. I would either get access to valid credentials or get code running on a user’s machine that allowed me to just be them.”
That first-hand experience not only convinced Ben that securing identity is mission critical for companies, but that reducing friction for end users is one of the best ways to protect identity. At Spotnana, he’s taken a secure-by-default approach to identity security, putting modern systems in place that make it quick and painless for employees to submit access requests and get approved for the access they need.
This has not only minimized the risk of employees looking for insecure workarounds to stay productive but has allowed Ben to implement stronger access controls than the company previously enforced—without pushback. Spotnana now uses just-in-time (JIT) access to reduce standing privileges for sensitive production resources. Because Ben has integrations and automation in place that make requesting and getting JIT access incredibly easy, employees are happy to give their access up when it expires.
“At the end of the day, people don’t want standing access if they don’t need it,” Ben says. “They just want the access they need to get their work done, and to not have to think about it the rest of the time.” Now, because Spotnana employees can get access when they need it, “they don’t mind giving it up. In fact, they prefer it,” says Ben.
How to improve the end user experience
There’s no one-size-fits-all approach to identity and access management, but there are common steps most organizations can take to improve end user experiences and thereby support productivity while encouraging secure behavior.
Centralizing control of all the identity and access data in a company’s environment and, as much as possible, using automation to streamline access request, approval, and provisioning/deprovisioning workflows is a great first step. Automation removes a huge burden from IT and security teams, eliminating manual ticketing bottlenecks that are so often the cause of employee frustration (while simultaneously decreasing instances of human error).
Meeting employees where they are by allowing them to self-serve request and/or approve access using tools they’re already familiar with encourages secure behavior. End users who can seamlessly perform access-related actions in tools like Slack or a CLI are more likely to follow desired security protocols, usually without even realizing it—the most convenient actions just happen to also be the most secure.
The same tactics improve identity security processes beyond requesting and approving access. User access reviews also become more efficient and effective when the user experience is intuitive and empowers reviewers to make well-informed review decisions quickly and easily.
The result is a virtuous security-productivity cycle—by prioritizing the use of modern identity security solutions that create better end user experiences, companies improve overall productivity and employee satisfaction, which in turn reduces risk, amplifying the effectiveness of those solutions. It’s win-win-win, for security teams, employees, and organizations.