There's an old business trope.
Good. Fast. Cheap.
It's why sufficiency and "good enough" are essential to business conversations about IT and cybersecurity.
I recently thought about this trope when implementing a secure access project. Because, at its core, secure access has three competing priorities.
What is Secure Access?
To secure access into modern business infrastructures, one needs to answer two fundamental questions:
- Who has access to the data?
- From where?
The first question is a solved problem: use a directory such as Google Workspace or Microsoft Entra ID, together with multi-factor authentication.
But the "From where?" is a trickier question, especially when using cloud services.
On the surface - the question is about locations. Remote or office-based working?
But there's depth to this question.
It also covers what types of devices can access the data - for example, phones, tablets or laptops.
And - who owns the device. Is it a company-owned and managed device or a personal device?
The combinations of these details increase rapidly. And all combinations need to be considered to provide secure access.
This means the context of the access request is crucial.
Finally - for each device type working in an approved context - you must know that your minimum security standards are met.
Does the device use a firewall, antivirus and so on? Are the security patches up to date?
For business-owned devices, the answer is simple. Use a device management platform to gather the crucial details to help in context-based access decisions.
A similar approach can be used for personal devices.
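To make the idea concrete, here is an added sketch (not code from this post or from any product) of a context-based access decision: every device type, owner and location combination gets an explicit decision, anything not yet reviewed is denied, and an approved context must still meet the minimum security standards. The policy entries, the 30-day patch limit and all names are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from itertools import product

# All values below are constructed for illustration.
DEVICE_TYPES = ("phone", "tablet", "laptop")
OWNERS = ("company", "personal")
LOCATIONS = ("office", "remote")
MAX_PATCH_AGE_DAYS = 30  # assumed minimum standard

# Explicit decision per (device type, owner, location) context.
POLICY = {
    ("laptop", "company", "office"): "allow",
    ("laptop", "company", "remote"): "allow",
    ("phone", "company", "remote"): "allow",
    ("phone", "personal", "remote"): "allow",
    ("laptop", "personal", "remote"): "deny",
}

@dataclass(frozen=True)
class AccessRequest:
    identity_verified: bool  # directory sign-in plus MFA succeeded
    device_type: str
    owner: str
    location: str
    firewall_on: bool
    antivirus_on: bool
    last_patched: date

def unreviewed_contexts():
    """Combinations nobody has made a decision about yet."""
    return [c for c in product(DEVICE_TYPES, OWNERS, LOCATIONS) if c not in POLICY]

def decide(req, today):
    """Return 'allow' or 'deny: <reason>'; unknown contexts are denied."""
    if not req.identity_verified:
        return "deny: identity not verified"
    context = (req.device_type, req.owner, req.location)
    if POLICY.get(context) != "allow":
        return "deny: context not approved"
    failures = []
    if not req.firewall_on:
        failures.append("firewall off")
    if not req.antivirus_on:
        failures.append("antivirus off")
    if (today - req.last_patched).days > MAX_PATCH_AGE_DAYS:
        failures.append("patches out of date")
    return "deny: " + ", ".join(failures) if failures else "allow"
```

With only three device types, two owners and two locations there are already twelve contexts, and `unreviewed_contexts()` lists the ones the policy has not yet covered.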
The Secure Access Trinity
This leads to the Secure Access Trinity: the three competing priorities at the core of secure access.
- Context-based access decisions
- Device management
Next, I'll discuss whether it is possible to meet the business need to address all three.
Or if we are forced into an uncomfortable choice of picking only two.