Enforcement vs. Enrollment-based Security: How to Balance Security and Employee Trust
Challenges with an enforcement-based approach
An enforcement-based approach to security begins with a security policy backed by security controls, often heavy-handed and designed to prevent employees from engaging in risky behavior or inadvertently expanding the potential attack surface of an organization.
Most organizations exclusively use enforcement-based security controls, usually carried out at the network level with a Cloud Access Security Broker (CASB) or a Security Services Edge (SSE). CASBs secure data between on-premises and cloud architectures, validate authorization rules, and access controls against the company’s security policy. Some organizations also use CASBs to block SaaS applications, but like SSEs, CASBs only support some applications.
The applications these tools don’t support are often the riskiest because they don’t meet common industry and security standards, including SAML for authentication and SCIM for user management. At Cerby, these are called “unmanageable applications,” and according to their research, 61% of SaaS applications are unmanageable. Unmanageable applications are popular, and in a post-COVID world, the rate at which employees buy and deploy them has reached a new height.
Pre-COVID, IT departments were primarily responsible for purchasing and deploying organization-wide applications. The shift to remote work empowered employees across organizations to select their own tools. At the same time, rapid digitization gave them an ever widening selection of tools to choose from, causing a surge in unmanageable applications.
The average user doesn’t typically think about security first. Most people tend to assume applications are secure, and some might not care about security at all. Most users care about user-friendly features, design aesthetics, and convenience. To meet these changing requirements, application vendors altered their product roadmaps; for many of them, security was no longer a top priority.
Whether employees know it or not, unmanageable applications can negatively affect an organization’s security and often create more work for technology teams. Someone has to monitor for unmanageable applications, manually enable features like two-factor authentication (2FA), and enforce strong passwords.
To remove the burden, many organizations block or ban unmanageable applications.
It’s entirely understandable why organizations take this approach – it’s a quick and consistent way to address an immediate and concerning problem. However, as a long-term, comprehensive solution, a purely enforcement-based system isn’t sustainable or realistic in practice.
Employees like choosing their work applications, and 92% of employees and managers want complete control over application choice. This behavioral change creates some unexpected challenges for organizations with an enforcement-based approach.
For instance, many employees using banned or blocked applications also attempt to manage access manually, even when they’re ill-equipped. According to our research, employees and managers are making access management up as they go, creating risk and exposure for organizations at every point of interaction.
So, what’s the solution? A more practical and forward-facing posture that balances employee application choice and employer priorities such as security and compliance.
Benefits of enrollment-based approach
An enrollment-based cybersecurity approach empowers employees to have more freedom and individual autonomy and choice, and thereby engages them to participate in enterprise-wide security and compliance efforts actively. Unlike enforcement-based systems, an enrollment-based approach enables employees to choose the applications they want to use for work.
Cerby came into existence due to the previously unmet need for a solution that balances enforcement and enrollment and enables security and autonomy to liv in peaceful coexistence. Creating this balance is the best answer for both organizations and employees. Employees should be able to choose their applications, and employers shouldn’t worry about security.
When employees understand that application choice comes with responsibility, and the right tools are readily available to make this happen, security becomes everyone’s concern. When self-enrolling and registering applications are accessible, the same employees who resent policies on application choice will willingly get on board with easier and strengthened security with the benefit ofcompliance as well.
Check out this report to take a deeper dive into how you can empower your employees with the freedom to use their favorite applications while easily keeping them secure with Cerby.