
Policy-driven authorization and the quest for a better remote work experience

Remote work is here to stay. This means organizations need to offer a better remote work experience that is both frictionless and secure.

Remote work is here to stay. While there are varying degrees of remote work, there is no argument that a significant percentage of knowledge workers now work remotely compared to before 2020. The share of the American workforce working from home more than tripled from 2019 to 2021, according to recent reports from the U.S. Census Bureau. This means that organizations offering a better remote work experience that is both frictionless and secure have a competitive advantage when it comes to attracting and retaining top talent.

Experience versus security and the burden on users

A remote workforce means the physical perimeter is gone, so you must put a perimeter around your workers and their identities. A common approach is a static model, which focuses on authentication as the digital perimeter.

While authentication is a critical element of access control, using only authentication usually creates an imbalance between security and user experience. For instance, for a static model to be secure, policies must re-authenticate users constantly throughout multiple sessions in the application, which creates significant friction and leads to frustration.

Shifting from a static model to a dynamic one powered by policy-driven authorization seamlessly shifts the burden of security from the user to the application. It is a successful approach in part because it is session-based: if the signals suggest increased risk in the access event, that may justify introducing some friction, such as re-authentication, as a means to mitigate risk. Because the model is dynamic, re-authentication (potentially an element of friction to the user) is introduced only as needed and is not the status quo, as it is in a static approach.

This distinction matters because the ability to discern access risk lets organizations securely share more sensitive information assets. The following example illustrates this point.

Let’s pretend a user is working remotely and needs to access sensitive customer information from home. The information is sitting in a cloud application without a VPN as this organization is shifting to a cloud-first world.

In this instance, the organization can either choose to deny access altogether or, knowing the user is not working from the company network, adjust its authorization policies to reflect the level of risk its security team is comfortable with. Perhaps at the office, this user is allowed to download customer information, but from home they can only view customer information.

A user has read-only access at home, whereas they have full access at work.

By adopting a policy-driven authorization strategy, employees can access information based on policies put in place by the organization to ensure the right people get the right access under specific conditions.
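The home-versus-office scenario above, together with the risk-triggered re-authentication described earlier, can be sketched as a small policy decision function. This is an added example, not Axiomatics code or policy language; the role name, attribute names, and risk threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    PERMIT = "permit"
    DENY = "deny"
    STEP_UP = "step_up"  # permit only after the user re-authenticates


@dataclass(frozen=True)
class AccessRequest:
    role: str                     # subject attribute (hypothetical role names)
    action: str                   # "view" or "download"
    classification: str           # resource sensitivity label
    network: str                  # "corporate" or "remote"
    risk_score: float             # 0.0 (low) to 1.0 (high), from session signals
    recently_authenticated: bool  # True once a step-up has been completed


RISK_THRESHOLD = 0.7  # assumed cut-off; a real deployment tunes this

# Actions the policy allows on customer data, per network context.
ALLOWED_ACTIONS = {
    "corporate": {"view", "download"},
    "remote": {"view"},  # read-only away from the company network
}


def decide(req: AccessRequest) -> Decision:
    """Evaluate one access event; anything not explicitly allowed is denied."""
    if req.role != "account_manager" or req.classification != "customer_data":
        return Decision.DENY
    # Unknown network contexts get an empty set, so they are denied too.
    if req.action not in ALLOWED_ACTIONS.get(req.network, set()):
        return Decision.DENY
    # Friction is added only when the session signals warrant it.
    if req.risk_score >= RISK_THRESHOLD and not req.recently_authenticated:
        return Decision.STEP_UP
    return Decision.PERMIT


if __name__ == "__main__":
    home_download = AccessRequest("account_manager", "download",
                                  "customer_data", "remote", 0.1, False)
    print(decide(home_download))  # denied: download is office-only
```

The function is evaluated per access event rather than once at login, so the same user can receive different decisions within one session as the network or risk attributes change.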

Zero Trust to create trust… ironic right?

The removal of a physical office perimeter when working from home immediately shines a light on the need for Zero Trust. While the movement to “never trust, always verify” is absolutely the shift identity and security strategies must make, at some point when people (or machines) eventually get access they are trusted for a period of time. The question becomes… how long should that trust be granted?

That decision can be made significantly easier by adopting a policy-driven authorization strategy that continuously evaluates access decisions during every session, whether you are an administrator or a knowledge worker.

A Zero Trust framework also helps enterprises keep up with evolving global regulations, as many of them focus on identity and access management as well as Zero Trust. These regulations will continue to evolve as organizations face an ever-increasing number of cyber threats and attacks focused on compromising user identities.

Policy-driven authorization and the future of work go together like PB&J

The future of work for a global and remote workforce is inevitably tied to the adoption of policy-driven authorization as it combines a Zero Trust framework.

Request a demo today with one of our solution experts to see why some of the world’s biggest organizations continue to work with Axiomatics to enable collaboration and ensure compliance in an ever-changing threat landscape.

About the author

As the chief product officer for Axiomatics, Mark is responsible for shaping the company’s innovation and product strategies. Mark has more than ten years of experience across product management, product marketing and business development, with companies including e-Share, Titus and Accenture.