Adaptive Authentication: High Security for the Organisation, Low Friction for the User
How can the security industry rise to the Authentication challenge?
As any reputable security vendor will admit, there is no silver bullet to solving the challenges of today’s evolving enterprise boundary.
With that in mind, how can the security industry rise to the challenge? Can we as security vendors provide a secure solution, without creating unnecessary user friction?
Key security considerations include:
- Where are the most likely attack points?
- Which applications are considered critical?
- Where is the data stored?
- How are access controls currently implemented?
- How can we reduce the attack vectors?
- What is the biggest breach concern for the organisation?
As the landscape within an organisation changes, the answers to these questions need to be continually challenged and reassessed.
While these lists can provide context around some of the security challenges faced by an organisation, they do not necessarily result in activity that matches the rapid pace of new and emerging security threats. The result is twofold:
- A painful user experience due to overly restrictive controls.
- No overall improvement in security: the weaknesses still exist somewhere.
If we focus on the identity as the perimeter, we can very quickly define and cover the weak points as a fundamental part of the security landscape. As an identity interacts with your organisation at whatever point, being in control of their access, in real-time, is critical.
This approach enables an organisation to:
- Increase security – Prevent unmetered lateral movement across applications.
- Reduce unnecessary friction – Provide authentication challenges when needed vs all the time.
- Increase flexibility – improve the user journey – access anywhere, from any device.
Is two-factor authentication enough?
If we look at the traditional “something you have”, “something you know” standard two-factor authentication (2FA) deployment, do we consider that to be enough? Can the authentication vendor just wash their hands post authentication?
To satisfy today’s changing enterprise landscape it’s essential to include available intelligence as part of the authentication process. As a result of the initial authentication request, contextual data can be captured including:
- Device Recognition
- Geo Location
- IP Reputation
- Group/Attribute Information
- IP Whitelists/Blacklists
This captured context is the beginning of an access history for this identity.
This information can be used in a real-time manner during subsequent authentication attempts:
- Is the device the same?
- Is the geo location the same?
- Is the IP reputation the same?
- Are the group memberships and attribute information still correct?
- Has an improbable travel event occurred? (Geo-Velocity checks)
Using this identity intelligence, it is possible to form decision points, dynamically changing the authentication process for the end user. Decision points could be:
- Step Up – A risk indicator dictates that we need to ask the user to prove themselves.
- Step Down – A risk indicator dictates that we can securely authenticate an identity using the available intelligence without requiring additional authentication checks.
- Block – A risk indicator dictates that we should block the authentication request immediately.
- Redirect – A risk indicator dictates that we should redirect the identity through a different internal workflow or to a different external site.
An organisation can now control which authentication options are presented to an end user (if any) and drive the best user journey.
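As an added illustration (not code from this post or any vendor product), the following Python policy engine turns the contextual signals and access history described above into one of the four decision points. The reputation categories, the 900 km/h geo-velocity threshold, the required group name and the sample history are all assumptions.

```python
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt

@dataclass(frozen=True)
class Attempt:
    """One authentication request plus the context captured with it."""
    ts: int                 # seconds since epoch
    device_id: str
    src_ip: str
    ip_reputation: str      # "good", "unknown" or "malicious" (assumed categories)
    lat: float
    lon: float
    groups: frozenset

def km_between(a, b):
    # Haversine great-circle distance (km) between the geo locations of two attempts
    la1, lo1, la2, lo2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def improbable_travel(prev, cur, max_kmh=900):
    # Geo-velocity check: the speed implied by two consecutive attempts is not plausible
    hours = max(cur.ts - prev.ts, 1) / 3600
    return km_between(prev, cur) / hours > max_kmh

def decide(history, cur, blocklist=frozenset(), required_group="staff"):
    """Map the access history and the current attempt to one decision point."""
    if cur.ip_reputation == "malicious" or cur.src_ip in blocklist:
        return "BLOCK"          # hard risk indicator: refuse immediately
    if required_group not in cur.groups:
        return "REDIRECT"       # attributes no longer fit: route to a different workflow
    if not history:
        return "STEP_UP"        # no access history yet, so nothing to compare against
    if cur.device_id not in {h.device_id for h in history}:
        return "STEP_UP"        # unrecognised device
    if improbable_travel(history[-1], cur):
        return "STEP_UP"        # could not have travelled this far since the last attempt
    if cur.ip_reputation != "good":
        return "STEP_UP"        # reputation differs from what the history established
    return "STEP_DOWN"          # everything matches: let the intelligence carry the login

# Constructed sample history: one identity previously seen from a laptop in London
HISTORY = [Attempt(1_700_000_000, "laptop-1", "203.0.113.10", "good",
                   51.5074, -0.1278, frozenset({"staff"}))]
```

Each check returns the first matching decision, so ordering encodes the policy: hard indicators (reputation, blocklist) are evaluated before the softer history-based comparisons.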
The initial authentication should only ever be considered as the start of the user journey. Creating a perimeter around the user’s identity allows an organisation to protect that identity as it moves laterally through applications, in turn allowing us to responsibly utilise the great advantage of single sign-on (SSO) while proving the identity throughout a day.
With the access history in place and the user authenticated, we should be able to respond to any anomaly in the identity’s attributes or behaviour as it arises, stepping up authentication or killing the session as required.
Applying behavioural biometric techniques to the identity perimeter allows the detection of hijacked sessions. Sessions can be stepped up by analysing the way an identity interacts with the keyboard and mouse within an application: keystroke sequence and flight timing, along with mouse movements, are unique to each identity and can be used as an extra layer in an identity’s security perimeter.
Using these controls we can improve the user experience, increase security and mitigate the risk of lateral movement throughout an identity’s interaction with an organisation, whether that identity is an internal or external employee, an active customer or consumer, or a third-party organisation.