As any reputable security vendor will admit, there is no silver bullet for the security challenges of today’s evolving enterprise boundary.
With that in mind, how can the security industry rise to the challenge? Can we as security vendors provide a secure solution, without creating unnecessary user friction?
First of all, we need to evaluate the problem properly. Often this requires rethinking traditional approaches to security perimeters.
• Where are the most likely attack points?
• Which applications are considered critical?
• Where is the data stored?
• How are access controls currently implemented?
• How can we reduce the attack vectors?
• What is the biggest breach concern for the organisation?
This list can grow into quite a complex challenge. As the landscape within a company changes, the answers to those same questions need to be continually challenged and reassessed.
While such lists are important for understanding the landscape and highlighting challenges, the traditional approaches that result from them generally do not evolve at the pace of emerging threats and organisational needs. The result is generally twofold:
• a painful user experience due to overly restrictive controls
• no overall improvement in security, because the weaknesses still exist somewhere
If we focus not on the endpoint or entry points in isolation but on the identity as the perimeter, we can very quickly define and cover the weak points as a fundamental part of the security landscape. Wherever an identity interacts with your organisation, being in control of its access, in real time, is critical.
This approach enables an organisation to:
• Increase security – prevent unmetered lateral movement across applications
• Reduce unnecessary friction – present authentication challenges when needed rather than all the time
• Increase flexibility – improve the user journey: access anywhere, from any device
If we look at a traditional two-factor authentication (2FA) deployment, “something you have” plus “something you know”, do we consider that to be enough? Can the authentication vendor simply wash their hands of the user once authentication has completed?
To satisfy today’s changing enterprise landscape it is essential to include available intelligence as part of the authentication process. During the initial authentication request, contextual data can be captured, including:
• Device Recognition
• Geo Location
• IP Reputation
• Group/Attribute Information
• IP Whitelists/Blacklists
This is the beginning of an access history for this identity.
This information can be used in a real time manner during subsequent authentication attempts:
• Is the device the same?
• Is the geo location the same?
• Is the IP reputation the same?
• Are the group memberships and attribute information still correct?
• Has an improbable travel event occurred? (Geo-Velocity checks)
Using this identity intelligence, it is possible to form decision points, dynamically changing the authentication process for the end user.
Decision points could be:
• Step Up – A risk indicator dictates that we need to ask the user to prove themselves
• Step Down – A risk indicator dictates that we can securely authenticate an identity using the available intelligence without requiring additional authentication checks
• Block – A risk indicator dictates that we should block the authentication request immediately
• Redirect – A risk indicator dictates that we should redirect the identity through a different internal workflow or to a different external site
An organisation can now control which authentication options are presented to an end user (if any) and drive the best user journey.
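The following is an added illustration, not code from the original article or any vendor product: a small risk-based decision engine that compares a new authentication attempt against the stored access history (device, geo location, IP reputation, group membership) and applies a geo-velocity check, then returns one of the four decision points above. The decision labels, the 900 km/h travel threshold and the reputation categories are constructed assumptions.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
# Decision labels, the speed threshold and the reputation categories are
# constructed assumptions for this illustration, not a vendor's policy.
STEP_UP, STEP_DOWN, BLOCK, REDIRECT = "step_up", "step_down", "block", "redirect"
MAX_PLAUSIBLE_KMH = 900.0  # faster than an airliner => improbable travel

@dataclass(frozen=True)
class AccessEvent:
    ts: float            # seconds since epoch
    device_id: str       # device recognition token
    lat: float           # geo location resolved from the source IP
    lon: float
    ip: str
    ip_reputation: str   # "good" | "suspicious" | "malicious"
    groups: frozenset    # group/attribute information at request time

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in km."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def geo_velocity_kmh(prev, cur):
    """Speed implied by moving from prev to cur (the geo-velocity check)."""
    hours = (cur.ts - prev.ts) / 3600.0
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    return dist / hours if hours > 0 else (float("inf") if dist > 0 else 0.0)

def decide(history, attempt, expected_groups, ip_blocklist):
    """Map the access history plus the current attempt to one decision point."""
    if attempt.ip in ip_blocklist or attempt.ip_reputation == "malicious":
        return BLOCK, ["bad_ip"]
    if not history:  # first sighting: nothing to compare against yet
        return STEP_UP, ["no_access_history"]
    if geo_velocity_kmh(history[-1], attempt) > MAX_PLAUSIBLE_KMH:
        return BLOCK, ["improbable_travel"]
    if attempt.groups != expected_groups:  # stale attributes: route to a review workflow
        return REDIRECT, ["attribute_mismatch"]
    indicators = []
    if attempt.device_id not in {e.device_id for e in history}:
        indicators.append("new_device")
    if attempt.ip_reputation != "good":
        indicators.append("ip_reputation")
    return (STEP_UP, indicators) if indicators else (STEP_DOWN, [])

# Constructed sample history: one earlier login from London on a known laptop.
STAFF = frozenset({"staff"})
HISTORY = [AccessEvent(0.0, "laptop-1", 51.5074, -0.1278, "203.0.113.10", "good", STAFF)]
```

A same-device, same-location attempt an hour later steps down; the same credentials appearing in New York an hour after London trip the geo-velocity check and are blocked.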
The initial authentication should only ever be considered the start of the user journey. Creating a perimeter around the user’s identity allows an organisation to protect that identity as it moves laterally through applications, in turn allowing us to responsibly utilise the great advantage of single sign-on (SSO) while proving the identity throughout the day.
Now that the access history is in place and the user has been authenticated, if we become aware of anomalies around the identity we should be able to react to that identity attribution information by stepping up authentication or killing the session as required.
Applying behavioural biometric techniques to the identity perimeter allows the detection of hijacked sessions: a session can be stepped up by analysing the way an identity interacts with the keyboard and mouse within an application. Keystrokes, their sequence and flight times, along with mouse movements, are unique to each identity and can be used as an extra layer in an identity’s security perimeter.
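As an added illustration of the keystroke side of that idea (not code from the article or any product), the snippet below enrols a per-digraph profile of flight times, scores a live session against it and steps the session up when the typing rhythm no longer matches. The sample format, the 5 ms deviation floor, the 2.5 threshold and all timing values are constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed assumption: each keystroke sample is (digraph, flight_ms), the
# time in ms between releasing the first key and pressing the second.
MIN_SAMPLES = 3          # digraphs seen fewer times than this are not trusted
STD_FLOOR_MS = 5.0       # stops a near-constant digraph from dominating the score
STEP_UP_THRESHOLD = 2.5  # mean |z| above this is treated as a hijacked session

def build_profile(enrolment_sessions):
    """Per-digraph (mean, stdev) of flight times across the enrolment sessions."""
    samples = {}
    for session in enrolment_sessions:
        for digraph, flight_ms in session:
            samples.setdefault(digraph, []).append(flight_ms)
    return {d: (mean(v), max(pstdev(v), STD_FLOOR_MS))
            for d, v in samples.items() if len(v) >= MIN_SAMPLES}

def anomaly_score(profile, session):
    """Mean absolute z-score of the session's flight times; None if no overlap."""
    zs = [abs(ms - profile[d][0]) / profile[d][1] for d, ms in session if d in profile]
    return mean(zs) if zs else None

def session_decision(profile, session):
    """Continuous check during an authenticated session: 'continue' or 'step_up'."""
    score = anomaly_score(profile, session)
    if score is None or score > STEP_UP_THRESHOLD:  # no evidence, or rhythm does not match
        return "step_up"
    return "continue"

# Constructed enrolment data for one identity (three short typing sessions).
ENROLMENT = [
    [("th", 118), ("he", 92), ("in", 150)],
    [("th", 122), ("he", 88), ("in", 146)],
    [("th", 120), ("he", 90), ("in", 154)],
]
PROFILE = build_profile(ENROLMENT)
LEGIT_SESSION = [("th", 121), ("he", 89), ("in", 149)]
HIJACKED_SESSION = [("th", 200), ("he", 60), ("in", 240)]  # different typing rhythm
```

A session with no digraphs in the profile also steps up, since the absence of evidence is not evidence that the genuine user is still at the keyboard.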
Using these controls we can improve the user experience, increase security and mitigate the risk of lateral movement throughout an identity’s interaction with an organisation, whether that identity is an internal or external employee, an active customer or consumer, or a third-party organisation.
By constructing a perimeter around the identity, adopting continuous authentication techniques and reacting to identity attribution information, an organisation can take control of their security without compromising the user experience.