SecureAuth on Adaptive Authentication
Part 1: The benefits of adaptive authentication: The KuppingerCole Leadership Compass Report
Part 2: Evaluating adaptive authentication for your organization
Part 3: Adaptive authentication during an attack
Part 4: Best practices for adaptive authentication
This is Part 4 in a series of four posts on adaptive authentication and the KuppingerCole Leadership Compass Report.
Let’s review best practices for adaptive authentication. In our series on the KuppingerCole Leadership Compass for Adaptive Authentication 2018 report we’ve talked about the benefits of adaptive authentication, evaluating solutions for your organization, and how adaptive authentication functions during an attack. We’ve also recently talked about why SecureAuth was named a market leader for SecureAuth IAM, which the report called a “compelling product with their broad support of authenticators, granular risk engine, and threat intelligence utilization.”
Hopefully by now you realize how much adaptive authentication can be an asset to your organization’s security. Today we want to share some adaptive authentication best practices to ensure you get the most from your solution.
Adaptive authentication best practices guide
The point of adaptive authentication is to provide seamless access to legitimate users while blocking malicious users, using context-based workflows that include risk analysis. Adopting the right risk checks is vital, but keep in mind that these checks should also be quite imperceptible, providing for a frictionless user experience.
With that in mind, consider these best practices for adaptive authentication for cloud and on-prem apps:
- Balance verification with user convenience. Context is king. Your employees might not be prompted for credentials when using their laptop in the company facility, but need to complete multi-factor authentication (MFA) the first time they work from home. Adaptive authentication can recognize their home network and allow them to skip MFA after that.
- Use adaptive authentication across the enterprise and eliminate multiple security solutions. Adopting a patchwork approach to adaptive authentication will only increase both cost and complexity. Instead, consider dispensing with multiple disparate solutions. You’ll simplify the user experience and reduce password fatigue, while cutting costs.
- Use a solution that can detect authentication attempts from command and control (C2) servers and botnets. According to the 2015 Verizon Data Breach Report, 84.13% of crimeware or malware uses C2 infrastructure. In fact, 15.87% of ALL attacks involved C2. By identifying authentication attempts from these servers, you can escalate workflow requirements and block a large percentage of malicious users.
- Use your threat service to detect and mitigate anonymity networks. A SecureAuth study found 94.59% of all attacks involve anonymity networks such as Tor, and are repeat offenders. Using a threat service to detect and mitigate attacks from anonymity networks inhibits attackers.
- Optimize risk evaluation order for your environment. This requires a bit of knowledge of your network topology and the threats you may be facing. A consumer facing portal may be facing a lot of anonymous and bot traffic, so putting threat service checks first eliminates them from being considered by other risk evaluation immediately. This may reduce overhead on other resources, such as your data store.
- Use entitlement risk for vigilance around highly privileged credentials. Another way to calculate user risk is considering their level of access, a concept known as entitlement risk. A financial services manager might have a high entitlement risk score based on their access to customer funds, while a marketing assistant could have a low entitlement risk score. If the assistant’s account was given access to customer funds, the software would escalate to a higher entitlement risk score, which you could use to step up authentication requirements or deny access.
If you’re curious about our best practice recommendations for SecureAuth in particular, we’ve created the Best Practices Guide for Adaptive Authentication that explains how specific adaptive authentication risk checks are implemented in SecureAuth Cloud IAM. We also provide our recommendations for configuring them in Adaptive Authentication Risk Checks starting on page 4.
Identity-related breaches webinar
If you want more details on how adaptive authentication can strengthen your security, watch a webinar with John Tolbert of KuppingerCole titled Mitigate Identity-Related Breaches in the Era of Digital Transformation.