Managing risk is a critical function for every organization and an absolute business requirement. Most of us would agree that not all risk is the same: driving in the Daytona 500 carries a lot more risk than driving to the local grocery store. To get a bit more insight on how risk is perceived, I ran an online synonym search for 'risk' and found three results interesting: danger, threat, possibility. Two of the three carry a negative connotation, but the third, possibility, hints at the potential for something good. Merriam-Webster shared this entry next to its list of 'risk' synonyms: mountain climbing is a risk, but the thrill and challenge are worth it. So when it comes to measuring risk, we need to decide what we are willing to chance as a trade-off for a potential positive return. But I'd argue that in the business world we don't want to leave our results to chance.
Evaluating Risk for Identity Access Management
Every request a user submits to gain access to valuable company assets carries some level of risk. A correct username and password do not prove that the person behind the credentials is the legitimate user. Credential theft is rampant, and bad actors leverage compromised credentials more than ever to gain access to corporate resources: the 2020 Verizon DBIR noted that over 80% of breaches within the Hacking action category involve brute force or the use of lost or stolen credentials. And while protecting the business is essential, maintaining business continuity and a good user experience is just as important for the overall health of the business.
The challenge for Security and Risk professionals is building a model that efficiently and effectively assesses the risk each access request presents, and implementing a process that is user friendly (i.e. little to no user friction) so that a valued customer, partner, or associate encounters as little frustration as possible. Risk scoring provides a pragmatic approach to assessing the risk of each access request without introducing unnecessary friction into the user experience. By moving beyond username and password to multi-factor authentication and contextual risk checks, Security and Risk professionals can implement distinct workflows for different types of users or user groups, and can create security policies based on the resource being requested (i.e. financial applications, email, sales tools, etc.). With comprehensive risk scoring, organizations can increase security without degrading the user experience.
Why Evaluation is Important
Back in 2019, Verizon gave the following advice as part of its DBIR report: 2FA everything. Use strong authentication on your customer-facing applications, any remote access, and any cloud-based email. The underlying message is that a simple username and password is not enough to secure valuable resources.
Multi-factor authentication (MFA, of which two-factor authentication or 2FA is the most common form) should be considered table stakes as we roll into the second half of 2020. Simply put, multi-factor authentication verifies a user's identity by requiring more than one independent credential (or factor) before granting access to resources. For example, in addition to a username and password you are also required to provide a second factor such as a one-time code sent to you via email or SMS. Depending on the circumstances or use case, a variety of second-factor options are available, such as push-to-accept or symbol-to-accept, that let users verify their identity without unnecessary friction.
What are some shortcomings of popular 2FA methods? One-time passcodes delivered over SMS or voice, probably the most popular method used today, are classed as a "restricted" authenticator by the National Institute of Standards and Technology (NIST) in SP 800-63B because the telephone network offers no assurance that the code reaches the intended device (SIM swapping and SS7 interception are the well-known problems), and any one-time code, however delivered, can be phished and relayed in real time. Hard tokens, probably the second most popular method, share the real-time relay weakness, and sophisticated attackers have also targeted the token seed material itself. KBAs (knowledge-based answers) are susceptible to social engineering and should really not be considered a second-factor option at all, because KBAs, like passwords, are "something you know" rather than "something you are" or "something you have". And push-to-accept is often approved without thought, as users simply tap 'accept' to get the notification off their phone screen (attackers exploit this deliberately by sending repeated prompts). None of these methods on its own provides adequate protection against a determined bad actor. If someone wants to gain access to your data, systems and resources, they are going to keep trying.
Adaptive authentication, or risk-based authentication, provides the strongest level of security and user verification when deployed in conjunction with multi-factor authentication. The contextual risk checks run in the background before access is ever granted and are essentially invisible to the user, giving Security and Risk professionals a thorough assessment of each access request. Examples of contextual risk checks include behavior and pattern analysis, device recognition, and IP address assessment.
These contextual risk checks are what find the anomalies:
- Why is Suzy trying to log in at 3am?
- The laptop Larry is using to request access is not a recognized device associated with him.
- The IP address associated with Mary's access request is not her normal address.
- Miguel never requests access on a Saturday morning.
- Why has Alissa attempted to log in six times her normal rate in the past hour?
Based on the results of the contextual risk checks, the appropriate action is triggered according to the workflow policies in place. In many cases the checks detect no unusual pattern or behavior, and the user simply provides a second authentication factor and is granted access to the requested resource. But an unusual login time, an unrecognized device, an unknown IP address, or an unexpected access request over the weekend triggers predefined policies to further assess the user, such as a stepped-up authentication request or outright denial of access.
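To make the flow above concrete, here is an added example (not code from the original post or from SecureAuth's product) of a small risk scorer in Python. It runs the five checks from the list above against a per-user profile, adds a weight per anomaly, maps the total to a Low/Medium/High band, and then applies a workflow policy: low risk proceeds to the standard second factor, medium risk steps up, high risk is denied, and a sensitive resource steps up on any anomaly even at low risk. The weights, thresholds, resource names, user profiles and login events are all constructed assumptions for illustration.

```python
"""Illustrative contextual risk scorer for access requests (constructed example)."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed weights, band thresholds and sensitive-resource list; not product values.
WEIGHTS = {
    "unrecognized_device": 30,
    "unusual_ip": 25,
    "off_hours": 20,
    "weekend": 15,
    "attempt_velocity": 40,
}
MEDIUM_THRESHOLD = 20
HIGH_THRESHOLD = 50
SENSITIVE_RESOURCES = {"finance-app"}


@dataclass(frozen=True)
class UserProfile:
    username: str
    known_devices: frozenset          # device identifiers previously bound to the user
    usual_networks: tuple             # CIDR strings the user normally connects from
    usual_hours: tuple                # (start, end) local hour, end exclusive
    works_weekends: bool
    baseline_attempts_per_hour: int   # typical login attempts per hour


@dataclass(frozen=True)
class AccessRequest:
    username: str
    device_id: str
    source_ip: str
    timestamp: datetime
    attempts_last_hour: int
    resource: str


def score_request(profile, req):
    """Run the contextual checks and return (score, list of triggered checks)."""
    reasons = []
    if req.device_id not in profile.known_devices:
        reasons.append("unrecognized_device")
    ip = ip_address(req.source_ip)
    if not any(ip in ip_network(net) for net in profile.usual_networks):
        reasons.append("unusual_ip")
    start, end = profile.usual_hours
    if not start <= req.timestamp.hour < end:
        reasons.append("off_hours")
    if req.timestamp.weekday() >= 5 and not profile.works_weekends:  # 5 = Saturday
        reasons.append("weekend")
    if req.attempts_last_hour >= 6 * profile.baseline_attempts_per_hour:
        reasons.append("attempt_velocity")
    return sum(WEIGHTS[r] for r in reasons), reasons


def risk_band(score):
    if score >= HIGH_THRESHOLD:
        return "high"
    if score >= MEDIUM_THRESHOLD:
        return "medium"
    return "low"


def decide(profile, req):
    """Map the risk band to a workflow action; sensitive resources step up on any anomaly."""
    score, reasons = score_request(profile, req)
    band = risk_band(score)
    action = {"high": "deny", "medium": "step_up", "low": "allow_after_mfa"}[band]
    if action == "allow_after_mfa" and reasons and req.resource in SENSITIVE_RESOURCES:
        action = "step_up"
    return {"user": req.username, "score": score, "band": band,
            "action": action, "reasons": reasons}


def make_profile(name, works_weekends=False):
    # Constructed baseline: one known laptop, office network 10.20.0.0/16, 8am-6pm.
    return UserProfile(name, frozenset({f"lt-{name}"}), ("10.20.0.0/16",),
                       (8, 18), works_weekends, baseline_attempts_per_hour=2)


def run_samples():
    """Constructed login events mirroring the anomalies listed in the text."""
    events = [
        AccessRequest("suzy", "lt-suzy", "10.20.4.7", datetime(2020, 7, 20, 3, 0), 1, "email"),
        AccessRequest("larry", "unknown-laptop", "10.20.5.1", datetime(2020, 7, 21, 10, 0), 1, "sales-tools"),
        AccessRequest("mary", "lt-mary", "203.0.113.9", datetime(2020, 7, 22, 11, 0), 1, "email"),
        AccessRequest("miguel", "lt-miguel", "10.20.8.2", datetime(2020, 7, 18, 9, 30), 1, "finance-app"),
        AccessRequest("alissa", "lt-alissa", "198.51.100.4", datetime(2020, 7, 23, 14, 0), 12, "email"),
        AccessRequest("omar", "lt-omar", "10.20.1.1", datetime(2020, 7, 23, 10, 0), 1, "email"),
    ]
    return {e.username: decide(make_profile(e.username), e) for e in events}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:7} score={result['score']:3} band={result['band']:6} "
              f"action={result['action']:15} reasons={result['reasons']}")
```

Note that Miguel's Saturday login scores only 15 (low), but because he is asking for the finance application the policy still steps him up; Alissa's burst of attempts from an unknown address crosses the high threshold and is denied outright. In a real deployment the profile data would come from historical authentication logs and device registration rather than hard-coded baselines.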
The following diagram depicts the spread of risk scores across one week for active users requesting access to corporate resources. What I find interesting in the diagram are the “High” risk scores captured on 7/18 and 7/19 because those dates are a Saturday and Sunday. My immediate interpretation of the data with respect to those dates is bad actors do not take a day off. When compared to the “Low” and “Medium” risk scores over the same days, the “High” risk scores on the weekend really do not tail off.
Enabling risk scoring as part of the authentication process substantially strengthens an organization's security posture. The ability to create distinct 'next-step' workflows gives an access management security team the flexibility to build user journeys aligned to its established risk threshold or tolerance levels, based on things like the user's profile and the resource being requested. And the contextual analysis of a user's patterns and behavior guides how, and whether, any adaptive authentication challenge is presented to the user to verify their identity before access is granted or denied.
The following table provides examples of potential workflow actions available through adaptive authentication services as part of a layered approach to verifying and authenticating a user identity:
Benefits of Adaptive Authentication
There is no silver bullet when it comes to securing valuable business assets. Bad actors will continue to search for new ways to compromise organizations while still leveraging tried and true tactics like brute force, password spraying, and credential stuffing attacks. In today's perimeter-less environments, the best practice is a layered approach to access management that delivers the greatest protection without compromising the user experience.
With a modern identity and access management solution, Security and Risk leaders can integrate adaptive authentication into their authentication policies and workflows to better protect assets, data, resources, applications, and users. By layering multi-factor authentication with contextual risk checks, organizations can deploy and administer a flexible set of authentication tools that identify and evaluate the risk each user request presents and then avoid or minimize the resulting danger or threat. The possibility of both improved protection and a better user experience is what lets a modern access management solution support an organization's digital innovation initiatives and, ultimately, its business outcomes.
Learn more about SecureAuth Cloud Identity and Access Management.