A few posts ago we mentioned the survey we conducted in collaboration with SC Magazine, where we asked 500 senior IT leaders about their security practices regarding access control. One aspect we talked about was the organizations that are still trusting the password-only method and where CISOs see themselves a few years down the road. While their methodologies and future plans varied, many of those IT leaders are aware their security programs need to evolve into more sophisticated controls - and the common denominator in that vision is Adaptive Authentication.
So why is Adaptive Authentication becoming the gold standard in access control? One reason is that organizations are shifting their security focus, having accepted that breaches are somewhat inevitable. While the concept of blocking attackers from the network is ideal, the reality is that malicious actors are probably already inside - and if they're not now, they will be.
That means IT's former emphasis on protecting the network perimeter has to adapt. Today’s perimeter isn't what it used to be, expanding to include the cloud and other networks managed by partners and service providers. Flexible and permeable, the evolving perimeter has forced teams to revamp their approach - an approach that now often focuses on building tougher access and authentication barriers around data, applications and internal resources.
This shift poses an interesting new challenge for security teams: building a mature IT environment and effective security program while simultaneously recognizing that attackers are already inside the network. Teams must face the fact that as cybercriminals get stronger and more sophisticated every day, their security programs must evolve too; at the same time they know they'll never have unlimited time or budget to create a “perfect” security program.
Given the precarious nature of this balancing act, our survey asked how many CISOs feel they're pulling it off. This is what we found:
- 19 percent say they are “very confident” in their access and authentication security system. (This is up from 11 percent 2 years ago.)
- 39 percent say they are “quite confident.” (Two years ago this was 39 percent.)
If you think those numbers sound reassuring, consider the flip side: nearly 40 percent don't feel all that confident in their security. And that's understandable given the challenges posed above. Knowing they need to defend a network that may already be compromised, a team’s first instinct might be to lock their data in a vault - but that’s hardly a practical solution, given that businesses need their data to be accessible, whether it's a doctor looking up patient medical history, a B2B salesperson checking a client’s account information or a retailer processing credit card numbers. There’s only one recommended way to protect confidential data while still using it: layered security. The password-only model might suffice in situations where convenience trumps security, but multifactor authentication is the only truly effective choice for keeping data safe and in the right hands - specifically adaptive authentication.
Advances in Adaptive Authentication
Just as cybercrime has grown more sophisticated, Adaptive Authentication has grown more advanced, with security teams taking several approaches.
With the rise of mobile, the smartphone has become a security vulnerability. But it’s also serving as an authentication token for many IT teams. We all know the well-worn cliché that one phone today has more computing power than NASA did during the moon launch. Well, the point holds; today’s smartphone is indeed a mini-computer powerhouse, and when you add in all the unique components of each phone, their profiles can be as highly individual as a fingerprint or snowflake.
That might sound like a bold claim. But consider the myriad data points that make up each customized profile. The device can record such components as how the user moves their finger across the device, the pressure they place on it and how they hold the device, including at which angle. It can record their typical times of use. All of those elements and more can identify one user and differentiate them from another user, tokenizing the device. There’s no need for a password, no cumbersome additional steps; in short, there’s no user inconvenience.
But that’s not the only approach to Adaptive Authentication. The traditional USB-connected hardware token has intelligence built in; key fobs use a one-time code, like an additional password. Some CISOs still turn to these for email signing, disk or file encryption, one-time-only passwords and similar security applications. That said, while these tools can offer good security, they can also be costly to manage and maintain.
Which brings us to SecureAuth IdP’s Adaptive Authentication. If you’re a customer, you know IdP is a customizable and budget-friendly solution that pairs secure access with a seamless user experience. And if you’re not a customer? You can see for yourself by requesting a demo or checking out how SecureAuth has helped other organizations with strong access control that goes beyond just passwords. Every IT leader should feel confident about their security – and confidence is just what SecureAuth IdP’s Adaptive Authentication delivers.