b Passwords are proving more attractive as an attack vector with every passing year, according to statistics from the latest Verizon Data Breach Investigations Report. Despite the growing number of threats and the increasing sophistication of attacks, not much has changed about the way we secure access to critical resources. And that’s what has to change now, if we want to be more successful at thwarting credentials-based attacks.
Of course, identity and access management solutions have evolved over time to address the growing use of cloud, SaaS applications and mobile computing. But they haven’t really changed in any meaningful way to address the security gaps created by cloud and mobile access; they’ve just been adapted to work in these new types of environments. Web single sign-on (SSO) solutions have become cloud SSO solutions, and password synchronization has given way to password vaults—but make no mistake, everyone’s still relying heavily on passwords to protect their most critical applications and other information assets. Even when stronger authentication methods like two-factor authentication are used to augment passwords, the fundamental approach to securing access has remained basically the same.
It’s time to seriously consider how we can achieve truly transformational change in the identity and access space—the kind of deep-seated change that renders credentials-based attacks ineffective and unattractive to attackers.
The foundation: 3 essentials for transforming secure access
How do you establish an access environment based on identity assurance—an environment that consistently welcomes those who have the right to be there (assuming high identity assurance) and reliably turns away those who don’t? Creating such an environment for secure access demands change at a fundamental level. Building that new foundation requires three key elements: identity insights, threat intelligence and business context.
1. Identity insights: Essential user profiles to help determine access risk
If you think back even just a decade ago, access managers had very little information about or insight into the person who was actually accessing their resources—usually no more than their username and password. Today, there’s a wealth of data to help build a user profile that can serve as the basis for making confident decisions about granting access. Data points that provide access context today include geolocation, network and device information, and a user’s role within the organization, among others. It’s also possible now to leverage machine learning and advanced analytics to establish user behavior norms and detect deviations. All these rich, multi-dimensional insights provide the basis for a holistic view of the user and the associated environment. It’s a view that can reveal much more about users and the access risks they pose.
2. Threat intelligence: Essential information about risk factors beyond identity
As vital as identity insights are to transforming secure access, it’s also important to recognize how much more powerful they are when combined with visibility into other risk factors. Endpoint solutions can identify potential malware, and network forensic tools can identify suspicious traffic from a particular device. If you have access to the list of devices or users that your threat platforms are investigating as potentially compromised, you can leverage that information in your identity and access systems to adapt your controls. You can, for example, block access to suspect resources until they are patched or otherwise mitigated. Or, you can require more proof that a user who’s attempting access from a suspect device is actually who he or she claims to be, using authentication methods that are difficult to compromise and difficult for an attacker to exploit. (This benefit can also work in reverse, through the ability to share authentication data from logs with threat intelligence systems, giving those systems valuable information about users.)
3. Business context: Essential data about the risk associated with applications, data, users
The third essential element of a foundation for secure access is business context, which revolves around understanding the level of exposure that applications, data and users create. For example, is a particular application a potential gateway to other applications and resources for an attacker? Or, is it safely walled off in a separate segment of the network? (In other words, how profound is the potential impact if someone gains access to the application when they shouldn’t?) Is the data that someone is attempting to access sensitive personal data—or just this week’s cafeteria menu? If it’s the latter, the stakes are low. Finally, what permissions and entitlements does the user have? It makes sense for a CFO to want to see P&L statements, but it should raise some flags if someone who appears to be a third-party roofing contractor wants access to them.
This three-part foundation can make it possible as never before to get a clear picture of who your user is, where the threats to legitimate user access lie, and what levels of exposure your applications and data are creating for the organization. When identity assurance is high and business risk is low, the user experience can be utterly seamless. When identity assurance is low, or business risk is high, it’s important to be able to take context into account and apply step-up authentication using another, stronger form of validation, perhaps from a secondary device. Step-up authentication options include biometrics, tokens, OTP, SMS and push notification.
The goal: secure access that’s pervasive, connected and continuous
Once you have a solid foundation for secure access in place, the next step is building on that foundation to achieve access that’s secure because it’s:
- Pervasive everywhere, stretching across all applications, devices and users at all access points from ground to cloud
- Connected, with capabilities for sharing information among identity governance, access management and threat intelligence systems to help prevent attacks
- Continuous, with non-stop monitoring activity that collects and analyzes data and learns from it over time, enabling complex risk decisions to be made without the need for human intervention
These defining characteristics of secure access can change the game entirely, replacing ineffective, disjointed efforts at securing access with a powerful, proactive approach. The transformation begins with a foundation built on insights into the identities of those accessing our applications and information; information about the threats lurking within our environment; and risk-based business context. Using this information, we can truly transform how we secure access within the modern enterprise.