Getting to know you: How continuous identity and access management transforms secure access

Better access decisions come from authentication solutions that work constantly to get to know users and resources better and better over time.

Kim Steele

Every morning, like thousands of other people, I pick up a coffee at my local Dunkin’ Donuts on the way to the office. And every morning, I order the same thing, using the mobile app: a medium cup of French Vanilla, regular cream. They’ve gotten so used to my order, they don’t even ask me who I am when I walk in. Instead, my coffee is waiting for me on the counter, so I can just quickly grab it and go on my way.

But one day last week, something different happened. I was headed in for an early-morning meeting with a couple of other RSA folks, so I ordered three coffees—one for each of us. When I got there, as I looked around for my order on the counter, the store manager waved me over. “Jim?” he said, a little warily. “Did you order three coffees?” And when I confirmed I had, he reached under the counter and handed me a cardboard carrier with three piping hot coffees in it. “I just wanted to be sure,” he explained, “since you usually only order one.”

Now, you may be wondering what in the world all this talk about coffee has to do with identity and access management. But that’s exactly the subject that leapt to my mind on that anomalous three-coffee day. After all, what happened is a perfect example of what I want to explore here now: the idea of continuous identity and access management—specifically, continuous authentication. “Continuous” is the third of the three characteristics of authentication (along with “pervasive” and “connected”) that are needed to transform secure access to meet modern workforce requirements.

Continuous authentication requires constantly taking in and learning from connected systems

Continuous authentication is all about the ongoing, uninterrupted gathering of information that a modern authentication solution can learn from over time and use to deliver smart, secure access. It’s a far cry from the days when every request for access was a one-time event that happened in isolation, forcing the user to do the equivalent of repeating his coffee order every time he walks in to pick up the coffee—because there’s no other way to be sure the person really is who he claims to be. With continuous authentication, a user only has to provide additional assurance when an unexpected event or other indication of risk warrants it.

An identity and access management system capable of continuous authentication is one that constantly gathers intelligence about users and their behavior so that it eventually knows enough to authenticate and grant access based on that knowledge—just like the Dunkin’ Donuts manager. Because of what he had come to recognize as my normal behavior, it was only when I strayed from that behavior that he felt compelled to double-check and be sure I had really placed that order. In much the same way, an identity solution that’s capable of continuous authentication takes in information about the user (and the resources the user wants to access); learns from that information what’s normal and what’s an anomaly; and then responds appropriately to access requests.

For example, if a user logs in from the same device and location every morning, and requests access to the same apps every day, the system comes to recognize that behavior and minimize friction for the user, requiring little additional assurance that the user is who they claim to be. But if the user does the equivalent of placing an unexpected coffee order—by logging in from a device never logged in from before, or requesting access to an app they’ve never used—the system can ask for additional authentication to confirm identity before handing over the order, so to speak.

Continuous authentication relies on identity insights, threat intelligence and business context

The key to continuous authentication is the ability to connect your authentication solution with other sources of information for access decisions, in order to acquire comprehensive information for decision-making. In the very first post I wrote for this series, I talked about identity insights, threat intelligence and business context being the three types of information that form the foundation for transforming secure access. They come from different sources and, together, they provide knowledge that is collectively the basis for continuous authentication.

Identity insights include user-profile information from the identity and access management system—the kind of behavioral information in my Dunkin’ Donuts analogy. Threat intelligence is suspicious-activity information from threat detection systems, which the identity and access management system can take into account to make informed decisions about requiring users to prove they’re who they claim to be. And business context includes essential data, often from integrated risk management systems, about the degree of risk associated with various applications and data. This last category of information in particular is as likely to affect identity governance and lifecycle decisions as it is to affect authentication decisions, as I explain next.

Connected systems provide information for continuous decision making beyond authentication

The intelligence that enables continuous authentication can also inform ongoing decisions related to identity and lifecycle governance. For example, identity governance teams armed with a view of risk across users and applications can use application criticality and usage data to inform certification reviews and policy decisions. This enables organizations to focus on the access that poses the greatest risk, and it provides insights to reviewers about application usage that can help improve the effectiveness of certifications.

Connected systems that enable continuous authentication offer one other advantage, which goes beyond responding to access requests: an identity and access management solution that exchanges information with other systems can use that information to trigger action against a high-risk user after that user has gained access. For example, if threat intelligence indicates a problem with a user after the user has connected to the VPN, that information can prompt the identity solution to disconnect the user from the network. It’s as if the Dunkin’ Donuts manager had the ability to recognize that the person trying to walk off with my coffee wasn’t really me—and also had a security guard at the door to stop him from getting any further.
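As an added illustration (not code from the original article or from any vendor product), the sketch below shows how the three inputs described above, identity insights, threat intelligence and business context, can drive an allow / step-up / deny decision and a revocation after access has been granted. The class name, weights, threshold and application ratings are all assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed values: weights, threshold and app ratings are assumptions.
NOVELTY_WEIGHT = {"device": 3, "location": 2, "app": 1}
APP_CRITICALITY = {"wiki": 1, "crm": 2, "payroll": 3}  # business context
STEP_UP_AT = 3


class ContinuousAuth:
    def __init__(self):
        self.seen = defaultdict(set)      # identity insights per user
        self.flagged = set()              # threat intelligence
        self.sessions = defaultdict(set)  # live sessions per user

    def risk(self, user, attrs):
        """Weight each never-seen attribute, scaled by app criticality."""
        novel = set(attrs.items()) - self.seen[user]
        # Unrated apps are treated as most critical (fail safe).
        criticality = APP_CRITICALITY.get(attrs["app"], 3)
        return sum(NOVELTY_WEIGHT[kind] for kind, _ in novel) * criticality

    def request(self, user, device, location, app, session_id, mfa_ok=False):
        """Return 'deny', 'step_up' or 'allow'; learn only from granted access."""
        attrs = {"device": device, "location": location, "app": app}
        if user in self.flagged:
            return "deny"
        if self.risk(user, attrs) >= STEP_UP_AT and not mfa_ok:
            return "step_up"
        self.seen[user] |= set(attrs.items())
        self.sessions[user].add(session_id)
        return "allow"

    def threat_alert(self, user):
        """Threat intel arriving after access: flag user, revoke sessions."""
        self.flagged.add(user)
        return sorted(self.sessions.pop(user, set()))


if __name__ == "__main__":
    engine = ContinuousAuth()
    args = ("jim", "laptop-1", "Boston")
    print(engine.request(*args, "wiki", "s1"))               # first sight
    print(engine.request(*args, "wiki", "s1", mfa_ok=True))  # enrolled
    print(engine.request(*args, "wiki", "s2"))               # routine
    print(engine.request(*args, "payroll", "s3"))            # unusual order
    print(engine.threat_alert("jim"))                        # revoke sessions
```

Because the baseline is updated only when access is granted, a request that was challenged and never completed does not teach the system that the new device or app is normal.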

Whether the goal is more effective authentication, better governance or improved threat response, the need is the same: to constantly acquire input to improve the decisions you make about access. That’s why “continuous” is an essential quality for the secure access transformation organizations must undertake to meet tough security challenges today.

Copyright © 2018 IDG Communications, Inc.
