In these digital times, the most important part of the authentication process lies in answering three key questions: Who? What? And where? Business context is the only way to do just that.

Traditional authentication solutions require a trade-off between security and usability, often deployed with a “one-size-fits-most” strategy. But today there’s a whole lot more at stake, so enterprises need more to effectively protect critical applications when delivering access in a world without boundaries. That “more” comes by way of risk mitigation.

By applying a risk-based approach to your authentication strategy with identity assurance, you can go beyond simple authentication approaches. You can deliver both security and convenience without sacrifice. Risk-based identity assurance is transforming multi-factor authentication from a simple yes/no decision or step-up process by adding intelligence to the decision of which access is granted in which situations.

Identity assurance helps to quantify two very important issues: How sure am I that this user is who he or she claims to be? And how sure do I need to be based on the information being accessed?

There are several key considerations when creating an identity assurance strategy. One of the most critical is the ability to leverage business context in the authentication process. Business context is the information we can seamlessly gather to help form baseline assumptions about an access request. A good way to look at business context is to break it down into three fundamental pieces:

1. The data
2. The person
3. The environment

The Data: What Is Being Accessed?

Often when multi-factor (and two-factor) authentication solutions are put in place, they protect data that resides in the company’s data center.
However, due to the massive expansion of enterprise SaaS applications and hosted data centers, more and more sensitive data is stored in the cloud instead of a corporate data center.

Unfortunately, as needs evolve, authentication does not always ensure that the most sensitive data is protected appropriately, no matter where it resides. As a result, companies are left with a multitude of applications, each containing a set of user identities with different, disjointed authentication requirements. All too often these authentication requirements don’t align to the sensitivity of the information contained in them.

Regardless of the data location, the fundamental question is, “How sensitive is the data being accessed?” Is this resource storing company intellectual property or the company holiday calendar? It’s important that we treat this data appropriately, especially given that the alternative is either too little security for the sensitive information or unacceptable user experience for information that should be easily accessible. When we treat data appropriately, based on its sensitivity, we can then apply a single solution to ensure an appropriate and consistent experience.

The Person: Who Is Requesting Access to the Data?

The access a specific user has within that application is equally important. Is this user an IT administrator with nearly limitless access or is this person an end user with limited access? We need to view these users specific to their different levels of assurance to gain access. We have information available about the user in potentially multiple identity repositories. We must be able to leverage the available data from all of these sources to adequately ensure the appropriate security is applied.

The Environment: What Is the Session Context of the Request?

The last piece of business context is the environment of the data request. The first component of the environment is the user’s device.
Here we need to know if it’s registered, known for this user or managed by the company. Beyond device, we look at other session context attributes such as trusted networks, trusted locations, blacklisted locations and IP addresses. Each of these types of attributes can impact the decision to allow access to the resource, not to mention what level of additional assurance a user must provide to gain access.

Putting It All Together

Taken together, these three business context fundamentals (data, person and environment) allow us to build policies to ensure the authentication required is appropriate for each access request. When evaluating multi-factor authentication solutions to provide identity assurance, make sure the solution fully leverages business context to create powerful policies. It is equally important that these components are configurable in an easy-to-understand way so an administrator can have confidence in who they are allowing access and what authentication will be required.

Learn more about identity assurance and how business context impacts authentication decisions in this video.
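
The policy idea described above (data, person and environment deciding how much assurance a request needs) can be sketched as a small evaluator. This is an added example, not code from the article or from any product; the four-point assurance scale, the weights and every name in it are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):  # assumed sensitivity scale
    LOW = 1
    MEDIUM = 2
    HIGH = 3

@dataclass(frozen=True)
class AccessRequest:
    data_sensitivity: Level  # the data: what is being accessed?
    privileged_user: bool    # the person: IT administrator or end user?
    device_known: bool       # the environment: device and session context
    device_managed: bool
    trusted_network: bool
    location: str            # "trusted", "unknown" or "blacklisted"

def required_assurance(req: AccessRequest) -> int:
    """How sure do I need to be? Driven by the data and the person."""
    need = int(req.data_sensitivity)
    if req.privileged_user:
        need += 1  # assumption: admins need one level more than end users
    return min(need, 4)

def current_assurance(req: AccessRequest) -> int:
    """How sure am I already? Driven by the environment."""
    have = 1  # assumption: primary credential already verified
    if req.device_known:
        have += 1
    if req.device_managed and req.trusted_network:
        have += 1
    if req.location == "trusted":
        have += 1
    return min(have, 4)

def decide(req: AccessRequest) -> str:
    """Return 'deny', 'allow' or 'step-up' for one access request."""
    if req.location == "blacklisted":
        return "deny"  # hard stop regardless of other context
    gap = required_assurance(req) - current_assurance(req)
    return "allow" if gap <= 0 else "step-up"

# Constructed sample requests: the holiday calendar from an unknown device,
# and intellectual property requested by an end user from the same context.
calendar = AccessRequest(Level.LOW, False, False, False, False, "unknown")
ip_repo = AccessRequest(Level.HIGH, False, False, False, False, "unknown")
```

With these weights the calendar request is allowed on the primary credential alone, while the intellectual-property request from the same context requires a step-up.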