
Identity eats security: How identity management is driving security

Jul 12, 2018 | 13 mins
Authentication | Identity Management Solutions | Passwords

New intelligent identity management systems are changing the way organizations authenticate users and devices, and they’re making identity the new security perimeter.


Protecting data and assets starts with the ability to identify with an acceptable level of certainty the people and devices requesting access to systems. Traditionally, identity has been established using a “secret handshake” (user ID and password) that gets the person or device through a gateway with access to permitted systems. Once through, few safeguards are in place to further confirm identity.

Now, organizations are starting to take a wider, more complex view of identity to authenticate and authorize people and devices to provide a much more reliable, context-based confirmation of identity than a user ID and password can. “We need to take identity from its current state of managing groups, resources and networks in a fairly static way, to a more real-time view of access control through intelligence and machine learning,” says Andre Durand, CEO of Ping Identity.

That approach requires a more comprehensive look at other factors that determine identity, specifically behavior and environmental attributes. Understand everything you can about the customers, employees, and devices connecting to your systems, and you can build a unique profile for each one that would be extremely difficult for a hacker to copy.

Changing the way enterprises use identity to authenticate and authorize is also driving structural changes within the organization. The people who are responsible for identity have typically not been associated with security. That’s changing as security focuses more on identity as a front-line defensive concept, and it’s having a profound effect on both groups.

“Security absorbed identity, but identity is eating security,” says Durand. As organizations build security strategies that start with strong authentication, identity becomes the new perimeter.

Why identity management is changing

User IDs and passwords are no longer sufficient on their own. They can be phished, guessed, or simply bought from credential dumps. That’s why most enterprises with high-value data to protect have moved to at least two-factor authentication (2FA). Even 2FA has limits: one-time codes sent by SMS or generated by an app can be phished or relayed in real time, and hardware tokens or smartphones can be compromised or stolen.

Not only are passwords ineffective, they annoy people. Consumer-facing businesses want to remove friction from customer interactions, and organizations want to do the same for their employees. Passwords generate a lot of friction.

The trend toward digitalizing business is also increasing demand for better identity management and strong authentication. “Digitalization is driving a lot of customer journeys that didn’t exist before,” says Jatin Maniar, vice president marketing and alliances for passwordless, universal authentication vendor Nok Nok Labs. Those journeys often force developers to make trade-offs between security and convenience. “Better user experience and security underpinnings lead to increased engagement and improved risk posture,” he says.

Part of that better user experience is to trend away from passwords, Maniar says. That trend extends to the corporate environment and B2C scenarios for eliminating passwords for customers, enterprise users and connected devices.

The march to digitalization goes hand-in-hand with the rise in mobile device usage, which in turn enables more intelligent identity technology like biometrics, says Maniar. “The good news is consumers are readily adopting and prefer biometrics as an authentication means with their mobile devices. Couple that with open authentication FIDO standards and we have never been closer to elimination of shared secrets and provide a solid foundation for stronger security for a digital world,” he adds.

“The reason identity is increasingly relevant to all security teams is because of the fact that the traditional perimeter-based approach to security has crumbled or dissolved away for many years now,” says Derick Townsend, vice president of product marketing at Ping. He cites the cloud combined with a mobile workforce as one driver. “They’re not coming into the office, sitting at a desk, and plugging into a network,” he says.

Another factor is the proliferation of applications residing outside the enterprise. “These could be mobile apps. They could just be applications running in private clouds, or they could be SaaS-based apps,” says Townsend. “Then you’re left with coming up with a new paradigm to secure your resources. Identity is the best choice to do that.”

How identity management can spot imposters and bad actors

Every time you log onto a website or a corporate system, you generate a lot of signals that you are not aware of. Those signals might include your location, device IP address, or speed or cadence at which you type. If you use a mobile device, then even more signals are available such as how hard you tap your phone screen. Similarly, every device that connects has its own signals based on typical usage patterns.

Collecting and analyzing these signals allows some identity management systems to create unique profiles for every individual and device. You can then set certainty thresholds to indicate which levels of confidence are acceptable to allow access. From an authorization perspective, this allows you to grant or deny access with a much higher degree of accuracy.

Hackers will still try to get in, but intelligent identity management creates some big barriers. “Single-factor passwords are weak and burdensome,” says Chris Sullivan, CISO at SecureAuth + Core Security. “Two factor is stronger but more burdensome and has been consistently beaten. We can now verify 25 factors before asking users for anything. This is infinitely better.”

On July 11, SecureAuth + Core Security announced Login for Windows and Login for Mac, what it calls “adaptive authentication” products that can process dozens of factors in the background. “By strongly authenticating a user at the initial login, we can trust that identity and eliminate ‘login friction’ from the rest of their day as they access other applications and systems,” said Keith Graham, CTO at SecureAuth + Core Security.

The idea of using intelligent identity management to achieve real-time access control and a better user authentication experience is simple, but the large amount of data that needs to be processed makes implementation hard. “We are looking to leverage data, machine learning and AI to make the authentication experience better for end users with the ideal scenario being passwordless,” says Durand. “If we can recognize the user through any number of passive signals that we have access to, then let the user in, especially if the user is doing something deemed low risk, that’s a great user experience. If we see anomalous behavior, then we should stop it, flag it, require step-up authentication or route it to someone for authorization.”
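The passive-signal scoring and the allow / step-up / deny outcomes described above can be made concrete. The following is an added example, not code from Ping Identity, SecureAuth or any vendor named on this page; the signals, weights, thresholds and the sample user profile are illustrative assumptions, and a real system would learn the profile from login history and tune thresholds against its own false-positive rate.

```python
"""Risk-based ("adaptive") login decision built from passive signals.

Added example, not vendor code. Signals, weights and thresholds are
illustrative assumptions; the sample profile and attempts are constructed.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Tuple

Geo = Tuple[float, float]  # (latitude, longitude) in degrees


@dataclass
class Profile:
    """What the identity system has learned about one user over time."""
    known_devices: set
    home_geo: Geo
    typing_cps_mean: float  # characters per second, typical cadence
    typing_cps_std: float
    usual_hours: range      # local hours in which logins normally occur


@dataclass
class Attempt:
    """Signals captured passively during a single login attempt."""
    device_id: str
    geo: Geo
    typing_cps: float
    hour: int
    last_geo: Optional[Geo] = None            # where the previous login came from
    minutes_since_last: Optional[float] = None


def haversine_km(a: Geo, b: Geo) -> float:
    """Great-circle distance between two lat/lon points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def risk_score(profile: Profile, attempt: Attempt) -> Tuple[int, List[str]]:
    """Additive score clipped to [0, 100]; each reason names the signal that fired."""
    score, reasons = 0, []
    if attempt.device_id not in profile.known_devices:
        score += 30
        reasons.append("unknown device")
    if haversine_km(profile.home_geo, attempt.geo) > 500:
        score += 20
        reasons.append("far from usual location")
    if attempt.last_geo is not None and attempt.minutes_since_last:
        speed_kmh = haversine_km(attempt.last_geo, attempt.geo) / (attempt.minutes_since_last / 60.0)
        if speed_kmh > 900:  # faster than an airliner: two places at once
            score += 40
            reasons.append(f"impossible travel ({speed_kmh:.0f} km/h)")
    z = abs(attempt.typing_cps - profile.typing_cps_mean) / profile.typing_cps_std
    if z > 2.0:
        score += 15
        reasons.append("typing cadence off-profile")
    if attempt.hour not in profile.usual_hours:
        score += 10
        reasons.append("outside usual hours")
    return min(score, 100), reasons


def decide(score: int, step_up_at: int = 20, deny_at: int = 60) -> str:
    """Map the score onto the three outcomes the text describes (thresholds assumed)."""
    if score < step_up_at:
        return "allow"
    if score < deny_at:
        return "step_up"  # e.g. prompt for a FIDO authenticator before continuing
    return "deny"


def evaluate(profile: Profile, attempt: Attempt):
    score, reasons = risk_score(profile, attempt)
    return decide(score), score, reasons


# Constructed sample data: one user with a learned profile, three login attempts.
ALICE = Profile({"laptop-7f3a"}, (40.71, -74.01), 4.5, 0.5, range(7, 20))
ROUTINE = Attempt("laptop-7f3a", (40.71, -74.01), 4.6, 9)
ODD_HOURS_TRIP = Attempt("laptop-7f3a", (41.88, -87.63), 4.7, 3)
STOLEN_CREDS = Attempt("unknown-b2c1", (51.51, -0.13), 7.0, 14,
                       last_geo=(40.71, -74.01), minutes_since_last=30)

if __name__ == "__main__":
    for name, attempt in [("routine", ROUTINE), ("odd-hours trip", ODD_HOURS_TRIP),
                          ("stolen creds", STOLEN_CREDS)]:
        print(name, evaluate(ALICE, attempt))
```

The point of the three sample attempts is the middle one: a known device from an unfamiliar city at 3 a.m. is not blocked outright but pushed to step-up authentication, which is the friction-reducing behaviour the vendors above are describing. Only when several independent signals fire at once (unknown device, impossible travel, off-profile typing) does the score cross the deny threshold.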

A person’s identity profile can also include normal network behavior. If someone makes it through the initial authentication process and then does something that person would not typically do, the identity management system can flag the activity, request further authentication, or stop the activity.

This helps defeat hackers who manage to get into the system, but it also detects potential insider threats—for example, employees accessing files that they do not need for their work or attempting to log in at odd times. Similarly, an intelligent identity system can detect abnormal behavior from authorized devices, which can help stop or minimize distributed denial of service (DDoS) attacks.

That covers the authentication side of identity management. On the authorization side, AI and machine learning can help manage permissions as well. “The vision here is to enable what I refer to as just in time, just enough access,” says Durand. “How can we grant access only when necessary and shut it off when it’s not necessary?”

“We also want to close the surface area people have access to. We want to make it as granular or as small as we can,” Durand adds. “It’s a nice idea to have broad access to the internet and everything in it, but that’s not practical in a world we need finer control over who sees what when. Granting access to an app, or even a restricted or limited access section of or field within an app for just a moment is hard. That’s an example of just in time, just enough access.”

He cites the example of a large retailer with 100 admins that had long-lived email administration rights. They worried about the security risk that presented. Using Ping, they were better able to identify patterns of authorized actions versus unauthorized actions.

A new role for identity management

At the recent Identiverse event in Boston, Ping Identity announced PingIntelligence for APIs, the result of combining API traffic monitoring technology from its recent purchase of Elastic Beam with Ping’s identity technology.

API attacks have been on the rise over the last few years, with high-profile breaches at T-Mobile and the U.S. Internal Revenue Service (IRS). API vulnerabilities allow hackers to take over accounts and applications. That puts more stress on the network operations center (NOC). “You have all this [API] traffic going back and forth,” says Sarah Squire, senior technical architect at Ping Identity. “It’s too much data, more than one person can process.”

In response, Elastic Beam developed a platform to deliver a deep understanding of what’s happening with a customer’s APIs — from discovering active APIs automatically and delivering visibility into transactions, to recognizing misuse and cyberattacks on APIs. “It’s a really hard problem, because at the end of the day it’s a big data problem,” says Bernard Harguindeguy, founder of Elastic Beam and SVP, Intelligence at Ping Identity. “You may have tens of thousands of connections happening simultaneously on dozens and dozens of APIs, all happening at different velocity, from different end-user devices—browsers, mobile apps, desktop apps, etc. You’re looking for a needle in the haystack.”

With what Harguindeguy calls “an API cybersecurity engine,” the Elastic Beam product had the ability to recognize and automatically block threats. Positively identifying the source was another matter.

APIs are today secured through tokens using industry standard protocols like OAuth. That’s where Ping has enhanced Elastic Beam’s visibility engine. “PingAccess [another Ping product] helps customers secure their APIs using OAuth,” says Durand. This security model presumes the token hasn’t been stolen or hijacked, and that a user who has legitimately been granted access isn’t doing something malicious. “There’s no one watching the store once the user is behind the identity gates. By monitoring activity on APIs after a user is granted access, Elastic Beam brings a whole new level of security and threat detection to the enterprise.”

Prior to Ping, Elastic Beam didn’t have access to the actual user identity profile within the tokens. “With Ping, because we are both creating and reading the OAuth tokens, we now, for the first time, have the ability to tie the actual authenticated user identity to the API traffic and correlate the activity with a known and authenticated user,” says Durand.

Squire says that PingIntelligence for APIs is easy to set up. Once a risk baseline is established, the product is capable of detecting and blocking DDoS attacks, insider threats, password spraying attacks, attacks with stolen credentials and attacks on data and applications. It can also detect zero-day attacks on apps if the attack pushes anomalous traffic over the API, given that the detection is not rule-based and is not dependent on knowing the attack pattern or signature.
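The two ideas in this section and in the post-authentication monitoring discussed earlier, namely reading the OAuth token to tie API traffic back to an authenticated identity and then comparing that identity’s activity against a learned baseline, can be shown end to end. The following is an added example, not PingIntelligence, Elastic Beam or PingAccess code. It signs and verifies a minimal HS256 JWT with a constructed demo key (a real deployment validates tokens against the issuer’s published keys), and the baseline, the request log and the stolen-token scenario are all constructed for the example.

```python
"""Tie OAuth bearer tokens to API traffic and flag per-identity anomalies.

Added example, not vendor code. The signing key, baseline and request log are
constructed; a real system verifies against the issuer's JWKS and learns the
baseline from far more traffic.
"""
import base64
import hashlib
import hmac
import json
import re
from collections import Counter, defaultdict

SIGNING_KEY = b"constructed-demo-key-not-for-production"  # assumption: shared HS256 key
NOW = 1_700_000_000  # fixed "current time" so the example is deterministic


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(sub: str, scope: str, exp: int) -> str:
    """Issue an HS256 JWT the way the authorization server would."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"sub": sub, "scope": scope, "exp": exp}).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_token(token: str, now: int):
    """Return the claims if algorithm, signature and expiry all check out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, body, sig = parts
    try:
        # Pin the algorithm: rejects alg=none and RS-to-HS key-confusion tricks.
        if json.loads(b64url_decode(head)).get("alg") != "HS256":
            return None
        expected = hmac.new(SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(body))
    except ValueError:  # covers bad base64, bad JSON and bad UTF-8
        return None
    return claims if claims.get("exp", 0) > now else None


def normalize_path(path: str) -> str:
    """Collapse numeric IDs so /v1/accounts/42 and /v1/accounts/43 are one endpoint."""
    return re.sub(r"/\d+", "/{id}", path)


def analyze(records, baseline, now, window_s=60):
    """Attribute each request to its authenticated subject, then compare that
    subject's traffic against its baseline (source IPs, endpoints, peak rate)."""
    findings, by_sub = [], defaultdict(list)
    for rec in records:
        claims = verify_token(rec["token"], now)
        if claims is None:
            findings.append({"sub": None, "kind": "rejected_token", "detail": rec["ip"]})
            continue
        by_sub[claims["sub"]].append(rec)
    for sub, reqs in by_sub.items():
        base = baseline.get(sub)
        if base is None:
            findings.append({"sub": sub, "kind": "no_baseline", "detail": "observe only"})
            continue
        for ip in sorted({r["ip"] for r in reqs} - base["ips"]):
            findings.append({"sub": sub, "kind": "new_source_ip", "detail": ip})
        for ep in sorted({normalize_path(r["path"]) for r in reqs} - base["endpoints"]):
            findings.append({"sub": sub, "kind": "new_endpoint", "detail": ep})
        peak = max(Counter(r["ts"] // window_s for r in reqs).values())
        if peak > base["max_rpm"]:
            findings.append({"sub": sub, "kind": "rate_burst",
                             "detail": f"{peak} req/min > {base['max_rpm']}"})
    return findings


# Constructed baseline for one user and a constructed request log.
BASELINE = {"alice": {"ips": {"203.0.113.10"},
                      "endpoints": {"/v1/me", "/v1/orders/{id}"}, "max_rpm": 20}}
ALICE_TOKEN = mint_token("alice", "orders:read", NOW + 3600)
TAMPERED = ALICE_TOKEN[:-4] + "AAAA"  # signature altered; must be rejected


def constructed_traffic():
    normal = [{"ts": NOW - 600 + i * 30, "ip": "203.0.113.10",
               "path": f"/v1/orders/{100 + i}", "token": ALICE_TOKEN} for i in range(5)]
    # Alice's valid token replayed from a new address, walking account IDs 40 times in a minute.
    theft = [{"ts": NOW - 60 + i, "ip": "198.51.100.7",
              "path": f"/v1/accounts/{i}", "token": ALICE_TOKEN} for i in range(40)]
    forged = [{"ts": NOW - 30, "ip": "198.51.100.8", "path": "/v1/me", "token": TAMPERED}]
    return normal + theft + forged


if __name__ == "__main__":
    for f in analyze(constructed_traffic(), BASELINE, NOW):
        print(f)
```

The stolen-token requests all carry a perfectly valid, unexpired token, so a gateway that only checks the signature lets every one of them through. They are caught only because the traffic is attributed to “alice” and then judged against what alice normally does: a new source address, an endpoint she has never called, and a request rate far above her peak. That is the gap Durand describes between being behind the identity gate and being watched once there.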

What this means is drastically reduced time to identify attacks once an abnormality is detected. Ping partner Axway Software claims in Ping’s press release that attack identification time goes from months to minutes. Even if that’s only half true, it’s a meaningful improvement.

PingIntelligence for APIs needs to integrate well with an enterprise’s existing reporting, NOC, and security infrastructure. It does so in two ways. It can operate in what Ping calls a sideband mode, where a copy of the traffic data is pushed to PingIntelligence for APIs. “Some organizations are understandably nervous about putting another proxy into their traffic flow,” says Townsend.

Actual blocking of a threat in sideband mode occurs outside of PingIntelligence for APIs. “When it finds an anomaly or attack, it pushes that information back up to another product. That could be an API gateway product, it could be Ping Access. That’s where the blocking of the attack will occur,” says Townsend.

The product can also run directly inline with the traffic flow, analyzing and acting on events in real time. PingIntelligence for APIs can block attacks directly in inline mode. “It’s important to have different options for how to deploy,” says Townsend. “Every IT shop will have their own biases about what’s used in their network topologies. We can support multiple options or combinations of options.”

How identity is changing security

As identity becomes the new perimeter, as Durand believes, identity as a security function is “becoming more and more valid with the idea of the hybrid cloud reality of most enterprises. They are redefining their borders around identity access management systems,” he says.

Historically, identity has not been the responsibility of the security teams. “If you play it back a few years, Ping’s champions reported into IT,” says Durand. “Today we’re seeing identity report to the CISO.”

That’s creating a management and skillset challenge. “I often find that Identity professionals and security professionals have a different mindset,” says Durand. “Finding people who live in two mental spaces simultaneously, Identity for connecting things and security for defending things, is rare. Most of the time people fall into one category or the other, but that is beginning to change.”

The gap between identity and security in terms of understanding what the other one does has historically been pretty wide. The solution, Durand suggests, is a strong training program for both identity and security professionals. Panelists at an Identiverse session titled “Should Identity Own Security?” (the unanimous response was “No!”), all emphasized the need for greater collaboration between identity and security groups.

Even if intelligent identity management systems meet their full potential, they might never provide 100 percent accurate recognition of users. “There’s a difference between trusting and knowing,” says Durand. “In life, we’re forced to trust when we don’t or can’t know something for certain, and most things in life are either too inconvenient or too expensive to know for certain. For example, how many times have you arrived at a new restaurant and handed the keys to your new car to an 18-year-old stranger wearing what appears to be a valet t-shirt? You’ve made a conscious decision to trust because you’ve decided it’s too inconvenient to park three blocks away. In identity, as in life, it’s many times too hard or too expensive to know anything for certain. This is why we need intelligent systems to help us determine risk and make more intelligent decisions around access control.”