What is Adaptive Access Management?

Overview

Adaptive access management adjusts the level of access security based on the assessed risk at the time of access. While a mature access management infrastructure offers service delivery with authentication and authorization security, adaptive access management adjusts those safeguards to match the risk at hand. The decision criteria for these adjustments include contextual information such as whether users are accessing highly sensitive information:

  • Using a known or even managed device
  • Using a device never seen before
  • While inside a secured facility
  • From a remote location within a specified range or area
  • From a remote location that is far away or unexpected (IP range, geolocation, geofencing)

Different levels of risk can be deduced from each of the situations listed above. Someone accessing sensitive information from a never-before-seen device in a faraway, unexpected location is quite a bit different than someone accessing that same information from within a secured facility. Even access from a location that is remote yet familiar or expected incurs far less risk, especially from a managed device.

Familiarity can be extended beyond just context. Unusual access of information may indicate that the actual requester is not the one that was claimed at the point of authentication. Machine learning applied to behavioral analytics can be used to identify when a requester (person or process) is interacting as expected or is diverging. Depending on the calculated risk, the requester may be interrupted and asked to respond to another authentication type to strengthen their claimed identity.

The defining difference between today’s adaptive access management infrastructure and the traditional risk-based authentication controls that gained popularity several years ago is that the requester’s contextual and behavioral information is gathered throughout the entire session rather than just when the initial request is made. Historically, risk-based access set the authentication and authorization requirements based on the context measured at the point of the request. Continuous authentication and authorization is the ability to measure risk throughout the entire session and invoke an action at any point during it. For example, the requester may access more sensitive information later in the session than he did initially. Or a behavioral analytics engine may calculate a low confidence rating of the requester’s identity based on interactions and requests. Any of these could cause the access management infrastructure to adapt to the calculated risk.
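The continuous evaluation described above, sketched as an added example that is not code from this page or from any product: every request in a session is re-scored from its context, and a step-up is demanded when risk rises past what the session has already verified. The weights, thresholds, field names and the `behavior_confidence` input are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, replace

# Constructed thresholds (assumptions, not values from any product).
STEP_UP_AT, DENY_AT = 40, 80

@dataclass(frozen=True)
class Context:
    device_known: bool
    device_managed: bool
    in_secured_facility: bool
    location_expected: bool
    resource_sensitive: bool
    behavior_confidence: float = 1.0  # 0..1, from a hypothetical analytics engine

def risk_score(ctx: Context) -> int:
    """Sum constructed weights for each risk signal present in the context."""
    score = 0
    score += 0 if ctx.device_known else 30
    score += 0 if ctx.device_managed else 10
    score += 0 if ctx.in_secured_facility else 10
    score += 0 if ctx.location_expected else 30
    score += 20 if ctx.resource_sensitive else 0
    # Diverging behavior lowers confidence in the claimed identity.
    score += round((1.0 - ctx.behavior_confidence) * 40)
    return score

class Session:
    """Re-evaluates risk on every request, not only at login."""
    def __init__(self) -> None:
        self.verified_up_to = 0  # highest score already covered by a step-up

    def evaluate(self, ctx: Context) -> str:
        score = risk_score(ctx)
        if score >= DENY_AT:
            return "deny"
        if score >= STEP_UP_AT and score > self.verified_up_to:
            return "step_up"
        return "allow"

    def step_up_passed(self, ctx: Context) -> None:
        self.verified_up_to = max(self.verified_up_to, risk_score(ctx))

def demo() -> list:
    s = Session()
    browse = Context(True, False, False, True, False)     # known device, familiar remote location
    sensitive = replace(browse, resource_sensitive=True)  # later in the same session
    drift = replace(sensitive, behavior_confidence=0.5)   # analytics confidence drops
    out = [s.evaluate(browse), s.evaluate(sensitive)]
    s.step_up_passed(sensitive)                           # user completes the extra factor
    out += [s.evaluate(sensitive), s.evaluate(drift)]
    return out

if __name__ == "__main__":
    print(demo())
```

A static risk-based check would have stopped after the first `allow`; here the same session is challenged twice more as the resource sensitivity and the behavioral confidence change.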

Is your environment adaptive enough for Zero Trust?

Adaptive access management is a security approach that elevates the strength of identity verification to match the context of requests. It also includes tuning authorization based on assessed risk. Learn how the next generation of technologies makes zero trust easier to attain while keeping the user experience crisp and simple.

Adaptive Access Management

Why are organizations moving to an adaptive access management infrastructure?

Increasingly, IT security teams realize that their traditional defenses, such as firewalls and static access policies, aren't very effective against today's advanced threats. Despite the tens of billions of dollars invested in security solutions, breach rates today are the same as they were a decade ago. And as these breach rates remain stubbornly high, the cost of each breach continues to rise. Separately from the rising cost of breaches, organizations continue to consume more cloud-based services, relegating the role of their firewalls to insignificance. In the earliest years of the cloud, when organizations were purchasing infrastructure as a service (IaaS) solutions to offload systems management, it was common for them to channel communications to those services through their firewalls. In other words, IaaS was an extension of their intranet. Today, as organizations continue to transition their internal services to SaaS ones, that approach is far less common. Instead, administrators use federation technologies to extend their identity and entitlement repositories to cloud services that support them. Essentially, this means that identity is indeed the new perimeter.

While some organizations keep their most sensitive information in-house, it's more common today for it to be consumed from a SaaS-based service. The challenge is that without the added protection of firewalls, static access management policies fall short. While it's possible with access policies to lock a digital environment down to a high-security state, doing so imposes damaging compromises. Restrictive policies frustrate users and drive down their productivity. For B2C/B2B/G2C services, restrictive policies quickly become a consumer inhibitor, pushing consumers to competing offerings. Conversely, environments that are too easy to move around and consume typically offer opportunities for bad actors to exploit. The better approach is dynamic access control that enables organizations to reduce friction when risk is low while responding to at-the-moment threats with raised security. Beyond the dramatic change in the way information is created and consumed, the volume of sensitive information that needs to be protected has become vast. This past decade's digital transformation has expanded the types of information, including regulated information, that are both digital and connected. Adaptive access management allows this information to stay both connected and secure.