Calculate the risk of the user requesting access and adapt your authentication accordingly
No organization, including yours, is immune from the effects of cybercrime. From healthcare to financial services to consumer goods, etc., there isn't an industry today left untouched by cybercriminals. Unauthorized access to sensitive data presents a pervasive threat to an organization's brand equity, competitive posture, and reputation. Given today's evolving threat landscape, traditional identity and access management technologies no longer suffice. Corporate leaders are justifiably concerned about the impact of a security incident, and pressure is mounting to not only detect but, more importantly, prevent threats. Whether their goal is to disrupt, embarrass, or profit from private information, the growing cadence of breaches illustrates the need to raise the level of security across the environment. Fortunately, the next-generation identity and access management solutions employ advanced risk-based authentication techniques that adapts to match the risk at hand.
Breaches point to lack of authentication
The need for a higher level of identity verification is illustrated by the continual stream of breaches announced each week. Recognizable brand names such as Sony, Target, Home Depot, NP Morgan Chase, Anthem, etc. reminds us how close we all are to risking customer trust and financial loss.
Compared to the traditional use of credentials, risk-based authentication (also known as adaptive authentication) is a dynamic level of identity verification. It's intelligent in that it leverages the user's behavior and other distinctive attributes to decide if additional steps are needed to verify that the user is who he claims to be. Those characteristics include properties like location, time of access, whether the device is known, as well as the type of asset being accessed. Not all internal information sensitive not does it create the same level of risk. Access Manager's® risk-based authentication engine can process all that context and more to determine if another level of identity validation is needed.
What are some good identity indicators?
It comes down to elements that identify known characteristics as well as personal routine behavior:
Location of access contributes to the risk score of access:
- Is the user in the office or remote?
- If remote, is it at an expected location?
- Is time of access typical or out of bounds?
Login parameters contribute to the risk score of access:
- Has this same device been used to access protected information before?
- What level of verification is this device?
Risk of information or services:
- How much risk is associated with the information or service?
- Has this same user accessed this piece of information before?
Once you understand at a higher level how you want to measure your risk, it's time to create policies to protect accordingly. A key advantage of Access Manager is that unlike many of the more robust solutions on the market, you don't need a team of developers or specialists to configure and deploy risk-based authentication.
- Create a list of applications, services, internal information and other resources that you want to protect.
- Identity the parameters (metrics) that you want assessed when time of access, or if you're requiring an initial login what parameters do you want measured. Note: you also can assess the potential risk of a device, for example is it known, at the time of initial contact with Access Manager before authentication.
- Give each parameter a weight as to how much that variable adds to the risk. You'll have to do some planning to ensure that you cover the various situations. For example, you may decide that there is certain information that will require a two-factor authentication if it is accessed out of the country, or perhaps even remotely
- You can define as many risk levels as you like, which will be accompanied by an action. For general purpose corporate information, you may allow straight access for Intranet users while requiring authentication for remote users. You may define remote access of all financial and engineering documents require two factor authentication; whatever matches your business.
- For devices that you don't recognize or not approved, you may choose to prevent remote access from certain geolocations altogether for specific types of assets.
- You can record details of the risk assessment for each application or services accesses for analysis later if desired
This dynamic approach to step-up authentication to just the right level is an essential component to upgrading the security of your organization's digital environment, but it can also be used to increase customer convenience and employee productivity. When you're able to narrow the situations where user verification is warranted, you have the flexibility to limit when a single, second, or strong authentication is invoked. This means that with Access Manager you can measure the risk posed by the data and the users and deliver unfettered access as often as possible while your organization can manage risk where it matters most.
The payoff of risk-based authentication
The payoff of risk-based authentication is especially high for organizations needing to optimize their customers experience and encourage additional engagement. Access Manager's risk-based authentication can also be used to allow users to use their social credentials as often as possible and only upgrade to a verified account when performing a sensitive operation like a financial transaction or accessing regulated information. The same is true with partners that need access to your product and inventory information. Lower risk information can be provided if the device is known or authentication occurred earlier in the day, but require an additional step of identity verification once more sensitive information is requested, making it easier for your partner to do business with you.