Why do we need a risk-based approach to authentication?
20 years ago, everyone worked at a desktop workstation hardwired into an office building. This made network security simple and organizations felt they could depend on the time-tested method of the trusted perimeter. Firewalls were relied on to keep out external threats, and anything within the network was considered secure and safe.
Today, however, the number of variables has skyrocketed. The move to the cloud, BYOD, and increased use of outside contractors means a legitimate user could now be logging into the network from anywhere in the world, at any time, and from a vast array of devices.
The idea of the trusted perimeter has become increasingly untenable and users routinely bypass the corporate network altogether with cloud-based applications. This has been further complicated by most users having two or three devices, as well as the increasing presence of IoT-enabled devices on the network. It’s also clear that cyber attackers have long since moved beyond the secure perimeter; if they gain access to the network through an employee’s credentials they can often move about unrestricted.
But where there are challenges, there is also tremendous opportunity.
On the leading edge of the “zero trust” movement is Google’s BeyondCorp framework. This is a security model designed to grant access to applications based on the trustworthiness of the user and the device. The user needs to have an endpoint that has been inspected for security vulnerabilities and then must pass authentication requests.
Accounting for risk
The biggest challenge for an enterprise seeking to adopt a more nuanced approach to authentication is the sheer number of variables that must be accounted for in each and every request. As a result, we’ve seen a shift in demand towards risk-based, adaptive authentication, which is able to account for all these variables and apply a customised access policy based on each situation.
In some cases, risk levels and the resulting access policies are obvious: an access request for customer records outside of business hours made by an unknown device in Jakarta (where the enterprise doesn’t operate) is clearly suspicious and should be presented with very strict policies.
This means that the older static, rules-based approach to authentication is no longer feasible, and organizations cannot simply work in absolutes of allowing access or blocking the user entirely.
Instead, we need to look at the attributes of the user; what system they’re accessing and device they’re using, and what they’re doing, and make an authentication decision based on these attributes.
Depending on the risk profile, organizations could add an additional authentication method, or a more secure one, before allowing access.
Balancing automation and control
The biggest challenge for an enterprise seeking to take on adaptive authentication is from an administrative perspective. Enterprises need to be able to ensure that all the disparate policies are applied and enforced accurately and smoothly if they are to make a BeyondCorp-style perimeter-less strategy work.
As with many other areas of IT security, automation provides a solution to the problem here. Having a system that is able to create a unique access policy for each user profile based on their specific attributes and presents appropriate authentication requirements will ensure that legitimate users are able to fulfil their needs quickly and won’t be needlessly locked out.
However, there is a tendency to rely too heavily on the automated approach, which can be risky because it takes the ability to make granular decisions away from the administrator. Reducing accessibility for admins can make them less likely to use the tools, because they don’t have the chance to get to grips with how they work. Similarly, if end users feel too restricted by an automated system they will be more likely to find workarounds, which increases the risk of a security incident.
Instead, we believe there needs to be a balance between automation, granular control for admins, and usability for end users. Also, providing the right level of granularity for administrators while automating the simple mundane tasks means they can focus on higher value activities.
Authentication, and security more broadly, need to be designed for and managed by humans, but also smart enough to adapt to risk profiles automatically, empowering employees to use what they want and get on with their jobs.
By finding this equilibrium, enterprises can use advanced authentication to meet the growing demand for a perimeter-less workplace, without exposing their organization to a security breach. By taking this approach, cybersecurity will be seen as an ally to businesses rather than a barrier.