The potential for unauthorised access to sensitive data and intellectual property presents a constant, pervasive threat to the brand equity, competitive posture and reputation of any enterprise. Many organisations are aware of the enemies lurking just outside their gates, and Identity and Access Management (IAM) solutions have long been an integral element of any risk-mitigation or fraud-prevention strategy.
But with the threat landscape evolving and data-protection regulation in flux, traditional, time-tested IAM technologies may no longer be sufficient. As a result, corporate leadership, including senior business executives, IT stakeholders and board members, is rightly concerned about the impact an incident can have on the organisation, its business relationships and its customers.
Pressure is mounting on organisations to do whatever is required to not only detect, but more importantly, prevent threats before they affect critical business processes or sensitive data. Fortunately, help is on the horizon. Next-generation IAM solutions built around advanced risk-based authentication techniques promise to help companies effectively safeguard critical assets against today’s threats.
The availability of these mature solutions is a positive development. But to maximise the effectiveness of these new technologies, organisations must take steps to determine what implementation best aligns with their specific requirements. To this end, business and IT leaders must work together to analyse current IAM capabilities, understand the implications of various forms of risk, review available options, and adopt a new approach – one that lays the foundation for better security, both now and into the future.
Many organisations have already invested in an IAM infrastructure. Those in regulated industries have worked through regulations and requirements to build reasonably mature and holistic IAM systems. In many other sectors, however, IAM has been implemented in an ad hoc manner and is inconsistent across the enterprise.
IAM technology is fundamental to addressing a range of security risks and challenges, such as mobility, access to sensitive data and third-party access. As an illustrative example, Deloitte's 2012 Global Security Studies for the TMT and FSI industries found IAM to be foundational to each of the top five security threats identified, and among the top three initiatives for 2012.
Authentication methods must evolve to protect against emerging risks
Many businesses have grown accustomed to doing only what is required to meet audit and compliance requirements, but a key line of defence in protecting company data, business-critical systems and corporate intellectual property is to confirm the identity of the information requester using a formalised authentication methodology. Not only does this process have a direct impact on the organisation's security posture, it is also instrumental in complying with a number of key regulations and standards, such as Sarbanes-Oxley (SOX), the Payment Card Industry Data Security Standard (PCI DSS) and privacy legislation.
Yet all too often, the processes in place to control access, such as requesting and confirming the user's login credentials, are inconsistent, manual and unreliable.
While this approach may have been adequate in the past, increasing regulatory scrutiny and highly sophisticated threats have rendered traditional authentication methods insufficient, leaving the organisation exposed to significant security threats. Because of the inherent weakness of basic username-and-password authentication, and the need to comply with guidance such as that of the Federal Financial Institutions Examination Council (FFIEC), some organisations have started implementing "strong" or "multi-factor" authentication. While the approach may differ by organisation, the end goal is the same: confirm a user's identity using two or more independent, hard-to-replicate factors.
Advanced and evolving threats introduce a new era of risk
As discussed, newer, more sophisticated attacks have become increasingly successful at overcoming traditional security measures.
In particular, the rise of social media and the frequency with which personal information is readily shared online gives attackers better opportunities to understand the individual they are targeting, and to use this knowledge to guess the answers to password-reset challenge questions. Once they pick the right answer, they are free to change the password and assume the individual's identity. Add to this the fact that many users reuse the same password across many systems, and a single successful attack can quickly expand outward to affect a large number of applications and data.
And even though some companies have adopted more robust authentication techniques, such as those based around the use of security tokens, the risk of a breach remains. In fact, a recent compromise of security tokens required a widespread recovery response and forced some organisations to rethink their strategies for safeguarding sensitive information assets.
In light of the way today’s threat landscape is changing, and the inability of established controls to keep pace, one question remains: Do organisations know if and when an unauthorised individual is accessing their critical systems and information? The answer, more often than not, is “no.”
The future is now: risk-based authentication and authorisation
Although the sophistication of today’s threats may make it seem as though organisations have no effective means of defending themselves, new techniques designed to combat these attacks are emerging. Specifically, the strongest next-generation solutions will help organisations prevent illegitimate access by leveraging advanced risk-analytics techniques.
Such solutions compute a risk score for each access attempt, measuring the likelihood that the attempt is fraudulent. The score is then compared with the level of risk the organisation is prepared to tolerate for the particular IT asset being accessed, called that asset's "risk threshold". If the score for an attempt is below the threshold, access is granted. If it exceeds the threshold, authentication controls are automatically elevated: the user must pass a step-up challenge, and access is granted only if that challenge succeeds, otherwise it is denied.
For example, sensitive applications such as financial systems should be given a low risk threshold, so that even a slight hint of fraudulent activity triggers step-up authentication or denial. Less critical resources, such as a spreadsheet listing company holidays, need not be subject to the same scrutiny and so receive a higher threshold.
The newest generation of risk analytics draws on many kinds of information and patterns to build a risk score. These include login trends, the geographic location of previous login attempts, the devices used in previous authentication attempts (device fingerprint), the applications or data being accessed, IP address usage, login duration and usage context.
In addition to the signals listed above, organisations should consider further data points such as:
* Is the user typing at roughly the same speed as in the past, or suddenly faster or slower?
* Is the user downloading large volumes of information, when their normal activity involves looking at a limited number of records?
Because thresholds are set per asset, the same attempt may fall within the threshold of a less-sensitive system while exceeding that of a more critical one. An organisation may therefore elect to allow applications of low importance to be accessed even when the login attempt generates a high risk score.
And to prevent legitimate individuals from being locked out by false positives, such as when a user tries to check e-mail from an unknown device during her vacation, an out-of-band channel can be used for a one-time confirmation. This could take the form of a text message containing a single-use code that grants the user the access she needs (a code delivered by SMS is weaker than one generated by an authenticator app or hardware token, but it still raises the bar well above a password alone).
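The decision flow just described (score the attempt from behavioural signals, compare it with the asset's threshold, step up with a single-use out-of-band code, deny if the step-up fails) can be made concrete. The following is an added example written for this article and not taken from the Deloitte white paper; the user profile, signal weights, asset thresholds and the 6-digit code format are constructed assumptions, and the code is never actually sent anywhere.

```python
"""Risk score, per-asset threshold and out-of-band step-up, as the text describes.

Added illustration: profile, weights and thresholds are constructed assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed behavioural profile the engine has learned from alice's past sessions.
PROFILE: Dict[str, dict] = {
    "alice": {
        "devices": {"fp-laptop-7a3"},      # known device fingerprints
        "countries": {"ZA"},               # countries of previous logins
        "ip_prefixes": {"196.25."},        # usual corporate IP range
        "typing_cps": 5.5,                 # characters per second, historical mean
        "records_per_session": 40,         # typical volume of records fetched
    }
}

# Risk threshold per asset: the lower the number, the less anomaly it tolerates.
THRESHOLDS: Dict[str, float] = {
    "finance-ledger": 0.20,
    "hr-portal": 0.50,
    "holiday-calendar": 0.90,
}

# Contribution of each anomalous signal to the score (illustrative values, not tuned).
WEIGHTS: Dict[str, float] = {
    "new_device": 0.30,
    "new_country": 0.30,
    "new_ip_prefix": 0.15,
    "typing_anomaly": 0.15,
    "bulk_download": 0.25,
}


@dataclass
class Attempt:
    user: str
    asset: str
    device_fp: str
    country: str
    ip: str
    typing_cps: float
    records_requested: int


def risk_score(a: Attempt) -> Tuple[float, List[str]]:
    """Return (score in [0, 1], names of the signals that fired)."""
    p = PROFILE[a.user]
    fired: List[str] = []
    if a.device_fp not in p["devices"]:
        fired.append("new_device")
    if a.country not in p["countries"]:
        fired.append("new_country")
    if not any(a.ip.startswith(pre) for pre in p["ip_prefixes"]):
        fired.append("new_ip_prefix")
    if abs(a.typing_cps - p["typing_cps"]) > 0.5 * p["typing_cps"]:  # >50% off usual speed
        fired.append("typing_anomaly")
    if a.records_requested > 5 * p["records_per_session"]:            # 5x the usual volume
        fired.append("bulk_download")
    return min(1.0, sum(WEIGHTS[s] for s in fired)), fired


# One-time codes awaiting confirmation, keyed by user; single use, so popped on first check.
_PENDING: Dict[str, str] = {}


def issue_step_up_code(user: str) -> str:
    """Create a 6-digit single-use code; a real deployment sends it out of band (SMS, app push)."""
    code = f"{secrets.randbelow(10 ** 6):06d}"
    _PENDING[user] = code
    return code


def verify_step_up_code(user: str, entered: str) -> bool:
    issued = _PENDING.pop(user, None)  # consumed whether or not it matches
    return issued is not None and hmac.compare_digest(issued, entered)


def decide(a: Attempt, step_up_code: Optional[str] = None) -> Tuple[str, float, List[str]]:
    """Return ('allow' | 'step_up' | 'deny', score, reasons) for this attempt."""
    score, fired = risk_score(a)
    if score <= THRESHOLDS[a.asset]:
        return "allow", score, fired
    if step_up_code is None:                      # over threshold: elevate authentication
        return "step_up", score, fired
    if verify_step_up_code(a.user, step_up_code):
        return "allow", score, fired
    return "deny", score, fired


if __name__ == "__main__":
    # Alice checks the holiday calendar from a hotel on an unknown tablet.
    vacation = Attempt("alice", "holiday-calendar", "fp-tablet-99", "FR", "91.2.3.4", 5.2, 30)
    print(decide(vacation))                        # allowed: low-value asset, high threshold
    vacation.asset = "finance-ledger"
    print(decide(vacation))                        # step_up: same signals, sensitive asset
    code = issue_step_up_code("alice")             # would be texted to her phone
    print(decide(vacation, step_up_code=code))     # allowed once the code is confirmed
```

The same three anomalous signals (unknown device, new country, unfamiliar IP range) produce the same score of 0.75 in both runs; only the asset's threshold differs, which is exactly the point of per-asset thresholds. The code is popped from the pending table on first use, so replaying a captured code fails, and the comparison uses a constant-time check so the verifier does not leak how many digits matched.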
The way forward: What can I do to protect my organisation?
Implementing Role-Based Access Governance (RBAG) as the context within which risk-based access control operates strengthens governance of the user life cycle. Successful RBAG, however, depends on thorough analysis of business and system roles, privileges, connection origins, user activity logs, nature of access, information resource classification and system type.
Advanced risk-based analytics (ARBA) are an emerging and evolving solution set. Thus far, only companies on the leading edge of RBAG adoption have implemented these technologies, and that needs to change now. That many of these solutions are not yet mainstream should not stop organisations from researching which RBAG and ARBA solutions are currently available and choosing the option that best fits their needs.
One worthwhile advanced method of risk-based analytics is the use of artificial neural networks such as Self-Organising Maps (SOMs). A SOM projects observations described by a large number of variables (dimensions) onto a two-dimensional grid in such a way that similar observations land in the same or neighbouring cells, so the map can be read visually: routine behaviour clusters together and outliers sit apart. Applying this kind of machine learning to the logs and incidents in your IAM data can surface patterns that would not be obvious from a manual review.
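To show what that projection actually does with IAM data, here is a small self-organising map trained on login-event features. It is an added example written for this article, not code from the white paper or any product; the eight routine logins and the one suspicious login are constructed records, the feature scaling is an assumption, and the implementation is plain Python so it runs without any numerical library.

```python
"""Self-organising map over login-event features (added illustration, pure Python).

Each IAM log event becomes a feature vector scaled to [0, 1].  A small 2-D grid of
prototype vectors is trained so that neighbouring cells hold similar prototypes; each
event then maps to its best-matching unit (BMU).  Routine logins share a region of the
map, while an outlier lands in its own cell away from them.
"""
import math
import random
from typing import List, Sequence, Tuple

Vector = List[float]

# Constructed events: [hour_of_day/24, new_device, new_country, failed_logins/10, records/500]
NORMAL_LOGINS: List[Vector] = [
    [9 / 24, 0, 0, 0.0, 30 / 500],
    [10 / 24, 0, 0, 0.1, 45 / 500],
    [8 / 24, 0, 0, 0.0, 20 / 500],
    [14 / 24, 0, 0, 0.0, 60 / 500],
    [11 / 24, 0, 0, 0.1, 35 / 500],
    [16 / 24, 0, 0, 0.0, 50 / 500],
    [9 / 24, 0, 0, 0.0, 25 / 500],
    [13 / 24, 0, 0, 0.2, 40 / 500],
]
# 03:00, unknown device and country, many prior failures, bulk download.
SUSPICIOUS_LOGIN: Vector = [3 / 24, 1, 1, 0.8, 480 / 500]


def _dist2(a: Sequence[float], b: Sequence[float]) -> float:
    """Squared Euclidean distance in feature space."""
    return sum((x - y) ** 2 for x, y in zip(a, b))


class SOM:
    def __init__(self, width: int, height: int, dim: int, seed: int = 7):
        rng = random.Random(seed)  # fixed seed so the map is reproducible
        self.width, self.height = width, height
        # one prototype (weight) vector per grid cell, randomly initialised in [0, 1]
        self.grid: List[List[Vector]] = [
            [[rng.random() for _ in range(dim)] for _ in range(width)] for _ in range(height)
        ]

    def bmu(self, x: Sequence[float]) -> Tuple[int, int]:
        """Grid coordinates (row, col) of the cell whose prototype is closest to x."""
        return min(
            ((i, j) for i in range(self.height) for j in range(self.width)),
            key=lambda ij: _dist2(self.grid[ij[0]][ij[1]], x),
        )

    def train(self, data: List[Vector], epochs: int = 300, lr0: float = 0.5) -> None:
        r0 = max(self.width, self.height) / 2.0
        for epoch in range(epochs):
            t = epoch / epochs
            lr = lr0 * (1 - t) + 0.02       # learning rate decays over training
            radius = r0 * (1 - t) + 0.5     # neighbourhood shrinks until only the BMU moves
            for x in data:
                bi, bj = self.bmu(x)
                for i in range(self.height):
                    for j in range(self.width):
                        d2 = (i - bi) ** 2 + (j - bj) ** 2
                        if d2 > radius * radius:
                            continue
                        h = math.exp(-d2 / (2 * radius * radius))  # Gaussian neighbourhood
                        w = self.grid[i][j]
                        for k in range(len(w)):
                            w[k] += lr * h * (x[k] - w[k])


def grid_distance(a: Tuple[int, int], b: Tuple[int, int]) -> int:
    """Manhattan distance between two map cells."""
    return abs(a[0] - b[0]) + abs(a[1] - b[1])


def map_logins(width: int = 5, height: int = 5) -> Tuple[SOM, List[Tuple[int, int]], Tuple[int, int]]:
    """Train on all events; return the map, the normal logins' cells and the outlier's cell."""
    som = SOM(width, height, dim=len(SUSPICIOUS_LOGIN))
    som.train(NORMAL_LOGINS + [SUSPICIOUS_LOGIN])
    normal_cells = [som.bmu(v) for v in NORMAL_LOGINS]
    return som, normal_cells, som.bmu(SUSPICIOUS_LOGIN)


if __name__ == "__main__":
    _, cells, outlier = map_logins()
    print("normal logins map to cells:", sorted(set(cells)))
    print("suspicious login maps to cell:", outlier)
```

Reading the result is the whole value of the technique: an analyst does not need to inspect five variables per event, only to notice which cells are busy and which lone cell sits apart from them. In practice one would feed many thousands of events, add features such as the target application and session duration from the list earlier in the article, and flag any event whose BMU prototype is far from the prototypes that serve routine traffic.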
In order to ensure that critical applications and data, as well as brand reputation, are secured for the long term, executives must determine the organisation's current level of risk exposure and the value provided by their existing IAM solutions. Meeting with the IT leaders in charge of these technologies to answer the following questions is in order:
* Do we have the right metrics in place to identify risks around access and authentication?
* Can we recognise patterns around user access behaviour? If so, how are we currently using this information?
* What risk-mitigation techniques do we have in place to respond to these advanced threats?
* What is our timeframe for deploying an advanced risk-based authentication solution?
These questions are important to organisations that have already implemented IAM technologies, as they present opportunities to improve and optimise existing solutions. Organisations that do not currently have the most robust measures in place can use this conversation to gain a competitive advantage over companies operating legacy risk profiles; it presents an opportunity to skip a generation of technology and adopt what is fast becoming the new baseline.
Decisions should be made in a measured manner that considers a number of variables. However, the rapid proliferation of smartphones, tablets and off-premise, cloud-based systems and infrastructure means the need for robust trust and authentication measures has never been greater. The earlier executives start having these conversations with IT leaders, the better placed they will be to understand their existing risk profile and current ability to handle threats.
Executives should challenge their teams to:
1. Assess: Determine your business needs and how well your applications currently support them. Build a strategy and prioritise applications by importance. Comparing the business value of a system with its technical soundness is a strong indicator of which systems should be covered by the IAM solution first.
2. Evaluate: Investigate the available solutions and determine how each can address the evolving threat landscape.
3. Pilot: Perform a pilot with the solution that best meets the needs based on the evaluation and confirm fit for the enterprise.
4. Expand: Apply lessons learned from the pilot and expand the solution to applications in a phased manner based on prioritisation.
Challenges – and their requisite solutions – vary from company to company, and there is no one-size-fits-all approach. The key is for business and IT leaders to work together to find the right fit for the organisation. While every solution must reflect operational and regulatory requirements, some standard approaches do apply:
* Smaller organisations with relatively low risk profiles may elect to move forward with the technologies available today, or implement additional layers of security as they wait for solutions to mature or become more economical.
* Larger institutions that carry a greater amount of risk may not be able to wait this long, and instead, should consider developing custom solutions that fit their needs.
Regardless of the size of the organisation or the approach it adopts, one thing remains clear: Decisive action must be taken before the enterprise is breached.
The basics of strong authentication
Typically, strong, multi-factor authentication presents two or more challenges to any individual requesting access to a specific resource. These must come from different categories to count as separate factors (a password plus a PIN is still a single factor), and are usually based on three fundamental areas:
1. Something they know – Such as a password or PIN.
2. Something they have – Such as a one-time key from a token or a security card.
3. Something they are – Such as a biometric check, including a retina or fingerprint scan.
Key terms
* Identity and Access Management − a group of services that support the management of users and their authorised access.
* Authentication − the methods used to verify a user’s identity prior to granting access to systems or data.
* Authorisation − an access-enablement methodology based upon an individual’s pre-approved access rights and other factors.
* Provisioning − the management of the user identity lifecycle, including granting and removing approved IT accounts and authorisations.
* Role-Based Access Governance (RBAG) − an enhanced approach to sustaining visibility of user roles across the enterprise, enabling enterprise-wide management of the user and role life cycle.
* Role-Based Access Control (RBAC) − an enhanced provisioning process that utilises business language and roles to streamline the management of user access.
* Access Certification − the processes supporting the periodic review and confirmation of a user’s access rights to IT systems.
* Single Sign-On − a family of ease-of-use technologies that allow users to authenticate themselves without having to re-enter credentials for each system being accessed.
* Federation − solutions that allow users authenticated by a trusted, external business partner to be granted access without a separate local credential.
Source: Deloitte & Touche. A full copy of the white paper can be found at https://www.deloitte.com/assets/Dcom-SouthAfrica/Local%20Assets/Documents/enemy-at-the-gates.pdf, or use our short link: securitysa.com/*deloitte .
For more information contact Deloitte & Touche, +27 (0)11 806 5000, [email protected], www.deloitte.com
© Technews Publishing (Pty) Ltd. | All Rights Reserved.