A different type of defence must be implemented to adapt to the new normal of BYOD and multiple mobile interfaces, and secure a borderless enterprise from an ever-changing threat landscape.
More specifically, as organisations' employees become the front line of cyber attacks, IT departments today need a system of identity access management (IAM) that is more dynamic, agile, intelligent and risk-aware: in short, adaptive IAM.
In the next few years, next generation authentications and identity management systems will pivot on a new capability: adaptive IAM.
Adaptive IAM
Whereas traditional IAM approaches guarded stationary perimeters around data largely in one, centralised location, adaptive IAM creates a dynamic "situational perimeter" that patrols and safeguards against attacks by enforcing security wherever users interact with corporate data and resources – not only across various devices and platforms, but throughout the entire process of interaction.
Adaptive IAM systems draw on data from hundreds, or even thousands, of sources to conduct risk assessments of user behaviour and access requests.
When suspicious activities are detected, next generation IAM solutions stop users in their tracks with "stepped up" authentication or authorisation requirements that users must satisfy before they can continue.
Today's advanced threats and multi-vector attacks (the different methods in which employees can be targeted i.e. through malicious emails, accessing wireless networks on smart phones, chatting on social network sites etc,) can strike at any moment during the user experience, and many of today's IAM solutions are too primitive to spot suspicious behaviour.
IAM systems today assume that users providing correct credentials at first log-in can be trusted, but establishing trust cannot just be a one-time thing. In order to stay relevant in security, IAM needs to be reinvented. As peoples identities become the front line of attack, IAM systems must become the front line of defence.
A new age of authentication
While convenience must be placed at the centre of the operations, users are acclimating to the idea of signing onto multiple websites when using online "passports", such as their Facebook ID, Google sign-in or Microsoft account.
It's just a matter of time before people expect similar or even greater levels of integration when signing into corporate IT services. As organisations expand their use of enterprise applications and cloud services, traditional IAM systems cannot easily integrate these disparate repositories.
Traditional IAM assumes that users providing the right credentials can be trusted after their initial authentication. Unfortunately trust cannot be established solely on the basis of a successful login; trust must be continually verified. In order to do this, traditional IAM systems will need to integrate advanced capabilities in data analytics.
So how do we achieve this new level of responsive, adaptive, intelligent security? The concept rests on four basic principles:
- Creating rich user profiles drawn from many attributes that can independently corroborate the trustworthiness of users and their activities in real-time against a historical baseline, with significant deviations from "normal" behaviour signalling security problems.
- Providing intelligence through big data analytics that can assess risk, detect problems and interrupt users attempting unsafe activities.
- Monitoring and risk-based intervention should be implemented to keep track of what users do after initial authentication, and adjust access controls to measured risk levels.
- Consumer-level convenience must always be top of mind, meaning identity controls and risk assessments must occur behind the scenes, intruding upon corporate end users only when necessary. IAM systems are morphing to make identity controls and analytics invisible to corporate end users.
While these principles are fairly straightforward, the path to adaptive IAM will not necessarily be a quick or easy one. Companies must rethink the way they think about security to take into account the way their employees are interacting with company data.
Employees are no longer accessing information on one central server from the PC; they are interacting with it at home, on the go and from a pool of devices that grows every day.
In reality, we are likely a few years from this IAM ideal, but progress is being made and more importantly, the charge has been set forth. IAM solutions must adapt as fast as the rapidly changing threat scenarios they protect against.
By implementing an IAM solution that is adaptable, intelligent and dynamic, we can establish effective, situational perimeters around the borderless enterprise and arm ourselves for the front lines of today's cyber security battle.
- Rashmi Knowles is Chief Security Architect EMEA, RSA
