It’s the biggest threat surface and best enforcement point for enterprise security
Leslie K. Lambert
www.csoonline.com | Sep 12, 2017
Digital transformation projects are all about providing a frictionless and convenient user experience, reducing operational costs, delivering enriched application capabilities, while enforcing data privacy and protection standards. The latter, as we know, is easier said than done.
Especially since one of the cornerstone technologies of virtually every digital transformation initiative is mobility, namely anywhere, anytime access on any device. To complicate matters, many organizations allow their employees to access critical business applications using their personal (e.g. BYOD) devices.
Traditionally, mobile security has been focused on the device. Given the ubiquitous access mobile devices now have, including access to sensitive data and resources, this one dimensional approach is clearly no longer (and in my opinion has never been) sufficient. As in many areas of security, identity-based intelligence is being used to shore up defenses.
By combining device, identity and access data to risk-score activity, organizations can implement a mobile security perimeter.
For example, if a user with a low risk reputation initiates an applicationsession from a recognized location with a known device, this activity would produce a green (i.e. low) run-time risk score. The user could be granted (based on policy) pass-thru access without additional authentication.
If the same user then begins accessing unusual information or conducting anomalous transactions (e.g. transferring data to unknown locations), which represents abnormal behavior, the session’s real-time risk score would increase. When a user is classified in the red (i.e. high risk) zone, this could trigger two- or multi-factor authentication challenges, or the user could be locked out of the account. Alternatively, if the session’s score reaches the yellow (i.e. medium) zone, the application’s functionality and data access could be actively curtailed.
This holistic or unified approach to mobile security requires a “mash up” of data from a variety of sources that can include human resources management systems; Active Directory and identity and access management (for identity data); device registration data such as device id, configuration, allocation information, device type (corporate vs BYOD), etc.; applications provisioned to a device or user; application usage logs; and even security-related information like DLP or vulnerability scan results (from logs or SIEM).
Once this data is aggregated, device registration and usage data can be linked to the user’s identity. Using machine learning analytics, a baseline behavior profile based on usage patterns can be established for each identity. This can take several days or weeks depending on activity levels and the algorithms being used.
Once a baseline behavior profile is in place, all subsequent user sessions can be evaluated against multiple risk indicators such as deviation from the baseline, device type (corporate vs BYOD), location, application risk rating, access anomalies, etc. The resulting real-time risk score can then be used to enforce the appropriate authentication and access policies.
Unlike traditional mobile security implementations, this approach does not subject each user to a one-size-fits-all access screening regardless of their risk profile.
For example, most password based authentication systems provide just one level of access protection for every type of user. This model does not differentiate between low, medium and high risk users or activities — which can be frustrating to low risk users while providing insufficient protection for high risk users.
In a typical organization approximately 60% of users or activities are within the low risk category. With a risk-based approach, the majority of an organization’s users would experience a significant reduction in security friction during their day-to-day activities and increased efficiency. Meanwhile, data security and privacy would be maintained, and increased for high risk scenarios.
The journey of digital transformation is changing the way we think about operationalizing security and access policies. With the traditional network perimeter fading due to technologies such as mobility, cloud and BYOD, identity has emerged as the most ubiquitous threat surface in the enterprise. It’s also become one of the best vehicles for restoring a security perimeter.
Given IT’s current trajectory, organizations should be re-thinking traditional approaches to access for both mobile and enterprise-wide security.