Computer and network security is not a new concept by any stretch of the imagination—but perhaps that is the crux of the problem. The traditional security model and tools that companies have relied on for over a decade are showing their age and are simply not effective against innovative new attack techniques.
Despite defense in depth, companies are breached every day. In spite of stronger passwords and two-factor authentication, data is compromised every day. You can continue adding more tools or doubling down on the tools you have, but ultimately you end up wasting a lot of time, money, and effort for nominally better results.
Take a step back. Look at the big picture and try to understand what is broken about the existing security model. How are attackers able to bypass or compromise the controls you have, and what should you do differently to prevent that?
When it comes to identity and access management, the traditional approach is not providing adequate protection. Setting aside the fact that so many users continue to use ridiculously simple passwords year after year, even strong, complex passwords don’t seem to add much security. Attackers compromise user credentials through phishing scams and database hacks. When attackers infiltrate your network they are most often doing it using valid credentials from an authorized user, so simple identity and access management is not going to prevent the attack.
There are certainly draconian measures that could be put in place that would do a better job of preventing unauthorized access and protecting data. Those solutions would also get in the way of authorized users just trying to do their jobs, though. The trick is to find a solution that provides adequate protection while maintaining usability.
One solution is to view identity and access more holistically. Allowing access based on a username and password alone is a binary, black-and-white decision. Wrong username and password gets rejected. Correct username and password is granted access. But, what if it’s the correct username and password…being entered from a country half way around the world that the user in question has never been to? What if the correct username and password is entered from a system across town…while the actual user is already logged in at the office?
“Building stronger access controls starts with being able to identify the level of risk that a user presents at the moment of authentication,” stresses Travis Greene, Identity Solution Strategist for Micro Focus. “That risk can be calculated from information such as the location, time or device that is being used, or the sensitivity of information accessed.”
Greene adds that additional credentials or methods of authentication should only be used if necessary. It’s important to find the right balance between security and user convenience. If an increased risk is identified, a second or third factor of authentication can significantly reduce the risk that a user is not who he says he is. “Additional credentials may need to include more factors than just something you know (passwords or mother’s maiden name). A second factor could be something you have (e.g. a smart phone, a smart card or one-time password) or something you are (e.g. a fingerprint, voice or facial recognition).”
Rather than just considering the binary choice of authorized vs unauthorized, you need to apply some context to the identity and access equation. With risk-based authentication (RBA)—when you take the username and password, and view it with the benefit of additional context—you can rule out suspicious or impossible logins and provide better protection for your network and data.