The need to secure your business information, systems and access is more critical than ever. At the same time, you must balance the need for enhanced security against the accessibility and productivity needs of your employees. Get the balance right and you can provide secure, authenticated access in a way that works for everyone—get it wrong, and you could cause frustration and inefficiency in your workforce. One way to optimize security against accessibility is through using adaptive, risk-based authentication. We’ll explore what it does, and how your organization can take advantage.
What is adaptive, risk-based authentication?
Adaptive, risk-based authentication is an approach to security that requires a level of identity assurance that depends on the user, the system they are trying to access, and other factors. It’s helpful to break down each term to understand it further:
- Adaptive—this security approach adapts the level of security required according to predefined policies set by IT. Algorithms evaluate attributes of the user, system, device, location and other factors to decide what they can access.
- Risk-based—the system uses the risk of unauthorized access to define the authentication requirements a user must meet. For example, a user accessing highly sensitive employee personnel data, rather than a simple call center report, may have to provide extra authentication (i.e., step-up authentication).
- Authentication—finally, the system chooses the types of authentication factors it will accept for users to prove who they are to the system.
How does adaptive, risk-based authentication work?
These authentication systems use machine learning and algorithms to analyze user behavior. They then combine this with the security policies and protocols set by your security team to define when additional authentication is needed. The rules and algorithms can be tweaked to provide the right balance of security and accessibility.
How does it differ from “regular” authentication?
Regular authentication typically takes a one-size-fits-all approach: a user authenticates the same way each time they log in, regardless of which business systems or information they are accessing. This might be just a login and password, or it could involve two-factor or multi-factor authentication. Although this can be a reasonable approach for some types of access, it doesn’t account for the varying sensitivity of specific systems and data, meaning this type of login could be more than enough for some systems but inadequate for others.
What areas impact the authentication a user would need to provide?
There are various aspects of user behavior that adaptive, risk-based authentication can look at. These include:
- User role—does this user’s role typically allow them to access this system?
- User identity—does this specific user often access this system and do they always require access?
- System sensitivity—how sensitive is the data and information stored on the system, or the system itself?
- Device used—what type of device is the user accessing the system from?
- Location—where is the user located? Are they onsite or off?
- Date and time—when is the user trying to access the system? Is it outside regular work hours?
- Historic behavior—what is the history of this user’s access, not just for this system, but other access attempts across the organization?
These are just some of the aspects the machine learning algorithm can consider. Security teams can set up complex rules to ensure appropriate access, all of which will be transparent to the end user until they need to authenticate.
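As an added example, not code from the original article or from Crossmatch’s DigitalPersona product, here is a small policy engine in Python that combines the signals listed above (role, system sensitivity, device, location, time, history) into a risk score and returns allow, step-up or deny. The resources, role tables, weights and thresholds are constructed for illustration; a real deployment would tune them to its own policies.

```python
from dataclasses import dataclass
from datetime import datetime

# Decisions the engine can return (constructed names for this example).
ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"

# Constructed policy tables: roles permitted per resource ("user role") and
# how sensitive each resource is ("system sensitivity"); unknown resources get 2.
ROLE_ALLOWED = {"call_center_report": {"agent", "hr_admin"},
                "hr_personnel_data": {"hr_admin"}}
SENSITIVITY = {"call_center_report": 1, "hr_personnel_data": 3}

@dataclass
class AccessContext:
    """Signals gathered about one access attempt (constructed field names)."""
    role: str
    resource: str
    device_managed: bool   # corporate-managed device vs. unknown device
    onsite: bool           # on the corporate network or at an office
    when: datetime         # local time of the attempt
    seen_before: bool      # has this user reached this resource before?
    recent_failures: int   # failed authentications in the last hour

def risk_score(ctx):
    """Evaluate the signal rules; the weights are constructed, not from the page."""
    rules = [
        (not ctx.device_managed, 2, "unmanaged device"),
        (not ctx.onsite, 1, "offsite"),
        (ctx.when.weekday() >= 5 or not (8 <= ctx.when.hour < 18), 1,
         "outside work hours"),
        (not ctx.seen_before, 1, "first access to this resource"),
        # Capped so that one noisy signal cannot dominate the score by itself.
        (ctx.recent_failures > 0, min(ctx.recent_failures, 3), "recent failed logins"),
    ]
    score = sum(weight for hit, weight, _ in rules if hit)
    reasons = [reason for hit, _, reason in rules if hit]
    return score, reasons

def decide(ctx):
    """Hard denies first, then sensitivity-weighted step-up, otherwise allow."""
    if ctx.role not in ROLE_ALLOWED.get(ctx.resource, set()):
        return DENY, 0, ["role not permitted for resource"]
    score, reasons = risk_score(ctx)
    if ctx.recent_failures >= 5:
        return DENY, score, reasons + ["too many recent failures"]
    # The more sensitive the resource, the less risk is tolerated before step-up.
    if score * SENSITIVITY.get(ctx.resource, 2) >= 2:
        return STEP_UP, score, reasons
    return ALLOW, score, reasons
```

Returning the reasons alongside the decision is what lets a security team audit why a given login was stepped up or denied and tune the rules accordingly.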
How can a user authenticate themselves?
The system can insist on certain levels of authentication from simply allowing the person into a system (assuming they have already used single sign-on that day) to requiring extra authentication in the form of a secure token or a biometric.
How does adaptive, risk-based authentication integrate with other systems?
Adaptive, risk-based authentication can integrate with your critical systems, services and data repositories across your IT ecosystem. It also works well with single sign-on, two-factor or multi-factor authentication, including biometrics.
If you need to balance security and accessibility in your organization, adaptive, risk-based authentication could be exactly the solution you need.
Jeff Carpenter is Director of Identity and Access Management solutions at Crossmatch. In this role, he is responsible for evangelizing Crossmatch’s DigitalPersona® solution. In his 10+ years in cybersecurity, Jeff has held positions with a number of top-tier cybersecurity and technology companies; most recently, he was with RSA, a Dell Technologies company. Jeff earned a Bachelor of Science degree in Business Administration from Creighton University in Omaha, Nebraska. He holds both the Certified Information Systems Security Professional (CISSP) and the Certified Cloud Security Professional (CCSP) designations.