Chances are high that your risk-based authentication implementation is half baked

by in Security

Although mass adoption of risk-based authentication (RBA) has been a fairly recent phenomenon, the technology has been around for long time. Although the RBA patent was submitted in 2006, I’m not sure who the first vendors were to adopt it. My first exposure to RBA was with at the RSA Security Conference. Since that time, it was only a few years ago that organizations have been leveraging RBA in earnest as part of their authentication solution, which is often part of their greater initiative to evolve their IAM environment to be more adaptive. And then COVID-19 supercharged the teleworker trend and elevated security team’s emphasis on securing remote workers’ access to sensitive information. 

The Crushing Weight of Rules

the power of Machine Learning for Authentication Larger organizations have gone beyond using RBA rules to enforce corporate policies, some of which may be built to enforce compliance to government mandates but have sought to use them to gain a more accurate assessment of risk. The problem is that the more breach scenarios that you try to protect against, the more complex and error prone that your rule sets become. Why is this a bad strategy?

  • RBA policies that requiring a hairball list of rules to enforce are prone to mistakes that either put unnecessary obstacles in front of legitimate users, or expose sensitive resources to nefarious outsiders
  • Authentication policies invariably have vulnerability blind spots, or unknown unknowns 

This is where behavioral analytics come in. Leveraging the power of machine learning allows organizations to rely on AI to identify outsider behavior which is a far better approach to building a library of authentication and access rules. For anyone who doesn’t know, the NetIQ platform has one – NetIQ Interset which is a plug-in to NetIQ Risk Service. Interset allows security teams to:

  • Use rules to simply enforce corporate access policies in a prescriptive manner
  • Let machine learning cover the security blind spots 

If you’re a NetIQ customer, why would you not have NetIQ Interset protecting your sensitive information? 

If you sell NetIQ solutions, why would you not be reaching out to every NetIQ customer letting them know that they can add machine learning analytics to their risk service? It’s a SaaS offering that is simple to turn on.  

Typical RBA Configurations Don’t Accurately Measure Total Risk

While user context and behavioral analytics are essential metrics for calculating risk at a point of time, their assessment omits the risk inherent with the resource (data, service, application, etc.) itself. So, while security teams are building rules mapping authentication and authorization to context centric risk scores, the policies that they’re enforcing are incomplete. Meaning that beyond just context, access control architects should be factoring in the risk posed to the business by a crippled or disabled service, or the loss of sensitive information. Without this added perspective, the risk scores used to decide when to impose another authentication request, restrict access, or even terminate the session is based on a partial picture. While it’s true that you can organize your access rules for different groups of services, it’s still an incomplete assessment to drive security levels and user experiences. 

Let’s take a close look at a few types of risk analysis exercises that IT and security teams often work through, but don’t include in their access management risk engines. 

Potential Impact of a disabled service

As CIOs analyze their network and services infrastructure, they’re ultimately trying to understand what parts of it are essential and require redundancy. Or, to put it another way, how many 9’s does each component and service need. Five nines, four nines, or far less? The answer is driven by the organization’s ability to run their business through a failure for each potential concrete failure point. It’s quite likely that this type of analysis has already been done and simply needs to be applied to risk base access. More on this later. 

Inherent cost of a breach

Let’s now focus on the cost when digital assets have been stolen. Here are common categories of expenses that Ponemon Institute measured in their 2020 worldwide breach study. Ponemon has been doing these types of studies for over a decade now: 

  • Detection and escalation – activities that enable a company to reasonably detect the breach (On average this makes up 29% of total cost)
    • Forensic and investigative activities
    • Assessment and audit services
    • Crisis management
    • Communications to executives and boards 
  • Notification – activities that enable the company to notify data subjects, data protection regulators and other third parties (On average this makes up 6% of total cost)
    • Emails, letters, outbound calls or general notice to data subjects
    • Determination of regulatory requirements
    • Communication with regulators
    • Engagement of outside experts 
  • Ex-post response – activities to help victims of a breach communicate with the company and redress activities to victims and regulators (On average this makes up 26% of total cost)
    • Help desk and inbound communications
    • Credit monitoring and identity protection services
    • Issuing new accounts or credit cards
    • Legal expenditures
    • Product discounts
    • Regulatory fines 
  • Lost business – activities that attempt to minimize the loss of customers, business disruption and revenue losses (On average this makes up 39% of total cost; lost business continues to be the largest single contributing factor)
    • Business disruption and revenue losses from system downtime
    • Cost of lost customers and acquiring new customers
    • Reputation losses and diminished goodwill 

Getting RBA Right

One of the most effective ways to bring together the complete picture when calculating risk at a point of time is to take a pentadic approach to access governance. Standard access reviews and recertification campaigns are an essential part of an overall identity governance program. They are valuable because they not only take into consideration the diverse personal persona. They also include the concrete criteria for assigning governance risk scores used to guide entitlement decisions. By bringing together context, behavioral, and governance scores into a centralized rules engine, you now have a holistic calculation that is much more effective in driving automated decisions. Keeping this in mine, here are some important points about the NetIQ portfolio to remember: 

  • The NetIQ Risk Service is designed to serve the entire platform, not just Access Manager. That means that it’s now easier for the portfolio products to feed as well as consume information to and from the Risk Service
  • The NetIQ Interset plug-in offers machine learning capabilities to identify unusual access patterns. The risk service can also receive risk scores from mobile system apps designed to monitor user behavior (https://www.neoeyed.com/)
  • NetIQ Identity Governance has the ability to feed its risk information to the Risk Service
  • NetIQ Advanced Authentication is tightly integrated with the Risk Service 

Organizations evaluating the full set of these NetIQ solutions will be hard pressed to find a better option to upgrade their access management to be an adaptive environment.

 

More information:

NetIQ provides security solutions that help organizations with workforce and consumer identity and access management at enterprise-scale. By providing secure access, effective governance, scalable automation, and actionable insight, NetIQ customers can achieve greater confidence in their IT security posture across cloud, mobile, and data platforms. 

Visit the NetIQ homepage to learn more. Watch video demos on our NetIQ Unplugged YouTube channel and go here to watch the Risk Service in action. 

NetIQ is part of CyberRes, a Micro Focus line of business. 

Join our Community | Access Manager User Discussion Forum | Tips & Info | Idea Exchange

Labels:

Identity & Access Mgmt
Anonymous
Parents Comment Children
No Data