Now that IT can no longer depend on devices being agent-managed, new approaches are needed to maintain security across today's vast landscape of access. The key point is that you can no longer rely on a couple of static criteria for granting access. Instead, you need to gather evidence about each access request and use it as a metric for calculating the risk. Common metrics that can be used to verify a person's identity include:
- What level of risk does the location denote: office or home? Recurring or new? Local or remote?
- Has the device being used previously been tied to a verified user?
- What level of risk does the artifact or service pose to the organization – general information, or private and sensitive?
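The sketch below is an added example, not code from the article or from any product it mentions. It combines the three metrics above into one score that decides between single sign-on and an additional authentication step; the weights, threshold, labels and the names `AccessRequest` and `evaluate` are all illustrative assumptions.

```python
from dataclasses import dataclass

# All weights and the threshold are illustrative assumptions.
LOCATION_RISK = {"office": 0, "home": 1, "remote": 3}
SENSITIVITY_RISK = {"general": 0, "private": 2, "sensitive": 4}
NEW_LOCATION_RISK = 2
UNVERIFIED_DEVICE_RISK = 3
STEP_UP_THRESHOLD = 4


@dataclass(frozen=True)
class AccessRequest:
    user: str
    location: str            # "office", "home" or "remote"
    location_is_new: bool    # recurring or new?
    device_id: str
    sensitivity: str         # "general", "private" or "sensitive"


def evaluate(req, verified_devices):
    """Return (decision, score, reasons) for one access request."""
    reasons = []
    score = 0

    def add(points, reason):
        nonlocal score
        if points:
            score += points
            reasons.append(f"{reason} (+{points})")

    # Unrecognised labels fail closed: they get the highest weight in the table.
    add(LOCATION_RISK.get(req.location, max(LOCATION_RISK.values())),
        f"location={req.location}")
    add(NEW_LOCATION_RISK if req.location_is_new else 0, "new location")
    # Has this device previously been tied to this verified user?
    known = req.device_id in verified_devices.get(req.user, set())
    add(0 if known else UNVERIFIED_DEVICE_RISK, "device not tied to user")
    add(SENSITIVITY_RISK.get(req.sensitivity, max(SENSITIVITY_RISK.values())),
        f"sensitivity={req.sensitivity}")

    decision = "step_up" if score >= STEP_UP_THRESHOLD else "sso"
    return decision, score, reasons


if __name__ == "__main__":
    devices = {"alice": {"laptop-01"}}   # constructed sample data
    for r in (AccessRequest("alice", "office", False, "laptop-01", "general"),
              AccessRequest("alice", "remote", True, "phone-99", "private")):
        print(r.user, r.sensitivity, evaluate(r, devices))
```

Returning the reasons alongside the decision gives the access log a record of why a given request was asked for a second factor.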
Even with today's pace of breaches, graduating to a dynamic authentication environment is often a hard pill to swallow, especially for organizations that don't work in a regulated industry. IT's shortlist of projects that get funded is short enough that making the cut isn't easy. Here's a reminder of how to get your projects off the ground and keep them going. It's a list that you've seen before:
- Start small and target early wins. If you've gone shopping for risk-based authentication, you know that it can get complicated quickly. Don't let it. Target the assets that need the most protection, based on sensitivity and frequency of remote access. And target metrics that are simple to gather and deliver worthwhile gains over traditional credentials.
- Over-communicate with the business. It's not IT's job to lock information and services down so tight that business slows down. It's just as important to look for access situations that allow for single sign-on access as it is for ones where it's wise to require a step-up authentication. Make sure the business stakeholders are clear that dynamic authentication is all about making access to everything quick, limiting step-up authentication to the resources that need it.
- Balancing speed of access with security will be a continuously iterative process, one where you add metrics to your risk engine as they make sense. The obvious payoff is that both user convenience and business security are maximized.
Of course, for the situations where step-up authentication is warranted, having an authentication solution that supports a wide range of authentication methods becomes a necessity. You may want to allow most of your users to two-factor authenticate with their smartphones while allowing specialized tokens or biometric authentication for subsets of users. Remember that having a single framework with a single set of policies keeps overhead to a minimum and authentication consistent.
Identity-Powered Access solutions from MicroFocus can help organizations manage the complexities of authentication in today's cloud and mobile world.
- Access Manager is an exceptional web access solution to use across your organization – it supports standards-based federation and single sign-on to cloud-based services such as Microsoft 365, as well as access management for traditional and complex internal environments. It’s also recently been updated with a mobile SDK so that organizations can deliver SSO to their mobile apps.
- Advanced Authentication is well-equipped to be the single authentication framework for all your needs. It supports a broad range of authentication methods and applications, yet is quick to deploy. This latest release offers scalability to the largest environments while staying simple for the smaller ones.