Ten years ago, when a user needed to access a corporate application, his or her usage was on a company-owned device and typically confined to company-owned networks. These applications were nicely tucked behind corporate firewalls, and managed by dedicated IT organizations. To identify themselves, users would often enter complex, lengthy passwords when accessing such resources, and if the company was security-conscious enough, they would require 2-factor authentication.
Fast forward to the introduction of a new generation of applications and services that were not managed/hosted by Enterprise IT (SaaS).
Soon after, users began to access such services from non-company owned devices that were not necessarily confined to corporate networks and from mobile applications that could be installed directly from third-party application stores.
This evolution of authentication and access requirements was fueled, in large part, by financial decision makers. These decision makers looked at the bottom line, and decided it was okay to pass on the ever-growing spending-line-item associated with getting their users that latest, greatest smartphone gadget to the users themselves: the introduction of Bring Your Own Device (BYOD). This ultimately meant users could install and access applications and services, from their own devices, from a variety of places, while connected to various non-corporate networks. In many instances, IT had no visibility into the health or security of these devices.
A Brave New Digital Consumer
Consumer services have also evolved, especially in terms of their notion of how to firmly assert who the user is, and how their users identify themselves. This has led to an ecosystem of diverse and distributed user identities and devices needing to be verified across a significantly larger number of services and systems than what was available ten years ago.
Integrating the Risk Factor into Digital Access Points
As this evolution of "digital usage" occurred, organizations continued to evolve their thinking around how to calculate the risk associated with allowing users to access their services.
A request coming from a company-owned device, on a constrained network would be given a very low risk score (not risky). Now that same user is provided the flexibility to access services from their own device, on diverse networks; and, by the way, the number of applications and services being accessed has increased significantly as well. Along with that, the risk associated with trusting the user has grown exponentially.
Earlier, we could determine a user's typing behavior on a keyboard; essentially by monitoring typing speed and typo recurrence patterns, and we could successfully associate the pattern to a specific user. However, device form factors constantly and rapidly evolve, along with changes in the user interface for data input, often too rapid to enable for muscle memory to form. This results in a system too random to determine behavioral usage patterns.
Sounds like the wild-wild west all over again, right? Well, maybe not. With all of this digitalization comes a great opportunity to reduce risk. The type of risk factors that were previously considered and measured have significantly expanded and evolved.
A decade ago, we had almost no knowledge about the user's exact or even approximate location and we had very little knowledge about the other devices in proximity of the user.
In addition, we couldn't observe the velocity by which users move around, i.e., how long it took for them to go from one location to the next. For example, it was impossible to know if the same user was requesting access from two different locations five miles apart when those requests came in a minute apart from each other. It looked "odd," to say the least.
Additionally, we knew very little about what constituted normal behavior from users.
Now though, our devices are equipped with accurate sensors, transmitters, and receivers that make location, proximity, and other contextual calculations possible. Additionally, the pace of change for smart phones and tablets has gradually reduced to the point where we can look at usage behavior, in terms of how people use their smartphones, tablets and "phablets."
The more context we can derive from the user's usage pattern, from their devices, their proximity to other devices, their velocity and, finally, their behavior, the more we can accurately assess the risk associated with the actions taken in this all-digital world. In a way, we have gone from being limited to less than a handful of inputs to determine and measure risk, to an environment where the number of factors we can use for risk assessment are practically infinite.
So, while all of this device/app/network democratization has led to increased complexity, that same multiplicity of locations, devices, and usage patterns can help us to significantly improve the level of knowledge about what is "normal" versus abnormal or risky.
This, of course, affects how we authenticate users, because we have so much more context about users than we did before. As users continue to interact with services, we learn more and more about them, and we actually improve authentication-related interactions over time.
So, as risk has evolved, how we identify users has evolved as well.
In a recently published white paper, we outlined this evolution from authentication, to what we call continuous identity assurance. A new paradigm where, both the number of interactions with users and the risk associated with their access is actually reduced by moving to an infinite-factor approach for determining risk, and in certain cases, could be accomplished with truly friction-less user identification, providing a much more positive user experience overall. In fact, RSA has been cognizant of this transformation, and has continued evolving the risk assessment capabilities within its authentication and identity assurance solutions, for both enterprise (RSA SecurID Access) and consumer-facing (RSA Adaptive Authentication) applications and services.
While the new "norm" looks like the wild-wild-west of devices, networks and services, those varying dynamics can be very helpful in making more informed risk assessments and ultimately, in knowing if the user is in fact who they claim to be. Learn more about the evolution towards identity assurance in my latest video interview here.
Author: Kayvan Alikhani
Category: RSA Fundamentals, Blog Post
Keywords: Authentication, Cybersecurity, Risk-Based Authentication