Shifting demographics and digital transformation are reshaping the face of the global workforce, creating new and challenging risks. Organizations need ways to authenticate users that minimize those risks – and, at the same time, satisfy the diverse workstyle preferences of today's workers. To that end, there are several innovative approaches to authentication and access emerging today. For example, the Gartner Top Security and Risk Management Trends1 research note says that "Passwordless authentication is starting to achieve real market traction due to both supply and demand." Let's look at how workforce transformation is increasing the risk associated with protecting access to critical resources and data and consider some innovative ways to combat the challenges that have emerged in this exciting and challenging time.
Managing risk associated with your workforce isn't particularly new. For decades, you've had to manage physical access to restricted areas like office buildings and other facilities. More recently, you've also had to manage employee access to your digital footprint – specifically how they access networks, applications and data. However, two things have changed dramatically to introduce greater risk: the demographic composition of your workforce, and the size and scope of your digital footprint.
Shifting Workforce Demographics Risk
Companies are increasingly turning to gig workers to quickly onboard people with hard-to-find skills for supporting both short and medium-term projects. In fact, according to Gallup, 36 percent of all U.S. workers participate in the gig economy in some capacity – that's 57 million people, including a quarter of all full-time workers and half of all part-time workers.
Onboarding so many transient workers generates a revolving door of joiners, movers and leavers for organizations to deal with. This constant churn challenges IT and identity and access management teams to ensure these gig workers have the appropriate levels of access required to do their jobs, and that the corresponding rights and entitlements are automatically terminated when they leave. Moreover, these temporary workers may not be screened as thoroughly as permanent employees, which can lead to uncertainty and risk about who they are.
Digital Transformation Risk
Organizations today are rapidly adopting many new digital technologies that allow them to pursue new opportunities and meet diverse workforce needs. While cloud applications, mobile devices, IoT devices, AI and other advanced technologies benefit organizations by enabling increased innovation, greater efficiencies and superior customer experiences, they also create an exponentially larger attack surface for bad actors to exploit.
It's not just the number of devices and apps that increases risk; it's also the continued hyperconnectivity between them and the lack of basic security protections on many of them. And even when they are well-protected, these technologies often have conflicting requirements for security, support and user experience, making them harder for IT to manage.
While understanding who has access to what is essential, understanding the interlocking risks associated with access and knowing what workers are doing once they are logged in are just as critical to preventing the next generation of credential-based attacks and insider threats. Organizations need to go beyond traditional authentication and authorization methodologies to minimize the risk posed by this dynamic group of users and their rapidly evolving digital workspaces.
Going Beyond Access Rights and Entitlements
Understanding what users have access to and what they can do with their access are table stakes for any effective workforce risk management program. However, given the growing number and increased velocity of access requests created by the new revolving-door workplace, organizations need a better understanding of how access risks can negatively affect their business. Using identity analytics will give them deep visibility into user entitlements, along with insights into how risks such as segregation-of-duties violations and over-privileges can negatively impact their security and compliance posture.
Risk can stem from something as simple as someone having the rights to approve their own business expenses. Or, better yet, take the case of a one-time process technician at an automotive factory. The employee leaked large amounts of highly sensitive data, including information about the company's financials, manufacturing process and materials usage. But from a risk management perspective, why was a process technician able to gain access to sensitive financial records in the first place?
This story reminds us that organizations must carefully plan for, and thoughtfully consider how they will equip themselves for effective governance of access to information, especially information in the form of unstructured data (documents, spreadsheets, images, media files, etc.). In the Gartner research note1 cited at the beginning of this article, Gartner states that "data security must include other technologies beyond traditional data security technologies. A strong identity and access management program is a critical component to help understand user context and track data access, especially in the case of responding to issues of compromised credentials." The report1 also states that "UEBA [user and entity behavior analytics] solutions use analytics to build the standard profiles and behaviors of users and entities (hosts, applications, network traffic and data repositories) across time and peer group horizons. Activity that is anomalous to these standard baselines is presented as suspicious, and packaged analytics applied on these anomalies can help discover malicious insiders and external attackers."
RSA recommends organizations correlate access management and user analytics with integrated risk management data – like application sensitivity, data classification and regulatory compliance requirements – to better protect highly vulnerable data sets and be able to assess the risks associated with their usage.
Getting Past the Password
In this age of cloud and mobile technologies, there seems to be an app and a corresponding password for just about everything. Passwords have become our tickets into cyberspace for work, shopping and entertainment. At the same time, though, the more difficult it is to manage passwords, the more of an annoyance they become. After all, what user hasn't been frustrated by complicated requirements around capital letters, special characters, numbers and so forth? Digital adventurers will be glad to hear the guidance for passwords is changing. Recently updated digital identity guidelines from the National Institute of Standards and Technology (NIST) reject the idea of overly complex, frequently changed passwords in favor of passwords that are easy to remember and can be kept for longer periods.
But why stop at passwords that are easier to use? What if we simply didn't have passwords at all? We referred earlier in this post to the statement in the Gartner research note,1 "Passwordless authentication is starting to achieve real market traction due to both supply and demand." With regard to supply, there is in fact a growing ecosystem of built-in technologies that supports going passwordless. As an example, Microsoft Windows Hello for Business lets organizations replace static passwords with PINs or biometric gestures for logging into Windows 10 devices. Another good example of eliminating passwords is with Windows Server 2019, which enables organizations using Microsoft Active Directory Federation Services (AD FS) to use multi-factor authentication as the primary authentication method for AD-protected resources. Demand for these and other similar technology developments comes from organizations looking for ways to embrace workforce diversity and mobility with personalized and consumer-simple work experiences, yet still be secure.
So, what is passwordless authentication anyway? At the most fundamental level, it's simply about replacing the often frustrating, sometimes insecure words, passphrases or PINs that have been around for more than 50 years with another kind of credential like a hardware token, phone or biometric modality. These credentials can be combined to increase security, and they can be augmented with "signals" like behavioral biometrics, location, device ID, and even indicators of compromise (IOC), fraud intelligence and threat intelligence.
Entering the Post-Authentication Era
The previously cited Gartner research note1 refers to a CARTA approach to security: "In a CARTA-inspired architecture, security controls are always monitoring, assessing, learning and adapting based on the relative levels of business risk, threat intelligence and trust that is actually observed." This contrasts with organizations relying solely on the traditional approach of granting access based on a one-time authentication event involving a password or other mechanism.
In practice, organizations can go beyond using traditional markers of risk and begin to incorporate UEBA, along with threat and fraud intelligence for making real-time access decisions to thwart attacks in progress. They can also look at using automation and orchestration tools to adapt access controls based on ongoing changing workforce needs and actual behaviors.
A good place to start is connecting UEBA with a multi-factor authentication solution. This way, your authentication solution can be alerted in real time to suspicious user activity and, in response, block or challenge users as appropriate. Further, sharing authentication logs with your SIEM or SOC teams will enable them to craft automated playbooks and even predict future security events, based on authentication history. Further still, organizations should look at incorporating application and device vulnerability data and known fraud intelligence into access decisions as well. Would you take the risk of allowing legitimate users access to sensitive applications that have known critical vulnerabilities or fraud patterns?
What does the future of dynamic workforce risk management look like? Will passwords finally become a thing of the past? Will one-time authentication events be a dim memory? While there is no shortage of opinions, one thing is certain: As the world becomes increasingly connected, we must have a high level of assurance that users are who they say they are, their access is in line with their responsibilities and what they are doing with that access is appropriate and doesn't put an organization at added risk.
1 Gartner Top Security and Risk Management Trends, Peter Firstbrook, Brian Reed, Sam Olyaei, Gorka Sadowski, David Mahdi, Prateek Bhajanka, Earl Perkins, Published 31 January 2019
# # #
For more RSA perspectives on top trends in security and risk management, listen in to a webinar hosted by Ben Desjardins, vice president of product marketing for RSA, and a panel of expert guests as they present their perspectives on the Gartner Top Security and Risk Management Trends research note.
Join the #TalkingDigitalRisk conversation on Twitter and social media by following @RSAsecurity