Last week, we discussed the potential problems businesses run into when it comes to identity sprawl. That idea is not limited to identities: it extends to the many devices each individual user has and could potentially bring onto your network.
So here comes the question: if some restrictions aren't met, but the majority are (e.g. correct user, correct location, correct request to resources, but not a known phone or computer), do you block access entirely, or just demand a higher level of authentication (perhaps a second-factor challenge) before they can move forward? Simply blocking access is the most straightforward method, but it can lead to false positives that lock a user out of something they legitimately need to use.
How Adaptive Authentication Helps
What's needed is a way to determine where and when the user is logging in and, when there is an apparent discrepancy, whether it has a legitimate explanation, such as the user being on vacation and simply looking slightly different than expected. That's not all, though: you will also need to handle new devices brought in by legitimate employees on demand, and ensure traveling employees can gain access from different physical locations. Further, you need to do all of it without compromising company security, no matter what.
Adaptive authentication platforms, such as SecureAuth, are designed to do exactly that. Before the user even supplies a username, you can determine where they appear to be coming in from, or whether they're purposely obscuring that location by using Tor and similar tools. Additionally, is the device they're trying to log in from known to the security platform, or is it a cloned phone, a new laptop, etc.? Once the user ID is given, does that user have access to whatever it is they're trying to log into? Are they in the right Active Directory group, or subscribed to the services in question?
More importantly, you need to be able to configure the system to automatically handle what to do when any of these conditions are not met. If the user has legitimately changed phones, you may want to put the user under additional security but not block them outright. If they're coming in from a Tor browser or otherwise anonymizing their location and identity, you might want to redirect them to a "honeypot" system to see what they were trying to do while keeping them away from the real corporate assets. All of this needs to be invisible to the end user, either because you want them to feel like "this is easy enough that I'm willing to do it" or because you want to lead an attacker into a trap seamlessly.
Finally, you want to make the experience easy for legitimate users. Compliance is a constant problem when employees feel that they have to jump through too many hoops to get their jobs done. Centralized portals that single-sign-on to multiple other tools and sites are one great way. Integration with third-party cloud services, so that even if the end user goes directly to the site they still end up passing through the appropriate security measures, is even better. Make it easy for the end user and they will make it easy for you to maintain company security.
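To make the decision flow described above concrete (the block-versus-step-up question raised earlier, the pre-username origin checks, the directory lookup, and the configurable outcomes of step-up, block, or honeypot redirect), here is a small policy engine as an added example. It is illustrative code written for this post, not SecureAuth's product or any vendor's implementation; the Tor exit list, GeoIP table, user records, group names and risk thresholds are all constructed sample data and assumed policy, so the example runs offline.

```python
"""Toy adaptive-authentication policy engine (added illustration, not vendor code).

Every lookup table below is constructed sample data so the example runs offline.
A real deployment would back them with a GeoIP feed, a Tor exit-node list,
a device-registration store and a directory such as Active Directory.
"""
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


class Decision(Enum):
    ALLOW = "allow"        # every check passed
    STEP_UP = "step_up"    # legitimate-looking but slightly off: demand a second factor
    BLOCK = "block"        # not authorized, or too many anomalies at once
    DECOY = "decoy"        # obscured origin: route to the honeypot, away from real assets


@dataclass
class LoginContext:
    source_ip: str
    device_id: Optional[str]   # device fingerprint presented by the client, if any
    username: str
    resource: str              # what the user is trying to reach


@dataclass
class UserRecord:
    groups: frozenset
    known_devices: frozenset
    home_countries: frozenset
    travel_notice: bool = False   # user (or HR) flagged an upcoming trip or vacation


# --- constructed sample data: RFC 5737 test ranges and invented users ---
TOR_EXIT_NODES = {"198.51.100.7"}
GEOIP = {ip_network("203.0.113.0/24"): "US", ip_network("198.51.100.0/24"): "NL"}
RESOURCE_GROUP = {"payroll": "Finance", "wiki": "Employees"}   # group required per resource
USERS = {
    "alice": UserRecord(frozenset({"Employees", "Finance"}), frozenset({"laptop-a1"}),
                        frozenset({"US"})),
    "bob": UserRecord(frozenset({"Employees"}), frozenset({"phone-b2"}),
                      frozenset({"US"}), travel_notice=True),
}


def country_of(ip: str) -> Optional[str]:
    """Map an address to a country using the constructed GeoIP table."""
    addr = ip_address(ip)
    for net, country in GEOIP.items():
        if addr in net:
            return country
    return None


def evaluate(ctx: LoginContext) -> Tuple[Decision, List[str]]:
    """Return the access decision and the human-readable reasons behind it."""
    reasons: List[str] = []

    # Stage 1: origin signals, decided before the username is even consulted.
    if ctx.source_ip in TOR_EXIT_NODES:
        return Decision.DECOY, ["source is a known Tor exit node"]

    # Stage 2: identity and authorization against the directory.
    user = USERS.get(ctx.username)
    if user is None:
        return Decision.BLOCK, ["unknown user"]
    needed = RESOURCE_GROUP.get(ctx.resource)
    if needed is None or needed not in user.groups:
        return Decision.BLOCK, [f"not a member of the group required for {ctx.resource!r}"]

    # Stage 3: risk scoring of the remaining contextual signals.
    score = 0
    if ctx.device_id not in user.known_devices:
        score += 1
        reasons.append("device not registered to this user")
    country = country_of(ctx.source_ip)
    if country not in user.home_countries:
        if user.travel_notice:
            reasons.append(f"unusual country {country}, but a travel notice is on file")
        else:
            score += 1
            reasons.append(f"unusual country {country} with no travel notice")

    # Assumed thresholds: one anomaly earns a second-factor challenge; two at once block.
    if score == 0:
        return Decision.ALLOW, reasons
    if score == 1:
        return Decision.STEP_UP, reasons
    return Decision.BLOCK, reasons


if __name__ == "__main__":
    for ctx in (LoginContext("203.0.113.10", "laptop-a1", "alice", "payroll"),
                LoginContext("203.0.113.10", "phone-new", "alice", "payroll"),
                LoginContext("198.51.100.20", "phone-b2", "bob", "wiki"),
                LoginContext("198.51.100.7", "phone-b2", "bob", "wiki")):
        print(ctx.username, ctx.source_ip, "->", evaluate(ctx))
```

The three stages mirror the order the post describes: origin checks run first and can divert anonymized traffic to the decoy without ever touching the directory; the directory decides authorization outright; and only the softer signals (new device, unexpected country) feed a score, where a travel notice turns a location anomaly into a logged reason rather than a penalty. The thresholds are the knob the post says you must configure: lower them and you trade convenience for more challenges, raise them and you trade the reverse.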
Protecting the business while dealing with identity sprawl is a key factor in data and system security, and will be for quite some time to come. Finding a way to shield your critical resources and data without alienating your users into non-compliance is the key.