Achieving Ubiquitous and Continuous Trust in Identities on the Web
At RSA, we have a legacy of authentication innovation, from multifactor to risk-based, heuristic authentication. We challenged ourselves with “What’s Next?” As an industry we continue to conceive authentication that is both more usable and stronger, but we have a bigger mandate: to meet a need that has gone unmet for a long time.
How do we achieve ubiquitous and continuous trust in identities on the Internet? How can we make the Internet pervasively identity-aware? How can we extend the trust we gain in an identity at the time of authentication throughout the user’s interaction with the Internet? What if we could create a new trust index that is a composite of who the user is and how they interact with the Internet?
The last question led RSA to Zscaler, and the answers we found together led to the collaboration we announced at RSA Conference this week. RSA’s Cloud Trust Authority (CTA) is a set of security services spanning identity and access, data protection and compliance. The identity and access capability of the RSA Cloud Trust Authority (currently in beta) is a cloud-based service that authenticates users dynamically based on a variety of risk-based criteria and uses standards-based identity federation to get users where they want to go in the cloud. Zscaler’s inline security gateway monitors the user’s web session continually and protects it against infection that can lead to session hijack and loss of trust in the identity. The marriage of the two enables something bigger than the sum of the parts: a cloud-based solution for establishing and sustaining trust in identities in the cloud.
Here is how it works. Both RSA CTA and Zscaler are cloud-based services. Zscaler’s global cloud is used as an inline Internet security gateway that is available ubiquitously. When users attempt to access the Internet, Zscaler transparently redirects them to the RSA CTA. The CTA computes a risk score from the location the user is coming from (geo IP), the device they are using (known or unknown), the time and pattern of access, and similar signals. This score dynamically drives the strength of authentication required of the user. If a user is coming in from their usual office location on their usual computing device, and they are already logged into their corporate network (e.g., a Microsoft Windows network), that existing login is sufficient and they are not asked for any additional authentication.
If the user is coming in from an unexpected location or unexpected device, or at an unexpected time, the RSA Adaptive Authentication risk engine raises the risk level and prompts the user for additional authentication. The strength of the authentication is commensurate with the level of risk. Once the user is authenticated, CTA sends the user back to Zscaler with an indication of the trust level of the user based on the facts and circumstances. Zscaler dynamically alters where the user can go on the Internet based on this trust level. Zscaler also monitors the user session for risky behavior that might lead to infection. For example, if Zscaler sees signs of a bot on the user’s device, which points to a potential session hijack, it redirects the user back to the CTA to verify that the user behind the device is still the one who authenticated at the CTA.
Further, Zscaler can redirect users back to the CTA for re-verification at random points throughout the session. If the environment in which the user is accessing the Internet has not changed, the user does not notice anything: they are redirected straight back to Zscaler. If something has changed, the CTA challenges the user so that trust in the identity is maintained. Lastly, Zscaler feeds rich information about the user’s web access behavior to the RSA risk engine, so that RSA can factor it into the user’s risk level and authenticate the user appropriately.
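The three paragraphs above describe one control loop: the gateway redirects with a context, the risk engine scores it, picks an authentication strength, hands back a trust level, the gateway enforces a destination policy on that trust level, and later re-verifications are silent unless the environment changed or a bot indicator appeared. The toy model below is an added example for this post, not RSA or Zscaler code; the signal names, weights, thresholds and destination categories are assumptions chosen to make the flow concrete, and `challenge_ok` stands in for the user answering a prompt.

```python
"""Toy model of the CTA/Zscaler loop (added example, not RSA or Zscaler code;
signals, weights, thresholds and categories are illustrative assumptions)."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Callable, Optional

class AuthLevel(IntEnum):
    NONE = 0     # environment matches the norm: no extra challenge
    OTP = 1      # one-time password
    STRONG = 2   # OTP plus an out-of-band confirmation

class TrustLevel(IntEnum):
    LOW = 0
    MEDIUM = 1
    HIGH = 2

@dataclass(frozen=True)
class Context:
    """Signals the gateway forwards on each redirect (constructed names)."""
    geo: str                     # country from geo-IP lookup
    device_known: bool           # device enrolled before
    hour: int                    # local hour of the request, 0-23
    domain_logged_in: bool       # already signed in to the corporate network
    bot_indicator: bool = False  # gateway saw bot-like traffic from the device

@dataclass(frozen=True)
class Profile:
    usual_geos: frozenset        # what is "usual" for this user
    usual_hours: range

def risk_score(profile: Profile, ctx: Context) -> int:
    """Additive 0-100 score; the weights are illustrative, not a real model."""
    score = 0
    if ctx.geo not in profile.usual_geos:
        score += 40
    if not ctx.device_known:
        score += 30
    if ctx.hour not in profile.usual_hours:
        score += 15
    if not ctx.domain_logged_in:
        score += 15
    if ctx.bot_indicator:        # possible hijack: re-prove the human is there
        score += 60
    return min(score, 100)

def required_auth(score: int) -> AuthLevel:
    """Authentication strength commensurate with the risk."""
    if score < 25:
        return AuthLevel.NONE
    if score < 60:
        return AuthLevel.OTP
    return AuthLevel.STRONG

def trust_level(score: int) -> TrustLevel:
    """Trust reflects the circumstances, not just that a challenge was passed."""
    if score < 25:
        return TrustLevel.HIGH
    if score < 60:
        return TrustLevel.MEDIUM
    return TrustLevel.LOW

# Gateway policy: destination categories each trust level may reach.
POLICY = {
    TrustLevel.HIGH: {"general", "webmail", "finance", "admin"},
    TrustLevel.MEDIUM: {"general", "webmail"},
    TrustLevel.LOW: {"general"},
}

def env_fingerprint(ctx: Context) -> tuple:
    return (ctx.geo, ctx.device_known, ctx.domain_logged_in)

@dataclass
class Session:
    profile: Profile
    trust: Optional[TrustLevel] = None   # None: not authenticated
    fingerprint: tuple = ()

    def authenticate(self, ctx: Context,
                     challenge_ok: Callable[[AuthLevel], bool]) -> bool:
        """Risk-engine side; challenge_ok stands in for the user answering."""
        score = risk_score(self.profile, ctx)
        level = required_auth(score)
        if level != AuthLevel.NONE and not challenge_ok(level):
            self.trust = None            # failed challenge: no trust at all
            return False
        self.trust = trust_level(score)
        self.fingerprint = env_fingerprint(ctx)
        return True

    def reverify(self, ctx: Context,
                 challenge_ok: Callable[[AuthLevel], bool]) -> bool:
        """Mid-session round trip: silent if nothing changed, else re-auth."""
        unchanged = (self.trust is not None and not ctx.bot_indicator
                     and env_fingerprint(ctx) == self.fingerprint)
        return True if unchanged else self.authenticate(ctx, challenge_ok)

    def allowed(self, category: str) -> bool:
        """Gateway side: enforce the destination policy for the trust level."""
        return self.trust is not None and category in POLICY[self.trust]
```

Two design points worth noting. Trust is derived from the score, not from the fact that a challenge was passed, so a user who passes a strong challenge from an unknown device in an unexpected country still lands at low trust and a narrow destination policy, which matches the "facts and circumstances" wording above. And a failed challenge clears the trust level entirely rather than leaving the previous one in place, so a bot-triggered re-verification that the user cannot answer cuts the session off instead of coasting on stale trust.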
Applying authentication and identity verification throughout the user’s interaction with the Internet, and computing a composite risk posture from both the user’s environment and the user’s web browsing behavior, will let us start delivering ubiquitous and continuous trust in identities.
Beyond this, imagine what we can achieve if every Internet request carries a dynamic trust index that can be consumed by any Internet destination. ‘It will take an ecosystem.’ Zscaler and RSA have laid the foundation. Stay tuned for more.