Earlier in this blog series, we discussed anomaly detection and machine learning, focusing primarily on examples built on information you could expect to be available from the system that provides your identity assurance. It’s likely, however, that your current IT ecosystem holds much more data that can be leveraged for making system access decisions. Your threat detection system, Cloud Access Security Brokers (CASB), enterprise mobility management tool, and physical security system all have data that can provide insight into your identity assurance system and impact your strategy.
When building out your identity assurance strategy, be sure to look at the active system management and security tools and ask yourself a simple question: What information from these existing tools do I wish our identity system knew?
How would this work? Let’s review a few common examples.
Threat Detection (including SIEM, CASB)
Threat detection and identity assurance systems should be a two-way street. Identity assurance systems have log information that should feed threat detection. Failed and successful logins and locked-out accounts should be part of the data analyzed to identify potential threats. This gets even more compelling if we reverse the data flow, from threat detection to the identity system. When the threat detection system receives an alert, the identity system should be able to respond. Let’s look at a couple of situations:
- Threat alert for a user. When an alert is raised for a specific user, identity assurance should adjust to either require multi-factor authentication for all access for the user or, if the threat is significant enough, block access for the user until this alert is cleared.
- Threat alert for a resource. For alerts on a resource, anyone attempting access to that resource should be required to provide a higher level of assurance to gain access. Again, in extreme cases, possibly all access to a resource should be blocked.
The key to both of these is that the correct alerts are triggering the appropriate additional access security in real time. In addition to real-time threats, many of these tools also have additional risk analytics. When this risk analytics data is available, it should work with the risk analytics of the identity assurance system to raise or lower confidence in a user’s identity, impacting the authentication requirements.
Enterprise Mobility Management (EMM)
Another widely deployed tool in the enterprise is EMM. Devices managed through a corporate EMM have an increased amount of device data available, which can be used to create stronger identity assurance. This device information can provide additional context both for static rules, such as policies allowing easier access to users with corporate managed devices, and for additional analytics insights fed to the identity risk engine.
Physical Security Systems
Building access can also help us gain confidence that a user is who he or she claims to be. By integrating data from these physical access systems into the identity risk engine, we can extend our insight. If a user just badged into an office in San Francisco, and soon after is attempting a login from London, that’s something that should impact our risk assessment. Conversely, if the user just entered their normal building and, following their normal pattern, accessed their Office 365 account moments later, we can consider this behavior in determining if additional authentication is required.
Putting It All Together
These are not the only systems where additional data about anomalies, normal behavior or other information can help feed behavioral recognition and static policy rules. You should be looking throughout your organization for systems that contain data that may help to improve access security and reduce end user friction. What is important in your identity assurance strategy is not only that you have systems containing these types of access-relevant data, but that there is real-time response within your identity system.
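The sketch below is an added example, not code from the original post or from any product: it shows one way the signals described above (user and resource alerts, EMM device status, badge location versus login location) could feed a single real-time access decision. All class names, field names, severity labels and thresholds are assumptions made for illustration.

```python
import math
from dataclasses import dataclass
from typing import Optional

# All names and thresholds below are hypothetical, chosen for illustration.
MAX_TRAVEL_KMH = 900      # faster than this between badge and login is implausible
LOCAL_KM = 50             # IP geolocation is roughly city-level
FRESH_BADGE_S = 900       # "moments later": badge-in within the last 15 minutes

@dataclass
class Badge:              # event from the physical security system
    lat: float
    lon: float
    ts: float             # epoch seconds

@dataclass
class AccessRequest:
    lat: float
    lon: float
    ts: float
    managed_device: bool = False          # reported by EMM
    user_alert: Optional[str] = None      # severity of an open alert on the user
    resource_alert: Optional[str] = None  # severity of an open alert on the resource
    last_badge: Optional[Badge] = None

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2)
         * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 6371 * 2 * math.asin(math.sqrt(a))

def decide(req: AccessRequest) -> str:
    """Return 'block', 'mfa' or 'allow' for one access attempt."""
    alerts = (req.user_alert, req.resource_alert)
    if "critical" in alerts:
        return "block"                    # significant threat: hold until cleared
    if any(alerts):
        return "mfa"                      # any open alert raises required assurance
    badge_nearby = False
    if req.last_badge:
        km = km_between(req.last_badge.lat, req.last_badge.lon, req.lat, req.lon)
        elapsed = max(req.ts - req.last_badge.ts, 1)
        if km <= LOCAL_KM:
            badge_nearby = elapsed <= FRESH_BADGE_S
        elif km / (elapsed / 3600) > MAX_TRAVEL_KMH:
            return "mfa"                  # e.g. San Francisco badge, London login
    # Low friction only with positive context: managed device or fresh local badge.
    return "allow" if (req.managed_device or badge_nearby) else "mfa"
```

The ordering is deliberate: an open alert or an implausible badge-to-login distance overrides the managed-device shortcut, so positive context can only reduce friction when nothing else is raising risk.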
We have spent a lot of time talking about gathering the data required to identify the correct authentication requirement for each situation. In the final blogs of this series, we will cover the two final key components of a successful identity assurance strategy, both of which are all about the end user. Until then, take just 15 minutes to learn how RSA SecurID® Access is enabling access to the modern enterprise with identity assurance in this on-demand webinar.