Earlier this year, many enterprises saw their once-bustling offices go quiet as company-wide work from home policies went into effect around the world. The shift to remote work has magnified the cracks in the traditional network approach to enterprise security. Once able to make access decisions based on whether employees are in the office or not, organizations can no longer rely on this binary process of workforce authentication decision making when all employees are working off premises.
To ensure that remote employees can securely access required resources, enterprises are evolving their security strategies to an identity-centric, Zero Trust approach. Zero Trust is grounded in the philosophy that you should never trust and always verify, meaning there should be no implicit trust in a corporate network.
As users and devices go mobile and apps move to the cloud, you must build networks on the assumption that anyone could be on the network at any time. As such, you deny open access to corporate resources residing inside those networks and instead ensure a user's identity is always verified before accessing any resource. To accomplish this, risk signals are continuously monitored to determine the level of assurance that users are who they claim to be.
Using Risk Signals for Adaptive Workforce Authentication
Because the traditional network perimeter is no longer sufficient to grant access to resources, enterprises are leveraging risk signals to analyze context and user behavior to make intelligent authentication decisions. By continuously gathering contextual user information in the background to understand the level of risk posed, you can make real-time decisions about the level of authentication required to access a resource.
Depending on the level of risk, a user can be:
required to provide a stronger method of (or step up) authentication
Adaptive authentication lets you prompt a user to authenticate only when a certain level of risk has been identified, rather than every time a resource is accessed. Essentially, it makes security invisible to—and access seamless for—the user until the risk level is high enough to warrant additional authentication.
The risk signals that can be analyzed to influence authentication decisions is ever increasing. As the number of signals grows, you can strengthen your security posture and gain greater confidence that users are who they claim to be by using intelligence-based policies that rely on advanced analytics and machine learning.
Make Intelligent Authentication Decisions with Ping Identity
To address the growing number of risk signals, we recently released new risk management features to deploy alongside PingID, our cloud-based multi-factor authentication (MFA) solution. These new features make it possible to analyze additional risk signals and detect anomalous behavior to make intelligent authentication decisions. Read on to learn about these four new risk management features and how they enable continuous adaptive authentication.
1. User and Entity Behavior Analytics (UEBA)
Legitimate login attempts from employees and partners tend to follow predictable patterns, while login attempts from bad actors or hackers tend to deviate from the norm. Distinguishing typical login behavior from atypical behavior can help an organization identify the level of risk in an authentication attempt and block access to a malicious actor if needed.
To get the insight needed to distinguish between normal and anomalous behavior requires recording and connecting multiple data points about every authentication attempt in an organization. User and entity behavior analytics (UEBA) help you analyze requests to learn user behavior. These analytics can then be used to create intelligence-based policies and make smarter authentication decisions.
“By 2022, 60% of access management implementations will leverage user and entity behavior analytics capabilities and other controls to provide continuous authentication, authorization and online fraud detection.”
Authentication policies created using UEBA leverage machine learning models that continuously analyze user activity to determine if the behavior is anomalous. These models take into account multiple variables of a user’s behavior to determine the level of risk the requester poses to the organization, including:
Device type, operating system and version
Browser type and version
Date, time and location of authentication
If the risk level exceeds a certain threshold, malicious activity may be indicated. To block a potential attack, Ping customers can configure the policy to either step up authentication or deny access in this situation. Before applying the policy to the authentication flow for all users—and potentially introducing unnecessary friction—you can also use UEBA in evaluation mode to see the output of the machine learning model and adjust the policy rules as needed to deliver the right balance of security.
2. Anonymous Network Detection
Bad actors will typically rely on anonymous networks, such as unknown VPNs, TOR and proxies, to mask their IP address when attempting to breach protected, corporate resources. Historically, this incognito method has proven somewhat successful as it allows potential attackers to be untraceable when implementing an attack.
To prevent hackers or bad actors from using anonymous networks to gain entry to corporate systems, Ping customers can now apply a policy to analyze data from multiple sources about the address of the user requesting resources. If it’s determined that the user requesting access is coming from an anonymous network, you can apply a policy that requires the user to either re-authenticate or be denied access.
3. IP Reputation
Rogue actors often reuse IP addresses when conducting malicious actions like launching DDoS attacks or spam bots. So it stands to reason that if a user is requesting access to a resource using an IP address previously associated with suspicious activity, they may have malicious intent.
Using identity intelligence to analyze threat data, Ping customers can now evaluate the reputation of an IP address to better understand the risk associated with giving access, as well as determine the appropriate security action. For example, if a user logs in from an IP address where significant bot traffic has originated, they may be required to provide a stronger method of authentication. On the other hand, a user logging in from an IP address associated with online fraud might be denied access completely.
4. Impossible Travel
One way to identify potential malicious or fraudulent activity is to analyze changes in a user’s location. But in a dynamic and global business environment, users might log into services and applications from different countries in the course of a day.
Ping customers can now detect impossible travel situations by analyzing location data between logins and calculating the time it would take for the user to travel between the two locations. If the travel time is impossible, then a policy can be applied that requires the user to re-authenticate or be denied access. For example, if a user logs into an application in New York and then attempts to log in from Moscow an hour later, they can be prompted to provide a stronger authentication method or be denied access altogether, depending on how the policy is configured.
Looking Ahead for Workforce Authentication Risk Management
Available for immediate deployment, these powerful new risk management features are just the beginning of Ping’s commitment to providing customers with advanced capabilities to manage evolving risks and use contextual data to make intelligent authentication decisions. In the coming months, we’ll be announcing even more risk management features that can be integrated with other Ping products to provide deeper insights into the risks within your organization.