Protecting data and assets starts with the ability to identify with an acceptable level of certainty the people and devices requesting access to systems. Traditionally, identity has been established using a “secret handshake” (user ID and password) that gets the person or device through a gateway with access to permitted systems. Once through, few safeguards are in place to further confirm identity.
Now, organizations are starting to take a wider, more complex view of identity to authenticate and authorize people and devices to provide a much more reliable, context-based confirmation of identity than a user ID and password can. “[The idea is to] take identity from its current manual and pretty static state in terms of how we manage groups, policy, authentication and bring it more into the real-time world through intelligence,” says Andre Durand, CEO of Ping Identity.
That approach requires a more comprehensive look at other factors that determine identity, specifically behavior and environmental attributes. Understand everything you can about the customers, employees, and devices connecting to your systems, and you can build a unique profile for each one that would be extremely difficult for a hacker to copy.
Changing the way enterprises use identity to authenticate and authorize is also driving structural changes within the organization. The people who are responsible for identity have typically not been associated with security. That’s changing as security focuses more on identity as a front-line defensive concept, and it’s having a profound effect on both groups.
“Security absorbed identity, but identity is eating security,” says Durand. As organizations build security strategies that start with strong authentication, identity becomes the new perimeter.
Why identity management is changing
User IDs and passwords are now pointless. They can be easily hacked or bought. That’s why most enterprises with high-value data to protect have gone to at least two-factor authentication (2FA). Even 2FA is becoming less secure as tokens or smartphones can be compromised or stolen.
Not only are passwords ineffective, they annoy people. Consumer-facing businesses want to remove friction from customer interactions, and organizations want to do the same for their employees. Passwords generate a lot of friction.
The trend toward digitalizing business is also increasing demand for better identity management and strong authentication. “Digitalization is driving a lot of customer journeys that didn’t exist before,” says Jatin Maniar, vice president of marketing and alliances at passwordless, universal authentication vendor Nok Nok Labs. Those journeys often force developers to make trade-offs between security and convenience. “Better user experience and security underpinnings lead to increased engagement and improved risk posture,” he says.
Part of that better user experience is the move away from passwords, Maniar says. That trend extends to both corporate and B2C scenarios, eliminating passwords for customers, enterprise users and connected devices.
The march to digitalization goes hand-in-hand with the rise in mobile device usage, which in turn enables more intelligent identity technology like biometrics, says Maniar. “The good news is consumers are readily adopting and prefer biometrics as an authentication means with their mobile devices. Couple that with open authentication FIDO standards and we have never been closer to elimination of shared secrets and provide a solid foundation for stronger security for a digital world,” he adds.
“The reason identity is increasingly relevant to all security teams is because of the fact that the traditional perimeter-based approach to security has crumbled or dissolved away for many years now,” says Derick Townsend, vice president of product marketing at Ping. He cites a mobile workforce as one driver. “They’re not coming into the office, sitting at a desk, and plugging into a network,” he says.
Another factor is the proliferation of applications residing outside the enterprise. “These could be mobile apps. They could just be applications running in private clouds, or they could be SaaS-based apps,” says Townsend. “Then you’re left with coming up with a new paradigm to secure your resources. Identity is the best choice to do that.”
How identity management can spot imposters and bad actors
Every time you log onto a website or a corporate system, you generate a lot of signals that you are not aware of. Those signals might include your location, device IP address, or the speed or cadence at which you type. If you use a mobile device, even more signals are available, such as how hard you tap the screen. Similarly, every device that connects has its own signals based on typical usage patterns.
Collecting and analyzing these signals allows some identity management systems to create unique profiles for every individual and device. You can then set certainty thresholds to indicate which levels of confidence are acceptable to allow access. From an authorization perspective, this allows you to grant or deny access with a much higher degree of accuracy.
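The profile-and-threshold logic described above, as an added example rather than code from the article or any vendor product: a per-user baseline built from the passive signals the article lists (device, country, source network, typing cadence), a weighted risk score, and certainty thresholds that map the score to allow, step-up or deny. The profile structure, weights, thresholds and sample data are all assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

@dataclass
class UserProfile:
    """Baseline from past successful logins (assumed structure, constructed data)."""
    known_devices: set
    known_countries: set
    trusted_networks: list   # CIDR strings such as corporate egress ranges
    cadence_samples: list    # mean inter-keystroke interval (ms) per past login

@dataclass
class LoginSignals:
    device_id: str
    country: str
    ip: str
    typing_cadence_ms: float

# Assumed weights; each mismatching signal adds to a 0..1 risk score.
WEIGHTS = {"device": 0.35, "country": 0.30, "network": 0.15, "cadence": 0.20}

def risk_score(profile: UserProfile, s: LoginSignals) -> float:
    score = 0.0
    if s.device_id not in profile.known_devices:
        score += WEIGHTS["device"]
    if s.country not in profile.known_countries:
        score += WEIGHTS["country"]
    addr = ip_address(s.ip)
    if not any(addr in ip_network(n) for n in profile.trusted_networks):
        score += WEIGHTS["network"]
    # Typing cadence counts as anomalous beyond 2 standard deviations of the baseline.
    if len(profile.cadence_samples) >= 2:
        mu, sigma = mean(profile.cadence_samples), pstdev(profile.cadence_samples)
        if sigma and abs(s.typing_cadence_ms - mu) > 2 * sigma:
            score += WEIGHTS["cadence"]
    return round(score, 2)

def decide(score: float, allow_below: float = 0.3, deny_at: float = 0.7) -> str:
    """Certainty thresholds: passive allow, step-up (e.g. a second factor), or deny."""
    if score < allow_below:
        return "allow"
    return "deny" if score >= deny_at else "step-up"

# Constructed sample profile and login attempts.
ALICE = UserProfile({"laptop-01"}, {"US"}, ["203.0.113.0/24"], [110, 118, 105, 112, 115])
USUAL = LoginSignals("laptop-01", "US", "203.0.113.42", 113)
TRAVEL = LoginSignals("laptop-01", "DE", "198.51.100.7", 115)
IMPOSTER = LoginSignals("unknown-phone", "BR", "198.51.100.7", 260)
```

With these thresholds USUAL is allowed passively, TRAVEL (known device, unfamiliar country and network) triggers a step-up, and IMPOSTER is denied.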
Hackers will still try to get in, but intelligent identity management creates some big barriers. “Single-factor passwords are weak and burdensome,” says Chris Sullivan, CISO at SecureAuth + Core Security. “Two factor is stronger but more burdensome and has been consistently beaten. We can now verify 25 factors before asking users for anything. This is infinitely better."
On July 11, SecureAuth + Core Security announced Login for Windows and Login for Mac, what it calls “adaptive authentication” products that can process dozens of factors in the background. “By strongly authenticating a user at the initial login, we can trust that identity and eliminate ‘login friction’ from the rest of their day as they access other applications and systems,” said Keith Graham, CTO at SecureAuth + Core Security.
The concept of intelligent identity management is simple, but analyzing the data in real time requires sophisticated software and good integration with other systems. That’s why some identity vendors are turning to artificial intelligence (AI) and machine learning. “The idea is to leverage the data and both machine learning and AI to make the authentication experience better for end users with the ideal scenario being passwordless,” says Durand. “If we can recognize the user through any number of passive signals that we have access to, then let the user in — especially if the user is doing something deemed low risk. If we see anomalous behavior, then we should stop it or flag it or route it to someone for an authorization request.”
A person’s identity profile can also include normal network behavior. If someone makes it through the initial authentication process and then does something that person would not typically do, the identity management system can flag the activity, request further authentication, or stop the activity.
This helps defeat hackers who manage to get into the system, but it also detects potential insider threats—for example, employees accessing files that they do not need for their work or attempting to log in at odd times. Similarly, an intelligent identity system can detect abnormal behavior from authorized devices, which can help stop or minimize distributed denial of service (DDoS) attacks.
That covers the authentication side of identity management. On the authorization side, AI and machine learning can help manage permissions as well. “The vision here is to enable what I refer to as just in time, just enough access,” says Durand. “How can we achieve that? Grant access when necessary and shut it off when not necessary.”
“We also want to close the surface area people have access to. We want to make it as granular or as small as we can,” Durand adds. “It’s nice to have access to the internet and everything in it—it’s very coarse grained. It’s another thing to have access to an app, another thing to have access to a page in an app for a moment in time. That’s an example of just in time, just enough access.”
He cites the example of a large retailer with 100 admins that had email administration rights. They worried about the security risk that presented. They were hoping to find a better way to identify patterns of authorized admin actions versus unauthorized actions.
A new role for identity management
At the recent Identiverse event in Boston, Ping Identity announced PingIntelligence for APIs, the result of combining API traffic monitoring technology from its recent purchase of Elastic Beam with Ping’s identity technology.
API hacks are on the rise over the last few years with high-profile breaches at T-Mobile and the U.S. Internal Revenue Service (IRS). API vulnerabilities allow hackers to take over accounts and applications. That puts more stress on the network operations center (NOC). “You have all this [API] traffic going back and forth,” says Sarah Squire, senior technical architect at Ping Identity. “It’s too much data, more than one person can process.”
In response, Elastic Beam developed a platform to monitor activity within APIs. “It’s a really hard problem,” says Bernard Harguindeguy, founder of Elastic Beam and SVP, Intelligence at Ping Identity. “You may have tens of thousands of connections happening simultaneously on dozens and dozens of APIs. And a different end user device—mobile, desktop, different apps—and you’re looking for a needle in the haystack.”
With what Harguindeguy calls a “really deep visibility engine,” the Elastic Beam product had the ability to recognize and automatically block threats. Positively identifying the source was another matter.
APIs are accessed through tokens using industry standard protocols like OAuth. That’s where Ping has enhanced Elastic Beam’s visibility engine. “Ping Access helps customers secure their APIs using OAuth tokens and can both mint and read those tokens to allow access to the APIs,” says Durand. API authentication presumes the right user has the token. What had been missing, Durand says, is a way to tell if a threat came from a compromised token or a known good actor turned bad. “There’s no one watching the henhouse once the user is in with that identity token. The identity security, the monitoring of the activity on the API after the fact is really what Elastic Beam brings to Ping.”
Prior to Ping, Elastic Beam didn’t have full access to the actual user identity. “With Ping, because we are both creating and reading the OAuth tokens, we now for the first time have the ability to tie the actual authenticated user to the API traffic and correlate the activity with a known and authenticated user,” says Durand.
Squire says that PingIntelligence for APIs is easy to set up, but it can take up to six months to establish a risk baseline. Once that’s in place, the product is capable of detecting and blocking DDoS attacks, insider threats, password spraying attacks, and compromised apps. It might also detect zero-day attacks on apps if the attack pushes anomalous traffic over the API.
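The idea in the preceding paragraphs, tying each API call to the authenticated subject of its OAuth token, learning a per-subject baseline and then flagging departures from it, as an added example that is not PingIntelligence or any Ping code: the records, the baseline fields (endpoints used, peak requests per minute) and the rate factor are constructed assumptions, and findings are returned for an enforcement point to act on, as in the sideband deployment described below.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed records as an identity-aware gateway could forward them in sideband mode:
# (timestamp, token subject, method, path). `sub` is the subject claim of the OAuth
# access token that authorised the call, so each request is tied to a known user.
BASELINE = [
    ("2018-07-02T09:00:10", "alice", "GET", "/v1/orders"),
    ("2018-07-02T09:01:15", "alice", "GET", "/v1/profile"),
    ("2018-07-02T09:02:30", "alice", "GET", "/v1/orders"),
]
LIVE = [
    ("2018-07-03T10:00:05", "alice", "GET", "/v1/orders"),
    ("2018-07-03T10:05:01", "alice", "GET", "/v1/orders"),
    ("2018-07-03T10:05:02", "alice", "GET", "/v1/orders"),
    ("2018-07-03T10:05:03", "alice", "GET", "/v1/orders"),
    ("2018-07-03T10:05:04", "alice", "DELETE", "/v1/users"),
    ("2018-07-03T10:05:05", "alice", "DELETE", "/v1/users"),
    ("2018-07-03T10:06:00", "mallory", "GET", "/v1/orders"),
]

def minute_of(ts: str) -> datetime:
    return datetime.fromisoformat(ts).replace(second=0, microsecond=0)

def learn(records):
    """Per-subject baseline: endpoints used and peak requests per minute."""
    endpoints, per_minute = defaultdict(set), Counter()
    for ts, sub, method, path in records:
        endpoints[sub].add((method, path))
        per_minute[(sub, minute_of(ts))] += 1
    peak = Counter()
    for (sub, _), n in per_minute.items():
        peak[sub] = max(peak[sub], n)
    return {sub: (eps, peak[sub]) for sub, eps in endpoints.items()}

def evaluate(profiles, records, rate_factor=3):
    """Findings per subject, handed to the gateway or access proxy that enforces."""
    findings, per_minute = defaultdict(set), Counter()
    for ts, sub, method, path in records:
        if sub not in profiles:
            findings[sub].add("no baseline for subject")
            continue
        if (method, path) not in profiles[sub][0]:
            findings[sub].add(f"novel endpoint {method} {path}")
        per_minute[(sub, minute_of(ts))] += 1
    for (sub, _), n in per_minute.items():
        peak = profiles[sub][1]
        if n > rate_factor * peak:
            findings[sub].add(f"rate {n}/min exceeds {rate_factor}x baseline peak {peak}")
    return {sub: sorted(f) for sub, f in findings.items()}
```

Running the baseline traffic through evaluate() yields no findings, while the live window flags alice's burst and novel DELETE calls and the subject with no learned baseline.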
What this means is drastically reduced time to identify attacks once an abnormality is detected. Ping partner Axway Software claims in Ping’s press release that attack identification time goes from months to minutes. Even if that’s only half true, it’s a meaningful improvement.
PingIntelligence for APIs needs to integrate well with an enterprise's existing reporting, NOC, and security infrastructure. It does so in two ways. It can operate in what Ping calls a sideband mode, where a copy of the traffic data is pushed to PingIntelligence for APIs. “Some organizations are understandably nervous about putting another proxy into their traffic flow,” says Townsend.
Actual blocking of a threat in sideband mode occurs outside of PingIntelligence for APIs. “When it finds an anomaly or attack, it pushes that information back up to another product. That could be an API gateway product, it could be Ping Access. That’s where the blocking of the attack will occur,” says Townsend.
The product can also run directly inline with the traffic flow, analyzing and acting on events in real time. PingIntelligence for APIs can block attacks directly in inline mode. “It’s important to have different options for how to deploy,” says Townsend. “Every IT shop will have their own biases about what’s used in their network topologies.”
How identity is changing security
With identity becoming the new perimeter, Durand believes identity as a security function is “becoming more and more valid with the idea of the hybrid cloud reality of most enterprises. They are redefining their borders around identity access management systems,” he says.
Historically, identity has not been a security function. For employees, the identity teams got identity data needed for authentication from human resources. Customers provided their own authentication data through a customer identity and access management (CIAM) system front-end. “If you play it back maybe two years ago, Ping’s customer champion reported into IT, into ops. In some cases, they had separate identity groups,” says Durand. “Today we’re seeing identity folded in under the CISO.”
That’s creating a management and skillset challenge. “[Identity professionals] have a different mindset, different DNA,” says Durand. “A hybrid mindset is rare. It has you falling into identity or security.”
The gap between identity and security in terms of understanding what the other side does is wide. The solution, Durand suggests, is a strong training program for both the identity and security professionals. Panelists at an Identiverse session titled “Should Identity Own Security?” (the unanimous response was “No!”) all emphasized the need for greater collaboration between identity and security groups.
Even if intelligent identity management systems meet their full potential, they might never be able to provide 100 percent accurate authentication. “There’s a difference between trusting and knowing,” says Durand. “Can you trust when you don’t know? You can’t survive without trusting. It’s hugely inconvenient and expensive not to trust. That’s why you need intelligent risk scores and access control.”