When a company is attacked using compromised network credentials, the debate centres on case-specific vulnerabilities and the challenge of detecting an intrusion. Rarely, if ever, do we consider that our concept of identity itself may be flawed - that we could have done more to stop a person accessing an account they weren't authorised to use in the first place.
It's more or less universally accepted in IT security that upfront proof of identity is enough to know a person is who they say they are. The industry still takes for granted that verifying identity is a one-time occurrence - a person is authenticated at the start of a session and that's it. The process is completed until the next log-in.
In reality, if a stranger entered the office with somebody else's ID, it wouldn't be long before the ruse was rumbled. On the network, however, they can wander around unchallenged.
Recognition – once is not enough
The secret of successful access management is recognition. So, how would a recognition-based solution work? The answer is pretty simple - it takes into account the context in which the user makes his or her claims, and it does this on a transaction-by-transaction basis.
There are lots of factors that could be used as context: IP address, operating system, presence or absence of antivirus software, location, and time of day. All of these attributes offer evidence that might be used to determine whether somebody is who they say they are, or whether they ought to be trusted. The more parameters in play the better: every single item of data expands the system's scope to make informed decisions. Think again of the information you use to recognise a person in the real world: their appearance, their clothing, the sound of their voice and their vocabulary, and any number of behavioural attributes. A recognition-based approach uses this principle.
It's important to note that recognition, unlike upfront proof of identity, is not a binary proposition. The system might concede that although a person is attempting to carry out a transaction using a device it's never seen before, the rest of their story checks out well enough to grant access.
As for the degree of leeway the system should allow, this depends on the value of the transaction. If a user wants to open a low-risk document, it can afford to give them more flexibility in terms of device, operating system and IP address than if they were requesting access to highly confidential financial data, or looking to move a few thousand dollars.
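The scoring described above, as an added illustration that is not the author's or Cryptzone's code: each context attribute is compared with what the system has seen before, the weighted matches give a non-binary recognition score, and the score needed to proceed rises with the sensitivity of the transaction. The weights, thresholds and the sample user profile are all constructed assumptions.

```python
from dataclasses import dataclass

# Weight of each context attribute in the recognition score (constructed values).
WEIGHTS = {"ip": 0.25, "os": 0.15, "antivirus": 0.15, "location": 0.25, "hour": 0.20}

# Minimum score required, by transaction sensitivity: the more valuable the
# transaction, the less leeway the system allows (constructed values).
THRESHOLDS = {"low": 0.40, "medium": 0.65, "high": 0.85}
STEP_UP_MARGIN = 0.20  # below the threshold but within this margin: ask for more proof

@dataclass
class Profile:
    """What the system has previously observed for this user."""
    ips: set
    oses: set
    locations: set
    active_hours: range  # hours of the day the user normally works

def recognition_score(profile, ctx):
    """Return a 0..1 score: weighted share of context attributes that match the profile."""
    checks = {
        "ip": ctx["ip"] in profile.ips,
        "os": ctx["os"] in profile.oses,
        "antivirus": ctx["antivirus"],
        "location": ctx["location"] in profile.locations,
        "hour": ctx["hour"] in profile.active_hours,
    }
    return round(sum(WEIGHTS[k] for k, matched in checks.items() if matched), 2)

def decide(profile, ctx, sensitivity):
    """Non-binary outcome per transaction: ('allow' | 'step-up' | 'deny', score)."""
    score = recognition_score(profile, ctx)
    needed = THRESHOLDS[sensitivity]
    if score >= needed:
        return "allow", score
    if score >= needed - STEP_UP_MARGIN:
        return "step-up", score
    return "deny", score

# Constructed sample: a user seen so far from one device, in one city, during office hours.
ALICE = Profile(ips={"10.0.0.5"}, oses={"Windows 10"}, locations={"London"}, active_hours=range(8, 19))

# Constructed request: a never-before-seen device, but the rest of the story checks out.
UNKNOWN_DEVICE = {"ip": "10.0.0.77", "os": "macOS", "antivirus": True, "location": "London", "hour": 10}

if __name__ == "__main__":
    for level in ("low", "medium", "high"):
        print(level, decide(ALICE, UNKNOWN_DEVICE, level))
```

The same 0.60 score opens a low-risk document, triggers step-up authentication for a medium-sensitivity request, and is refused for highly confidential data.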
To bring an end to today's data breach epidemic, the IT security industry needs to use recognition, rather than identity, as the foundation of access management. If this process can happen in the real world, is there any reason that it shouldn't happen on a corporate network?
Jamie Bodley-Scott will be presenting a seminar titled 'Recognition Rather than Identity as the Foundation for Access Management' at Cyber Security EXPO Europe. The seminar is scheduled at 11.40 in the Identity and Data Centric Security Theatre on Wednesday 8 October. To find out more about Cryptzone and its solutions, talk to its technology team at stand AA13. Register now!
Jamie Bodley-Scott, technical product manager at IAM