WHITE PAPER INTELLIGENT IDENTITY New Approaches to Optimize Security and User Convenience for the Digital Enterprise

TABLE OF CONTENTS

Introduction

How Intelligent Identity Works

How Intelligent Identity Evaluates Cybersecurity Risks

How Intelligent Identity Evaluates User and Device Context

How Intelligent Identity Integrates Learning, Risk and Context with Policy

Leverage Intelligent Identity for Digital Transformation Success


INTRODUCTION

Today’s customers demand that their interactions across all channels be personalized, private and secure. At the same time, the modern workforce needs to be productive from anywhere, on any device, with access to all enterprise resources on demand. Requirements like these have ignited dramatic shifts in the way businesses operate across the globe. In response, enterprises are adding more resources, people and devices to ensure the success of their digital transformation initiatives, all with the goal of keeping up with the rising tide of these customer and workforce expectations.

While these shifts are driving improvements in productivity and experience, they also come with higher risk. The increased frequency and severity of large-scale data breaches over the past decade are evidence of this.

“The 2010s were the worst decade on record for hacks and data breaches… adding up to nearly 4 billion records stolen in total over the past 10 years.”[1]

To maintain an accelerated path of transformation without sacrificing security, many enterprises are choosing a Zero Trust approach. Zero Trust is a security concept that addresses the realities of digital transformation and provides a framework to increase security in an increasingly open and connected world. Zero Trust asserts that no user, system or service can be automatically trusted, whether inside or outside the traditional security perimeter, and that anyone or anything must be verified before being granted access to resources.

Those organizations that are already moving toward Zero Trust are realizing firsthand the advantages of putting identity at the center of security, while leveraging artificial intelligence (AI) and machine learning (ML) technologies to make security smarter. A recent CapGemini global survey of 850 technology executives found that 73% are testing AI use cases for cybersecurity, while 65% are using AI for identity and access security.[2]

An intelligent identity platform that leverages Zero Trust principles and AI to provide continuous validation of user identities can enable enterprises to not just maintain, but accelerate digital transformation efforts to win in the new digital economy. In its 2019 Magic Quadrant for Access Management, Gartner echoes this sentiment and predicts that “by 2022, 60% of access management implementations will leverage user and entity behavior analytics capabilities and other controls to provide continuous authentication, authorization and online fraud detection, up from less than 10% today.”[3]

[1] Holmes, Aaron. “Biggest hacks and data breaches of the last decade: 2010 through 2019.” Business Insider. November 13, 2019.
[2] Tolido, Ron, Geert van der Linden, Luis Delabarre, Jeff Theisler, Yashwardhan Khemka, Anne-Laure Thieullent, Allan Frank, Jerome Buvat and Sumit Cherian. “Reinventing Cybersecurity with Artificial Intelligence: The new frontier in digital security.” CapGemini Research Institute. July 11, 2019.
[3] Kelley, Michael, Abhyuday Data and Henrique Teixeira. Magic Quadrant for Access Management. Gartner. August 12, 2019.

HOW INTELLIGENT IDENTITY WORKS

Figure 1: Intelligent identity evaluates risk, context and policy alongside machine learning to determine a tailored security outcome. (Figure labels: User Action → Intelligent Identity → Tailored Security Outcome)

An intelligent identity solution helps you strike the ideal balance of security and user convenience. Capable of analyzing a wide range of data—including the cybersecurity risks associated with a user, the context in which they’re requesting access, as well as the device from which they’re requesting access—an intelligent identity solution leverages adaptive security policies alongside machine learning to determine the appropriate next steps with the least amount of friction for the user. By tailoring security outcomes based on risk, an intelligent identity solution makes it possible to provide both seamless and secure access for users.

Tailored Security Outcomes: Striking a Balance Between Security & Experience

A tailored security outcome leveraging cybersecurity risk signals, user and device contexts and anomaly detection based on learned patterns provides a superior experience for any type of user. A sampling of the outcomes that can be delivered includes:

• Allow access: grants a user access to requested resources, transactions or data.
• Deny access: denies a user access based on one or more cybersecurity risks, contexts or policies.
• Allow reduced access: reduces a user’s access to certain URLs or transaction types based on one or more cybersecurity risks, contexts or policies.
• Re-authenticate: requires a user to log in again after a certain type of behavior is observed or a high-risk request is made.
• Step-up authentication: requires an additional form of authentication to verify user identity, such as a biometric or FIDO security key, before granting access to the requested resource.
• Force password reset: requires a user to reset their password after a certain type of behavior or after an event such as a compromised credential has been recognized.
• Force MFA enrollment: requires a user to enroll in and successfully complete a multi-factor authentication challenge when requesting access to a sensitive resource.
• Passwordless authentication: prompts the user for a more convenient method of logging in, such as TouchID or FaceID, instead of a username and password.

By customizing the next best step based on a range of criteria and learned patterns, an intelligent identity solution is able to maximize security while minimizing user friction.

“Pursue passwordless authentication: Replacing a password with biometric authentication can improve both usability and security, a combination not frequently observed among security and IAM tools.”[4]

[4] Ruddy, Mary, Mark Diodati, Paul Rabinovich and Paul Mezzera. “2020 Planning Guide for Identity and Access Management.” Gartner Research. October 7, 2019.

HOW INTELLIGENT IDENTITY EVALUATES CYBERSECURITY RISKS

Intelligent identity solutions are able to evaluate risks identified as non-starters for accessing your business’s applications and data. Non-starters are those actions or behaviors that an organization has determined automatically disqualify users from accessing resources. In the case of customer access, these risks typically indicate fraudulent activity. For employees, both fraudulent activity and other factors that may expose the organization to unnecessary risk are taken into account.

The user, device, resource, location and network risk categories shown in Figure 2 denote specific risk signals that can be leveraged in security decision making, most often as indicators of when to block access or request a higher level of assurance that the user is who they say they are.

Figure 2: The types of security risks that an intelligent identity solution is capable of analyzing. (Figure labels: User: Abnormal User Behavior; Device: Bad Device Reputation; Resource: Anomalous API Sequence; Location: Impossible Travel Velocity; Network: Bad IP Reputation)

User Risk: Abnormal User Behavior

An abnormal user behavior risk is generated when a user’s behavior in a specific instance varies from the baseline of what’s considered normal for that user or their organization. For example, if a user attempts to log in at an unusual time based on their past logins, an intelligent identity solution can enforce multi-factor authentication before providing access. If a higher risk scenario is detected, like a user attempting access with a browser language setting that hasn’t been previously used by that user or anyone else in their group or organization, it can deny access completely.

Figure 3: An intelligent identity solution is able to compare a user’s current behavior to past behavior to evaluate access risk. (Figure labels: Abnormal login time for this user; Abnormal language setting for this group)
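The two examples above (unusual login hour → MFA, browser language unknown to the user and their group → deny) can be reduced to a baseline comparison. The following is an added Python example written for this page; it is not Ping Identity’s code and does not reproduce the vendor’s ML model. The login history, the ±2-hour window, the 0.8 threshold and the outcome names are constructed assumptions that stand in for a learned baseline.

```python
from collections import Counter
from datetime import datetime

# Constructed sample login history: (user, group, ISO timestamp, browser language).
# Alice normally logs in around 08:00-09:00 with en-US; Bob uses en-GB in the same group.
HISTORY = [
    ("alice", "finance", "2020-01-06T08:55:00", "en-US"),
    ("alice", "finance", "2020-01-07T09:10:00", "en-US"),
    ("alice", "finance", "2020-01-08T08:40:00", "en-US"),
    ("alice", "finance", "2020-01-09T09:05:00", "en-US"),
    ("alice", "finance", "2020-01-10T17:30:00", "en-US"),
    ("bob",   "finance", "2020-01-06T10:00:00", "en-GB"),
    ("bob",   "finance", "2020-01-07T10:20:00", "en-GB"),
]


def hour_of(ts):
    return datetime.fromisoformat(ts).hour


def user_hour_profile(history, user):
    """Baseline for one user: how many past logins fell in each hour of the day."""
    return Counter(hour_of(ts) for u, _, ts, _ in history if u == user)


def languages_seen(history, user=None, group=None):
    """Browser languages previously observed for a user or for a whole group."""
    return {lang for u, g, _, lang in history
            if (user is None or u == user) and (group is None or g == group)}


def hour_anomaly(profile, hour, window=2):
    """Anomaly score in [0, 1]: share of past logins that did NOT fall within
    +/-window hours of `hour` (wrapping around midnight). 1.0 = never seen."""
    total = sum(profile.values())
    if total == 0:
        return 1.0  # no baseline yet: treat as fully unknown (assumption)
    near = sum(c for h, c in profile.items()
               if min(abs(h - hour), 24 - abs(h - hour)) <= window)
    return 1.0 - near / total


def evaluate_login(history, user, group, ts, lang, unusual_threshold=0.8):
    """Map the two behavioural signals to an outcome: 'deny', 'mfa' or 'allow'."""
    # Language never seen for this user OR anyone in the group: the paper's deny case.
    if lang not in languages_seen(history, user=user) and \
       lang not in languages_seen(history, group=group):
        return "deny"
    # Unusual hour for this user: the paper's step-up (MFA) case.
    if hour_anomaly(user_hour_profile(history, user), hour_of(ts)) >= unusual_threshold:
        return "mfa"
    return "allow"


if __name__ == "__main__":
    for ts, lang in [("2020-01-13T09:00:00", "en-US"),
                     ("2020-01-13T02:00:00", "en-US"),
                     ("2020-01-13T09:00:00", "ru-RU")]:
        print(ts, lang, "->", evaluate_login(HISTORY, "alice", "finance", ts, lang))
```

The anomaly score here is deliberately simple (fraction of history outside a time window); a production system would learn the baseline from far more events and more features, but the decision structure, a per-user baseline for the soft signal and a group-wide baseline for the hard signal, is the same.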

Device Risk: Bad Device Reputation

This risk signal is generated by analyzing thousands of attributes to accurately recognize a device, identify fraud patterns and uncover detection evasion tactics, such as the use of proxy servers and TOR networks. For example, if a device accesses multiple accounts assigned to different users within an extremely short window of time, an intelligent identity solution can block access or require a stronger form of authentication.

Figure 4: An intelligent identity solution is able to analyze thousands of attributes to detect fraud and evasion tactics. (Figure labels: History of fraud? Evading detection? Botnet detected?)

Resource Risk: Abnormal API Sequence

An abnormal API sequence risk is generated by leveraging AI and ML to compare the normal and expected usage patterns of APIs with an individual’s use of those same APIs. APIs are commonly accessed in a logical flow presented to users within a web interface. For example, in an online banking portal, a user will commonly log in, view their account balances, then make payments. If these steps are skipped, it could indicate that a bad actor is attempting to access certain APIs outside of the web application. In this case, the intelligent identity solution can step up authentication, block further access or take other actions.

Figure 5: An intelligent identity solution is able to compare API usage against typical patterns to identify anomalies. (Figure labels: Login API → Accounts API → Payments API)
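One concrete way to detect the skipped-step pattern in the Resource Risk paragraph is a first-order transition model learned from normal sessions: any transition between API calls that was never (or very rarely) seen in the web flow is flagged. This is an added Python example for this page, not Ping Identity’s code; the session log, the API names and the 0.05 probability floor are constructed assumptions.

```python
from collections import defaultdict

START = "<start>"  # synthetic token so the first call of a session is also scored

# Constructed sessions captured through the web front end. They stand in for the
# "normal and expected" usage the paper describes: login -> accounts -> payments.
NORMAL_SESSIONS = [
    ["login", "accounts", "payments"],
    ["login", "accounts"],
    ["login", "accounts", "accounts", "payments"],
    ["login", "accounts", "payments", "payments"],
]


def learn_transitions(sessions):
    """Build P(next API | current API) from observed sessions."""
    counts = defaultdict(lambda: defaultdict(int))
    for session in sessions:
        path = [START] + session
        for cur, nxt in zip(path, path[1:]):
            counts[cur][nxt] += 1
    return {
        cur: {nxt: n / sum(nexts.values()) for nxt, n in nexts.items()}
        for cur, nexts in counts.items()
    }


MODEL = learn_transitions(NORMAL_SESSIONS)


def unusual_transitions(model, calls, min_prob=0.05):
    """Transitions in an observed call sequence whose learned probability is
    below min_prob. A transition never seen in training scores 0.0."""
    path = [START] + calls
    flagged = []
    for cur, nxt in zip(path, path[1:]):
        p = model.get(cur, {}).get(nxt, 0.0)
        if p < min_prob:
            flagged.append((cur, nxt, p))
    return flagged


def decide(model, calls, min_prob=0.05):
    """Map the anomaly to one of the outcomes the paper lists for this risk."""
    flagged = unusual_transitions(model, calls, min_prob)
    if not flagged:
        return "allow"
    # Entering the API set without the normal first step (login) looks like
    # direct API access outside the web application: block further access.
    if any(cur == START for cur, _, _ in flagged):
        return "block"
    # Intermediate steps skipped: require stronger authentication first.
    return "step_up"


if __name__ == "__main__":
    for calls in (["login", "accounts", "payments"], ["login", "payments"], ["payments"]):
        print(" -> ".join(calls), ":", decide(MODEL, calls), unusual_transitions(MODEL, calls))
```

The model is intentionally per-application rather than per-user; a per-user variant would learn the same table from that user’s own sessions and fall back to the application-wide table when the user has too little history.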

Location Risk: Impossible Travel Velocity

This risk signal is generated by comparing location data between authentication events for a single user. If the travel time between a user’s current login location and their previous login location is not possible in the time since their previous login, an event can be triggered. For example, if a user logs in from New York and then attempts to log in from Moscow an hour later, the user could be denied access.

Figure 6: An intelligent identity solution is able to compare location data between authentication events for a single user to detect potentially fraudulent access attempts. (Figure labels: Login: 8:00am; Login: 9:00am)

Network Risk: IP Reputation

An IP reputation risk signal is generated when an IP address is associated with fraudulent and other malicious activities. IP reputations can present different levels of risk. An intelligent identity solution can use threat intelligence data to evaluate IP reputation and determine the appropriate security outcome for the user. For example, if a user logs in from an IP address where significant bot traffic has originated, they may be required to provide a stronger method of authentication. Similarly, a user logging in from an IP address where a large volume of online fraud has been traced may be denied access completely.

Figure 7: An intelligent identity solution is able to utilize threat intelligence data to evaluate IP reputation. (Figure labels: Risk Score High → Action Deny; Medium → Biometric; Low → Approve)
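The impossible-travel check above is a speed calculation: great-circle distance between the two login locations divided by the time between them, compared against a plausibility ceiling. This added Python example (written for this page, not Ping Identity’s code) carries the paper’s New York → Moscow case through the arithmetic. The coordinates, the 900 km/h ceiling and the 100 km minimum distance are constructed assumptions; the minimum distance exists because IP geolocation is coarse and two logins from the same city can resolve to points tens of kilometres apart.

```python
import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumed ceiling, roughly airliner cruise speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points in kilometres."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def travel_velocity_kmh(prev, curr):
    """Implied speed between two login events, each a dict with
    'time' (ISO 8601), 'lat' and 'lon'."""
    hours = (datetime.fromisoformat(curr["time"])
             - datetime.fromisoformat(prev["time"])).total_seconds() / 3600
    dist = haversine_km(prev["lat"], prev["lon"], curr["lat"], curr["lon"])
    if hours <= 0:
        # Same instant or clock skew: any real distance is impossible by definition.
        return math.inf if dist > 0 else 0.0
    return dist / hours


def impossible_travel(prev, curr, max_kmh=MAX_PLAUSIBLE_KMH, min_distance_km=100.0):
    """True when the implied speed exceeds max_kmh. Hops shorter than
    min_distance_km are ignored to absorb IP-geolocation imprecision."""
    dist = haversine_km(prev["lat"], prev["lon"], curr["lat"], curr["lon"])
    if dist < min_distance_km:
        return False
    return travel_velocity_kmh(prev, curr) > max_kmh


# Constructed login events for one user (times mirror Figure 6: 08:00 then 09:00).
NEW_YORK_LOGIN = {"time": "2020-01-06T08:00:00", "lat": 40.7128, "lon": -74.0060}
MOSCOW_LOGIN   = {"time": "2020-01-06T09:00:00", "lat": 55.7558, "lon": 37.6173}
BOSTON_LOGIN   = {"time": "2020-01-06T12:00:00", "lat": 42.3601, "lon": -71.0589}

if __name__ == "__main__":
    for label, curr in (("Moscow", MOSCOW_LOGIN), ("Boston", BOSTON_LOGIN)):
        print(label, round(travel_velocity_kmh(NEW_YORK_LOGIN, curr)), "km/h",
              "impossible" if impossible_travel(NEW_YORK_LOGIN, curr) else "plausible")
```

New York to Moscow is roughly 7,500 km, so one hour implies about 7,500 km/h and the event fires; New York to Boston four hours later is about 300 km at roughly 75 km/h and passes.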

HOW INTELLIGENT IDENTITY EVALUATES USER AND DEVICE CONTEXT

The need to enable access to resources from anywhere has greatly expanded the contexts and use cases security teams must consider. The proliferation of consumer devices and expansion of BYOD programs has further complicated the matter, with users often needing to gain access from a range of devices with starkly different security postures.

Similar to cybersecurity risks, an intelligent identity solution can evaluate a range of user and device context risks as shown in Figure 8 to determine the appropriate security outcome.

Figure 8: Types of user and device context that can be evaluated by an intelligent identity solution. (Figure labels: User Context: Geo-location, Recent Login from IP; Device Context: New Device, Device Posture & Management)

User Context: Geo-Location

Geo-location refers to the physical location of the device from which the user is requesting access. A physical presence in certain locations, such as an end user’s home or within a corporate office, may be considered safe for accessing certain resources. For example, an intelligent identity solution can set less restrictive security outcomes, such as passwordless authentication, when users are in certain geo-locations. Similarly, it can mandate multi-factor authentication when they’re outside these geo-locations.

User Context: Recent Login from IP

This user context is provided by data from the user’s previous login attempt. Similar to the example above, if a user has recently authenticated from a trusted IP address while trying to access a sensitive resource, a lower friction method of authentication and authorization can be applied. On the other hand, if an hour, day or week (as determined by the organization) has passed since the user last authenticated from this IP, a more secure method can be applied.

Device Context: New Device

This context is provided by comparing information about the device requesting access to the device on file. If the device is recognized as new, the user can be required to register the device using the existing device on file or through other secure methods. Subsequently, the user can authorize the requesting device as a trusted device for future login and access requests.

Device Context: Device Posture & Management

This device context can be provided directly from the device itself or by a mobile device management solution in workforce use cases. An intelligent identity solution can use a variety of device attributes to detect if a device has been rooted or jailbroken, has screen lock enabled, or is compliant with corporate policies. This data can then be used to determine if a user can access, what they can access and what security steps must be overcome to gain access.

HOW INTELLIGENT IDENTITY INTEGRATES LEARNING, RISK AND CONTEXT WITH POLICY

The ways in which users interact digitally, even within the context of a single organization, carry a wide variety of risks. These risks are presented through a combination of the resource to which the user is requesting access and the action taken by the user with that resource. As such, organizations leverage risk, context and policies alongside learning to take resource and user action into account. This is illustrated in the online banking scenario in Figure 9, in which a user has access to two banking resources, with the ability to conduct three distinct actions within each resource.

Different combinations of resources and associated actions result in varying levels of risk to the organization. A simplified categorization of these risks may look something like:

• Low Risk: A Card Rewards account is accessed to Review Reward Points
• Medium Risk: A Bank Account is accessed to View Account Balance
• High Risk: A Bank Account is accessed to Initiate a Wire Transfer

User-based policies based on combinations of resource and user action related risks can be defined by the organization. Policies should also take into account cybersecurity risks, as well as user and device context.

Figure 9: An intelligent identity solution defines policies based on resources and user actions. (Figure labels: Online Banking User → Banking Resources: Bank Account, Card Rewards → User Actions: Review Reward Points, View Account Balance, Initiate Wire Transfer)

Attribute-based Access Control

Policies may consider the attributes of a user stored in their user profile. A common way to enable attribute-based policy control is evaluating a “group” attribute and defining which application(s) that group’s members can access. Beyond group membership evaluation, the options are limitless. Attributes such as age, premium member status or virtually any other criteria can be evaluated to approve or deny access, as well as to determine which authentication mechanisms are required to attain the appropriate level of assurance.

Figure 10: Various user attributes can be evaluated to determine if access should be granted. (Figure labels: User, Environment, Information → Policy → Authorization Engine → Permit / Deny)

Resource-based Access Control

The resource being accessed—from the application down to the specific URL or API—can be evaluated alongside user context, device context and cybersecurity risks during authorization. These authorization policy rules can be built around one or more resources, allowing only specific groups or users with certain attributes access to certain resources, transactions and data.

Figure 11: Policies can be established that allow only certain users access to resources. (Figure labels: Level of Access, per resource)
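The last three sections describe inputs (resource/action risk tier, user attributes such as group, device and location context, network and behavioural risk tiers) and the tailored outcomes listed under “How Intelligent Identity Works”. The following added Python example (written for this page, not Ping Identity’s policy engine) wires them into one decision function over the paper’s banking scenario. The risk catalogue, the group-to-resource mapping, the tier names and the precedence of the rules are constructed assumptions; it fails closed on any resource/action pair it does not know.

```python
from dataclasses import dataclass

# Constructed resource/action risk catalogue modelled on the banking scenario (Figure 9).
RESOURCE_ACTION_RISK = {
    ("card_rewards", "review_points"): "low",
    ("bank_account", "view_balance"): "medium",
    ("bank_account", "wire_transfer"): "high",
}

# Constructed attribute-based rule: which user groups may reach which resources at all.
RESOURCE_GROUPS = {
    "card_rewards": {"customers"},
    "bank_account": {"customers", "premium"},
}

RISK_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class AccessRequest:
    groups: set                # user attributes: group membership from the profile
    resource: str
    action: str
    device_known: bool         # device context: registered device vs. new device
    device_compliant: bool     # device posture: not rooted/jailbroken, screen lock, MDM-compliant
    in_trusted_location: bool  # user context: geo-location such as home or office
    network_risk: str          # network risk tier derived from IP reputation
    behavior_risk: str         # tier from behavioural signals (login time, API sequence, travel)


def highest(*tiers):
    """Most severe of several risk tiers."""
    return max(tiers, key=RISK_RANK.__getitem__)


def decide(req):
    """Return (outcome, reason). Outcomes use the paper's vocabulary:
    deny, step_up, allow, passwordless."""
    pair_risk = RESOURCE_ACTION_RISK.get((req.resource, req.action))
    if pair_risk is None:
        return "deny", "unknown resource/action combination (fail closed)"
    # Attribute-based access control: the group gate comes first.
    if not (req.groups & RESOURCE_GROUPS.get(req.resource, set())):
        return "deny", "attribute-based rule: group not permitted on resource"
    # Non-starters: signals the organisation has decided disqualify access outright.
    if "high" in (req.network_risk, req.behavior_risk):
        return "deny", "high cybersecurity risk signal"
    if not req.device_compliant:
        return "deny", "device posture non-compliant"
    # Device context: a new device must be verified and registered before use.
    if not req.device_known:
        return "step_up", "new device must be verified and registered first"
    # Resource-based control: combine the action's own risk with the remaining signals.
    risk = highest(pair_risk, req.network_risk, req.behavior_risk)
    if risk == "high":
        return "step_up", "high-risk action requires an additional factor"
    if risk == "medium":
        if req.in_trusted_location:
            return "allow", "medium risk offset by trusted location"
        return "step_up", "medium risk outside trusted location"
    if req.in_trusted_location:
        return "passwordless", "low risk in trusted location"
    return "allow", "low risk"


if __name__ == "__main__":
    base = dict(groups={"customers"}, device_known=True, device_compliant=True,
                in_trusted_location=True, network_risk="low", behavior_risk="low")
    for resource, action in RESOURCE_ACTION_RISK:
        print(resource, action, "->", decide(AccessRequest(resource=resource, action=action, **base)))
```

Returning the reason alongside the outcome matters in practice: it is what lets an analyst audit why a wire transfer was stepped up while a balance view from the same session was allowed.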

LEVERAGE INTELLIGENT IDENTITY FOR DIGITAL TRANSFORMATION SUCCESS

There is no limit to how far enterprises can take their digital transformation efforts. As these initiatives persist long into the future, AI and ML will become foundational to providing the optimal balance of security and user experience. Built on these principles, intelligent identity will provide the tools for enterprises to compete in an on-demand world where people want anywhere, anytime, any device access.

With the great cloud migration in full swing, combined with mobile experiences and public APIs driving new sources of revenue, the enterprise attack surface has expanded significantly. Combine these trends with expanding partner ecosystems, remote access, BYOD, IoT adoption and others, and it’s easy to see why an intelligent identity solution is needed to secure tomorrow’s enterprises.

Aligning with a security provider whose product strategy and roadmap are always one step ahead and pushing the boundaries of innovation is the key to future-proofing your security infrastructure.

To learn how the Ping Intelligent Identity™ Platform can support your digital transformation by improving security and engagement across your digital business, visit www.pingidentity.com.

Ping Identity is pioneering Intelligent Identity. We help enterprises achieve Zero Trust identity-defined security and more personalized, streamlined user experiences. The Ping Intelligent Identity™ platform provides customers, employees, partners and, increasingly, IoT, with access to cloud, mobile, SaaS and on-premises applications and APIs, while also managing identity and profile data at scale. Over half of the Fortune 100 choose us for our identity expertise, open standards leadership, and partnership with companies including Microsoft and Amazon. We provide flexible options to extend hybrid IT environments and accelerate digital business initiatives with multi-factor authentication, single sign-on, access management, intelligent API security, directory and data governance capabilities. Visit www.pingidentity.com.

#3481 | 02.20 | v06