WHITE PAPER
INTELLIGENT IDENTITY: New Approaches to Optimize Security and User Convenience for the Digital Enterprise
TABLE OF CONTENTS
Introduction
How Intelligent Identity Works
How Intelligent Identity Evaluates Cybersecurity Risks
How Intelligent Identity Evaluates User and Device Context
How Intelligent Identity Integrates Learning, Risk and Context with Policy
Leverage Intelligent Identity for Digital Transformation Success
INTRODUCTION
Today’s customers demand that their interactions across all channels be personalized,
private and secure. At the same time, the modern workforce needs to be productive
from anywhere, on any device, with access to all enterprise resources on demand.
Requirements like these have ignited dramatic shifts in the way businesses operate
across the globe. In response, enterprises are adding more resources, people and
devices to ensure the success of their digital transformation initiatives, all with the
goal of keeping up with the rising tide of customer and workforce expectations.
While these shifts are driving improvements in productivity and experience, they
also come with higher risk. The increased frequency and severity of large-scale data
breaches over the past decade is evidence of this.
To maintain an accelerated path of transformation without sacrificing security,
many enterprises are choosing a Zero Trust approach. Zero Trust is a security
concept that addresses the realities of digital transformation and provides a
framework to increase security in an increasingly open and connected world. Zero
Trust asserts that no user, system or service can be automatically trusted, whether
inside or outside the traditional security perimeter, and that anyone or anything
must be verified before being granted access to resources.
Those organizations that are already moving toward Zero Trust are realizing
firsthand the advantages of putting identity at the center of security, while
leveraging artificial intelligence (AI) and machine learning (ML) technologies
to make security smarter. A recent CapGemini global survey of 850 technology
executives found that 73% are testing AI use cases for cybersecurity, while 65% are
using AI for identity and access security.2
An intelligent identity platform that leverages Zero Trust principles and AI to provide continuous validation of user identities can enable
enterprises to not just maintain, but accelerate digital transformation efforts to win in the new digital economy. In its 2019 Magic Quadrant for
Access Management, Gartner echoes this sentiment and predicts that “by 2022, 60% of access management implementations will leverage user
and entity behavior analytics capabilities and other controls to provide continuous authentication, authorization and online fraud detection, up
from less than 10% today.”3
“The 2010s were the worst decade on record for hacks and data breaches… adding up to nearly 4 billion records stolen in total over the past 10 years.”1

1 Holmes, Aaron. “Biggest hacks and data breaches of the last decade: 2010 through 2019.” Business Insider. November 13, 2019.
2 Tolido, Ron, Geert van der Linden, Luis Delabarre, Jeff Theisler, Yashwardhan Khemka, Anne-Laure Thieullent, Allan Frank, Jerome Buvat and Sumit Cherian. “Reinventing Cybersecurity with Artificial Intelligence: The new frontier in digital security.” CapGemini Research Institute. July 11, 2019.
3 Kelley, Michael, Abhyuday Data and Henrique Teixeira. Magic Quadrant for Access Management. Gartner. August 12, 2019.
HOW INTELLIGENT IDENTITY WORKS
Figure 1: Intelligent identity evaluates risk, context and policy alongside machine learning to determine a tailored security outcome.
An intelligent identity solution helps you strike the ideal balance of security and user convenience. Capable of analyzing a wide range of
data—including the cybersecurity risks associated with a user, the context in which they’re requesting access, as well as the device from
which they’re requesting access—an intelligent identity solution leverages adaptive security policies alongside machine learning to determine
the appropriate next steps with the least amount of friction for the user. By tailoring security outcomes based on risk, an intelligent identity
solution makes it possible to provide both seamless and secure access for users.
Tailored Security Outcomes: Striking a Balance Between Security & Experience
A tailored security outcome leveraging cybersecurity risk signals, user and device contexts and anomaly detection based on learned patterns provides a superior experience for any type of user. A sampling of the outcomes that can be delivered includes:
• Allow access: grants a user access to requested resources, transactions or data.
• Deny access: denies a user access based on one or more cybersecurity risks,
contexts or policies.
• Allow reduced access: reduces a user’s access to certain URLs or transaction types
based on one or more cybersecurity risks, contexts or policies.
• Re-authenticate: requires a user to log in again after a certain type of behavior is
observed or a high-risk request is made.
• Step-up authentication: requires an additional form of authentication to verify user
identity, such as a biometric or FIDO security key, before granting access to the
requested resource.
• Force password reset: requires a user to reset their password after a certain type of
behavior or after an event such as a compromised credential has been recognized.
• Force MFA enrollment: requires a user to enroll in and successfully complete a multi-factor authentication challenge when requesting
access to a sensitive resource.
• Passwordless authentication: prompts the user for a more convenient method of logging in, such as TouchID or FaceID, instead of a
username and password.
By customizing the next best step based on a range of criteria and learned patterns, an intelligent identity solution is able to maximize
security while minimizing user friction.
“Pursue passwordless authentication: Replacing a password with biometric authentication can improve both usability and security, a combination not frequently observed among security and IAM tools.”4

4 Ruddy, Mary, Mark Diodati, Paul Rabinovich and Paul Mezzera. “2020 Planning Guide for Identity and Access Management.” Gartner Research. October 7, 2019.
HOW INTELLIGENT IDENTITY EVALUATES CYBERSECURITY RISKS
Intelligent identity solutions are able to evaluate risks identified as non-starters for accessing your business’s applications and data.
Non-starters are those actions or behaviors that an organization has determined automatically disqualify users from accessing resources.
In the case of customer access, these risks typically indicate fraudulent activity. For employees, both fraudulent activity and other factors
that may expose the organization to unnecessary risk are taken into account.
The user, device, resource, location and network risk categories shown in Figure 2 denote specific risk signals that can be leveraged in
security decision making, most often as indicators of when to block access or request a higher level of assurance that the user is who they
say they are.
User Risk: Abnormal User Behavior
An abnormal user behavior risk is generated when a user’s behavior in a specific instance varies from the baseline of what’s considered normal for that user or their organization. For example, if a user attempts to log in at an unusual time based on their past logins, an intelligent identity solution can enforce multi-factor authentication before providing access. If a higher-risk scenario is detected, like a user attempting access with a browser language setting that hasn’t been previously used by that user or anyone else in their group or organization, it can deny access completely.
Figure 2: The types of security risks that an intelligent identity solution is capable of analyzing: user (abnormal user behavior), device (bad device reputation), resource (anomalous API sequence), location (impossible travel velocity) and network (bad IP reputation).
Figure 3: An intelligent identity solution is able to compare a user’s current behavior to past behavior to evaluate access risk (for example, an abnormal login time for this user, or an abnormal language setting for this group).
Device Risk: Bad Device Reputation
This risk signal is generated by analyzing thousands of attributes to accurately recognize a device, identify fraud patterns and uncover detection-evasion tactics, such as the use of proxy servers and Tor networks. For example, if a device accesses multiple accounts assigned to different users within an extremely short window of time, an intelligent identity solution can block access or require a stronger form of authentication.

Resource Risk: Abnormal API Sequence
An abnormal API sequence risk is generated by leveraging AI and ML to compare the normal and expected usage patterns of APIs with an individual’s use of those same APIs. APIs are commonly accessed in a logical flow presented to users within a web interface. For example, in an online banking portal, a user will commonly log in, view their account balances, then make payments. If these steps are skipped, it could indicate that a bad actor is attempting to access certain APIs outside of the web application. In this case, the intelligent identity solution can step up authentication, block further access or take other actions.
Figure 4: An intelligent identity solution is able to analyze thousands of attributes to detect fraud and evasion tactics (history of fraud? evading detection? botnet detected?).
Figure 5: An intelligent identity solution is able to compare API usage against typical patterns (for example, Login API, then Accounts API, then Payments API) to identify anomalies.
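The resource-risk signal above is easiest to understand as a learned transition model over API calls. The following Python is an added example (not code from the paper or from Ping Identity): it learns which (previous call, next call) pairs occur in a constructed set of normal banking sessions and then flags transitions a live session makes that the baseline never produced, such as calling the payments API without first passing through login and accounts. The endpoint names, the baseline sessions and the mapping from anomalies to outcomes are all assumptions made for the illustration.

```python
from typing import List, Set, Tuple

# Synthetic marker for "no previous call yet in this session".
START = "<start>"

# Constructed baseline: API call sequences from normal web-app sessions
# (hypothetical endpoint names, not data from the paper). Every legitimate
# flow starts at the login API and reaches the payments API only through the
# accounts API, mirroring the login -> balances -> payments example.
BASELINE_SESSIONS: List[List[str]] = [
    ["login", "accounts", "payments"],
    ["login", "accounts"],
    ["login", "accounts", "accounts", "payments"],
    ["login", "accounts", "payments", "accounts"],
]


def learn_transitions(sessions: List[List[str]]) -> Set[Tuple[str, str]]:
    """Learn the set of (previous_call, next_call) pairs seen in normal sessions.

    This is the simplest 'learned usage pattern': a first-order transition
    model over API calls, including the transition from START to the first
    call of each session.
    """
    allowed: Set[Tuple[str, str]] = set()
    for calls in sessions:
        prev = START
        for call in calls:
            allowed.add((prev, call))
            prev = call
    return allowed


def find_anomalies(session: List[str],
                   allowed: Set[Tuple[str, str]]) -> List[Tuple[int, str, str]]:
    """Return every transition in `session` that the baseline never produced.

    Each entry is (position, previous_call, call). A session that jumps
    straight to 'payments' is reported because neither (START, 'payments')
    nor ('login', 'payments') is a learned transition.
    """
    anomalies: List[Tuple[int, str, str]] = []
    prev = START
    for position, call in enumerate(session):
        if (prev, call) not in allowed:
            anomalies.append((position, prev, call))
        prev = call
    return anomalies


def classify_session(session: List[str], allowed: Set[Tuple[str, str]]) -> str:
    """Map anomalies to a tailored outcome (assumed policy, not the paper's).

    - no unexpected transitions                -> "allow"
    - an unexpected path into a sensitive API  -> "block"
    - any other unexpected transition          -> "step-up"
    """
    sensitive = {"payments"}  # assumed set of high-value endpoints
    anomalies = find_anomalies(session, allowed)
    if not anomalies:
        return "allow"
    if any(call in sensitive for _, _, call in anomalies):
        return "block"
    return "step-up"


if __name__ == "__main__":
    model = learn_transitions(BASELINE_SESSIONS)
    for s in (["login", "accounts", "payments"], ["payments"], ["accounts", "payments"]):
        print(s, "->", classify_session(s, model), find_anomalies(s, model))
```

A production system would learn transition counts across many users and treat rare rather than merely unseen transitions as anomalous, but the shape of the check is the same: compare the observed call order to the order the web interface would naturally produce.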
Location Risk: Impossible Travel Velocity
This risk signal is generated by comparing location data between authentication events for a single user. If the travel time between a user’s current login location and their previous login location is not possible in the time since their previous login, an event can be triggered. For example, if a user logs in from New York and then attempts to log in from Moscow an hour later, the user could be denied access.

Network Risk: IP Reputation
An IP reputation risk signal is generated when an IP address is associated with fraudulent and other malicious activities. IP reputations can present different levels of risk. An intelligent identity solution can use threat intelligence data to evaluate IP reputation and determine the appropriate security outcome for the user. For example, if a user logs in from an IP address where significant bot traffic has originated, they may be required to provide a stronger method of authentication. Similarly, a user logging in from an IP address where a large volume of online fraud has been traced may be denied access completely.
Figure 6: An intelligent identity solution is able to compare location data between authentication events for a single user (for example, logins at 8:00am and 9:00am from locations too far apart to travel between in an hour) to detect potentially fraudulent access attempts.
Figure 7: An intelligent identity solution is able to utilize threat intelligence data to evaluate IP reputation.

Risk Score | Action
High       | Deny
Medium     | Biometric
Low        | Approve
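The user, location and network risk signals described above (abnormal login time, impossible travel velocity and IP reputation) can be computed from two consecutive authentication events plus a per-user baseline. The Python below is an added example, not code from the paper or from Ping Identity: it computes the three signals and combines them into the risk score and action shown in Figure 7 (High → Deny, Medium → Biometric, Low → Approve). The speed threshold, the one-hour tolerance on login time, the sample logins and the threat-intelligence table (RFC 5737 documentation addresses) are constructed assumptions.

```python
import math
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 1000.0   # assumed ceiling; roughly airliner speed

# Constructed threat-intelligence feed (documentation addresses, not real
# indicators). Categories mirror the paper's examples: bot traffic and fraud.
IP_REPUTATION: Dict[str, str] = {
    "203.0.113.7": "bot",
    "198.51.100.9": "fraud",
}

# Constructed sample events and baseline (UTC). Coordinates are New York and Moscow.
NEW_YORK = {"lat": 40.7128, "lon": -74.0060}
MOSCOW = {"lat": 55.7558, "lon": 37.6173}
LOGIN_NY_0800 = {"time": datetime(2020, 2, 3, 8, 0, tzinfo=timezone.utc), "ip": "192.0.2.10", **NEW_YORK}
LOGIN_NY_0900 = {"time": datetime(2020, 2, 3, 9, 0, tzinfo=timezone.utc), "ip": "192.0.2.10", **NEW_YORK}
LOGIN_MOSCOW_0900 = {"time": datetime(2020, 2, 3, 9, 0, tzinfo=timezone.utc), "ip": "192.0.2.10", **MOSCOW}
LOGIN_NY_0300_BOT = {"time": datetime(2020, 2, 3, 3, 0, tzinfo=timezone.utc), "ip": "203.0.113.7", **NEW_YORK}
LOGIN_NY_0900_FRAUD = {"time": datetime(2020, 2, 3, 9, 0, tzinfo=timezone.utc), "ip": "198.51.100.9", **NEW_YORK}
USER_HISTORY_HOURS = [8, 9, 9, 10, 17]   # hours (0-23) of this user's past logins


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS84 points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(prev_login: dict, cur_login: dict) -> bool:
    """Location risk: True if covering the distance between the two logins in
    the elapsed time would require more than MAX_PLAUSIBLE_SPEED_KMH."""
    distance = haversine_km(prev_login["lat"], prev_login["lon"], cur_login["lat"], cur_login["lon"])
    hours = (cur_login["time"] - prev_login["time"]).total_seconds() / 3600.0
    if hours <= 0:
        return distance > 0.0          # same instant, different place
    return distance / hours > MAX_PLAUSIBLE_SPEED_KMH


def abnormal_login_hour(history_hours: List[int], hour: int) -> bool:
    """User risk: True if this user has never logged in within +/-1 hour of `hour`."""
    window = {(hour - 1) % 24, hour, (hour + 1) % 24}
    return not any(h in window for h in history_hours)


def ip_reputation(ip: str) -> str:
    """Network risk: look the address up in the (constructed) threat-intel feed."""
    return IP_REPUTATION.get(ip, "clean")


def evaluate_login(prev_login: Optional[dict], cur_login: dict,
                   history_hours: List[int]) -> Tuple[str, str, List[Tuple[str, str]]]:
    """Combine the signals into (risk score, action, signals) per Figure 7."""
    signals: List[Tuple[str, str]] = []
    if prev_login is not None and impossible_travel(prev_login, cur_login):
        signals.append(("impossible_travel", "high"))
    rep = ip_reputation(cur_login["ip"])
    if rep == "fraud":
        signals.append(("ip_reputation_fraud", "high"))
    elif rep == "bot":
        signals.append(("ip_reputation_bot", "medium"))
    if abnormal_login_hour(history_hours, cur_login["time"].hour):
        signals.append(("abnormal_login_hour", "medium"))
    severities = {sev for _, sev in signals}
    score = "high" if "high" in severities else "medium" if "medium" in severities else "low"
    action = {"high": "deny", "medium": "biometric", "low": "approve"}[score]
    return score, action, signals


if __name__ == "__main__":
    print(evaluate_login(LOGIN_NY_0800, LOGIN_MOSCOW_0900, USER_HISTORY_HOURS))
    print(evaluate_login(LOGIN_NY_0800, LOGIN_NY_0900, USER_HISTORY_HOURS))
    print(evaluate_login(None, LOGIN_NY_0300_BOT, USER_HISTORY_HOURS))
```

The "worst signal wins" combination is deliberately simple; real engines weight signals and let policy decide the thresholds, but keeping the highest severity as the floor ensures a single non-starter (such as a fraud-associated IP) cannot be averaged away by otherwise normal behavior.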
HOW INTELLIGENT IDENTITY EVALUATES USER AND DEVICE CONTEXT
The need to enable access to resources from anywhere has greatly expanded
the contexts and use cases security teams must consider. The proliferation of
consumer devices and expansion of BYOD programs has further complicated
the matter, with users often needing to gain access from a range of devices with
starkly different security postures.
Similar to cybersecurity risks, an intelligent identity solution can evaluate a range
of user and device context risks as shown in Figure 8 to determine the appropriate
security outcome.
User Context: Geo-Location
Geo-location refers to the physical location of the device from which the user is requesting access. A physical presence in certain locations, such as an end user’s home or within a corporate office, may be considered safe for accessing certain resources. For example, an intelligent identity solution can set less restrictive security outcomes, such as passwordless authentication, when users are in certain geo-locations. Similarly, it can mandate multi-factor authentication when they’re outside these geo-locations.

User Context: Recent Login from IP
This user context is provided by data from the user’s previous login attempt. Similar to the example above, if a user has recently authenticated from a trusted IP address while trying to access a sensitive resource, a lower-friction method of authentication and authorization can be applied. On the other hand, if an hour, day or week (as determined by the organization) has passed since the user last authenticated from this IP, a more secure method can be applied.

Device Context: New Device
This context is provided by comparing information about the device requesting access to the device on file. If the device is recognized as new, the user can be required to register the device using the existing device on file or through other secure methods. Subsequently, the user can authorize the requesting device as a trusted device for future login and access requests.

Device Context: Device Posture & Management
This device context can be provided directly from the device itself or by a mobile device management solution in workforce use cases. An intelligent identity solution can use a variety of device attributes to detect if a device has been rooted or jailbroken, has screen lock enabled, or is compliant with corporate policies. This data can then be used to determine if a user can access, what they can access and what security steps must be overcome to gain access.
Figure 8: Types of user and device context that can be evaluated by an intelligent identity solution: user context (geo-location, recent login from IP) and device context (new device, device posture & management).

HOW INTELLIGENT IDENTITY INTEGRATES LEARNING, RISK AND CONTEXT WITH POLICY
The ways in which users interact digitally, even within the context of a single organization, carry a wide variety of risks. These risks
are presented through a combination of the resource to which the user is requesting access and the action taken by the user with that
resource. As such, organizations leverage risk, context and policies alongside learning to take resource and user action into account. This
is illustrated in the online banking scenario in Figure 9, in which a user has access to two banking resources, with the ability to conduct
three distinct actions within each resource.
Different combinations of resources and associated actions result in varying levels of risk to the organization. A simplified categorization
of these risks may look something like:
• Low Risk: A Card Rewards account is accessed to Review Reward Points
• Medium Risk: A Bank Account is accessed to View Account Balance
• High Risk: A Bank Account is accessed to Initiate a Wire Transfer
User-based policies based on combinations of resource and user action related risks can be defined by the organization. Policies should
also take into account cybersecurity risks, as well as user and device context.
Figure 9: An intelligent identity solution defines policies based on resources and user actions (an online banking user; banking resources: Bank Account and Card Rewards; user actions: Review Reward Points, View Account Balance and Initiate Wire Transfer).
Attribute-based Access Control
Policies may consider the attributes of a user stored in their user profile. A common way to enable attribute-based policy control is evaluating a “group” attribute and defining which application(s) that group’s members can access. Beyond group membership evaluation, the options are limitless. Attributes such as age, premium member status or virtually any other criteria can be evaluated to approve or deny access, as well as to determine which authentication mechanisms are required to attain the appropriate level of assurance.

Resource-based Access Control
The resource being accessed—from the application down to the specific URL or API—can be evaluated alongside user context, device context and cybersecurity risks during authorization. These authorization policy rules can be built around one or more resources, allowing only specific groups or users with certain attributes access to certain resources, transactions and data.
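The user and device context section and the policy section above describe one decision: combine the resource/action risk tier (Figure 9), the user’s profile attributes, the device context (new device, posture, geo-location, recent login from a trusted IP) and the upstream cybersecurity risk level into a single tailored outcome. The Python below is an added example that is not code from the paper or from Ping Identity. The risk tiers are the paper’s banking scenario; the trusted locations, the one-hour trusted-IP window, the "verified_customers" group required for wire transfers, the request shape and the rule order are assumptions made for the illustration.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Resource/action risk tiers from the paper's banking scenario (Figure 9).
RESOURCE_ACTION_RISK: Dict[Tuple[str, str], str] = {
    ("card_rewards", "review_reward_points"): "low",
    ("bank_account", "view_account_balance"): "medium",
    ("bank_account", "initiate_wire_transfer"): "high",
}
# Assumed organizational choices (not from the paper).
TRUSTED_LOCATIONS = {"home", "corporate_office"}
RECENT_TRUSTED_IP_WINDOW = timedelta(hours=1)
WIRE_TRANSFER_GROUP = "verified_customers"

# Constructed sample data used by the usage code and tests.
NOW = datetime(2020, 2, 3, 9, 0, tzinfo=timezone.utc)
BASE_USER = {"groups": ["customers"], "last_trusted_ip_login": NOW - timedelta(minutes=30)}
STALE_USER = {"groups": ["customers"], "last_trusted_ip_login": NOW - timedelta(days=1)}
VERIFIED_USER = {"groups": ["customers", WIRE_TRANSFER_GROUP], "last_trusted_ip_login": NOW - timedelta(minutes=30)}
GOOD_DEVICE = {"rooted": False, "screen_lock": True, "new": False, "compliant": True, "location": "home"}


def make_request(resource: str, action: str, risk: str = "low",
                 user: Optional[dict] = None, device: Optional[dict] = None) -> dict:
    """Assemble one access request; `risk` is the cybersecurity risk level computed upstream."""
    return {"resource": resource, "action": action, "risk": risk,
            "user": dict(BASE_USER if user is None else user),
            "device": dict(GOOD_DEVICE if device is None else device)}


def decide(request: dict, now: datetime) -> str:
    """Return the tailored security outcome for one request.

    Rules are evaluated in order, non-starters first, so a later low-friction
    rule can never override an earlier deny.
    """
    user, device = request["user"], request["device"]
    tier = RESOURCE_ACTION_RISK.get((request["resource"], request["action"]))

    # 1. Unknown resource/action pairs are never implicitly allowed.
    if tier is None:
        return "deny"
    # 2. Non-starters: high cybersecurity risk, or a device failing posture checks.
    if request["risk"] == "high" or device.get("rooted") or not device.get("screen_lock", False):
        return "deny"
    # 3. New device: it must be registered from the device already on file.
    if device.get("new"):
        return "register_device"
    # 4. High tier: the user needs the right attribute and always a second factor.
    if tier == "high":
        if WIRE_TRANSFER_GROUP not in user.get("groups", ()):
            return "deny"
        return "step-up"
    # 5. Medium tier: low friction only when risk is low and the user recently
    #    authenticated from a trusted IP (the "recent login from IP" context).
    if tier == "medium":
        last = user.get("last_trusted_ip_login")
        recent = last is not None and now - last <= RECENT_TRUSTED_IP_WINDOW
        return "allow" if request["risk"] == "low" and recent else "step-up"
    # 6. Low tier: passwordless from a trusted geo-location on a compliant device.
    if device.get("location") in TRUSTED_LOCATIONS and device.get("compliant"):
        return "passwordless"
    return "allow"


if __name__ == "__main__":
    for resource, action in RESOURCE_ACTION_RISK:
        print(resource, action, "->", decide(make_request(resource, action), NOW))
```

The ordering is the important design choice: deny-class checks (unknown resource, high risk, failed posture) run before any rule that reduces friction, and the low-tier passwordless path is only reached once every stronger rule has declined to act.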
Figure 10: Various user attributes can be evaluated to determine if access should be granted.
Figure 11: Policies can be established that allow only certain users access to resources (user, environment and information attributes are evaluated by the authorization engine, which permits or denies the requested level of access).

LEVERAGE INTELLIGENT IDENTITY FOR DIGITAL TRANSFORMATION SUCCESS
There is no limit to how far enterprises can take their digital transformation efforts. As these initiatives persist long into the future, AI and ML will become foundational to providing the optimal balance of security and user experience. Built on these principles, intelligent identity will provide the tools for enterprises to compete in an on-demand world where people want anywhere, anytime, any device access.
With the great cloud migration in full swing, combined with mobile experiences and public APIs driving new sources of revenue, the enterprise attack surface has expanded significantly. Combine these trends with expanding partner ecosystems, remote access, BYOD, IoT adoption and others, and it’s easy to see why an intelligent identity solution is needed to secure tomorrow’s enterprises.
Aligning with a security provider whose product strategy and roadmap are always one step ahead and pushing the boundaries of innovation is the key to future-proofing your security infrastructure.
To learn how the Ping Intelligent Identity™ Platform can support your digital transformation by improving security and engagement across your digital business, visit www.pingidentity.com.

Ping Identity is pioneering Intelligent Identity. We help enterprises achieve Zero Trust identity-defined security and more personalized, streamlined user experiences. The Ping Intelligent Identity™ platform provides customers, employees, partners and, increasingly, IoT, with access to cloud, mobile, SaaS and on-premises applications and APIs, while also managing identity and profile data at scale. Over half of the Fortune 100 choose us for our identity expertise, open standards leadership, and partnership with companies including Microsoft and Amazon. We provide flexible options to extend hybrid IT environments and accelerate digital business initiatives with multi-factor authentication, single sign-on, access management, intelligent API security, directory and data governance capabilities. Visit www.pingidentity.com.
#3481 | 02.20 | v06