TRANSCRIPT
Modern Authentication: Turn a Losing Battle into a Winning Strategy
Robert Block | SVP, Identity Strategy
SecureAuth + Core Security – Better Together
Why are we here? Organizations are losing the Battle
81%
“81% of hacking-related breaches leveraged either stolen and/or weak passwords.”
2017 Verizon Data Breach Investigations Report
Passwords have layers of problems: COMPLEXITY + COSTS + HYGIENE
Credits: Adrian Zumbrunen, Wakefield Password Survey, CIAM 2017 Flanagan keynote
2FA has layers of problems: Disruptive UX + Limited Deployment = Vulnerable
Credits: Scott Adams, Wakefield 2FA survey
Do you want this? For this?
How did we get here?
Authentication in the Beginning…
• Physically protected
• No remote connectivity
• Limited number of users
• One system
• Life was good.
Today’s Authentication Toolkit
Any Device, Any ID Type, Any VPN, Any ID Store, Any MFA

PASSWORDS
• Complex passwords
• Self-service password reset
• Password vaulting
• Password generators

2FA/MFA
• Hard/soft tokens
• OTP via email, text, phone
• CAC/PIV
• Biometrics
• Certificates
• Device recognition
• Behavioral biometrics

SSO
• SAML
• OAuth
• WS-Fed
• WS-Trust
• OpenID

IDENTITY PROVIDER
• Directory connector
• User self-service
• REST API
Organizations are losing the Battle
Authentication Security is falling behind

COMPUTING
• 1946: The first commercial computer
• 1970: The first modern computer
• 1973: The first ethernet cable
• 1974: Internet
• 1990: HTML
• 1998: Google
• 2007: The first iPhone
• 2008: First Android phones launched
• 2009: LTE introduced
• 2013: First smartwatch: Pebble
• 2018: Mobile as desktop replacement

AUTHENTICATION
• 1961: First password developed
• 1979: Data Encryption Standard (DES) developed
• 1993: Hardware token (SecurID) developed
• 1995: First patent filed for two-factor authentication
• 1996: Advanced Encryption Standard (AES) developed
• 2002: SAML standard developed
• 2013: FIDO launched; Touch ID launched
• 2018: Face recognition; Iris recognition
What are IAM professionals looking for? IAM Solution Drivers
Average Driver Importance on a 0-100 scale:
63  Strengthening identity and access security
59  Meeting compliance and regulatory standards
55  Improving ability to detect insider threats
50  Simplifying user access
46  Ability to integrate with present IAM solutions
45  Keeping within budgets
41  Making admin easier
41  Reducing admin costs
What are security professionals looking for? Why do security professionals invest in IT security?
Score on a 0-100 scale:
63  Protection of sensitive data
57  Regulatory compliance
32  Reducing incidents and breaches
20  Protection of intellectual property
19  Alignment with organizational and IT strategic …
17  Protecting brand reputation
17  Reducing attack surface
15  Improving visibility into security operations
10  New, advanced threats and techniques
9   End user education and awareness
9   Improving incident response
A Winning Strategy: Modern Authentication
1. Adaptable user experience
2. Authentication appropriate to risk
3. Invisible analysis
4. Authentication is flexibly deployed and contributes outside of authentication
A Winning Strategy: 1. Adaptable User Experience
• A common misconception has been propagated by security professionals, and it needs to be dispelled.
• End users are not lazy.
• End users are empowered to participate.
• End users want more control than ever before.
• End User Choice must be a fundamental component:
  • Choice of endpoint
  • Choice of interaction experience
  • Choice of Identity Provider
  • Choice of additional factor when required
A Winning Strategy: 2. Authentication Appropriate to Risk
Authentication has for far too long been thought of as a binary event; the MFA approach suffers from this binary authentication event model.
Modern authentication views authentication as a risk score. Risk is not static; it is dynamic and changes throughout a user's session.
Risk mitigation by authentication challenges = ∑ (Probability of compromise) × (Impact)
• Risk-based authentication needs to be a fundamental component of modern authentication.
• Risk-based authentication measures attributes of the activity that a user is performing and calculates a risk score.
A Winning Strategy: 3. Invisible Analysis
Risk checks are done behind the scenes. Advantages of this approach include:
• Analysis is invisible to the end user
• More layers = more security
• Maximize both usability and security
A Winning Strategy: 4. Flexibly deployed and integrates across ecosystem
Deployment: Cloud, Hybrid, On-prem
Integrations: SIEM, PAM, UEBA, EMM, IGA, CSA
Machine learning driven Adaptive Authentication:
• 3rd Party Risk Analysis
• Location Risk Analysis
• Credential Risk Analysis
• Device Security Risk Analysis
• Data Access Risk Analysis
• Application Access Risk Analysis
• Event Risk Analysis
SecureAuth Modern Authentication Solution
SecureAuth Modern Authentication Solution: DETECT, PROTECT, ORCHESTRATE
Risk based analytics = modern technology
Machine learning driven Adaptive Authentication (3rd Party, Location, Credential, Device Security, Data Access, Application Access and Event Risk Analysis) drives the responses:
+ Challenge with MFA
+ Accept Access
+ Deny Access
+ Redirect Access
+ Contain identity
+ Revoke granted access
+ Initiate Certification
+ Increase alert fidelity
+ Decrease event noise
Modern Authentication: putting it all together
Modern Authentication in practice
Activity category (left to right, increasing risk): Standard Usage → Allowable Deviation → Unclear Deviation → Suspicious Activity → Malicious Activity
Risk level: Low → Medium → High
Resulting action: Allow → MFA Step → Redirect → Deny
Risk checks feeding the score:
• Device Recognition
• Threat Service
• Directory Lookup
• Geo-Location
• Geo-Velocity
• Geo-Fencing
• Phone Number Fraud Prevention
• Behavioral Biometrics
• Identity Governance
• User & Entity Behavior Analytics
SecureAuth Modern Authentication Solution
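As an added illustration (not code from the deck or from SecureAuth's product) of tenet 2's ∑ (Probability of compromise) × (Impact) formula and of the "in practice" matrix above: a session-level risk score recomputed on every request and mapped to the deck's Allow / MFA Step / Redirect / Deny actions. The score bands, the per-check probabilities and the impact weights are assumptions chosen for the walk-through.

```python
from typing import Dict, List, Tuple

# Assumed score bands (upper bound, level, action); not SecureAuth's real thresholds.
BANDS = [(0.20, "Low", "Allow"), (0.50, "Medium", "MFA Step"), (0.80, "High", "Redirect")]

def risk_score(signals: Dict[str, float], impact: float) -> float:
    """Deck formula: sum over checks of P(compromise) x impact, capped at 1.0.
    signals maps a check name (Device Recognition, Geo-Velocity, ...) to that check's
    estimate (0..1) that the actor is not the account owner; impact (0..1) is the
    sensitivity of what is requested, so the same signals challenge harder for payroll
    than for the intranet wiki."""
    return round(min(1.0, sum(p * impact for p in signals.values())), 4)

def decide(score: float) -> Tuple[str, str]:
    """Map a score to (risk level, action); anything at or above 0.8 is denied."""
    for upper, level, action in BANDS:
        if score < upper:
            return level, action
    return "High", "Deny"

class Session:
    """Checks reported so far. The user only sees the action (the analysis stays
    invisible) and the score is recomputed on every request, not once at login."""
    def __init__(self) -> None:
        self.signals: Dict[str, float] = {}

    def observe(self, check: str, p_compromise: float) -> None:
        self.signals[check] = p_compromise

    def request(self, impact: float) -> Tuple[float, str, str]:
        score = risk_score(self.signals, impact)
        level, action = decide(score)
        return score, level, action

def demo() -> List[Tuple[float, str, str]]:
    """Constructed walk-through of one session; the probabilities are illustrative."""
    s = Session()
    s.observe("Device Recognition", 0.10)    # known device, small residual doubt
    s.observe("Geo-Location", 0.10)          # usual country
    out = [s.request(impact=0.5),            # low-sensitivity app -> Allow
           s.request(impact=1.0)]            # sensitive app, same signals -> MFA Step
    s.observe("Behavioral Biometrics", 0.5)  # typing cadence drifts mid-session
    out.append(s.request(impact=1.0))        # -> Redirect
    s.observe("Geo-Velocity", 0.9)           # impossible travel reported
    out.append(s.request(impact=1.0))        # -> Deny
    return out
```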
Modern Authentication: Considerations & Next Steps
There are numerous considerations that need to be weighed and navigated as part of the modern authentication R/evolution.
Next steps require reframing your beliefs and culture, changing what you ask for and how you ask for it.
Technical Considerations
+ What authentication infrastructure is in place today, and how does a modern solution provider complement or replace it
+ What additional cyber security investments do I have that my modern solution provider can make more effective
+ What APIs and standards do I care about most, and why
+ What applications do I own, and what do I own within them

Security Considerations
+ What do I need to consider in modernizing my risk tolerance and guidance
+ Which factors are we willing to embrace from a security perspective, and why

End User Considerations
+ What is appropriate friction in each user category
+ Document use cases per category
+ % of smartphone-enabled categories
+ What are they willing to share with my organization
Conclusion: Modern Authentication, A Winning Strategy
• The definitions for Authentication were born in a different 'day' and are based upon technology and approaches that are 20 years old
• Passwords are the internet's version of asbestos
• Modern Authentication must balance security & end user experience
• Modern Authentication must be measurable against credential use (translation = the Breach)
• Modern authentication has the following key tenets:
1. Adaptable user experience
2. Authentication appropriate to risk
3. Invisible analysis
4. Flexibly deployed and integrates across infrastructure
Q & A
THANK YOU