A layered approach to modern identity


The way we work is evolving. Traditional desktop computers and laptops are slowly giving way to the mobile device. From smartphones to tablets, a growing number of employees are embracing the flexibility that accompanies such devices. In fact, 55 percent of all email was opened on mobile devices from May 2017 to April 2017, up from just 29 percent in 2012.

In addition to keeping tabs on the office, consumers have come to rely upon mobile devices for a whole host of capabilities, including mobile banking, shopping and even payments. Today, Americans spend an average of 5 hours per day on mobile devices – a 20 percent increase compared to 2015.

With this shift towards mobile access at work, home and everywhere in between comes a shift in both user expectations and behaviors. Instant access to information, anytime and anywhere, is the norm, which means our tolerance for friction has greatly diminished. This new attitude allows employees to be more productive and responsive, and even to make more informed decisions. From a security perspective, however, the digital era consumers have grown accustomed to is built on a house of cards. The apps consumers open at the touch of an icon or the imprint of a finger are almost all protected by nothing more than a password, and with more and more work and personal data moving online, attackers routinely defeat passwords through phishing, reuse of leaked credentials and guessing to get at that information.

Implementing more rigorous security seems like an easy next step, but many organizations are slow to adopt new security approaches because of the presumed negative impact on user experience. Dealing with password resets and multiple login IDs just doesn’t make sense anymore. The answer, it would seem, may be right in our hands: using the mobile device as the foundation of a modern digital identity. Whether employees work from laptops or access applications straight from mobile devices, modern digital identity can be virtually transparent or, at most, require a quick touch of a button to provide instant access while keeping attackers at bay.

Using mobile devices for authentication is not entirely new, but most implementations, SMS one-time codes in particular, still interrupt the user and do little against the more advanced threats: a code typed into a phishing page is relayed to the attacker as readily as a password, and SMS delivery itself can be intercepted or redirected. The answer lies in a layered approach to intelligent identity, one that blends a number of technologies so that security remains in the background and only involves the user, with minimal effort, when absolutely necessary.

1. Device reputation

The first step to creating a trusted identity is vetting the device itself. The more information enterprises can gather on a device and its activity across the internet, the better. Spot a history of fraud or malware? That may be enough to raise concerns over the integrity of a smartphone or tablet.

Similarly, devices that have been modified in a way that circumvents native controls, such as jailbroken iPhones or rooted Android devices, carry an increased risk of fraud, because malware on such a device can read credentials and tamper with the very checks that are supposed to detect it. Carefully review any and all changes to a device, as well as its history, to decide whether it is worth trusting: do this before provisioning a credential, and then periodically (weekly, for example) so that the device’s reputation stays current. Bear in mind that an integrity check running on the device itself can be defeated by a compromised device, so pair it with signals gathered server-side.

2. User identity proofing

Once a device’s reputation is confirmed, an authorized user of that device must be established. Validate the user’s identity during enrollment with a secure registration link sent to a verified email address or an out-of-band code delivered by IT, coupled with identity vetting questions. For an extra layer of assurance, add a biometric check of the prospective user: a selfie or fingerprint captured during enrollment can be compared with the biometric already on file from onboarding, and the match used to bind that trusted device to that specific employee.


3. Provision a secure credential

With a credible device and user in place, the next step is to create a trusted identity foundation using a mobile smart credential. Unlike a password or an SMS code, the credential is held on the device (ideally in its secure hardware) rather than typed by the user, so it cannot be phished or replayed the way a shared secret can. The credential authenticates employees as they interact with different portals, applications and VPNs, and because the authentication takes place in the background, employees don’t have to log in separately each time they need to access sensitive information. That transparency sets the stage for a user experience that is both secure and convenient.

4. Adaptive authentication

From how they type and swipe, to where they are located, to what they are transacting, each employee works differently. By comparing behavioral signals across sessions, adaptive authentication builds a baseline for each user and device and gives greater insight into whether a device is being operated by its legitimate user. With this monitoring running constantly in the background, anomalies in behavioral biometrics, location or transaction patterns can be flagged as they occur. When a recognized pattern is broken, the request can either be denied outright or challenged with step-up authentication, depending on how far it departs from the baseline.

5. Step up user authentication

As the final layer of protection, step-up user authentication brings the user in for explicit acknowledgement. Anomalies in the contextual information gathered by adaptive authentication trigger a security challenge that typically takes only an instant to complete; for example, a fingerprint or facial recognition may be required to proceed. Combining the biometric captured at that moment with the sign-on credential already on the device lets you validate the user’s identity, or even approve a specific transaction, with minimal impact on the user experience.
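The five layers above are one decision pipeline, so the following added example (written for this page; it is not code from the article or from any vendor) sketches how they fit together in a server-side policy engine. The device and its baseline, the out-of-band enrollment code, the thresholds, and the use of an HMAC key as a stand-in for a mobile smart credential are all assumptions made for the illustration; a real deployment would hold an asymmetric key in the device’s secure hardware and feed the risk score from richer telemetry.

```python
"""Layered identity decision engine: device reputation, enrollment binding,
device-held credential, adaptive risk scoring and biometric step-up.
Illustration only; every structure and threshold here is an assumption."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"


@dataclass
class Device:
    device_id: str
    jailbroken: bool = False            # layer 1: native controls bypassed
    malware_history: bool = False       # layer 1: seen in fraud/malware telemetry
    user: Optional[str] = None          # layer 2: bound at enrollment
    credential: Optional[bytes] = None  # layer 3: stand-in for a mobile smart credential
    baseline: dict = field(default_factory=dict)  # layer 4: learned behaviour


def device_reputation_ok(dev: Device) -> bool:
    """Layer 1: never trust a modified device or one with a fraud/malware history."""
    return not (dev.jailbroken or dev.malware_history)


def enroll(dev: Device, user: str, otp_expected: str, otp_given: str) -> bytes:
    """Layers 2 and 3: check the device, prove the user with an out-of-band code,
    bind user to device and provision a per-device credential."""
    if not device_reputation_ok(dev):
        raise PermissionError("device failed reputation check")
    if not hmac.compare_digest(otp_expected, otp_given):  # constant-time compare
        raise PermissionError("out-of-band code mismatch")
    dev.user = user
    dev.credential = secrets.token_bytes(32)  # real deployments: key in secure hardware
    return dev.credential


def sign(credential: bytes, challenge: bytes, biometric_ok: bool) -> str:
    """Device side: answer a server challenge with the credential. The local
    biometric result is folded into the signed message so it cannot be forged
    by simply flipping a flag in transit."""
    tag = b"\x01" if biometric_ok else b"\x00"
    return hmac.new(credential, challenge + tag, hashlib.sha256).hexdigest()


def risk_score(dev: Device, ctx: dict) -> int:
    """Layer 4: compare this request's context with the device's learned baseline."""
    base, score = dev.baseline, 0
    if base.get("country") and ctx.get("country") != base["country"]:
        score += 40  # new country for this user
    typ = base.get("typing_ms")
    if typ and abs(ctx.get("typing_ms", typ) - typ) > 0.5 * typ:
        score += 30  # typing rhythm far from the user's norm
    if ctx.get("amount", 0) > base.get("max_amount", 0):
        score += 30  # larger transaction than ever seen from this user
    return score


def authenticate(dev: Device, challenge: bytes, sig: str, biometric_ok: bool, ctx: dict) -> str:
    """Layers 1 to 5 combined: allow, demand step-up, or deny one request."""
    if not device_reputation_ok(dev) or dev.credential is None:
        return DENY
    expected = sign(dev.credential, challenge, biometric_ok)
    if not hmac.compare_digest(expected, sig):
        return DENY  # wrong device, or a biometric assertion that was not actually signed
    score = risk_score(dev, ctx)
    if score >= 80:
        return DENY
    if score >= 30:
        # Layer 5: anomaly seen; proceed only once the user has acknowledged with a biometric
        return ALLOW if biometric_ok else STEP_UP
    return ALLOW


if __name__ == "__main__":
    # Constructed sample: one enrolled device and a request from an unusual country
    dev = Device("dev-1", baseline={"country": "US", "typing_ms": 200, "max_amount": 500})
    cred = enroll(dev, "alice", "482913", "482913")
    ch = secrets.token_bytes(16)
    ctx = {"country": "FR", "typing_ms": 210, "amount": 100}
    print(authenticate(dev, ch, sign(cred, ch, False), False, ctx))  # step_up
    print(authenticate(dev, ch, sign(cred, ch, True), True, ctx))    # allow
```

The step-up decision is made by the server, not the app: a client that merely claims a biometric succeeded, without the signed assertion, fails the credential check and is denied. Thresholds are deliberately crude; in practice they would be tuned against the organisation’s own false-positive rate.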

The growing importance of mobile devices – both inside and outside of the office – has sparked the need and opportunity for a modern security strategy. From identity proofing to adaptive authentication, cater to the fast-changing lifestyles of today’s workforce using a layered approach that improves security without sacrificing convenience.