twobee - Fotolia

Identity, authentication and authorisation becoming risk-led

Identity management, and authentication and authorisation governance are shifting away from being purely IT initiatives, according to RSA

Traditionally, initiatives around identity, authentication and authorisation have been about becoming more efficient and enabling faster provisioning.

“But we are seeing a shift towards such initiatives being part of a clear directional effort to address risk,” said Prashant Darisi, senior director, identity governance and lifecycle products at RSA.

This starts with assessing risk, identifying risk objectives and determining an organisation’s real risk appetite, he told Computer Weekly.

“When we look at Target, Sony or any of the other companies that have been breached, the reputational costs are now higher than ever,” said Darisi.

As a result, responsibility for assessing and mitigating breach-related risk is shifting in many businesses from the chief information security officer (CISO) to the chief information officer (CIO).

Organisations want to ensure that business risk is informed by the risk associated with matters such as orphan accounts and toxic combinations of entitlements.

The business is also concerned about the gap between IT and the business increasing through the adoption of cloud services by various business units without going through IT.

“While this so-called ‘shadow IT’ gives the business tremendous agility, it also often means that commercially sensitive data is sitting in the cloud,” said Darisi.

“This results in an increasing ‘gap of grief’ between the business’s need for agility and the need for security from the IT perspective.”

There needs to be a way for organisations to ensure that both of these needs are met by balancing security and convenience, said Darisi.

Key to enabling this, he said, is achieving continuous identity assurance through a system that automatically challenges users to authenticate when anomalies are detected.

Read more about identity management

But it is important that users are challenged only when necessary and that an appropriate level of authentication is required depending on context, he said.

To provide organisations with continuous identity assurance that is easy for employees to use, Darisi said RSA has added a cloud-based authentication-as-a-service option to the RSA SecurID Access product.

The aim, he said, is to deliver seamless access to both on-premise and cloud-based resources and systems through an additional dynamic, risk scoring functionality and support for a variety of multi-factor authentication options because the definition of convenience is different for different people.

“One person may choose OTP tokens, while someone else prefers fingerprint scans or proximity locking and unlocking, so we have to accommodate all of them so that people can authenticate in the way they feel is the most convenient,” said Darisi. In part, he said, this is enabled by RSA’s 400 partners that have developed authentication agents for a wide range of available methods of authentication.

A risk-led approach means organisations can automatically adjust the number of authentication factors required between one and seven, depending on the context and in line with best practice guidelines.

In addition to continuous identity assurance and user authentication their way, RSA is also addressing organisations’ need to secure legacy applications.

“By putting SecurID on a unified platform, businesses can access cloud applications and on-premise applications in the same place with the convenience of a single sign-on, but without using [the dangerous approach of] synchronising identities in the cloud,” said Darisi.

“We provide a 360-degree view of an individual’s identity through our portal – of the person’s role, location and devices - but we do not merge the identity stores,” he said.

Easier to implement and use

According to Darisi, this approach makes SecurID easier and simpler for organisations to implement and easier for employees to use, which is often overlooked, with the emphasis typically being on the technology and its features. It also eliminates the risk of a single, merged cloud-based identity store being breached.

RSA has focused on making the technology easier to adopt and deploy as well as making it easier to integrate with, and use, technologies already in an organisation’s IT environment, he said.

“Organisations are also now able to choose whether they want a cloud implementation, an on-premise implementation, or a hybrid implementation,” he said, adding that RSA is one of the few identity services suppliers that offer all three.

RSA has also recognised the importance of protecting unstructured data as much as applications. “Organisations are increasingly storing critical information on SharePoint, for example, and businesses need to protect those assets as much as they protect applications,” said Darisi.

But it is important to understand that identity platforms do not define an organisation’s risk appetite, he said. Therefore, they need to be used in conjunction with governance, risk and compliance products which are specifically designed to define and manage risk.

“That is why we have to exchange that rich metadata,” said Darisi, “and why interoperability is also extremely important in the context of risk-led identify, authentication and authorisation.”

Finally, he said that in the light of the increasing number of identity-related tasks that organisations are being face with as IT environments become more complex, identity and access management systems need to become more streamlined and automated.

“Identity products have to reduce the volume of data to improve through automation, and surface only what is most meaningful using a risk-led approach to identify when reviews are essential only when something has changed or to identify things such as outliers, anomalous behaviour, unauthorised changes and rogue access, to reduce risk by providing continuous identity assurance,” said Darisi.

Read more on Identity and access management products