If you’re a fan of TV crime dramas, you’ve no doubt seen one of those episodes where the bad guy gets away with something because the local police department doesn’t have a key piece of information about him that the FBI does (or vice-versa). Meanwhile, there’s usually a subplot going on at the same time, in which a perfectly innocent person is detained by the cops even though he didn’t do anything wrong. Not only is he detained for no good reason, but by the time they figure it out and let him go on his way, the real criminal has done even more damage. If only they’d had access to the data that would have placed the innocent party in another place at the time of the crime, they could have stopped wasting their (and his) time and focused instead on catching the actual bad guys.
I don’t know about you, but all this reminds me of today’s identity and access challenges. You can have a robust identity and access management system with authentication capabilities that enable you to confidently distinguish legitimate users from cybercriminals—but it would be even better if you could share different types of intelligence with other systems. This is the connected aspect of transforming secure access that I mentioned earlier while describing a path to modern authentication that’s pervasive, connected and continuous.
Just as authentication needs to be pervasive, in the sense of being everywhere users may be and everywhere applications may live, it also needs to be connected to every relevant system engaged in the mission to stop cybercrime. By connecting identity, threat and risk information across the IT infrastructure and business operations, security teams can be assured of having visibility into the information and intelligence they need to meet today’s demands. Let’s look at how identity and access management can connect with threat detection and response, as well as with GRC and risk management, to deliver the intelligence to transform secure access.
Leveraging threat detection and response information for better access decisions (and vice-versa)
By correlating identity and access information with threat and vulnerability data from the Security Operations Center (SOC), identity teams can respond proactively to require additional authentication when the potential user threat or application criticality warrants it. For example, when a threat detection and response solution detects suspicious activity from a user or device, that information can prompt the multi-factor authentication solution to confirm the user’s identity, raising the level of assurance that they are who they claim to be.
Similarly, the SOC team overseeing threat detection and response may become aware that a device is potentially compromised based on network traffic routed by a next-generation firewall. That awareness can be automatically shared with the identity team to prompt them to be on the alert for access attempts from that device, so additional authentication can be provided before access is granted.
It’s important to note that just as additional authentication is required when the threat detection system provides context that warrants it, it is not required when the context instead points to a legitimate access attempt. In this way, the connected systems work together not only to keep the bad guys out, but also to let the good guys in without undue inconvenience and delay. Using context in this way reduces the risk of a high rate of time-wasting false positives.
Information-sharing between these two types of systems is a two-way street; in the other direction, sharing identity and authentication information with threat monitoring systems enables the latter—whether a security information and event management (SIEM) system, an endpoint detection solution or a next-generation firewall—to spot, investigate and respond to credential-based attacks faster.
Connecting access management and identity governance with GRC to manage access risk
Just as having more threat information can lead to better access decisions, having more information about the organization’s risk posture can lead to better risk management by both identity teams and GRC teams. Authentication and identity governance solutions typically lack insight into an organization’s overall GRC controls and policies. But when they’re connected with GRC systems, they can acquire the business context and risk information needed to manage access risk better. Consider these examples:
- Once an organization has used GRC to catalog information, quantify risks and create policies to address them, an identity governance solution can enforce those policies through access certification. The identity governance solution can specifically use application criticality data and data classification information from the GRC system to prioritize access decisions based on the most critical access violations.
- GRC data can also reveal when a targeted server or other asset contains sensitive HR information, valuable intellectual property or other critical data and alert the authentication solution to require a higher level of assurance that the user is who they claim to be.
- When a third party requests access to an application, the authentication system can detect if the request doesn’t comply with established access policies and send that information back to the data governance solution to take another look at the third party’s risk profile.
- Information-sharing is as much a two-way street when GRC systems are involved as when threat detection and response systems play a role: GRC systems can leverage access-related information to better understand the security risk an application presents, based on the number of orphaned accounts or entitlement anomalies associated with it, and then use that information to set risk management priorities.
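To make the two information flows above concrete (SOC threat context and GRC asset context feeding the authentication decision, and the decision flowing back to the SIEM), here is an added example that is not part of the original post or any vendor product. The signal names, the assurance scale and the thresholds are assumptions constructed for illustration.

```python
"""Added example (not from the original post): an access-decision function that
combines SOC threat signals and GRC asset context to decide how much assurance
to demand, plus the event it shares back with the SIEM. All signal names and
the assurance scale are constructed assumptions."""
from dataclasses import dataclass, field

# Constructed assurance scale the authentication service can demand.
PASSWORD_ONLY, MFA, MFA_HIGH_ASSURANCE = 1, 2, 3


@dataclass
class AccessRequest:
    user: str
    device_id: str
    app: str
    # Alerts shared by the SOC (threat detection, next-gen firewall), keyed by device.
    soc_device_alerts: dict = field(default_factory=dict)
    # Application criticality and data classification shared by the GRC system.
    grc_app_profile: dict = field(default_factory=dict)


def required_assurance(req: AccessRequest) -> int:
    """Return the assurance level to require for this request.

    Step-up is driven only by SOC or GRC context; with no adverse context the
    request stays at the baseline, so legitimate users are not inconvenienced
    (the false-positive point made in the post)."""
    level = PASSWORD_ONLY
    alerts = req.soc_device_alerts.get(req.device_id, [])
    profile = req.grc_app_profile.get(req.app, {})
    # GRC: critical apps or those holding sensitive HR data / IP warrant MFA.
    if profile.get("criticality") == "high" or profile.get("data_class") in ("hr", "ip"):
        level = max(level, MFA)
    # SOC: suspicious user/device activity prompts MFA to confirm identity.
    if "suspicious_activity" in alerts:
        level = max(level, MFA)
    # SOC: device flagged as possibly compromised by firewall traffic analysis;
    # require the strongest assurance before any access is granted.
    if "possible_compromise" in alerts:
        level = max(level, MFA_HIGH_ASSURANCE)
    return level


def siem_event(req: AccessRequest, level: int) -> dict:
    """Reverse direction: the identity decision, with user and device attached,
    shared back to the SIEM/EDR so credential-based attacks can be investigated."""
    return {"event": "access_decision", "user": req.user, "device": req.device_id,
            "app": req.app, "assurance_required": level,
            "step_up": level > PASSWORD_ONLY}
```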
Those are just some of the ways sharing intelligence through connected systems can benefit identity, threat detection and GRC teams. Next time, we’ll move from “connected” to “continuous,” to take a close look at how pervasive and connected authentication results in continuous authentication, and to examine why this is more effective than a series of one-time events at the point of access. Together, the three characteristics of modern authentication—pervasive, connected, continuous—enable the secure access transformation that will make it possible to meet the security challenges posed by today’s access environment.