Identity sprawl is a growing concern for most enterprises, as they move beyond historical boundaries across the spectrum of cloud computing, consumer devices, office locations and core work hours. At one point in time, these identities were well contained. They were often managed by a single directory or identity provider. That was sufficient to hold bad actors at bay while ensuring legitimate users received access. That time is long gone.
Now, as the digital world continues to explode, enterprises find themselves managing a rapidly expanding number of identities across an increasingly difficult-to-manage number of applications, devices and directories.
Consider how many applications, tools, accounts and devices each employee utilizes in a given day. Different departments now adopt their own SaaS applications, and organizations have rolled out bring-your-own-device (BYOD) policies. Employees often blend personal use applications and social media accounts with their work tasks on the job. In other words, users don’t just have one identity that authenticates against a single datastore—they authenticate against a variety of datastores. IT decision makers must find a way to rein in this multitude of identities.
So, how do you deal with identity sprawl?
The Insecurity of Identity Sprawl
Let’s say a marketing employee starts their work day by signing on to their work laptop. They authenticate using Active Directory credentials. Using a cell phone—which is connected to the company network—they check their personal email, then sign on to their Facebook account. Next, they return to their laptop, log into a marketing automation cloud service, then bring up the company social media accounts to begin promoting a new product. All of this happens within the first hour of the work day. Our marketing employee is not alone; many employees across the company do exactly the same thing, which illustrates the hundreds of identities that security teams must manage.
Identity and access management was never a cakewalk, but it was arguably easier in the days before the modern enterprise had to juggle a rising tide of applications, devices and directories. Collectively, this increased attack surface adds up to a broadening threat from cybercriminals who are looking to steal credentials, phish employees and slip into company systems to steal assets.
Traditionally, security practitioners have had a few options. They limited or outright restricted access, or they banned personal devices and application use. These draconian practices are somewhat effective in keeping malicious actors out, but they can also hamper productivity and hurt morale.
Managing Identity Sprawl Safely
A more effective solution involves using adaptive authentication to evaluate users and help ensure that only legitimate users can access company systems. Whether an application or device is company approved is now irrelevant. Instead, the focus is solely on whether the user is who they say they are. Adaptive authentication examines how, where and when the user is signing on to see if those attributes match expected patterns. If not, the user is asked to complete another level of verification, such as a push-based multi-factor authentication request that must be approved with a biometric.
Even if a criminal has stolen credentials that work, adaptive authentication can drive a stronger security posture in several ways:
- Identify an unfamiliar device. The user’s device fingerprints are registered, so that an attacker using the same password to sign on from a different device will be stopped and asked to complete a second-factor authentication step.
- Uncover malicious activity. Attributes such as the IP address of the transaction can be evaluated for signs of previous threat actor activity, or a desire to mask the true source of the authentication via an anonymity network. The geolocation can be analyzed for risk via techniques such as geovelocity, to determine if an improbable travel event has occurred.
- Detect unusual behavior. Logical behavior, such as hours of activity or previously visited resources, is modeled, along with physical behaviors such as keystroke dynamics or mouse movements. Because an attacker can’t easily duplicate these behaviors, deviations from them can be detected.
- Evaluate user entitlement risk. Employees with access to employee personal data, customer accounts or organizational funds would have a higher risk score, possibly requiring additional risk checks, as opposed to a receptionist needing access to an executive’s calendar.
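As an added illustration (not code from the original article), the following Python scores a sign-on attempt using the signals listed above: registered device fingerprints, anonymity-network source addresses, geovelocity, usual hours and entitlement risk, then decides whether to allow, step up to a second factor, or deny. All users, addresses, thresholds and weights are constructed assumptions.

```python
import math
from dataclasses import dataclass, field
# Constructed sample policy data (hypothetical, not from any real deployment).
KNOWN_DEVICES = {"alice": {"fp-laptop-01"}}                   # registered device fingerprints
LAST_SIGNON = {"alice": {"lat": 40.71, "lon": -74.01, "ts": 1_700_000_000}}  # last seen: New York
ANONYMITY_NETWORK_IPS = {"203.0.113.9"}                       # e.g. known exit nodes (TEST-NET sample)
HIGH_RISK_ENTITLEMENTS = {"payments", "hr-data"}
WORK_HOURS = range(7, 20)                                     # 07:00-19:59 local time
MAX_PLAUSIBLE_KMH = 900                                       # faster than this is improbable travel

@dataclass
class SignOn:
    user: str
    device_fp: str
    ip: str
    lat: float
    lon: float
    ts: int                 # Unix seconds of this attempt
    hour: int               # local hour of day
    entitlements: set = field(default_factory=set)

def haversine_km(lat1, lon1, lat2, lon2):
    # Great-circle distance between two points, used for the geovelocity check.
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def risk_score(s: SignOn):
    """Return (score, reasons): each signal from the article adds a weight."""
    reasons = []
    if s.device_fp not in KNOWN_DEVICES.get(s.user, set()):
        reasons.append(("unfamiliar device", 30))
    if s.ip in ANONYMITY_NETWORK_IPS:
        reasons.append(("anonymity network source", 40))
    last = LAST_SIGNON.get(s.user)
    if last:
        km = haversine_km(last["lat"], last["lon"], s.lat, s.lon)
        hours = max((s.ts - last["ts"]) / 3600, 1 / 60)   # floor the interval at one minute
        if km / hours > MAX_PLAUSIBLE_KMH:
            reasons.append(("improbable travel", 40))
    if s.hour not in WORK_HOURS:
        reasons.append(("outside usual hours", 10))
    if s.entitlements & HIGH_RISK_ENTITLEMENTS:
        reasons.append(("high-risk entitlement", 20))
    return sum(w for _, w in reasons), [r for r, _ in reasons]

def decide(s: SignOn) -> str:
    # Map the score to allow / step-up (ask for a second factor) / deny.
    score, _ = risk_score(s)
    return "allow" if score < 30 else "step-up" if score < 70 else "deny"
```

A single unfamiliar device only triggers a step-up, while the same password used from an anonymity network, an impossible location and at 3 a.m. against a high-risk entitlement is denied outright.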
In addition, adaptive authentication offers a number of benefits that you don’t often see in security solutions:
- Improve user experience. Because adaptive authentication can lower friction for users to get access to resources, users aren’t as tempted to share passwords or find other workarounds that can put the company at risk.
- Free up IT staff to do more meaningful work by reducing helpdesk calls. Self-service password reset options and other self-service capabilities can increase productivity, reduce frustration and free up IT staff to focus on more important security tasks.
- Eliminate the cost and complexity of having multiple security solutions. Because it can be deployed in the cloud, on-prem or as a hybrid of the two, adaptive authentication can replace an uneven patchwork of point solutions with consistent, stronger security across the organization.
Identity sprawl will continue. Instead of applying old safeguards to modern challenges, teams can use adaptive authentication to stop attacks and better protect identity—no matter when or where a user signs on.