Fighting Identity Sprawl with Adaptive Authentication
Identity sprawl is a growing concern for most enterprises, as they move beyond historical boundaries across the spectrum of cloud computing, consumer devices, office locations and core work hours. At one point in time, these identities were well contained. They were often managed by a single directory or identity provider. That was sufficient to hold bad actors at bay while ensuring legitimate users received access. That time is long gone.
Now, as the digital world continues to explode, enterprises find themselves managing a rapidly expanding number of identities across an increasingly difficult-to-manage number of applications, devices and directories.
Consider how many applications, tools, accounts and devices each employee utilizes in a given day. Different departments now adopt their own SaaS applications, and organizations have rolled out bring-your-own-device (BYOD) policies. Employees often blend personal use applications and social media accounts with their work tasks on the job. In other words, users don’t just have one identity that authenticates against a single datastore—they authenticate against a variety of datastores. IT decision makers must find a way to rein in this multitude of identities.
So, how do you deal with identity sprawl?
The Insecurity of Identity Sprawl
Let’s say a marketing employee starts their work day by signing on to their work laptop. They authenticate using Active Directory credentials. Using a cell phone—which is connected to the company network—they check their personal email, then sign on to their Facebook account. Next, they return to their laptop, log into a marketing automation cloud service, then bring up the company social media accounts to begin promoting a new product. All of this happens with the first hour of the work day. Our marketing employee is not alone, as many employees do the exact same thing all over the company—illuminating the hundreds of identities that security teams must manage.
Identity and access management was never a cakewalk, but it was arguably easier in the days before the modern enterprise had to juggle a rising tide of applications, devices and directories. Collectively, this increased attack surface adds up to a broadening threat from cybercriminals who are looking to steal credentials, phish employees and slip into company systems to steal assets.
Traditionally, security practitioners have had a few options. They limited or outright restricted access, or they banned personal devices and application use. These draconian practices are somewhat effective in keeping malicious actors out, but they can also hamper productivity and hurt morale.
Managing Identity Sprawl Safely
A more effective solution involves using adaptive authentication to evaluate users to help ensure only legitimate users can access company systems. Whether an application or device is company approved is now irrelevant. Instead, the focus is only on whether the user is who they say they are. Adaptive authentication examines how, where and when the user is signing on to see if those attributes match expected patterns. If not, the user is asked to complete another level of verification, such as a strong multi-factor authentication push to accept requests secured by a biometric.
Even if a criminal has stolen credentials that work, adaptive authentication can drive a stronger security posture in several ways:
In addition, adaptive authentication offers a number of benefits that you don’t often see in security solutions:
Identity sprawl will continue. Instead of applying old safeguards to modern challenges, teams can use adaptive authentication to stop attacks and better protect identity—no matter when or where a user signs on.View More Posts