As we come to the end of 2018, it’s difficult to see what meaningful progress has been made in cyber security. There has been a creeping shift in awareness. Executives and politicians are getting the message, however muffled, that cyber is not going away, nor will it get any easier to manage risks. The DHS’s decision to upgrade cybersecurity to its own agency is a welcome step. Still, the epic Marriott breach felt like the perfect end to a year when few seemed to have learned much about the cyber threat facing the United States and the world at large.
Signs are on the horizon, though, that big changes are on the way. New products and ventures are taking on bigger challenges, raising the stakes and declaring that the status quo will no longer suffice. This spirit is in evidence with Acceptto, an early stage company that just emerged from stealth mode. Acceptto is one of several companies driving paradigmatic changes in the area of identity and access management.
It’s a very timely and worthwhile effort. Having spent 2018 looking at an exhausting series of data breaches and cyber defense meltdowns, I can say with some confidence that the issue of identity is at the heart of most serious risk exposure. It’s not the only factor, of course, but if you can’t be sure of who is who and whether a user is authorized to access a particular digital asset, you’ll never be truly secure. This is the founding premise of Acceptto.
Acceptto’s approach is to remove reliance on binary methods of authentication such as username/password. Such binary methods, including two-factor authentication (2FA) and even more complex multi-factor authentication (MFA), are simply not strong enough anymore on their own. “They give you a yes or no without context,” said Shahrokh Shahidzadeh, CEO of Acceptto. “It’s imperative to have smarter auth. Existing 2FA and MFA systems are too easily fooled.”
Instead, Acceptto offers a continuous, cognitive method of authentication. The solution blends AI and machine learning to distinguish good users from threat actors. It analyzes access requests along multiple behavioral dimensions to determine if a user is legitimate. For example, if a user logs into a corporate VPN from the same zip code 100 times using an iPhone during business hours, but then tries to log in from a foreign country at 2:00 AM using an Android device, this anomaly will trigger the system to throw up barriers to access.
The standard MFA solution to this problem is to issue a verification code via SMS or a comparable step. This can be hacked, however. More in-depth countermeasures are needed.
“Our goal is to reduce friction,” Shahidzadeh added. “We create a derived credential from many different data points about the user and his or her access patterns. We call this a dynamic Level of Assurance or LOA. We can go without a password for the best users. They get through with almost no interference. Bad actors get shut out.”
Acceptto then follows the user through their session, continuously re-checking their authentication status. “One of the big problems we have in security is the ‘all-you-can-eat’ mindset of many access control frameworks. Once you’re in, you’re in. That is not a wise way to mitigate risk, especially when you consider how malicious actors move across networks into places they’re not supposed to be.”
If a user normally accesses a certain set of digital assets, but then diverges and goes elsewhere in the network, Acceptto flags this behavior. It may be nothing, but it’s a good practice to know where users are going. Once flagged, a suspicious user can be subjected to a variety of MFA techniques for further verification. The level of verification depends on the perceived level of risk. Acceptto runs in parallel with most major IAM solutions. These include LDAP, Microsoft Active Directory, Palo Alto VPN and others.
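The anomaly scenario and the risk-proportional verification described above can be modeled as follows. This is an added example, not Acceptto's code or algorithm; the features, weights, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessEvent:
    location: str  # zip code or country reported for the request
    device: str    # device type, e.g. "iPhone" or "Android"
    hour: int      # local hour of day, 0-23
    asset: str     # resource being requested

# Hypothetical features and weights (assumptions, not taken from any product).
FEATURES = {
    "location": (0.4, lambda e: e.location),
    "device": (0.2, lambda e: e.device),
    "business_hours": (0.2, lambda e: 9 <= e.hour < 18),
    "asset": (0.2, lambda e: e.asset),
}

def rarity(history, event, extract):
    """Share of past events that differ from this one on a feature (add-one smoothed)."""
    seen = Counter(extract(h) for h in history)
    return 1.0 - (seen[extract(event)] + 1) / (len(history) + 2)

def risk_score(history, event):
    """Weighted rarity over all features: near 0 is routine, near 1 is never seen."""
    return sum(w * rarity(history, event, fn) for w, fn in FEATURES.values())

def required_verification(risk):
    """Map risk to a verification level; the thresholds are assumed values."""
    if risk < 0.15:
        return "allow"
    if risk < 0.6:
        return "step_up"
    return "strong_step_up"

def evaluate(history, event):
    """Score one request; call it on every request in a session, not only at login."""
    return required_verification(risk_score(history, event))

# Constructed sample data mirroring the scenario in the text.
HISTORY = [AccessEvent("94105", "iPhone", 10, "vpn")] * 100
ROUTINE = AccessEvent("94105", "iPhone", 11, "vpn")
ODD_LOGIN = AccessEvent("foreign-country", "Android", 2, "vpn")
ODD_ASSET = AccessEvent("94105", "iPhone", 14, "finance-db")

if __name__ == "__main__":
    for name, ev in [("routine", ROUTINE), ("odd login", ODD_LOGIN), ("odd asset", ODD_ASSET)]:
        print(f"{name}: risk={risk_score(HISTORY, ev):.2f} -> {evaluate(HISTORY, ev)}")
```

With an empty history every feature scores 0.5, so a brand-new user lands in the step-up tier until a baseline exists.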