New Approaches to IAM

Much of cybersecurity rests on the answers to a few simple questions: Who is trying to get access? Is this person who he or she claims to be? What digital assets does he or she have authorization to see or modify? A vast category of Identity and Access Management (IAM) solutions addresses the challenges inherent in answering these questions. As the intensifying threat landscape reveals gaps and vulnerabilities in existing IAM practices, new solutions are emerging to address the increasingly complex and challenging work of identity and access control. Here are some notable examples.


Jumio: Video Self-Authentication

Jumio, which offers a number of different identity verification solutions, is adding a new video self-authentication capability to its portfolio. According to Dean Nicolls, Jumio’s Global Head of Marketing, there was a need to step up the accuracy of user authentication due to the availability of personal information on the dark web. “Until pretty recently, we could use a credit bureau’s information on you to perform an automated identity verification,” he said. “For example, an application could ask you if you lived at one of three addresses. That no longer works. That data is almost certainly available to hackers now.”

The new Jumio solution asks the user to take pics of the front and back of his or her driver’s license. The app then asks for a selfie. The software is then able to compare the images and ascertain if the user is the same person shown on the license.

This sounds simple. It isn’t. The technology has to be sophisticated enough to detect if the user is wearing a mask or spoofing the process in other ways. The facial matching itself involves creating a 3D facemap. The system is also able to adapt to different types of licenses from multiple states, embedded watermarks and so forth. To make this work, Jumio uses Artificial Intelligence (AI) and Machine Learning (ML).

Jumio is now deploying the solution to financial services companies as well as dating sites. The goal is to protect users from fraudsters and bots creating accounts. Typical use cases include password resets and large fund transfers.


PlainID: Improving Authorization

PlainID is sharpening another well-understood but often poorly executed aspect of IAM, the matter of authorization. Who is allowed to do what? Authorization is challenging to implement and maintain. This is particularly true in large, geographically distributed organizations. Throw in factors like contractor and vendor access to digital assets, and strong authorization policies can become nearly impossible to sustain.

According to Gal Helemski, Co-Founder of PlainID, a number of problems plague the management of authorization. “There’s been a focus on the user, but not so much on the role,” she said. “This is a mistake. When you try to assign authorizations to individual users, you can get overwhelmed.” From her perspective, this problem is then compounded by rigid and opaque systems for defining and enforcing authorization policy.

The PlainID solution tries to address this difficulty by concentrating on administration of authorization policy. It offers the ability to visualize authorization as a way to make the admin decision easier. Admins can see, in graphical form, the connections between the user role and the digital assets he or she wants to access. The solution also uses an analytical decision engine to help admins decide who gets to see what.

The solution also enables business users to decide on authorization for their employees and contractors. This is a sensible approach, given that the business user often has a better idea of why someone might need access to a digital asset than an IT staffer who knows neither the employee in question nor the business context. It also speeds up the authorization process by taking IT out of the loop.

PlainID, which maps to the identity store (e.g. Active Directory), creates an authorization lifecycle to aid in authorization administration. The system also lets users take advantage of multiple enforcement mechanisms. These include technologies like OAuth, SAML and others. “It’s not effective to expect all authorization policy enforcement to flow through one technology,” Helemski explained.
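The role-centric approach described above (policy attached to roles rather than to individual users, contractor access with a lifecycle, and a decision engine that can explain and visualize who may reach what) can be sketched in a few dozen lines. The following is an added example written for this article, not PlainID's own code or API; the identity store, the role names, the assets and the `allow_contractors` flag are all constructed here for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Tuple

# Constructed stand-in for an identity store such as Active Directory:
# each principal carries roles, an employment type and an optional contract end date.
IDENTITY_STORE = {
    "alice": {"roles": {"finance-analyst"}, "type": "employee", "contract_end": None},
    "bob":   {"roles": {"vendor-support"}, "type": "contractor", "contract_end": date(2019, 6, 30)},
    "carol": {"roles": {"finance-analyst", "payroll-admin"}, "type": "employee", "contract_end": None},
}


@dataclass(frozen=True)
class Policy:
    """One authorization rule: a role may perform `actions` on `asset`."""
    role: str
    asset: str
    actions: FrozenSet[str]
    allow_contractors: bool = True   # hypothetical condition a business owner might set


# Policies are written against roles, never against individual users.
POLICIES = [
    Policy("finance-analyst", "ledger", frozenset({"read"})),
    Policy("payroll-admin", "payroll-db", frozenset({"read", "write"}), allow_contractors=False),
    Policy("vendor-support", "ticketing", frozenset({"read", "write"})),
]


@dataclass
class Decision:
    allowed: bool
    reasons: List[str]          # human-readable trail for the admin view


def authorize(user: str, asset: str, action: str, today: date) -> Decision:
    """Decision engine: default deny, allow only if some role policy grants the action."""
    record = IDENTITY_STORE.get(user)
    if record is None:
        return Decision(False, [f"{user}: unknown principal"])

    # Lifecycle check: a contractor whose engagement has ended loses everything at once,
    # without anyone having to revoke individual grants.
    end: Optional[date] = record["contract_end"]
    if record["type"] == "contractor" and end is not None and today > end:
        return Decision(False, [f"{user}: contract ended {end.isoformat()}"])

    reasons = []
    for pol in POLICIES:
        if pol.role not in record["roles"] or pol.asset != asset:
            continue
        if action not in pol.actions:
            reasons.append(f"role {pol.role} grants {sorted(pol.actions)} on {asset}, not {action}")
            continue
        if not pol.allow_contractors and record["type"] == "contractor":
            reasons.append(f"role {pol.role} on {asset} is closed to contractors")
            continue
        reasons.append(f"role {pol.role} grants {action} on {asset}")
        return Decision(True, reasons)

    if not reasons:
        reasons.append(f"{user}: no role grants any access to {asset}")
    return Decision(False, reasons)


def access_graph(user: str) -> List[Tuple[str, str, str]]:
    """Edges (role, asset, action) reachable by `user`, the data behind a graphical admin view."""
    record = IDENTITY_STORE.get(user, {"roles": set()})
    edges = []
    for pol in POLICIES:
        if pol.role in record["roles"]:
            edges.extend((pol.role, pol.asset, act) for act in sorted(pol.actions))
    return sorted(edges)


if __name__ == "__main__":
    for who in IDENTITY_STORE:
        print(who, access_graph(who))
    print(authorize("bob", "ticketing", "write", date(2019, 7, 1)))
```

Because the engine returns its reasons alongside the verdict, the same function serves both enforcement and the admin-facing explanation, and a reviewer can answer "why does Carol have write on payroll-db?" from the graph edges rather than from a pile of per-user grants.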

Duo: Pushing MFA to the Device

Duo is taking on an authentication and authorization challenge that’s arisen with the increased use of cloud computing and mobility. Sean Frazier, Duo’s Advisory CISO for their Federal business, explained it this way: “The government, through NIST frameworks, now uses smart cards for auth in many cases. This is great, but smartcards don’t work well in cloud and mobile. You still have a challenge authenticating users on mobile devices.”

Under NIST 800-63 identity policy, government agencies need to use smartcards or a username and password combination. One difficulty with this approach, according to Frazier, is simple operational slowdowns. “After the government shutdown, for instance, smartcard provisioning was backlogged. Access controls likely suffered during the catch-up period.”

To solve this problem, Duo enables organizations to push multifactor authentication (MFA) to a user’s mobile device. The solution enables use of biometrics, SMS messages and other means to authenticate the user’s device. It can also work with government-approved smart tokens.

Duo then makes it possible to establish a zero trust model of authorization. User access is determined by a trust decision based on the trustworthiness of the user’s auth assertion, that is, on the system’s conversation with the Duo mobile app. Trust is not based on where the user is located or what device he or she is using. This approach can also apply to Privileged Access Management (PAM) credentials.

SecureAuth: Risk-Based Authentication

SecureAuth incorporates machine-to-machine identity management into their approach to IAM. “Who is the ‘user’ you’re trying to authenticate in any given situation?” asked Justin Dolly, the company’s Chief Security Officer and Chief Operating Officer. “Often, it’s an app that needs to access another app, and so forth. This is not a new scenario, but securing the access in these cases is growing more cumbersome.”

As Dolly explained, the tendency is to layer on more controls, e.g. 2FA and then one-time passwords via SMS and so forth. “This adds noise,” Dolly said. “It adds overhead. Our goal is to increase authentication security without adding load.” The SecureAuth approach is to base authentication processes on perceived risks. Taking the machine-to-machine use cases into consideration, the SecureAuth solution will require more stringent authentication measures if it detects suspicious activity.

For example, if there appears to be location spoofing going on, the solution will demand additional authentication factors. Otherwise, it may adopt a more relaxed approach to avoid burdening the user experience with excessive authentication requirements. “There has to be a flexible approach for IT managers,” Dolly added.
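Risk-based step-up, as described for SecureAuth above (and the related point in the Duo section that a trust decision should rest on the strength of the assertion rather than on location alone), comes down to scoring a handful of signals and picking the factors to demand. The following is an added example written for this article, not SecureAuth's or Duo's code; the signal names, weights, thresholds and the idea of treating a service principal differently from a human user are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AuthContext:
    """Everything the decision engine sees about one authentication attempt."""
    principal: str
    kind: str                  # "user" (interactive) or "service" (machine-to-machine)
    ip_country: str            # country derived from the connecting IP address
    reported_country: str      # country the client itself claims (locale, GPS, header)
    device_known: bool         # device previously enrolled for this principal
    last_seen_country: str     # country of the previous successful authentication
    last_seen_at: datetime
    now: datetime


# Hypothetical weights; a real deployment would tune these from its own data.
WEIGHTS = {"location-mismatch": 40, "unknown-device": 25, "impossible-travel": 35}
IMPOSSIBLE_TRAVEL_WINDOW = timedelta(hours=2)


def risk_signals(ctx: AuthContext) -> List[Tuple[str, int]]:
    """Return the (signal, weight) pairs that fired for this attempt."""
    fired = []
    # The IP says one country, the client claims another: a classic location-spoofing tell.
    if ctx.ip_country != ctx.reported_country:
        fired.append(("location-mismatch", WEIGHTS["location-mismatch"]))
    if not ctx.device_known:
        fired.append(("unknown-device", WEIGHTS["unknown-device"]))
    # Two countries within a short window is physically implausible for a human.
    if (ctx.last_seen_country != ctx.ip_country
            and ctx.now - ctx.last_seen_at < IMPOSSIBLE_TRAVEL_WINDOW):
        fired.append(("impossible-travel", WEIGHTS["impossible-travel"]))
    return fired


def risk_score(ctx: AuthContext) -> int:
    return min(100, sum(weight for _, weight in risk_signals(ctx)))


def required_factors(ctx: AuthContext) -> List[str]:
    """Map the score to the factors demanded; low risk stays light, high risk steps up."""
    score = risk_score(ctx)
    if ctx.kind == "service":
        # Machine-to-machine: interactive factors such as SMS make no sense here, so the
        # step-up is a short-lived signed assertion on top of the client certificate.
        factors = ["client-certificate"]
        if score >= 30:
            factors.append("signed-assertion")
        return factors
    factors = ["password"]
    if score >= 30:
        factors.append("push-approval")
    if score >= 60:
        factors.append("hardware-token")
    return factors


def decide(ctx: AuthContext) -> Dict[str, object]:
    """Bundle score, fired signals and required factors for logging and enforcement."""
    return {
        "principal": ctx.principal,
        "score": risk_score(ctx),
        "signals": [name for name, _ in risk_signals(ctx)],
        "factors": required_factors(ctx),
    }


# Constructed sample attempts.
T0 = datetime(2019, 5, 1, 9, 0)
TRUSTED_LOGIN = AuthContext("alice", "user", "US", "US", True, "US", T0 - timedelta(days=1), T0)
SPOOFED_LOGIN = AuthContext("alice", "user", "RO", "US", False, "US", T0 - timedelta(days=1), T0)
TRAVEL_LOGIN = AuthContext("alice", "user", "DE", "DE", True, "US", T0 - timedelta(minutes=30), T0)
SERVICE_CALL = AuthContext("billing-svc", "service", "US", "IE", True, "US", T0 - timedelta(hours=3), T0)

if __name__ == "__main__":
    for ctx in (TRUSTED_LOGIN, SPOOFED_LOGIN, TRAVEL_LOGIN, SERVICE_CALL):
        print(decide(ctx))
```

The point of `decide` returning the fired signals, not just the verdict, is the flexibility Dolly asks for: an IT manager can read why a given user was stepped up, adjust a weight or a threshold, and see the effect without touching the enforcement code.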


Photo Credit: adbrucephotos Flickr via Compfight cc