CIO Review >> Magazine >> March - 2014 issue

ThreatMetrix: Pioneering Context-Based Workforce Authentication


Tuesday, March 4, 2014

Joe Philip The consumerization of IT is well underway. The network perimeter has virtually disappeared, a modern workforce connects from inside and outside of the corporate firewall to both on-premise and cloud-hosted applications. As BYOD is now a business reality, corporate IT has lost visibility and control over the devices that employees and contractors use to access both critical and non-critical applications.

In this fast-changing IT environment, traditional access security controls are increasingly archaic and unworkable. Today employees accessing mission-critical applications look like consumers on ecommerce websites. Enterprise security practitioners must find new approaches for securing access to corporate applications to address a major source of risk.

ThreatMetrix™ is helping businesses apply techniques of context-based authentication and federated trust to address the growing problem of remote workforce authentication.

Gartner estimates that by year end 2016, more than 30 percent of enterprises will use contextual authentication for remote workforce remote access. [Source: Gartner Magic Quadrant for User Authentication, December, 2013]

The Challenge of Remote Workforce Access
Remote workforce logins are open to the same types of misuse and abuse as consumer-based applications with potentially far greater business risk. A cybercriminal logging into an employee’s account using stolen credentials can do far greater damage to a company than a customer using a stolen credit card.

"Endpoint trustworthiness is especially poignant for bring-your-own-device (BYOD) scenarios. In such cases, the enterprise may not use mobile device management (MDM) software to help secure workforce mobile devices. As a result, employee phones and tablets may look very much like consumer devices, and it's important to decide how much to trust the user and the credentials and the contextual information that they're presenting." [Source: "Adaptive Access Control Brings Together Identity, Risk and Context," Gartner: Trent Henry, August 2013]

Enterprise security professionals must walk a fine line when it comes to securing workforce access to applications. On the one hand, mitigating the risks of data breaches is a top priority – no company wants to end up on the front page of The Wall Street Journal as a high profile data breach.

On the other hand, security must be balanced with the user experience. Time-consuming authentication techniques erode overall productivity. Worse, the more onerous the security measures, the more motivated the workforce will be to find ways around them.

Traditionally, companies lock down remote logins by deploying VPNs, requiring employees and partners to use corporate-issued equipment, or issuing hardware tokens or one-time passwords (OTP) for strong authentication. These methods are getting more and more impracticable in today's "consumerized" IT environment.

Context-Based Authentication and Federated Trust

ThreatMetrix offers an alternative to traditional workforce authentication models, leveraging a shared trust intelligence network that currently protects more than 2,500 financial services and e-commerce companies from global cybercriminal rings.

ThreatMetrix offers real-time technologies that analyze online personas, employee devices, transactional or application context and employee behavior. As a passive, network-based solution delivered from the cloud, ThreatMetrix is capable of recognizing all employee-supplied devices, whether they have authenticated in the past or not. A global policy engine lets businesses define specific and appropriate risk and access policies. Using ThreatMetrix, businesses can tag trusted combinations of credentials and identify indicators of risk learned from a global network of online identities, transactions and data.

By analyzing the contextual information from the login and comparing it to data from a global network, ThreatMetrix can help business reduce the risks of remote login without burdening the user.

"Enterprise adaptive access control combines contextual information and user credentials to evaluate the risk of users attempting to access resources. Once the purview of e- commerce and financial services, adaptive access is finding an increased role in workforce identity — particularly for mobile device use cases." [Source: "Adaptive Access Control Brings Together Identity, Risk and Context," Gartner: Trent Henry, August 2013]

Context-based authentication has two essential benefits for the enterprise:

• Frictionless access: Real-time, passive assessment of the login context gives businesses the ability to streamline access for known and trusted combinations of logins and devices – reducing effort and inconvenience for the workforce.

• Increased security: Combining global federated trusted identities with context-based authentication helps businesses quickly and easily identify high-risk connections that have the potential to compromise data. This includes devices that are part of botnets, devices associated with many different unregistered credentials that are used to conceal true identity or devices that are known to be involved with fraudulent access across the ThreatMetrix global network.