Today, most identity and access management (IAM) professionals are only able to implement conditional access policies based on WHAT they know about the access attempt—source location, time, network path, VPN, public, device posture, etc. These IAM pros are asking, is the device compliant? Does it have any existing vulnerabilities?
All well and good. But there’s one major problem with this traditional way of managing access. Today’s IAM teams can’t fully understand the cyber risk context of the actual person WHO is attempting to access their systems.
- Did they recently download malware, or click on a phishing link?
- Have they recently been the victim of targeted attacks? Are they under attack right now?
- Are they an employee or contractor? How long have they been onboard? Does their role allow access to critical assets or intellectual property?
- What is their blast radius if they were compromised?
By adding people-specific cyber risk to the user authentication process, IAM teams gain a complete picture of the risk of each access attempt login, and protection decisions become nuanced, dynamic, and specific. In this article, we’re diving into the benefits and immense need for authenticated user risk.
➡️ Interested in seeing authenticated user risk in action? Watch the quick demo of Elevate Identity here.
The Consequences of Overlooking the Human Risk Context During Identity and Access
According to the Verizon DBIR, 82% of breaches are due to human error, and account compromise is involved in 61% of those breaches. It’s evident that today’s threat actors are leveraging social engineering tactics to target users susceptible to attack.
Without visibility into user cyber risk at the time of authentication, your chances of allowing access to a high-risk user, or worse, letting an adversary in , increase dramatically. In other words, without knowing a user’s cyber risk context, your options for proactively protecting that individual are limited.
For example, requiring hourly reauthorization for all remote users would likely improve overall security, but many users would rebel against the impact on productivity. However, armed with an individual’s unique risk score, you can easily tailor access policies to match that user’s level of risk, minimizing impact and maximizing access security, while maintaining productivity.
The Benefits of Adding Human Risk Context to Identity and Governance
Many of us have participated in the annual check-the-box governance process of ‘Does Jennifer need access to X, Y, or Z app?’, eyeballed it quickly and said ‘sure.’ Not the smartest or safest choice, but one made often.
In most cases, we check a governance “box” simply because the user has been given prior access. Access may have been granted by a different manager, for a different role, or even by a different leadership team. Unfortunately, it’s easier to maintain existing access rather than manually track down what the system is and determine if access is still needed or warranted.
A risk-based approach to authentication allows teams to consider an individual’s historical actions when making access decisions. Additionally, factors such as employee or contractor status, tenure, role risk, and blast radius can be considered in tailoring protection decisions to the individual user and their specific risk profile.
User Risk is the Future of Effective Identity and Access Management
Authenticated user risk augments identity and access management by adding comprehensive information that enriches traditional identity data, providing a 360° profile of the human behind each access attempt.
The result? A lesser likelihood of an adversary successfully establishing persistence and performing lateral movement, leading to reduced incidents of unauthorized access and helps avoid post-incident cleanup.
With authenticated user risk, you can:
- Require very frequent reauthorization for the specific high-risk individual
- Block that high-risk individual from directly connecting to any system with potential for lateral movement or reconnaissance abuse
- Initiate changes in access governance
- Relax protections and reduce friction, enhancing productivity of lower risk individuals
- And much more
➡️ Watch a brief, but in-depth demo of authenticated user risk here.
Final Thoughts
Traditional identity and access management approaches rely solely on contextual factors like device posture and network path. Important? Yes. But inadequate for addressing today’s security risks.
Here’s the bottom line: not all people are created equal when it comes to security. Adding authenticated user risk to IAM and IGA processes is a surefire way to dramatically improve access and authentication, keeping high-risk users safe and lower risk users productive.
Discover a stronger defense against unauthorized access—discover Elevate Identity.
