1 Introduction
Organizations around the world have been rapidly modernizing their IAM infrastructures in response to increased cyberattacks and data breaches, the enactment of security and privacy regulations, and the shift to remote working. IAM technologies are widely deployed but notoriously difficult to upgrade, which leaves many businesses and agencies struggling to meet the demand for strong, risk-adaptive yet usable authentication. For this reason, IAM customers are turning to modular authentication solutions that offer stronger, contemporary login methods backed by risk engines. These engines use Machine Learning (ML) algorithms to detect anomalous behavior and, where security policy dictates, collect additional context or require further proof of identity before access is granted.
Authentication has been one of the areas within IAM that has experienced the most technical advancement. Researchers and vendors have sought to address the inherent weaknesses of password-based authentication and have thus developed many different kinds of authenticators and protocols to increase assurance levels. Biometrics on mobile devices, out-of-band applications, mobile push notifications, and a variety of hardware tokens are noteworthy examples.
Authentication processes have also been improved by behind-the-scenes measures such as the evaluation of user attributes, history, and behavioral analysis; behavioral biometrics; device identity, history, and health; and environmental context, including request types and history, locations, and networks. These unobtrusive means can operate as needed in the background, only interrupting users with explicit need for input when deviations from their established baselines occur, leading to continuous, risk-adaptive authentication.
Regulations written with the goal of improving cybersecurity across various industries have taken effect in multiple jurisdictions. For example, in the US, the New York SHIELD Act provides for civil penalties that can reach $250,000 for organizations that fail to protect the private information of New York residents or to notify them of a breach. Whereas the EU's PSD2 requires Strong Customer Authentication for payment service users, the NY SHIELD Act also penalizes companies that do not adequately protect employees' HR information. Stronger authentication controls for workforce applications are therefore on the radar for many organizations that hold the HR data of New Yorkers.
Access control solutions must balance security and usability. Today's offerings provide multiple authentication mechanisms, including many mobile options and SDKs; risk engines that evaluate numerous definable factors gathered at runtime and compared against enterprise policies; authorization services that granularly evaluate complex request contexts against pre-defined policies; and out-of-the-box (OOTB) connectors that enable Single Sign-On (SSO) to many popular on-premises and cloud-hosted enterprise applications. Because these components must work alongside the directories, identity providers, and applications an organization already runs, integration with existing IAM infrastructure should be a primary factor in selecting a suitable product.
Authentication and authorization services are important threads in Identity Fabrics, which are gaining traction in industry today. An Identity Fabric is an architecture that can be composed of disparate data sources and capabilities delivered as discrete services. Identity Fabrics permit organizations to add and upgrade segments of their infrastructure or contract with service providers to meet business objectives in a more agile manner. Given the widespread availability and adoption of cloud-hosted services running the gamut from IaaS to PaaS to SaaS, more vendors are packaging their solutions in containers such that they can provide the same types of functions regardless of deployment models. This means that on-premises software ships as images or virtual instances that can be deployed on most of the common operating systems or IaaS/PaaS platforms or made available as micro-services via the vendor or MSPs.
The key requirements most organizations look for in access management solutions are:
- Support for multiple authenticator types, such as:
- Smart Cards, USB tokens, and older form factor hardware tokens
- Mobile apps and push notifications
- X.509 certificates
- Biometrics, especially mobile biometrics leveraging native OS capabilities
- OTP: HOTP/TOTP from authenticator apps or hardware tokens, and one-time codes delivered out of band by voice call, email, or SMS
- Availability of a mobile SDK for customers to write their own secure apps, with optional use of a GlobalPlatform Secure Element for credential storage and a GlobalPlatform Trusted Execution Environment (TEE) for isolated execution of sensitive app logic
- Adhere to a policy-based access control model so that IT departments and Line of Business application owners can define risk-appropriate authentication rules
- Perform run-time risk analysis of behavioral and environmental factors
- Enforce configurable actions including permit, step-up authentication, deny, lock account/device, etc.
- Integrate with other IAM systems to allow SSO, typically by sharing session cookies within a domain
- Support identity federation via OAuth 2.0, OpenID Connect (OIDC), and SAML 2.0, with JWT as the token format
- Integrate with SIEM, SOAR, UBA, and other security systems
- Provide administrators with management dashboards and configurable reporting
- Allow for delegated and role-based administration within the solution
- Process relevant threat intelligence in real time, drawn from the customer's internal sources, information collected across the vendor's ecosystem, and/or subscriptions to third-party services that identify aberrant user behavior, compromised credentials, etc.
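To make the policy-based, risk-adaptive model described above concrete (runtime evaluation of behavioral and environmental factors against a baseline, and the configurable permit / step-up / deny / lock actions), here is an added example in Python. It is not code from this report or from any vendor product: the factor weights, the per-application policy table, the lockout threshold, and the user "alice" and her baseline are all constructed for illustration. The engine first applies hard rules (account lockout, known-compromised credential), then adds a weight for each deviation from the user's baseline and maps the total to an action according to the sensitivity of the application being accessed.

```python
"""Risk-adaptive access decision: score a login context against a user's
baseline and map the score to a policy action (added example, not vendor code)."""
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum
import ipaddress


class Action(Enum):
    PERMIT = "permit"
    STEP_UP = "step-up"   # require an additional authenticator
    DENY = "deny"
    LOCK = "lock"         # lock the account pending admin review


@dataclass
class Baseline:
    """What the risk engine has learned about a user (constructed for the example)."""
    user: str
    known_devices: set[str]
    usual_countries: set[str]
    usual_hours: range                 # local hours the user normally signs in
    trusted_networks: tuple[str, ...]  # corporate CIDRs


@dataclass
class Request:
    """Context gathered at runtime for one authentication request."""
    user: str
    device_id: str
    device_healthy: bool          # e.g. result of an MDM/EDR posture check
    country: str
    hour: int
    source_ip: str
    app_sensitivity: str          # "low", "medium" or "high"
    credential_compromised: bool = False   # hit on a compromised-credential feed
    failed_attempts: int = 0


# Hypothetical policy table: per application sensitivity, the score at which
# step-up is required and the score at which the request is denied outright.
POLICY = {
    "low":    {"step_up": 40, "deny": 80},
    "medium": {"step_up": 20, "deny": 70},
    "high":   {"step_up": 0,  "deny": 60},   # high-value apps always step up
}
LOCK_AFTER = 5   # consecutive failed attempts before the account is locked


def score_request(req: Request, base: Baseline) -> tuple[int, list[str]]:
    """Add a weight for every deviation from the baseline; return score and reasons."""
    score, reasons = 0, []
    if req.device_id not in base.known_devices:
        score += 30; reasons.append("unknown device")
    if not req.device_healthy:
        score += 20; reasons.append("device failed health check")
    if req.country not in base.usual_countries:
        score += 30; reasons.append(f"unusual country {req.country}")
    if req.hour not in base.usual_hours:
        score += 10; reasons.append("outside usual hours")
    ip = ipaddress.ip_address(req.source_ip)
    if not any(ip in ipaddress.ip_network(n) for n in base.trusted_networks):
        score += 10; reasons.append("off corporate network")
    return score, reasons


def decide(req: Request, base: Baseline) -> tuple[Action, int, list[str]]:
    """Hard rules first, then the score-to-action mapping from the policy table."""
    if req.failed_attempts >= LOCK_AFTER:
        return Action.LOCK, 0, [f"{req.failed_attempts} consecutive failed attempts"]
    if req.credential_compromised:
        return Action.DENY, 0, ["credential appears on a compromise list"]
    score, reasons = score_request(req, base)
    thresholds = POLICY[req.app_sensitivity]
    if score >= thresholds["deny"]:
        return Action.DENY, score, reasons
    if score >= thresholds["step_up"]:
        return Action.STEP_UP, score, reasons
    return Action.PERMIT, score, reasons


# Constructed sample data: one user's baseline and five login contexts.
ALICE = Baseline(user="alice", known_devices={"laptop-1"}, usual_countries={"US"},
                 usual_hours=range(7, 20), trusted_networks=("10.0.0.0/8",))

SAMPLE_REQUESTS = [
    Request("alice", "laptop-1", True, "US", 10, "10.1.2.3", "medium"),      # matches baseline
    Request("alice", "laptop-1", True, "US", 10, "203.0.113.5", "high"),     # off-network, high-value app
    Request("alice", "phone-9", False, "BR", 2, "198.51.100.7", "low"),      # everything deviates
    Request("alice", "laptop-1", True, "US", 10, "10.1.2.3", "low", failed_attempts=5),
    Request("alice", "laptop-1", True, "US", 10, "10.1.2.3", "low", credential_compromised=True),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        action, score, reasons = decide(req, ALICE)
        print(f"{action.value:8} score={score:3}  {'; '.join(reasons) or 'matches baseline'}")
```

Running the block prints permit for the in-baseline request, step-up for the off-network access to a high-sensitivity app (score 10, but the "high" policy steps up at any score), deny for the request that deviates on every factor (score 100), lock after five failed attempts, and deny for a credential found on a compromise list. A production engine would replace the static weights with ML-derived ones and feed the reasons list to the SIEM, but the policy shape, hard rules before a score, and a score mapped to actions per application sensitivity, is what the requirements above describe.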