Ten years ago, organisations were protected by the ‘fortress’: it was an era of locked-down data centres and computing devices. Access to data and services required a person to have the right computing device, in the right location and on the right network, and to authenticate themselves to the data centre (firewalls) and again before each service could be accessed.
Fast forward to today’s digital world: advances in technology, networking and smart devices (IoT) have changed the landscape to one of distributed services, often hosted in the ‘cloud’ by different organisations in shared data centres.
Users want to use their own devices and they want to access services anywhere, anytime, and be protected whilst doing so.
IoT devices are becoming smarter and increasingly autonomous, having access to data, services and decision-making.
The fortress/firewall can no longer be the perimeter that protects scattered services and devices; Identity and Access Management (IDAM) is the new perimeter.
To ensure effective security, authentication and authorisation must be wrapped around every person, device, service and network, each protected with independent security measures that are far more complicated than the old fortress model. As a result, the business ecosystem is experiencing a proliferation of credentials for interconnected services/devices. Fortunately, IDAM technology has also evolved to provide the Single Sign-On (SSO), Identity Provider (IDP) and Self-Sovereign Identity (SSI) models to reduce the number of credentials needed.
SSO technology allows services to accept and trust authentications from other services, reducing the credentials needed.
The IDP model enables users to have credentials and assurances provided by a single organisation or a federation of enterprises who authenticate and allow access to the services/devices. This means a user does not need to maintain different credentials and more importantly, does not need to proliferate their personal data to each service/device. IDPs can also provide assertions to support service risk profiles.
The Self-Sovereign Identity model is evolving and will allow the user to be in control of their own identity and to assert it themselves, with assurances provided by third parties. However, it is still too early to see how this model would work in a commercial world.
The proliferation of services/devices beyond the fortress also brings with it more targets for cyber criminals that want to profit from malicious access to data and services.
From sophisticated social engineering, phishing, SIM swap, vishing and bots to hackers, cyber criminals are becoming increasingly adept at using new technologies and their defects to illegally gain access to data and commit social and financial crimes. Often, a breach in one service has a cascade effect, enabling breaches of other services.
The evolution of the digital world is also moving so fast that it has become impossible to have enough skilled cyber security and identity management experts to keep pace with the increasing cyber threats. People are often the weakest link and can undermine the security measures employed if those measures cause workforce friction; therefore, we need to make IDAM as frictionless as possible.
With technology advances, IoT and mobile device usage, we have access to vast amounts of data about users and can use this data to understand their normal behaviour and establish a risk-based approach to authentication and access. And as we no longer rely on single-factor authentication, we can use multi-factor authentication to reduce the risk.
We can eliminate friction for the user by authenticating them with biometrics, analysing their behaviour (how they touch the screen and type), environment (locations, IP addresses), devices (usage and health of the device), and networks (mobile, Wi-Fi, SIM swaps). We can use this data along with peer profiles and shared fraud signals, and perform pattern analysis to build a profile of ‘normal behaviour’ for each user. Each time they authenticate, the authentication required is matched to the transaction’s risk profile, and we only require them to bolster authentication when the ‘normal behaviour’ pattern is not satisfied.
For example, Doris is in the supermarket and wants to buy a bottle of wine: she approaches the self-service PoS, scans the wine, speaks her name and takes her wine. So how did we do this? The PoS uses voice and facial recognition to identify that it is Doris (authenticated by her Identity Provider), that she is over 18 (verified by her Identity Provider), that her smart watch is within proximity and that she has visited this supermarket many times before. This is all possible because we have built a pattern of normal behaviour for Doris.
AI can access vast amounts of data in real time, and it is not just leveraged to monitor and manage transaction data: AI can enrich the transaction with data from the user profile, behavioural analytics, threat sources, shared fraud signals and crime signals, and known patterns of peer-group behaviour as well. Furthermore, it uses this knowledge to determine whether the transaction is ‘normal’. The AI can automatically remediate by enhancing the authentication, or it can alert a cyber professional and give them the data and recommendations they need to make decisions. In this way, the AI becomes the IDAM sentinel.
AI is not just the sentinel for IDAM: we can create stronger cyber defences by integrating Security Information and Event Management (SIEM) and IDAM to look for patterns of behaviour across an organisation.
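The risk-based decision sketched in the last few paragraphs, from a learned ‘normal behaviour’ profile through allow, step-up or escalation to an analyst, as an added example that is not part of the original article. The signal names, weights and thresholds are assumptions chosen to illustrate the Doris scenario, not any real product's scoring model.

```python
from dataclasses import dataclass, field

@dataclass
class UserProfile:            # learned baseline of 'normal behaviour' (assumed shape)
    usual_countries: set = field(default_factory=set)
    known_devices: set = field(default_factory=set)
    merchant_visits: dict = field(default_factory=dict)   # merchant -> visit count

@dataclass
class AuthContext:            # signals gathered at authentication time (assumed shape)
    country: str
    device_id: str
    device_healthy: bool
    sim_swapped_recently: bool
    biometric_score: float    # 0..1 voice/face match confidence
    wearable_in_proximity: bool
    merchant: str
    transaction_risk: str     # "low" | "medium" | "high"
    shared_fraud_signal: bool # consortium flag on this IP/device

# Illustrative (allow_max, alert_min) per transaction risk: score <= allow_max passes,
# score >= alert_min goes to an analyst, anything between steps up authentication.
THRESHOLDS = {"low": (30, 60), "medium": (15, 45), "high": (0, 30)}

def score_risk(profile: UserProfile, ctx: AuthContext):
    """Sum anomaly weights minus corroboration credit; return (score, reasons)."""
    checks = [  # (reason, fires?, weight); weights are assumptions, negative = corroboration
        ("unknown_country", ctx.country not in profile.usual_countries, 30),
        ("unknown_device", ctx.device_id not in profile.known_devices, 25),
        ("device_unhealthy", not ctx.device_healthy, 20),
        ("sim_swapped_recently", ctx.sim_swapped_recently, 40),
        ("shared_fraud_signal", ctx.shared_fraud_signal, 50),
        ("weak_biometric", ctx.biometric_score < 0.9, 35),
        ("new_merchant", ctx.merchant not in profile.merchant_visits, 10),
        ("wearable_in_proximity", ctx.wearable_in_proximity, -15),
        ("frequent_merchant", profile.merchant_visits.get(ctx.merchant, 0) >= 5, -10),
    ]
    reasons = [name for name, fired, _ in checks if fired]
    return max(sum(w for _, fired, w in checks if fired), 0), reasons

def decide(profile: UserProfile, ctx: AuthContext):
    """Return ('allow' | 'step_up' | 'alert', score, reasons) for one attempt."""
    score, reasons = score_risk(profile, ctx)
    allow_max, alert_min = THRESHOLDS[ctx.transaction_risk]
    outcome = "allow" if score <= allow_max else "step_up" if score < alert_min else "alert"
    return outcome, score, reasons
# Constructed sample: Doris at her usual supermarket with her smart watch nearby.
DORIS = UserProfile({"GB"}, {"doris-watch"}, {"supermarket-42": 12})
IN_STORE = AuthContext("GB", "doris-watch", True, False, 0.97, True, "supermarket-42", "low", False)
```

The returned reasons list is what a sentinel would hand to the cyber professional alongside the score, so an escalation arrives with the evidence rather than a bare verdict.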
Applying AI to SIEM and IDAM together is arming the sentinel with advanced weapons in the fight against cybercrime.