There’s an old joke in which the Dalai Lama walks into a fast food joint to order a hot dog, and the guy behind the counter asks him what he wants on it. The response is, “Make me one with everything.”
Being in the identity and access racket for literally decades, I’ve been striving to escape the boring paradigm in which I am no more than a set of credentials. Just a name and a password. These have long been my key to unlocking the roles or group memberships that subsequently got me into the various applications I need to do my job. Seriously, seriously boring.
It’s also seriously dangerous. Anybody who can pull off the relatively simple trick of snatching my password can also unlock my access.
It’s also seriously one-dimensional. I log in, I do some stuff with my apps, and I indirectly generate some audit data. If I do something funky, or if a bad guy does something funky with my stolen creds, the audit data might help with the subsequent investigation. “Hey, now that the horse has escaped from the barn, let’s figure out how to build a better barn door. Not that this gets our horse back.”
But what if I apply a little Digital Transformation to this formula? Smart guys have been nibbling at the edges of this for years, finding small gains for security and personalization, but there is so much more to be found, if we only make the effort.
At my organization, we have several practices. We build products for other vendors and companies, we build platforms, we do big data, and yes, we do identity and access. Sometimes they overlap, sometimes they don’t. But when it comes to identity and access management (IAM), we have One Ring to Rule Them All. An intelligent, interconnected nexus for IAM can not only benefit from a centralized digital transformation (DX) platform, it can also feed it. We all get smarter together.
So how does that work? I’m glad you asked me, because I’m an expert. Just take my word for that.
Let’s re-examine IAM from a few new perspectives:
- I am more than just credentials – I am other factors
- I get to pick my own factors
- The IAM platform learns as we go along together
- I teach the platform how to talk to me, for my benefit and its own
- My actions, and those of everybody else, make the experience better and safer for all of us
- Somebody might actually be able to make a buck off this, too
First off, credentials don’t go away, but they get redefined. Various software vendors have long predicted the “death of passwords,” and they were way, way ahead of things: the technology had barely arrived, and the adoption absolutely had not. That time has finally come. Passwords can still get you to the most basic access, but more sensitive assets may require more powerful factors. Credentials themselves have been transformed. Through the use of FIDO (Fast IDentity Online) and similar technologies, you can use your personal device to authenticate your desktop session. Open your laptop app, give it your username, then wait for it to show you a QR code. Scan it with your smartphone, and that action circles back to fully open the session. Or maybe the application tells you to get on your smartphone and give it your thumbprint. Or your face, or voice. That biometric never leaves the phone; what it does is unlock a private key that signs a one-time challenge from the application, and THAT signed challenge authorizes your desktop. Or the application sends a one-time password or other PIN to your device, and you enter THAT into your desktop to open up full access. In the FIDO case there is no password to steal: the server holds only a public key, and a challenge signed for a look-alike site won’t verify at the real one. (A typed-in one-time code is still a secret you type, so it can still be phished; it is a big step up from a static password, not the end of the road.) Sure, somebody could steal your thumb, but in that instance, you’ve got bigger things to worry about than your app.
In order to use these advanced options, you first have to register them. You register your device, so that you and ONLY you can use it to access corporate resources, or your bank account. You enroll your fingerprint, your face, your voice on that device; the service never sees them, only the device’s public key. When it’s time to authenticate, the biometric unlocks the key on your personal device, the device signs the server’s challenge, and in you go. Imagine you’ve told your phone how to recognize your finger and face and voice. When it’s time to authenticate, you pick the method you like that day.
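The registration and challenge-response flow these two paragraphs describe, as an added example; it is not code from the original post or from any FIDO product. It models the phone as an in-process struct, uses Ed25519 for the device key (an assumption: a real authenticator uses whatever algorithm the relying party negotiated), and uses a made-up origin `https://portal.example` and user `alice`. The relying party stores nothing but a public key, a challenge can be used once, and an assertion signed for a look-alike origin does not verify.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Authenticator stands in for the user's phone. The private key is minted on
// the device and never leaves it; it only signs after a local biometric or PIN
// check, which this model simulates with the unlocked flag.
type Authenticator struct {
	priv     ed25519.PrivateKey
	unlocked bool
}

// RelyingParty is the server side. Per user it stores nothing but a public
// key: no password hash and no shared secret, so a dump of this table gives an
// attacker nothing to replay. pending holds one-time challenges, hex-encoded.
type RelyingParty struct {
	Origin  string
	creds   map[string]ed25519.PublicKey
	pending map[string]bool
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{Origin: origin, creds: map[string]ed25519.PublicKey{}, pending: map[string]bool{}}
}

// Register runs once: the device mints a key pair and hands only the public
// half to the relying party, which files it under the user's name.
func (a *Authenticator) Register(rp *RelyingParty, user string) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	a.priv = priv
	rp.creds[user] = pub
	return nil
}

// NewChallenge is the random nonce behind the QR code or push notification,
// recorded so that it can be accepted exactly once.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	rp.pending[hex.EncodeToString(ch)] = true
	return ch, nil
}

// Unlock is the local biometric or PIN check; the fingerprint never leaves the device.
func (a *Authenticator) Unlock(matched bool) { a.unlocked = matched }

// signedData binds the challenge to the origin the client saw, so a signature
// minted for a look-alike site will not verify at the real one.
func signedData(origin string, challenge []byte) []byte {
	prefix := fmt.Sprintf("%d:%s:", len(origin), origin) // length-prefixed to avoid ambiguity
	return append([]byte(prefix), challenge...)
}

// Assert signs the challenge for the origin the client app observed. One
// unlock buys exactly one signature.
func (a *Authenticator) Assert(observedOrigin string, challenge []byte) ([]byte, error) {
	if a.priv == nil || !a.unlocked {
		return nil, errors.New("authenticator unregistered or locked: biometric or PIN required")
	}
	a.unlocked = false
	return ed25519.Sign(a.priv, signedData(observedOrigin, challenge)), nil
}

// Verify checks the signature against the stored public key for the relying
// party's own origin, and retires the challenge whatever the outcome.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	key := hex.EncodeToString(challenge)
	if !rp.pending[key] {
		return false // unknown or already-used challenge
	}
	delete(rp.pending, key)
	pub, ok := rp.creds[user]
	return ok && ed25519.Verify(pub, signedData(rp.Origin, challenge), sig)
}

func main() {
	rp := NewRelyingParty("https://portal.example")
	phone := &Authenticator{}
	phone.Register(rp, "alice") // errors only if the system RNG fails
	ch, _ := rp.NewChallenge()  // shown as a QR code, scanned by the phone
	phone.Unlock(true)          // thumbprint matched on the phone
	sig, _ := phone.Assert(rp.Origin, ch)
	fmt.Println("genuine:", rp.Verify("alice", ch, sig)) // true
	fmt.Println("replay:", rp.Verify("alice", ch, sig))  // false: challenge already retired
	ch2, _ := rp.NewChallenge()
	phone.Unlock(true)
	sig2, _ := phone.Assert("https://portal-example.com", ch2) // relayed through a look-alike site
	fmt.Println("phished:", rp.Verify("alice", ch2, sig2))     // false: wrong origin
}
```

The two things worth noticing are what the server does not have (a password hash) and what the attacker cannot do with a stolen assertion (replay it, or obtain it through a proxying phishing page, because the origin is part of what gets signed).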
NOW … every time you log in, ask for resources, navigate a site, you are feeding that audit data. But now, that data isn’t just getting logged for possible autopsy later. It is getting curated, contextualized, segmented, to fuel even more powerful identity methodologies.
It’s long been a capability of access management systems to limit access based on IP address or time. But now, every time a user authenticates and moves around, that curated data set is being fed with their own behavior.
If you fly out of New York and land in Frankfurt, but don’t bother telling your credit card company you’re leaving the continent, you might very well get shut down in that very first German gift shop. You dummy, you. Behavioral profiles, built on top of historical user activity, can now be far more in-depth. Users can be profiled not only on their own behavior but also against their peers. Anybody else from the same location, with the same company title, the same travel habits, same hat size, WHATEVER, becomes part of a giant pool for analysis. The more bodies, the more activity, the more accurate the modeling becomes, until you synthesize a muscular pattern for determining if somebody is really who they say they are.
A few years ago, an investigative TV show sold what appeared to be a stolen credit card online. The bad guys who bought the card used it to purchase some very mundane items. Dog food, detergent. They wanted to make sure the card was legit, AND to not raise alarms. Only then did they start buying expensive jewelry. This is what adaptive authentication tech can handle. When a session takes a strange turn, one that is out of the norm, those intelligent, cognitive, history-based profiles kick in, and kill the bad guy’s session. But less reliance on simple credentials and stronger requirements for stronger factors eliminates a lot of those bad guys’ chances in the first place. User governance is digitally transformed by user behavior and user attributes.
And when the platform knows how I should act, or how people LIKE me should act, it may very well decide to approach me in a different way. If I start doing things at a strange hour, from a strange IP, using a strange device, and at a different volume, I get challenged. “I trusted you when you logged in, but now you’re trying to download too many engineering docs in a single hour. Maybe you’re a thief, or maybe you’re quitting and attempting to take a bunch of collateral with you. So now I’m going to keep you from going forward until you answer some challenge questions, or I demand your fingerprint or voice print or face, or make you dance the Macarena to prove it’s really you.”
Cognitive models can do a little more than just keep the bad guys out. Remember Germany and the cut-off credit card? Now imagine you’re at the last gas station before you cross the desert, and you find out that a false alarm at the last trading post has left you without a valid card. Ouch, you’re stuck. A model that was too twitchy just did real damage to a legitimate customer. Accurate models, built on enough history and enough peers, also prevent those false positives.
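A toy version of the scoring the last four paragraphs describe, added here as an illustration; it is not taken from the original post or from any vendor’s product. The history, the users, the job titles used as the peer group, and the weights and thresholds are all constructed for the example, and a real engine would learn them from volume. It shows the three behaviors the text calls for: a country the user has never visited scores low when peers have been there (the Frankfurt false positive), a document-download rate far above the user’s own peak triggers a step-up challenge even on an otherwise normal session, and a pile-up of unusual country, hour, device and volume kills the session.

```go
package main

import "fmt"

// Event is one authentication or in-session action as the access layer logs
// it. Title pools the user with peers; Docs is documents fetched this hour.
type Event struct {
	User, Title, Country, Device string
	Hour, Docs                   int
}

// Profile is what the platform has learned: how often each country, hour and
// device has appeared, and the busiest document rate ever seen.
type Profile struct {
	Countries map[string]int
	Hours     map[int]int
	Devices   map[string]int
	MaxDocs   int
}

func profile(set map[string]*Profile, key string) *Profile {
	if set[key] == nil {
		set[key] = &Profile{Countries: map[string]int{}, Hours: map[int]int{}, Devices: map[string]int{}}
	}
	return set[key]
}

// Model keeps one profile per user and one per peer group (job title here).
type Model struct{ users, peers map[string]*Profile }

// Learn folds one event into the user's and the peer group's profiles, so
// every login keeps training the model.
func (m *Model) Learn(e Event) {
	if m.users == nil {
		m.users, m.peers = map[string]*Profile{}, map[string]*Profile{}
	}
	for _, p := range []*Profile{profile(m.users, e.User), profile(m.peers, e.Title)} {
		p.Countries[e.Country]++
		p.Hours[e.Hour]++
		p.Devices[e.Device]++
		if e.Docs > p.MaxDocs {
			p.MaxDocs = e.Docs
		}
	}
}

// Score rates an event against the user's own history and the peer pool and
// returns the score, a decision (ALLOW, STEP_UP or DENY) and the reasons that
// fired. Weights and thresholds are illustrative, not tuned values.
func (m *Model) Score(e Event) (int, string, []string) {
	u, peer := m.users[e.User], m.peers[e.Title]
	if u == nil {
		return 50, "STEP_UP", []string{"no history for user"}
	}
	score, why := 0, []string{}
	hit := func(points int, reason string) { score += points; why = append(why, reason) }
	switch {
	case u.Countries[e.Country] > 0: // the user has been here before
	case peer != nil && peer.Countries[e.Country] > 0:
		// New for the user but familiar to peers (an offsite, a customer
		// site): the Frankfurt case, a nudge rather than an alarm.
		hit(10, "country new for user but seen among peers")
	default:
		hit(40, "country never seen for user or peers")
	}
	if u.Hours[e.Hour] == 0 {
		hit(15, "unusual hour")
	}
	if u.Devices[e.Device] == 0 {
		hit(30, "unregistered device")
	}
	if e.Docs > 3*u.MaxDocs {
		hit(35, fmt.Sprintf("document volume %d far above user's own peak of %d", e.Docs, u.MaxDocs))
	}
	switch {
	case score >= 70:
		return score, "DENY", why // kill the session
	case score >= 30:
		return score, "STEP_UP", why // demand a stronger factor before going on
	}
	return score, "ALLOW", why
}

// History is constructed sample data, not real logs: alice and bob are
// engineers in one office, bob spent two days at an offsite in Germany, and
// carol in sales has never travelled.
var History = []Event{
	{"alice", "engineer", "US", "alice-laptop", 9, 12},
	{"alice", "engineer", "US", "alice-laptop", 14, 15},
	{"alice", "engineer", "US", "alice-laptop", 16, 20},
	{"bob", "engineer", "US", "bob-laptop", 9, 10},
	{"bob", "engineer", "DE", "bob-laptop", 14, 8},
	{"carol", "sales", "US", "carol-phone", 11, 2},
}

func main() {
	m := &Model{}
	for _, e := range History {
		m.Learn(e)
	}
	// Alice on bob's Frankfurt trip: ALLOW. Same trip with a bulk download: STEP_UP.
	fmt.Println(m.Score(Event{"alice", "engineer", "DE", "alice-laptop", 14, 16}))
	fmt.Println(m.Score(Event{"alice", "engineer", "DE", "alice-laptop", 14, 200}))
}
```

The reasons slice is the part an operator actually needs: a step-up with no stated cause is indistinguishable from a bug, and a denial with one is what makes the false-positive case reviewable.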
Just one more little wrinkle. All that user data might be of use to others. Cognitive models could serve any number of communities. Behavioral profiles gathered from large enough samples could have value for any organization looking to isolate bad players and avoid blacklisting good ones. That value could very well be monetary. We helped a large manufacturer start a revenue stream involving the ongoing sale of literally billions of dollars of its usage data. We helped a retail chain monetize its API services, also to the tune of billions. Properly anonymized user data, behavioral rather than identifiable, could be a gold mine, though “properly” is doing a lot of work in that sentence: behavioral patterns are exactly the kind of thing that can re-identify a person, so the anonymization has to be tested, not assumed.
Transforming how we introduce ourselves to our digital platforms can improve the process for all of us in a loop that’s –
- Closed because it continually secures our access by leveraging that same access, and
- Open because it’s perpetually assimilating new data.
Does that make any sense to you? Of COURSE not. You’re not an expert like me. But it works. Just take my word for it.
- Jeffrey Scheidel – Senior Director, Digital Sales