The importance of Risk-Based Access in today’s mobility driven world
Melissa Stevens | Tags: mobile security, risk, ibmsecurity
This post is written by Archit Lohokare, Product Manager for IBM Security Systems.
By now, Matt Honan's nightmarish experience of his accounts being hacked has been echoed by many other individuals who have faced similar disruptions to their online lives. Matt's Twitter account was even used as a platform to broadcast racist and homophobic messages. His AppleID account, too, was broken into, and all the data on his iPhone, iPad and MacBook was remotely erased. One of the ways he could have limited or even prevented the damage would have been to use multi-factor authentication or risk-based access to protect his accounts.
Incidents like these can have even more far-reaching consequences and a much larger negative impact when the applications and information in question are sensitive and belong to an enterprise. Growing trends like Bring Your Own Device (BYOD) and mobility have resulted in enterprise users expecting access to applications and data from anywhere, at any time. With this comes the added risk of users losing their mobile devices, which often have cached usernames and passwords for critical enterprise applications. Can you imagine the extent of risk and potential damage you are exposed to if your organization's CEO has his mobile phone stolen?
Here is where Risk-Based Access (RBA) Control can help secure your organization's information assets. Risk-Based Access refers to the idea of making and enforcing an access decision based on a risk assessment of the transaction, where static and contextual attributes are used to calculate the risk. The risk assessment is used to determine whether the user should be permitted, denied, or permitted only after providing some further proof of authentication when accessing the information he or she wants.
For example, let's assume your CEO typically accesses his web-based email only from within the corporate network. In such cases, the Risk-Based Access capability built into IBM Security Access Manager for Cloud and Mobile (ISAM for Cloud and Mobile) will allow your CEO to log in with just his username and password. Now, imagine your CEO's mobile device gets stolen by a malicious outsider who tries to log in to the corporate email with the cached username and password from outside the corporate network. ISAM for Cloud and Mobile will recognize this as an external access and will ask for a one-time password (OTP) in addition to the username and password. That way, the outsider will not be able to log in without providing an additional factor of authentication.
So how does ISAM for Cloud and Mobile know when to ask your CEO for an additional factor of authentication? ISAM for Cloud and Mobile calculates a risk score based on many static user attributes and transactional context-based attributes (the user's location, the operating system of the client, the IMEI number of the device, etc.). It also takes into account behavioral attributes, such as whether the access occurs at a time when unauthorized access is most likely, to further augment the risk score. Based on this risk score, your CEO is then permitted or denied access, or is requested to provide additional factors of authentication.
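As an added illustration (not IBM's or ISAM's code) of how a risk-based access decision of this kind can be structured: a constructed scoring policy in Python that weighs static attributes (enrolled device, usual working hours) against contextual ones (source network, client OS, time of request) and maps the score to permit, step-up with an OTP, or deny. The network ranges, weights, thresholds and sample requests are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed corporate address ranges and expected client platforms; both are assumptions.
CORPORATE_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
EXPECTED_CLIENT_OS = {"iOS", "macOS"}

@dataclass(frozen=True)
class UserProfile:
    """Static attributes known about the user before the request arrives."""
    username: str
    registered_devices: frozenset  # device identifiers (e.g. IMEI) enrolled for this user
    usual_hours: range             # local hours at which this user normally works

@dataclass(frozen=True)
class AccessContext:
    """Contextual attributes observed on this particular transaction."""
    source_ip: str
    device_id: str
    client_os: str
    access_time: datetime

def risk_score(profile: UserProfile, ctx: AccessContext) -> int:
    """Sum weighted risk signals; the weights are illustrative, not a product's."""
    score = 0
    src = ip_address(ctx.source_ip)
    if not any(src in net for net in CORPORATE_NETWORKS):
        score += 40  # request comes from outside the corporate network
    if ctx.device_id not in profile.registered_devices:
        score += 30  # device is not one enrolled for this user
    if ctx.access_time.hour not in profile.usual_hours:
        score += 20  # outside the hours this user is normally active
    if ctx.client_os not in EXPECTED_CLIENT_OS:
        score += 10  # unfamiliar client platform
    return score

def decide(profile: UserProfile, ctx: AccessContext) -> str:
    """Map the score to PERMIT, STEP_UP_OTP (permit only after an OTP) or DENY."""
    score = risk_score(profile, ctx)
    return "DENY" if score >= 70 else "STEP_UP_OTP" if score >= 40 else "PERMIT"
# Constructed sample data: a CEO profile and three requests (all values are made up).
CEO = UserProfile("ceo", frozenset({"356938035643809"}), range(8, 19))
SCENARIOS = {
    "office_registered_phone": AccessContext("10.1.2.3", "356938035643809", "iOS", datetime(2012, 8, 8, 10)),
    "stolen_phone_external": AccessContext("203.0.113.7", "356938035643809", "iOS", datetime(2012, 8, 8, 14)),
    "unknown_device_at_night": AccessContext("198.51.100.9", "000000000000000", "Android", datetime(2012, 8, 8, 3)),
}
def evaluate_scenarios() -> dict:
    return {name: decide(CEO, ctx) for name, ctx in SCENARIOS.items()}
```

The second scenario is the stolen-phone case from the text: the device and credentials are valid, but the external source pushes the score into the step-up band, so an OTP is required before access is granted.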
Risk-based access and multi-factor authentication might have spared Matt Honan the pain associated with getting his life hacked into. And so it would, for your CEO and your organization!