September 2, 2019

IT Security Is NOT A Binary Decision

Yes or no? Good or bad? Applicable or not applicable? Permissible or not permissible? Access granted or denied? It seems that since the dawn of cognitive thought, humans have separated matters of security into a simple binary decision: should we allow them entry or deny them access? In days of old, when all that was needed was a strong fortification around a defined perimeter, this strategy made total sense. However, now that the world has become digital and the concept of boundaries has been blurred beyond all recognition, this binary access strategy also needs a major shift.

Guns, Gates and Guards-Based Security

Since the start of the digital age, IT security has mimicked the security concepts of medieval castles: the guns, gates and guards at the perimeter that kept the bad guys out became their digital equivalent, identity authentication that lets only the good guys access your precious IT resources. This binary approach to IT security is unfortunately one of the primary reasons cyber criminals are so successful. It relies almost exclusively on the ubiquitous login/password combination, with maybe a little bit of 2FA or MFA to provide a perceived layer of comfort.

A friendly reminder question you should ask yourself is: “Why Are You Still Using Passwords When They've Already Been Hacked?”. This question is important not only because it sets the stage for a password-less solution, but also because it tees up another question: whether or not you should do event- or process-driven authentication.

As you can imagine, the cost of each breach can be astronomical.

Binary Versus Continuous Cyber Security

In order to access an IT resource, a user needs to authenticate first (i.e. log in). The original and still most prevalent method of doing this is binary authentication, which is based on a simple username and password combination that then allows an individual complete access to the resource until they log out.

The downside of binary authentication is best described by Roger Grimes in his CSO article titled “What is continuous user authentication? The best defense against fraud”:

“Binary authentication allows you to do nothing (not authenticated) or everything previously allowed (after a successful authentication). The biggest negative of this type of authentication is that if bad guys get your credentials, they can do anything including deleting your account. If they create a new fake account on a legitimate system, they can use it as a base for all sorts of badness.”

Roger Grimes continued in his article that:

“But with continuous user authentication, benign behavioral attributes are consistently evaluated and compared to an established pattern. Deviation from the established pattern may trigger a step-up authentication for higher risk application functions. It’s a fantastic idea that makes evaluating user behavior only at the logon sound so horse-and-buggy. How did we ever survive with that archaic security model?”

Put more succinctly, cyber credentials are continuously being reauthenticated during a session to ensure you are still you and not a bad actor impersonating you.
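To make the contrast between the two models concrete, here is a small added illustration; it is not Acceptto's code and not from Grimes's article. It assumes a constructed behavioral baseline (typing cadence, usual networks, usual hours), illustrative risk weights and per-action step-up thresholds, and a simple learning step that adds a newly verified network to the baseline after a successful step-up. The binary model allows every action once a login succeeded; the continuous model re-scores every event and either allows it, demands a second factor for a sensitive action, or ends the session when nothing about the event matches the user.

```python
"""Binary vs. continuous session authentication (added illustration, constructed values)."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class BehaviorProfile:
    """Baseline learned at enrollment; the sample numbers below are constructed, not telemetry."""
    typing_ms: list        # typical inter-keystroke intervals in milliseconds
    usual_networks: set    # networks the user normally connects from
    usual_hours: range     # local hours the user is normally active


@dataclass
class Event:
    hour: int
    network: str
    typing_ms: float
    action: str            # e.g. "read", "transfer", "delete_account"


# Assumed thresholds: risk above which an action needs step-up (lower = stricter).
STEP_UP_THRESHOLD = {"read": 0.7, "transfer": 0.4, "delete_account": 0.2}
TERMINATE_RISK = 0.95      # assumed: strong evidence the session is hijacked


def make_profile() -> BehaviorProfile:
    """Constructed enrollment baseline for one user."""
    return BehaviorProfile([110, 120, 115, 125, 130], {"corp-lan"}, range(8, 19))


def risk_score(profile: BehaviorProfile, ev: Event) -> float:
    """0.0 = matches baseline, 1.0 = nothing matches. Weights are illustrative assumptions."""
    mu, sd = mean(profile.typing_ms), pstdev(profile.typing_ms) or 1.0
    z = abs(ev.typing_ms - mu) / sd
    score = min(z / 4.0, 1.0) * 0.5         # 4 sigma away earns the full typing penalty
    if ev.network not in profile.usual_networks:
        score += 0.3
    if ev.hour not in profile.usual_hours:
        score += 0.2
    return min(score, 1.0)


def binary_decision(logged_in: bool, ev: Event) -> str:
    """Password-only model: once logged in, every action is allowed until logout."""
    return "allow" if logged_in else "deny"


class ContinuousSession:
    """Re-evaluates the user on every event instead of only at login."""

    def __init__(self, profile: BehaviorProfile):
        self.profile = profile
        self.active = True
        self.pending_step_up = None     # event waiting for a second factor

    def evaluate(self, ev: Event) -> str:
        if not self.active:
            return "deny"
        risk = risk_score(self.profile, ev)
        if risk >= TERMINATE_RISK:
            self.active = False         # nothing matches the user: end the session
            return "terminate"
        if risk >= STEP_UP_THRESHOLD.get(ev.action, 0.5):
            self.pending_step_up = ev   # sensitive action under deviation: ask for a second factor
            return "step_up"
        return "allow"

    def complete_step_up(self, passed: bool) -> str:
        """Outcome of the second factor: pass allows the action and learns the new context."""
        ev, self.pending_step_up = self.pending_step_up, None
        if ev is None:
            return "deny"
        if not passed:
            self.active = False
            return "terminate"
        self.profile.usual_networks.add(ev.network)   # illustrative adaptation of the baseline
        return "allow"


if __name__ == "__main__":
    session = ContinuousSession(make_profile())
    normal = Event(10, "corp-lan", 118, "read")
    hijack = Event(3, "unknown-vpn", 260, "transfer")      # constructed hijacked-session event
    for ev in (normal, hijack):
        print(ev.action, "binary:", binary_decision(True, ev),
              "continuous:", session.evaluate(ev))
```

The same hijacked-session event is allowed by the binary model and terminated by the continuous one; a mildly unusual context (a new network) only triggers step-up for sensitive actions such as account deletion, while routine reads continue uninterrupted.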

We have written extensively on the need for “Continuous Authentication = Continuous Protection”, cautioned you on the differences between “Insider Versus Outsider Threats”, and provided “A Case For Cognitive Continuous Authentication”. In short, there is copious information, facts and cited sources on the value of migrating your IT security strategy from one that is binary-based to one that is continuous-based.

Continuous Behavioral Authentication

The bottom line here is that any successful IT Security strategy needs to take into account that IT Security is not a binary decision. Acceptto was the first to understand, develop and deliver continuous authentication. Our company was built on the foundation that continuous authentication is the only way to ensure digital credentials are being used solely by the person those credentials represent, and not by some imposter or someone hijacking a device that person has correctly authenticated.

Acceptto’s eGuardian engine continuously creates and monitors user behavior profiles based on the user’s interaction with the It’sMe authenticator. Every time an activity occurs, actionable intelligence is gathered and used to optimize the user profile. eGuardian is capable of autonomously and continually learning new policies and adapting existing ones. While policies can still be manually defined and contribute to the computation, our Biobehavioral AIML approach automatically finds the optimal policy for each transaction. eGuardian leverages a mixture of AI & ML, expert systems and SMEs to classify, detect and model behavior, and assigns real-time risk scores to continuously validate your identity prior to, during and after authentication.

Download the Enterprise Management Associates’ Ten Priorities For Identity Management in 2019 today, and then check out what Acceptto can do to ensure your employees, partners and customers can authenticate without passwords while still ensuring security and privacy, by registering for a free demo today.
