Risk management and cybersecurity aren’t the same thing. While the two are closely related, they have different aims, and one needs to be addressed first before the other can be effective. To stay ahead of potential attackers and protect critical data, organizations need to start by understanding and quantifying the cyber risk they are accepting across their whole organization before deciding which security solutions they need to implement.
In no place is this truer than with Identity and Access Management (IAM) solutions that organizations use to decide who can have access, to what, and how they prove their identity to gain access. Understanding the level of cyber risk is critical when deciding what authentication methods to use, the ins and outs of an IAM plan, and how to implement it.
Risk vs. Security
Cybersecurity, and specifically IAM, looks at whether the right people are gaining access to the right data and resources for the right reasons, at the right time. We can think of security as being tactical, having a distinct end goal with clear steps that are required to reach it. In the case of IAM, that goal is simply to be able to authenticate legitimate users and prevent adversaries from gaining access.
Risk management on the other hand, is more strategic. Rather than having a clearly laid out path, it is the process of attempting to understand the threat landscape, the assets being protected, and making informed decisions as to what will keep those threats at bay. It requires the understanding that nothing is ever 100% certain, and no matter what technology is being used to keep hackers out it is unlikely we will ever create a perfect, no risk environment. Risk management provides the blueprint for what needs to be prioritized and accomplished in an effective IAM strategy. Similar to a radar or heat map, assessing risk is what indicates what level of security is required and where.
Seeing the Risk
One place organizations need to focus on when assessing risk to inform their IAM strategy, and more specifically multi-factor authentication (MFA) strategy, is how users are authenticated. Relying on passwords alone is an inexpensive solution that requires little training or additional equipment, but the tradeoff is weak security and easily breached networks. Using MFA to layer authentication methods has become standard, and can prevent as much as 90% of cyberattacks. However, that percentage drops dramatically if weaker authentication methods are used or if there is a poor or inconsistent implementation across the organization. When choosing authentication methods, a thorough risk assessment needs to take place. Here are two places organizations need to focus on to achieve the highest levels of risk mitigation when implementing MFA.
Scalability Creates Gaps
As organizations grow, their needs change and new use cases and situations arise. The authentication method you picked a year ago, for example, may not work for all your users today. Having the wrong authentication method in place risks impeding business growth and the ability to scale. For example, hardware tokens that are distributed to users for authentication may work in small environments, but they become a logistical nightmare and expensive when working with many distributed users.
And phone-based authentication methods have a similar issue. While smartphones are becoming increasingly ubiquitous, they aren’t everywhere. The more diverse a group of users are the higher the likelihood that they cannot and/or refuse to use smartphones for authentication. That means users without smartphones, users in areas where phones aren’t accessible, and users who have recently switched devices are all completely left without another option. Instituting methods that do not rely on tokens or phones, such as centralized biometric methods like identity bound biometrics (IBB), where a unique biometric identity is centrally stored rather than on an intermediate device, is easily scalable and offers high availability. By using the person as the credential and having the ability to support one-to-many matching users can authenticate on any device, at any location, with nothing to remember or carry.
Friction Causes Users to Circumvent Controls
Another important question when establishing MFA is, will users engage in the right way? We all know that this is rarely the case with passwords. Whether it’s people using weak passwords (1234, password, etc.), having the same password across multiple platforms, or falling victim to increasingly sophisticated phishing exercises, the fatigue of keeping up with passwords causes many users to circumvent them all together and introduce increased levels of risk as they do so.
The friction on the user generated by using any authentication method inherently creates risk – if users aren’t using the system properly, it won’t stay secure. For example, hardware tokens are a great example of where things can go wrong. If a person has forgotten or lost their token, they are unlikely or unable to stop working and wait for the replacement to arrive, so they may borrow a token from another user. And right there the security has been compromised. The organization no longer knows who is being authenticated, merely that an authenticated token is being used.
To reduce the friction and create user friendly options, MFA needs to have multiple options to increase flexibility across different use cases. This means having a primary method that is both convenient and secure, as well as auxiliary methods in case users can’t use the primary. In the case of the user who lost their hardware token, giving them the option of using a biometric method or authenticator app instead will allow them to authenticate and not introduce the risks that come with sharing credentials.
Start With Risk
While all of us wish it were possible, there isn’t a perfect “risk free” outcome in today’s environment. As cyber professionals develop stronger encryptions, add layers of authentication, and lead the fight against breaches, hackers develop increasingly sophisticated tools for gaining unauthorized access. All that organizations can do is look to mitigate as much cyber risk as possible by having essential controls, including a proven IAM strategy.
Risk assessments inform an organization about where their vulnerabilities lie and what needs to be prioritized as they implement critical IAM solutions, such as MFA. Yet making sure that all risks, especially those introduced by implementing the wrong authentication methods, is essential for organizations to make sure they are covered where they need it.
