Implementing Identity and Access Control? Don’t Forget the Data!

Last week's European Identity and Cloud Conference (EIC), hosted by KuppingerCole in Munich, Germany, proved to be the start of a week full of conversations focusing on the questions and challenges surrounding identity. Conversations around terms and phrases such as “Centralized Identity”, “Hybrid-Cloud” and the latest hot topic of “Blockchain” filled the hall and exhibition center, but the one conversation binding them all was “Security”: more specifically, how to secure the actual data that identities are communicating without complicating the business process.

A clear trend is that cyber breaches have become more sophisticated. Establishing a user’s identity by user name and password is simply not enough to establish a secure, trusted user. The concept of a trusted user is a dying paradigm, as demonstrated by the many insider-attack breaches that are all too common in the industry. Trusting a user requires the additional information assurance of validating user behavior. And with that, we come to the crux of the conversations at EIC, which is security and identity together.

User behavior, even from trusted, authenticated users, should be enforced by access control technology, so that company assets and data are not exposed purely on the basis of an authenticated user. Rather, your technology architecture needs to understand the data the user is communicating and the context of that data. It is here that our CTO, Jason Macy, spoke to the need for “Multi-factor and Multi-context Authentication” in his presentation “Secure Identity Federation and SSO”.

You have probably heard of multi-factor authentication, but what is multi-context authentication? Multi-factor authentication is the means of requiring, dynamically or statically, multiple forms of acceptable authentication information in order to gain access to an application, resource, or service. Examples are a PKI certificate and a PIN, or a username/password and a challenge question. This higher level of access control raises the security threshold by leveraging the differing authentication factors available. Multi-context authentication is the analysis of the user and the data, such that authentication and authorization are inclusive of the behavior, i.e. the information being requested or retrieved by the user.

There are many aspects and solution approaches to identity and access control, and EIC brought together many industry experts and technologies with focused solutions to each area. Forum Sentry, a product leader in both Leadership Compass reports by KuppingerCole, provided a balance to the identity-only approaches by including data in the policy decisions. This changes the scenario from merely Identity Federation to Secure Identity Federation. If you missed our workshop presentation on this topic, which describes architectural gaps in existing strategies and how to unify, simplify, and deploy secure Identity Federation solutions, we invite you to download our presentation “Secure Identity Federation and SSO”, or contact us for a demo.