
idaptive.com

White Paper

The Rise of AI-Powered Identity Security


Table of Contents

Introduction: The times they are a’changin…

If I had a dollar every time someone said Identity is the new perimeter…

The Future is AI-Powered Identity Security

The Zero Trust Access Maturity Model
  Level 1: Basic Level of Maturity: Policy-Driven
  Level 2: Proficient Level of Maturity: Policy & Context-Driven
  Level 3: Optimized Level of Maturity: AI-Powered

Conclusion: You better start swimmin’ or you’ll sink like a stone…

©2019 Idaptive. All Rights Reserved. idaptive.com

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, email addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of IDaptive, LLC.

Idaptive may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Idaptive, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.


THE RISE OF AI-POWERED IDENTITY SECURITY

idaptive.com

Introduction: The times they are a’changin…

Enterprises, big and small, are experiencing huge changes in their application and infrastructure landscapes. They are rapidly marching to the cloud for much of their new application and infrastructure needs, while continuing to support their own data centers. In this hybrid world, they are constantly launching new services for their employees, partners, and customers.

IT and SecOps teams are stretched thin because deployment, management, and ever-changing policy configurations and updates create significant overhead for administrators and security operations personnel. Enterprises are also operating with a new workforce that refuses to accept anything short of a polished, Instagram-like experience with all their apps and devices. While all of this is happening, enterprises are constantly under threat of attacks and potential security breaches.

With all of these changes happening in quick-fire fashion, it is sometimes impossible to keep up with managing access, much less have confidence in who has access to what and what they are doing with that access.

The SaaS sector will reach a whopping $623 billion by the year 2023, at a compound annual growth rate of 18%.


If I had a dollar every time someone said Identity is the new perimeter…

We now live in a world of hybrid apps and infrastructure, anytime-anywhere access, the 1099 economy, a millennial workforce, interconnected devices, and IoT. Traditional network perimeters, protected by firewalls, are no longer sufficient to secure modern use cases. For example, a mobile worker using a personal device at a Starbucks to access a SaaS app never crosses the traditional network boundary. Identity and access have become the only common control plane to enforce security and manage access across all traditional and modern use cases.

However, many Identity and Access Management (IAM) projects fail due to complexity and drawn-out timeframes. The maintenance of traditional IAM solutions has also become tedious and complex. A large enterprise now has to create thousands of roles, create and maintain hundreds of attributes for its users, and manage tens of thousands of users across many directories. And most importantly, enterprises have to create, configure, and maintain thousands of policies to protect access to sensitive resources. A different approach is required.

The Future is AI-Powered Identity Security

Unlike traditional IAM systems, AI-powered identity solutions can operate without having to manually define, model, and manage user roles. These services function without complex and reactive rules or policy configurations, and can autonomously control access with step-up authentication to secure your organization.

AI-powered identity services employ unsupervised machine learning algorithms to develop user behavior models and continuously update them whenever new data or events become available.

Using these models, AI-powered systems can distinguish between users’ typical behavior and anomalous behavior in real time. This enables companies to assign a risk score to each access event and proactively invoke risk remediation steps, such as blocking user access, requiring additional authentication, or informing security teams of a potential attack.

So how do we get from where we are to this future state of AI-Powered Identity Security? That is where the Zero Trust Access Maturity Model comes in. This model, along with an experienced partner like Idaptive, can help you assess where you are today and what you should invest in next. And the good news is that Idaptive can help you achieve a greater maturity level through the Idaptive Next-Gen Access Platform.

Identity in today’s large enterprises requires discovering, modeling, and managing:

· Dozens of directories

· Hundreds of attributes

· Thousands of roles

· Tens of thousands of users

· Nearly uncountable policies


The Zero Trust Access Maturity Model

A Zero Trust approach to access security is based on the assumption that you can’t separate the “good guys” from the “bad guys” once they are inside your network. With a Zero Trust approach, no actor is trusted until they are verified, their device is validated, and their access is limited using the principle of least privilege. It is a holistic, strategic approach to security that ensures that everyone and every device granted access is who and what they say they are.

At Idaptive, we help customers adopt a Zero Trust approach to access security by implementing our AI-powered IAM solution. With Idaptive, customers move along the maturity model from Policy-Driven controls towards an access security framework that is based on AI-powered controls.

These levels of maturity can be examined across five key areas, each seeking to solve challenges related to security, risk, and access control:

· Directory or Identity Stores

· Authentication

· Authorization

· Governance

· Compliance

Figure: Zero Trust Access Maturity Model. The five pillars (Directory, Authentication, Authorization, Governance, Compliance) are mapped across three levels of maturity (LOM):

· Policy-Driven (Basic: LOM1): laborious & complex; hard to maintain & error prone; rigid & reactive

· Policy & Context-Driven (Proficient: LOM2): contextual & smarter; dynamic & comprehensive; flexible & proactive

· AI-Powered (Optimized: LOM3): unsupervised & autonomous; intelligent & insightful; learning & evolving

Level 1: Basic Level of Maturity: Policy-Driven

Getting to a basic level of IAM maturity can be challenging and often requires additional resources (people, time, and money) to deploy a basic IAM stack that attempts to address the five key challenges noted above. The key capabilities required to reach this level include a centralized, authoritative source of identities, an access management system that can enable multi-factor authentication (MFA), and a coarse-grained authorization system. Additionally, you need a governance system that enables automated provisioning, access certifications, and workflows.

Below are examples and descriptions of capabilities across the five key areas that help an organization achieve the Basic Level of Maturity.

Level 1: Basic Level of Maturity (Policy-Driven)

Pillar: Directory

Capability: Directory Synchronization
· Support multiple directories, both on-prem (AD, LDAP) and cloud directories such as Google and Azure AD.
· Create a reference store of identities and refresh it periodically and asynchronously by replicating identity data to the cloud.
· Prevent caching of passwords and always go to the directory source for authentication.

Capability: Directory Federation
· Support identity federation across directories through IdP chaining.
· Support SSO access to resources across business boundaries through directory federation.

Pillar: Authentication

Capability: Single Sign-On
· Support SSO to web and on-prem applications using the SAML, WS-Fed, and OIDC standards.
· Support access to on-prem apps without a VPN, offering a secure and seamless access experience to end users, customers, and partners.

Capability: Rules and Policy-Driven MFA
· Manually create and configure MFA policies based on users’ roles and other properties. The policies are often static, and the corresponding factors are manually chosen and rarely updated.

Capability: Step-up Authentication to Apps
· Decide which applications are sensitive or risky and then apply static step-up authentication rules based on basic conditions, such as the presence of cookies or source IP ranges.

Pillar: Authorization

Capability: Coarse-grained Authorization
· Grant access to resources and applications based on assigned user roles (RBAC).

Pillar: Governance

Capability: Periodic Access Reviews & Certification
· Configure and run attestation campaigns for designated approvers to periodically review users’ privileges in various resources and approve or deny access.
· Provide offline and online access certification methods along with closed-loop remediation when access or entitlements need to be revoked.

Capability: Automated Provisioning
· Sync users from trust sources, such as HR systems, and provision user access to downstream apps (along with entitlements) based on user attributes or the groups/roles the user belongs to.
· Re-evaluate access and grant or revoke access to resources and entitlements when user attributes change.
· Automatically remove all access and entitlements when a user is terminated in the trust source.

Capability: Entitlements Management
· Manage fine-grained access entitlements within resources based on assigned roles or user attributes.
· Synchronize entitlements from each of the target apps.
· Define policies to associate entitlements with users based on their role and attribute conditions.
· Automatically evaluate entitlements to ensure access is appropriate.

Pillar: Compliance

Capability: Identity Incident Reports & Dashboards
· Support basic reporting capability to gain visibility into user access.
· Provide a set of out-of-the-box dashboards and widgets.

Note: Few vendors provide the capability for customers to build custom reports and customize the dashboard widgets based on user preference.


In this level of maturity, policy-driven access controls are laborious and complex in nature, often requiring the definition and management of thousands of custom rules and policies. These rules and policies are hard to maintain over time and often end up causing complex errors where users can get locked out, or worse yet, get access to applications and data they shouldn’t have access to. They are often rigid and can be difficult to change, test, and deploy in production. These rules are often reactive and put into place only after breaches.
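The following Python script is an added example and is not part of this paper or of the Idaptive platform. It works through the Automated Provisioning rows of the Level 1 table above as code: a trusted HR feed determines what each user should hold, the plan is the difference between that and what the target apps currently grant, so a department change revokes the old entitlements and grants the new ones, and a termination revokes everything. It goes one step beyond the table by also revoking accounts the apps still hold for users the HR feed no longer lists, which the same comparison yields. The HR records, birthright rules, and entitlement names are constructed for illustration.

```python
"""Birthright provisioning reconciliation driven by an HR source of truth.

Added example (not Idaptive code). Models the Level 1 "Automated Provisioning"
capability: sync users from a trusted source, grant entitlements from
attributes, re-evaluate on attribute change, revoke everything on termination.
All records and rules below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class HrRecord:
    user: str
    status: str          # "active" or "terminated"
    department: str
    manager: bool = False


# Constructed birthright policy: (predicate over HrRecord, entitlements granted).
# Entitlements are "app:entitlement" strings as synchronized from target apps.
BIRTHRIGHT_RULES = [
    (lambda r: True,                          {"sso:portal", "mail:mailbox"}),
    (lambda r: r.department == "Finance",     {"erp:ap_clerk"}),
    (lambda r: r.department == "Engineering", {"github:developers"}),
    (lambda r: r.manager,                     {"hr:team_view"}),
]


def desired_entitlements(record: HrRecord) -> set[str]:
    """Entitlements a user should hold given current HR attributes.

    A terminated user is entitled to nothing regardless of other attributes;
    this is what makes a termination in the trust source revoke all access.
    """
    if record.status != "active":
        return set()
    wanted: set[str] = set()
    for predicate, grants in BIRTHRIGHT_RULES:
        if predicate(record):
            wanted |= grants
    return wanted


def reconcile(hr_feed, current) -> dict:
    """Plan that moves `current` (what the apps grant) to the desired state.

    hr_feed: iterable of HrRecord, the trusted source.
    current: {user: set of entitlements} synchronized from the target apps.
    Returns {"grant": {user: set}, "revoke": {user: set}} holding only the
    deltas, so re-running after applying the plan yields an empty plan.
    """
    plan = {"grant": {}, "revoke": {}}
    seen = set()
    for record in hr_feed:
        seen.add(record.user)
        have = current.get(record.user, set())
        want = desired_entitlements(record)
        if want - have:
            plan["grant"][record.user] = want - have
        if have - want:
            plan["revoke"][record.user] = have - want
    # Added check beyond the table: accounts the apps still hold for users the
    # HR feed does not know about are orphans and get everything revoked.
    for user, have in current.items():
        if user not in seen and have:
            plan["revoke"][user] = set(have)
    return plan


# Constructed sample state: alice unchanged (manager in Finance), bob moved from
# Finance to Engineering, carol terminated, dave is a new hire, and "svc_old"
# exists only in the apps.
HR_FEED = [
    HrRecord("alice", "active", "Finance", manager=True),
    HrRecord("bob", "active", "Engineering"),
    HrRecord("carol", "terminated", "Finance"),
    HrRecord("dave", "active", "Engineering"),
]
CURRENT_STATE = {
    "alice": {"sso:portal", "mail:mailbox", "erp:ap_clerk", "hr:team_view"},
    "bob": {"sso:portal", "mail:mailbox", "erp:ap_clerk"},
    "carol": {"sso:portal", "mail:mailbox", "erp:ap_clerk"},
    "svc_old": {"github:developers"},
}

if __name__ == "__main__":
    for action, changes in reconcile(HR_FEED, CURRENT_STATE).items():
        for user, ents in sorted(changes.items()):
            print(f"{action:6} {user:8} {sorted(ents)}")
```

Because the plan is computed as a set difference against the trusted source rather than as a sequence of event handlers, a missed or replayed HR event cannot leave a user with stale access: the next reconciliation run converges to the same state.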

Level 2: Proficient Level of Maturity: Policy & Context-Driven

Organizations at this level have moved beyond basic policy and rule-driven IAM controls, to ones that leverage context collected from the ecosystem of applications, endpoints, and software installed across the enterprise. This context is based on data points associated with each access request. For example, you can analyze the user’s IP address, physical location, device operating system, and timing of the request before granting access to applications or data. Given the dynamic nature of context, these rules are smarter, more flexible, and can adapt to a variety of different scenarios under which end-users are accessing resources. Some examples of the Proficient maturity level IAM controls are described below.

Level 2: Proficient Level of Maturity (Policy & Context-Driven)

Pillar: Directory

Capability: Virtual Directory & Account Linking
· Link user accounts between multiple directory services and augment user profiles with additional attributes without replicating identity data to the cloud.

Capability: Adaptive MFA for Federated Users
· Enforce uniform multi-factor authentication requirements across linked accounts, or standardize on one directory with a robust MFA policy.

Pillar: Authentication

Capability: MFA Based on Device, Network, Location, and Time Context
· Use device, network, location, and time context to evaluate access events and require multi-factor authentication for anomalous requests.

Capability: Adaptive Step-up Authentication to Apps and Endpoints
· Use contextual access rules to control access to applications.
· Manually associate authentication profiles with applications based on the required level of authentication assurance.

Pillar: Authorization

Capability: Policy-Driven Dynamic Fine-grained Authorization
· Create dynamic access rules based on the attributes of the user (ABAC).

Pillar: Governance

Capability: Change-Driven Access Reviews & Certification
· Trigger access certification processes based on changes to user role assignments or user profile updates.

Capability: Access Requests & Workflows
· Allow users to request additional access to resources and entitlements that are not granted by the policies defined for their role.
· Support integration with ITSM solutions to handle complex workflows and requests for disconnected systems, for example provisioning users to laptops, mobile devices, or systems that have no connector and require manual provisioning.

Pillar: Compliance

Capability: Identity Incident Investigation & Tracing
· Provide insights into security incidents and policy violations.
· Support the ability to investigate vulnerabilities and identify incident root causes.

Capability: Incident Automated Response Orchestration
· Define policies to notify appropriate personnel when a security incident is detected.
· Support integration with ITSM tools for ticket-based manual remediation or automated remediation (disable user, lock device, force password reset, terminate user session).


Idaptive has enabled many of our customers to implement the core capabilities you see in the table above with our Next-Gen Access Platform. Capabilities such as adaptive MFA for all users and endpoints, role-based access control authorization, and identity incident investigation have helped our customers to protect access to their sensitive resources without impacting end-user productivity.
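The following Python script is an added example, not code from this paper or from the Idaptive platform. It puts the Level 1 and Level 2 tables above side by side for one access request: the Level 1 rules are the static kind the tables describe (MFA keyed on role, step-up keyed on a source IP range and the presence of a remembered-browser cookie), while the Level 2 rules weigh device posture, network, location, and time together. The corporate address ranges, sensitive apps, user profile, and the two requests are constructed; the decision thresholds are an assumption, not a recommendation.

```python
"""Step-up decisions at Level 1 (static policy) and Level 2 (policy plus
context) for the same access request.

Added example, not Idaptive code. Network ranges, apps, roles, the per-user
profile and the requests are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime

# Constructed corporate address space and the apps deemed sensitive.
CORPORATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.0/24")]
SENSITIVE_APPS = {"payroll", "erp"}

# Constructed per-user context profile, used only by the Level 2 rules:
# countries the user normally works from and the usual working hours.
PROFILES = {"alice": {"countries": {"US", "CA"}, "hours": (8, 19)}}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    app: str
    source_ip: str
    has_device_cookie: bool   # Level 1 signal: a "remember this browser" cookie
    device_managed: bool      # Level 2 signal: MDM-enrolled, compliant device
    country: str              # Level 2 signal: geolocated request origin
    when: datetime            # Level 2 signal: request time


def on_corporate_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def level1_decision(req: AccessRequest) -> str:
    """Static rules: admins always get MFA; sensitive apps skip MFA only when
    the request comes from a corporate range with the device cookie present.
    Both conditions are satisfied by replaying a stolen cookie over the VPN,
    and they prompt a legitimate traveller on every login."""
    if req.role == "admin":
        return "mfa"
    if req.app in SENSITIVE_APPS:
        if on_corporate_network(req.source_ip) and req.has_device_cookie:
            return "password"
        return "mfa"
    return "password"


def level2_decision(req: AccessRequest, profile: dict) -> str:
    """Contextual rules (assumed thresholds): an unmanaged device always steps
    up; a sensitive app from an unmanaged device in a never-seen country is
    denied; otherwise two or more anomalous signals trigger MFA."""
    start, end = profile["hours"]
    signals = {
        "unmanaged_device": not req.device_managed,
        "off_network": not on_corporate_network(req.source_ip),
        "new_country": req.country not in profile["countries"],
        "off_hours": not (start <= req.when.hour < end),
    }
    if req.app in SENSITIVE_APPS and signals["unmanaged_device"] and signals["new_country"]:
        return "deny"
    if signals["unmanaged_device"] or sum(signals.values()) >= 2:
        return "mfa"
    return "password"


def compare(req: AccessRequest) -> dict:
    """Decision each maturity level reaches for the same request."""
    return {"level1": level1_decision(req),
            "level2": level2_decision(req, PROFILES[req.user])}


# Constructed request: Alice (Finance) on her managed laptop from a hotel
# network in Canada during working hours.
TRAVELLING_ALICE = AccessRequest(
    user="alice", role="finance", app="payroll", source_ip="198.51.100.7",
    has_device_cookie=False, device_managed=True, country="CA",
    when=datetime(2019, 6, 3, 10, 15))
# Constructed request: stolen password plus a replayed browser cookie, sent
# over the corporate VPN from an unmanaged machine at 03:00 in a new country.
REPLAYED_COOKIE = AccessRequest(
    user="alice", role="finance", app="payroll", source_ip="10.1.2.3",
    has_device_cookie=True, device_managed=False, country="RO",
    when=datetime(2019, 6, 3, 3, 5))

if __name__ == "__main__":
    for name, req in (("travelling user", TRAVELLING_ALICE),
                      ("replayed cookie", REPLAYED_COOKIE)):
        print(f"{name:16} {compare(req)}")
```

The static rule reaches the wrong answer in both directions: it prompts the travelling user on every login and waves the replayed cookie through because the IP range and cookie conditions are met. The contextual rule can tell the two requests apart because device posture, location, and time are evaluated together. Whether a managed device on an unknown network should still step up for a sensitive app is a policy choice; many teams would set that threshold lower than this example does.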

Level 3: Optimized Level of Maturity: AI-Powered

At this level of maturity, the need for creating policies based on rules, attributes, and context is greatly reduced, if not completely eliminated. Organizations that reach the Optimized level of maturity deploy AI-powered IAM solutions that can automatically distinguish between users’ typical and anomalous behavior, and enable customers to secure access to applications and data with dynamic policies that do not require manual setup.

For example, the Idaptive User Behavior Analytics engine, which is part of our Next-Gen Access Platform, leverages machine learning to autonomously build out user behavior profiles. This engine constantly collects data and context from a variety of sources, including endpoint and app access attempts, mobile device security context, as well as third-party sources such as Palo Alto Networks Cortex Data Lake. When this engine is integrated into an enforcement point, such as Idaptive SSO, Idaptive MFA or Idaptive Device Security Management, it enables customers to automatically enforce dynamic access controls in real-time.

Level 3: Optimized Level of Maturity (AI-Powered)

Pillar: Directory

Capability: Contextual and Risk-Based MFA for Federated Users
· Support risk-based MFA for federated accounts.

Pillar: Authentication

Capability: Continuous Authentication, Including Behavioral Biometrics
· Collect users’ behavior data to develop a unique behavioral profile for each user.
· Assess user behavior against the established profile and elevate user risk when anomalous behavior is detected.
· Define appropriate authentication profiles based on acceptable risk levels.

Capability: Adaptive MFA Based on Device, Network, Location, Time, and User Behavior Risk Context
· Use risk-level context to determine the right set of authentication factors and policies for the protected resource.
· Combine behavioral risk context with network, location, and time context to control access to applications.

Capability: User Profile Leveraging Third-Party Threat Feeds
· Support third-party context sources such as firewalls, endpoint protection solutions, Data Loss Prevention (DLP), and CASB-related threat intelligence feeds.

Pillar: Authorization

Capability: AI-Powered Dynamic Fine-grained Authorization
· Grant access to resources and applications based on user behavior and risk profiles.
· Continuously evaluate users’ risk profiles to determine whether they may use capabilities within applications they have already been granted access to.

Pillar: Governance

Capability: AI-Powered Access Violations
· Use machine learning-based algorithms to determine whether users hold roles and entitlements that violate segregation of duties rules.
· Automatically trigger remediation by deprovisioning access or initiating access certification processes.
· Check for segregation of duties violations at the time of access request, approval, and provisioning of entitlements.

Capability: AI-Powered Account Lock/Unlock/Certification
· Automatically remediate risk (disable or lock the user, force a password reset, terminate the user session, de-escalate privileges, or quarantine the user) based on the user’s risk profile or when the risk analytics engine detects possible anomalous activity.

Capability: AI-Powered Role Engineering
· Synchronize roles from all connected and disconnected applications and feed them to an AI-based system to identify similarities in roles across applications.
· Consolidate and define enterprise-wide roles that are easy to manage for provisioning and access certification.

Pillar: Compliance

Capability: User Risk Profiling
· Assess risk for each user based on analysis of context and access events.
· Support third-party context sources, such as SIEM, CASB, and EMM solutions, for deeper insights and risk evaluation.
· Feed access events into a risk analytics engine to determine typical and anomalous user behavior.
· Rank users into risk categories (high, medium, low) or assign a specific risk score to each user.

Capability: AI-Powered Automated Response
· Automatically notify appropriate personnel when a security incident is detected.
· Integrate with ITSM tools for ticket-based manual remediation or automated remediation (disable user, lock device, force password reset, terminate user session).

Capability: Cloud Insight
· Provide complete visibility into user activity and detect vulnerabilities in system and application configurations.
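The following Python script is an added example and is not Idaptive’s User Behavior Analytics engine or any other code from this paper. It shows the mechanism described in “The Future is AI-Powered Identity Security” and in the Level 3 rows above: learn each user’s typical behavior from past access events without labels, score how anomalous a new event is, rank the risk (low, medium, high), pick a remediation (allow, step-up MFA, block and notify), and fold accepted events back into the model so it keeps learning. The model is a deliberately simple unsupervised density estimate (smoothed per-feature frequencies) rather than a trained neural model; the feature set, the bit thresholds, and all events are constructed for illustration.

```python
"""Per-user behavioral baseline and risk scoring for access events.

Added example, not Idaptive's UBA engine. Unsupervised in the sense that no
event is labelled good or bad: each user's own history defines "typical".
Feature set, thresholds and events are constructed for illustration.
"""
from __future__ import annotations

import math
from collections import Counter

FEATURES = ("country", "device", "hour_bucket", "app")
ALPHA = 0.5  # additive smoothing: a never-seen value is rare, not impossible

# Assumed thresholds, in bits of surprisal summed over the four features.
LOW_MAX, MEDIUM_MAX = 4.0, 10.0
REMEDIATION = {"low": "allow", "medium": "step_up_mfa", "high": "block_and_notify"}


def hour_bucket(hour: int) -> str:
    """Coarse time-of-day bucket so a 09:00 and a 10:00 login look alike."""
    if hour < 6:
        return "night"
    return "day" if hour < 18 else "evening"


def featurize(event: dict) -> dict:
    """Reduce a raw access event to the categorical features the baseline tracks."""
    return {
        "country": event["country"],
        "device": event["device"],
        "hour_bucket": hour_bucket(event["hour"]),
        "app": event["app"],
    }


class UserBaseline:
    """Frequency counts of each feature value observed for one user."""

    def __init__(self) -> None:
        self.counts = {f: Counter() for f in FEATURES}
        self.n = 0

    def update(self, event: dict) -> None:
        """Fold an observed event into the baseline (continuous learning)."""
        for f, v in featurize(event).items():
            self.counts[f][v] += 1
        self.n += 1

    def surprisal(self, event: dict) -> float:
        """Sum over features of -log2 P(value | user), in bits.

        P is smoothed over the values seen so far plus one slot for "anything
        else", so a value seen on every prior event costs close to 0 bits and
        a never-seen value costs log2((n + ALPHA*k) / ALPHA). Reading a
        missing Counter key does not insert it, so scoring never alters the model.
        """
        bits = 0.0
        for f, v in featurize(event).items():
            k = len(self.counts[f]) + 1
            p = (self.counts[f][v] + ALPHA) / (self.n + ALPHA * k)
            bits -= math.log2(p)
        return bits


def build_baselines(history: list[dict]) -> dict[str, UserBaseline]:
    """Unsupervised training: one baseline per user from past access events."""
    baselines: dict[str, UserBaseline] = {}
    for event in history:
        baselines.setdefault(event["user"], UserBaseline()).update(event)
    return baselines


def risk_category(bits: float) -> str:
    if bits < LOW_MAX:
        return "low"
    return "medium" if bits < MEDIUM_MAX else "high"


def assess(baseline: UserBaseline, event: dict) -> dict:
    """Score one access event and return its risk rank and remediation."""
    bits = baseline.surprisal(event)
    risk = risk_category(bits)
    return {"bits": round(bits, 2), "risk": risk, "action": REMEDIATION[risk]}


def _ev(country: str, device: str, hour: int, app: str, user: str = "alice") -> dict:
    return {"user": user, "country": country, "device": device, "hour": hour, "app": app}


# Constructed history: 20 events for alice, mostly US / managed laptop / daytime.
HISTORY = (
    [_ev("US", "laptop-a1", 9, "mail")] * 12
    + [_ev("US", "laptop-a1", 14, "crm")] * 6
    + [_ev("US", "phone-a2", 20, "mail")] * 2
)

EVENT_TYPICAL = _ev("US", "laptop-a1", 10, "mail")
EVENT_TRAVEL = _ev("DE", "laptop-a1", 11, "crm")          # only the country is new
EVENT_STOLEN_CREDS = _ev("RO", "unknown", 3, "payroll")  # every feature is new

if __name__ == "__main__":
    alice = build_baselines(HISTORY)["alice"]
    for name, ev in (("typical", EVENT_TYPICAL), ("travel", EVENT_TRAVEL),
                     ("stolen creds", EVENT_STOLEN_CREDS)):
        print(f"{name:13} {assess(alice, ev)}")
    alice.update(EVENT_TRAVEL)  # accepted after MFA: DE becomes less surprising
    print(f"travel again  {assess(alice, EVENT_TRAVEL)}")
```

With this history, the typical login costs about 1 bit and is allowed, the trip to a new country on the usual laptop costs about 7.5 bits and is stepped up, and the night-time login from an unknown device and country to an app the user never touched costs over 20 bits and is blocked. After the travel event is accepted and folded into the baseline, the same event scores lower on the next login, which is the “continuously update” behavior the text describes. Surprisal adds up across independent features, so the thresholds must be re-tuned whenever features are added, and a per-user baseline needs enough history (here 20 events) before its scores mean anything; a brand-new user should fall back to contextual rules until it does.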

Conclusion: You better start swimmin’ or you’ll sink like a stone…

Maturing from a basic level of managing Identity and Access, with its rigid and reactive approach, to a more mature level that automatically enforces dynamic access controls in real time is now possible. That is good news, because there is really no choice if you want to keep up with the rapidly increasing complexity and change facing organizations.

And AI-powered Identity and Access is no longer just aspirational or purely visionary: it is being realized by platforms such as Idaptive, which combine the enormous amount of data available in the enterprise with data science techniques ranging from featurization to unsupervised learning to detect anomalies in user behavior and drive smarter, more automated security, governance, and compliance within the enterprise.

Start a free, full-featured 30-day trial of Idaptive today.

Idaptive delivers Next-Gen Access, protecting organizations from data breaches through a Zero Trust approach. Idaptive secures access to applications and endpoints by verifying every user, validating their devices, and intelligently limiting their access. Idaptive Next-Gen Access is the only industry-recognized solution that uniquely converges Single Sign-On (SSO), adaptive Multi-Factor Authentication (MFA), Enterprise Mobility Management (EMM) and User Behavior Analytics (UBA). With Idaptive, organizations experience increased security, reduced complexity and have newfound confidence to drive new business models and deliver awesome customer experiences. Over 2,000 organizations worldwide trust Idaptive to proactively secure their businesses.


3300 Tannery Way Santa Clara, CA 95054
