The following blog post is an excerpt from a recent GovLoop guide: Your Cybersecurity Crash Course. We solicited the GovLoop community to learn their top cyber challenges. In the report, we answer 12 of their most pressing cyber questions.
An interview with Philippe de Raet, Vice President of Strategic Alliances and Business Development, Experian Public Sector
User authentication is an integral component of any cybersecurity process. Creating an environment safeguarded from fraudsters, hackers and even misguided internal users requires a robust identity management system. In an interview with GovLoop, Philippe de Raet, Vice President of Strategic Alliances and Business Development at Experian Public Sector, discussed how Experian approaches authentication in a way that focuses on the context of access, rather than just on the person trying to log on.
He suggested focusing on the specific transaction occurring between the user and an agency to determine the appropriate verification processes. Rather than deploying a cumbersome verification process, agencies should focus on securing the processes most susceptible to fraud while making less sensitive processes more practical and easier to execute.
The reason behind this approach is twofold. Firstly, it reduces the burden on agencies of wrapping every virtual process in a heavyweight security control, which can be overkill and counterproductive for employees. Lengthy authentication processes can be costly and cumbersome, especially for information that isn’t sensitive enough to require heavy credentialing for access.
Over-credentialing can even put your organization at greater risk for a leak by increasing the amount of authentication information you keep on file. “We only release data that’s appropriate with the level of assurance needed. Otherwise, you’re opening yourself up to fraud by releasing attributes about yourself that may not be relevant for a certain transaction,” said de Raet.
Secondly, creating a context-specific identity management system also ensures that security is maintained without impeding employees or external users from accessing necessary information. “The issue around privacy is maintaining that balance between making it practical for the person, yet at the same time secure for the transaction,” said de Raet. “People will only adopt what’s practical, no matter the risks.”
Focusing on the context of a login can ensure you find that balance between privacy and practicality. The goal of the transaction can be a key determinant in deciding what sort of verification is required, and also what the user may be willing to offer in exchange for access. As an example, de Raet explained: “People aren’t willing to be frisked for a cup of coffee, but they might agree to offer information about themselves, such as their first name. That said, they might be willing to get frisked to get on a plane, especially if it’s the only way to get from one place to another.”
Another aspect to consider is how the person is attempting to access your system.
Instead of focusing solely on information provided at login, adding device intelligence to the authentication process can create a more holistic view of user actions. Experian considers parameters such as typing speed, browsing history, and login location. Thus, even if credentials are correct, the identity management system will know whether the user’s account might have been hacked.
Similarly, the device a person uses to log on can add a layer of contextual verification. Increasingly, users are using personal devices to access information. These devices then become a part of that person’s identity, and can provide context for a questionable authentication process. As de Raet explained, “Using device intelligence as part of the authentication process is a phenomenal way to close the loop. Even if someone’s identity is in question, if we can validate the device being used as belonging to that specific user, we can verify that identity.”
Finally, the verification process must consider the context of the relationship formed by the user and your services. “A straightforward ID proofing session for someone may be well and fine today,” de Raet said, “but the context there may not be the same in a month, a year or two years from now.” Target threats by studying the habits of individual users over time, and adjusting your safeguards to changes in their behavior. For instance, a user may suddenly access substantially more information than usual without an apparent business need. Your cyberteam can treat this as a signal that stronger authentication is needed for that user and that the user’s intentions warrant a closer look.
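The three ideas above (matching the verification step to the transaction’s sensitivity, treating a known device as part of the user’s identity, and comparing today’s activity with the user’s own baseline) fit together in a single access decision. The following is an added, constructed example of such a decision engine; it is not Experian’s product or any code from the GovLoop report, and the transaction names, assurance tiers, sample profile and threshold are assumptions made for illustration.

```python
"""Context-aware authentication decision (constructed example, not Experian's).

Three signals feed one decision:
  1. transaction sensitivity -> the assurance the transaction itself demands
  2. device familiarity      -> has this user been seen on this device before?
  3. behavioural deviation   -> how far today's access volume departs from the
                                user's own history
The outcome is 'allow', 'step_up' (ask for the next factor only) or 'deny'
(route to manual review), so low-risk transactions stay practical and only
the risky ones get the full treatment.
"""
from dataclasses import dataclass
from statistics import mean, pstdev

# Assurance tiers used throughout this example (an assumption, not a standard
# cited by the page): 1 = session only, 2 = password, 3 = password + 2nd factor.
SESSION, PASSWORD, PASSWORD_MFA = 1, 2, 3

# Baseline requirement per transaction. Names are constructed for the example;
# a real deployment derives them from its own service catalogue.
REQUIRED_ASSURANCE = {
    "view_public_notice": SESSION,            # "a cup of coffee": ask for little
    "update_mailing_address": PASSWORD,
    "download_tax_transcript": PASSWORD_MFA,  # "getting on a plane"
}


@dataclass
class UserProfile:
    known_devices: set            # device ids previously bound to this user
    daily_record_counts: list     # records accessed per day, oldest first


@dataclass
class Request:
    user: str
    transaction: str
    device_id: str
    assurance_presented: int      # which tier the session has already satisfied
    records_requested: int        # volume this request would add today


def behaviour_zscore(profile: UserProfile, records_requested: int) -> float:
    """Standard deviations between today's volume and the user's baseline.

    A floor of 1.0 on the deviation keeps a perfectly flat history from
    turning a one-record change into an alarm.
    """
    hist = profile.daily_record_counts
    if len(hist) < 2:
        return 0.0                      # not enough history to judge
    sd = max(pstdev(hist), 1.0)
    return (records_requested - mean(hist)) / sd


def required_assurance(profile: UserProfile, req: Request,
                       z_threshold: float = 3.0) -> int:
    """Raise the transaction's baseline requirement when the context is weak."""
    need = REQUIRED_ASSURANCE[req.transaction]
    if need >= PASSWORD and req.device_id not in profile.known_devices:
        need += 1   # unfamiliar device on a sensitive transaction
    if behaviour_zscore(profile, req.records_requested) > z_threshold:
        need += 1   # volume far outside this user's own habits
    return need


def decide(profile: UserProfile, req: Request) -> str:
    """Return 'allow', 'step_up' or 'deny' for one request in its context."""
    if req.transaction not in REQUIRED_ASSURANCE:
        return "deny"                   # unknown transaction: fail closed
    need = required_assurance(profile, req)
    if need > PASSWORD_MFA:
        return "deny"                   # no credential satisfies this; review it
    if req.assurance_presented >= need:
        return "allow"
    return "step_up"                    # ask for the next factor, not everything


if __name__ == "__main__":
    # Constructed sample user: one known device, a steady ~11 records/day.
    alice = UserProfile(known_devices={"dev-A"},
                        daily_record_counts=[10, 12, 11, 9, 13])
    for r in [
        Request("alice", "view_public_notice", "dev-new", SESSION, 10),
        Request("alice", "update_mailing_address", "dev-new", PASSWORD, 12),
        Request("alice", "download_tax_transcript", "dev-A", PASSWORD, 11),
        Request("alice", "download_tax_transcript", "dev-A", PASSWORD_MFA, 200),
    ]:
        print(f"{r.transaction:26s} {r.device_id:8s} -> {decide(alice, r)}")
```

The design choice worth noting is that weak context never lowers the bar for a sensitive transaction; it only raises it, and the low-sensitivity tier is never bumped by an unknown device, which is what keeps the "cup of coffee" case practical. Binding a device to the profile after a successful step-up (adding it to `known_devices`) is how the device becomes part of the user's identity for the next visit.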
“On the one hand, you want to stay outside of the pages of The Washington Post. On the other hand, you don’t want to make it so stringent that it’s impractical and that people are complaining because they can’t get to a website. That balance has to be maintained between adoptability of the offering and, at the same time, the security of that offering,” de Raet concluded. Focusing on the context of each access point is crucial to identifying this balance.
To learn more about cybersecurity, be sure to check out the report: Your Cybersecurity Crash Course