What do smartphones and corporate credit cards have in common? Very soon, both will be monitored by employers in an effort to detect abnormal or otherwise suspicious patterns of activity. In the age of bring-your-own-device (BYOD) policies, companies are turning to techniques like these to manage access from smartphones and tablets to their internal systems and to confirm the identities of the people using them.
Intel estimates that almost 30,000 employee mobile devices access its systems daily. To keep that growing crowd under control, the chip maker's IT department early this year adopted a new approach to mobile device authentication that uses what's known as the "granular trust model."
When an employee attempts to log in to company applications from a mobile device, the system takes into consideration where the user is, what device he's using and what the employee is trying to access -- basically calculating a "risk rating" for the request. Using a trust calculation, the technology determines whether the requested level of access is appropriate. So far, 9,000 devices are using Intel's trusted application portal, which allows users to access applications and supports the granular trust model. That number is growing weekly.
"Credit card companies look at my patterns as a buyer and how far out of those normal patterns I am, and they may send me a fraud alert," says Malcolm Harkins, vice president and chief security and privacy officer at Intel. "We want to do the same things over time with our compute infrastructure and leverage the patterns of where you're at and what you're trying to do -- what device you're on and to some extent what you've done before as a way to manage the risk and enable the user. We're at the beginning stages of that journey."
Growing and diverse security threats, along with the proliferation of personal mobile devices in the workplace, are pushing IT departments to find unique approaches to identity and access management. So far this year, there's been strong demand for products with strong multifactor authentication and federated or single sign-on capabilities in the $4.8 billion identity and access management (IAM) systems market, which is expected to grow to almost $6.4 billion by 2016, according to IDC. The research firm calls these types of offerings "bring your own identity" systems.
"We're seeing a shift from impressed to expressed identity," says IDC analyst Sally Hudson. "The devices [we] use tell about the behaviors we choose to exhibit and define us in various settings. So you can collect a rich identity profile on somebody just by being able to profile what they access most often, their geolocation, what products they buy, what services they use and their social connections."
Intel's granular trust model is somewhat unique because it integrates multiple technologies, such as risk-based authentication and geolocation. Gartner analyst Gregg Kreizman says lots of vendors have products with some of those capabilities. Examples include Adaptive Authentication tools from EMC's RSA security division and Adaptive Access Manager from Oracle.
Proximity to replace passwords?
Intel's next goal is to eliminate passwords by using so-called proximity technologies. Maintaining multiple passwords across multiple sites and applications is a beast of an issue for Intel, but Harkins is starting to see emerging technologies that could enable IAM products to use contextual data to verify users' identities with the help of voice, biometric and facial recognition systems.
"If my phone is proximal to my laptop, my wireless is on in the building, I badged in this morning to the building, the [laptop] camera sees me, the mic can hear me -- why even ask me for a password?" Harkins says. "When you start tying those elements together, I think that ends up being a stronger multifactor authentication that's more resistant to advanced persistent threats or misuse by someone who's gained physical control of the device -- and a much better user experience because I don't have to remember all of those passwords or go through all that complexity."
If an employee wanted access to highly sensitive data on a system, a policy setting could be put in place that authenticates the employee but still asks for an extra level of security, such as a one-time password sent to his smartphone that can be used as another authentication mechanism, Harkins adds.
Preventing the loss, theft or misuse of devices
Proximity technology could even prevent devices from being lost, stolen or tampered with, Harkins says. Many employees forget to lock their computer screens when they leave their desks. With proximity technology, Harkins foresees screens locking automatically when an employee walks 10 feet away. The device would know that the employee was out of range because her employee badge or smartphone would go with her. When the employee gets 100 feet away, the device would be automatically encrypted.
Such technology exists today. It's now a question of integrating multiple technologies and coupling that into the company's infrastructure for policy decisions.
"We're moving toward more contextual and adaptive-based authentication," Kreizman says. "Things that mobile devices now help support -- such as cameras in the phone or tablet, the voice interface and voice biometrics, GPS, touchscreen interfaces, cell tower location, IP address -- are coming together to reduce the friction for users, and we're moving toward this notion of not having to overtly authenticate."
Rules to follow
There are still some wrinkles that need ironing out. For starters, IAM systems aren't easy to deploy at companies with BYOD policies because not all devices, operating systems and platforms are created equal. "If I've got Handheld A, and I don't trust it as much [as other devices] then I'm going to let it have access to [only] certain apps and data," Harkins explains.
Employees must also agree to some oversight of their devices. At Intel, employees have to sign a service agreement before using a personal device at work. They must agree to the company's terms for conduct, software licensing and information security policies. Employees are also warned to keep personal data separate from corporate data by creating separate partitions or data containers. "If it's lost or stolen, or if they leave the company, we'll have to remotely wipe it -- which could be a problem if they've mingled corporate stuff with personal stuff," Harkins says.
Employees must also equip their devices with special apps that can be download from an internal application portal -- much like an app store, but with guidelines on what they can download based on their use history and what additional security features they might need if they will be using the device to access sensitive company data.
Federated and single sign-on
Sales of Web single sign-on and federated systems, or single sign-on systems for partners or regular outside visitors to a network, are expected to reach $1.5 billion this year and make up about one-third of all IAM system purchases by 2016.
At HMS, which offers information and services to help healthcare providers minimize erroneous payments, CSO Scott Pettigrew knew a security upgrade was inevitable because the company has grown rapidly -- from $55 million in revenue five years ago to an expected $520 million by the end of this year.
Security requirements spelled out in regulations governing the healthcare industry mandate that every account be automatically disabled every 30 days, requiring the help desk team to spend much of its time reissuing access rights to temporary staffers. The company used to manually keep tabs on the access rights of its portal users. But the portal is used by almost 20,000 outsiders, including more than 500 temporary employees working on Medicare claims and verifications, so provisioning processes began to take up a lot of time and it became nearly impossible to remain compliant with the Health Insurance Portability and Accountability Act.
"To meet those regulations, you've got to have some sort of identity management suite to make sure you're deleting people off your systems and taking away their access [in a timely way]," says Pettigrew.
Today, HMS is working through a more than three-year overhaul of its IAM structure that combines identity, governance and federation capabilities. The new identity system is a central point for access requests at HMS. To manage external contractors, HMS is deploying two-factor authentication to close a gap in access by self-certifying users through access to registered email. Users will be locked to one external device after being auto-enrolled in two-factor authentication. The process leverages existing identity information and technologies with two-factor certificates to maintain control of resources for noncaptive users.
Today, nearly 500 accounts are automatically provisioned or deprovisioned every month, and even the accounts of employees who leave the company are automatically disabled as names are removed from the payroll -- a process that safeguards security by eliminating orphan accounts.
"I feel like we're ahead of the game" in terms of bleeding-edge IAM solutions in the healthcare industry, Pettigrew says.
Making the case with ROI
While the benefits -- safety, efficiency and simplicity -- make IAM seem like a no-brainer, the cost of such systems can be hard to justify, says Pettigrew. "You can argue that you're saving money, but the bigger [issue] is you're not going to end up on the front page of the newspaper for violating some regulation and being fined millions of dollars," he says.
Indeed, in financial circles it's a game of reducing fraud and paying less for technology than you could lose in a security breach or fine, Kreizman says. Depending on their companies' security needs, IT departments will have to go beyond basic IAM implementations and link different channels together or monitor transaction behaviors, and that gets expensive, he adds.
At HMS, Pettigrew is confident that password self-service and automated access tools are cutting labor costs, but he says the savings are still hard to quantify. To help sell the $4.5 million project, he divided it into manageable phases, and the IT team showed some benefit to the business at the end of each phase.
Intel has been able to measure some productivity improvements from BYOD and IAM. Harkins says most employees who use their own mobile devices report gaining an hour of productivity per week.
He compares this ROI challenge to the transition from desktops to laptops. Companies transitioned to laptops "around the faith and belief that agility, flexibility and mobility would enable creativity and enable the company to move faster, and it certainly has," he says. But even in that case, he adds, "the financial ROIs were those semi-qualitative things."
Privacy issues loom
As more biometric ID systems, cameras, mics and GPS tools are used to authenticate users, privacy concerns will inevitably follow.
"Privacy and security are like magnets," Harkins says. "When they're turned the right way, they're perfectly binding because you need security to have privacy. But if you start turning one of them a different way, there's a polarization that occurs because security can encroach upon privacy. That's going to be the challenge: How do you reconcile the potential polarization between security and privacy?"
This story, "How security is using IAM to manage BYOD" was originally published by CSO.