The future of identity management in the mobile era
- By Chris Balcik
- Mar 25, 2019
Federal leaders are looking to transform their operations with the benefits of mobility, including increased productivity, flexibility and the ability to access and share information from any location seamlessly. In fact, new mobile capabilities can completely transform how agencies achieve their critical mission objectives by allowing them to explore new use cases such as data collection from the or even enhanced situational awareness for warfighters on the battlefield.
However, adversaries continually test new strategies and threat vectors to reach the government’s most sensitive data and systems. In 2017 alone, the public sector experienced 22,788 cybersecurity incidents, including ransomware, email-borne malware and phishing. With data breaches growing from both malicious outside actors and insider threats, agency leaders can’t truly benefit from mobile technology without ensuring that their mission-critical data is secure.
Components of a smart mobile identity management strategy
One of the primary challenges in securing a mobile environment is ensuring only the authorized individual is using the device. Phones and tablets can be lost or stolen, and unattended devices can easily be viewed by unauthorized eyes. To address these security challenges and stay one step ahead of attackers, agencies need stronger identity management strategies, as called for by both the Department of Homeland Security’s Continuous Diagnostics and Mitigation program and the National Institute of Standards and Technology's Cybersecurity Framework.
Multifactor authentication, which verifies users with a physical item such as a common access card or with a biometric factor in addition to a passcode, is a good start. Derived credentials -- where a credential derived from the user’s PIV or common access card is provisioned to and stored on the device itself, so the card need not be present at every login -- are central to smart identity management in the mobile era. But neither goes far enough against today’s sophisticated adversaries, because both check identity only at a point in time. Advanced capabilities like behavioral analytics (BA) extend identity management by continuously verifying users’ digital behavior and interactions.
BA goes that extra step by learning users’ browsing habits, messaging syntax and even how they hold or interact with their phones. Because BA technologies capture how a device is used over time, they provide the equivalent of a continuously authenticating security "matrix": instead of a one-and-done "snapshot" check at login, every transaction is scored against what is normal for that user, so unusual behavior is detected transaction by transaction.
Additionally, BA helps government IT security leaders detect anomalies by first building a baseline of normal behavior for each user and then scoring new activity by how far it deviates from that baseline. Because analysts review deviations rather than every raw event, the volume of information to examine shrinks, helping agencies quickly detect and neutralize threats in mobile environments. BA can also expose administrator-configurable baselines and thresholds tuned to a specific agency’s security levels.
Why BA is critical for multifactor authentication
Because BA verifies an individual by traits, habits and even location, it is harder for an inside or outside threat to compromise a mobile environment. Hackers can steal a password, an authentication token or even the mobile device itself, but convincingly reproducing a person’s behavior is far harder. The trade-off is that behavior varies from day to day, so thresholds must be tuned to keep false rejections low, and the stored behavioral profiles become sensitive data that need protecting like any other credential.
For BA to work for identity management, security leaders must implement a multilayered approach that combines protection down to the device chipset to secure sensitive data with multifactor authentication to ensure those devices are in the hands of only authorized users.
- Security down to the device: Mobile devices should include security built from the hardware up, with keys and integrity checks anchored in the chipset, while continuously authenticating users. Authenticating from the device chip provides layered data and network protection at the level of individual transactions, meaning the device itself vouches for who is using it. For example, if a thief took a smartphone protected this way, the device could lock itself down when it detected attempts to open apps the user was never authorized for or to view sensitive information.
- Multifactor authentication: To address the challenge of devices and data getting into the wrong hands, IT leaders must build multifactor authentication in at the base level so identity can be verified in a range of situations. Mobile devices integrated with BA-based authentication can add geolocation and advanced biometric data for more precise identity management. For example, if a government employee's mobile device were stolen, that device could be disabled based on its location, or locked because its BA score fell below the configured threshold.
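The baseline-and-deviation scoring described earlier, and the step-up or lock decision in the multifactor bullet above, can be sketched in a few dozen lines. The following Python is an added example written for this article, not code from Samsung or from any shipping BA product: the three behavioral features, the enrolment sessions, the Washington, D.C. home location and the policy thresholds are all constructed for illustration. It shows a per-user baseline learned at enrolment, a per-transaction similarity score, a smoothed trust score so a single odd transaction prompts for MFA rather than locking the device outright, and a geolocation check.

```python
"""Toy continuous-authentication scorer: per-user behavioral baseline,
per-transaction deviation scoring and an administrator-configurable policy
that steps up to MFA or locks the device.  Added example; features, sample
data and thresholds are constructed for illustration, not from any product."""
import math
from dataclasses import dataclass
from statistics import mean, pstdev

# Hypothetical behavioral features; a real engine would track many more signals.
FEATURES = ("key_interval_ms", "hold_angle_deg", "swipe_speed_px_s")


@dataclass
class Baseline:
    mu: dict      # per-feature mean learned at enrolment
    sigma: dict   # per-feature standard deviation learned at enrolment
    lat: float    # usual location recorded at enrolment
    lon: float


def build_baseline(sessions, lat, lon):
    """Learn the baseline from enrolment sessions (a list of feature dicts)."""
    mu = {f: mean([s[f] for s in sessions]) for f in FEATURES}
    # floor sigma so a perfectly consistent enrolment never divides by zero
    sigma = {f: max(pstdev([s[f] for s in sessions]), 1e-6) for f in FEATURES}
    return Baseline(mu, sigma, lat, lon)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km, used for the geolocation check."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def transaction_score(baseline, obs, z_max=4.0):
    """Similarity in [0, 1]: 1 means the observation matches the baseline,
    0 means it is on average z_max standard deviations away or more."""
    z = [abs(obs[f] - baseline.mu[f]) / baseline.sigma[f] for f in FEATURES]
    return max(0.0, 1.0 - (sum(z) / len(z)) / z_max)


@dataclass
class Policy:
    """Administrator-configurable thresholds (hypothetical defaults)."""
    step_up_below: float = 0.60   # re-prompt for PIN/biometric below this trust
    lock_below: float = 0.35      # lock the device below this trust
    geo_radius_km: float = 50.0   # step up if the device strays this far
    smoothing: float = 0.5        # weight of the newest transaction in trust


class ContinuousAuthenticator:
    def __init__(self, baseline, policy):
        self.baseline, self.policy = baseline, policy
        self.trust = 1.0  # fully trusted right after a successful MFA login

    def observe(self, obs):
        """Score one transaction and return 'allow', 'step_up' or 'lock'."""
        s = transaction_score(self.baseline, obs)
        # exponential smoothing: one odd transaction lowers trust but does not
        # lock the device on its own; a run of them does
        a = self.policy.smoothing
        self.trust = a * s + (1 - a) * self.trust
        far = haversine_km(self.baseline.lat, self.baseline.lon,
                           obs["lat"], obs["lon"]) > self.policy.geo_radius_km
        if self.trust < self.policy.lock_below:
            return "lock"
        if far or self.trust < self.policy.step_up_below:
            return "step_up"
        return "allow"

    def reauthenticated(self):
        """Called after the user passes the step-up MFA prompt."""
        self.trust = 1.0


# --- constructed sample data ---------------------------------------------
HOME_LAT, HOME_LON = 38.90, -77.04   # Washington, D.C. (constructed)
ENROLMENT_SESSIONS = [
    {"key_interval_ms": 180, "hold_angle_deg": 38, "swipe_speed_px_s": 900},
    {"key_interval_ms": 195, "hold_angle_deg": 42, "swipe_speed_px_s": 950},
    {"key_interval_ms": 175, "hold_angle_deg": 40, "swipe_speed_px_s": 920},
    {"key_interval_ms": 190, "hold_angle_deg": 41, "swipe_speed_px_s": 930},
    {"key_interval_ms": 185, "hold_angle_deg": 39, "swipe_speed_px_s": 1000},
]
LEGIT_OBS = {"key_interval_ms": 188, "hold_angle_deg": 41,
             "swipe_speed_px_s": 945, "lat": 38.91, "lon": -77.03}
THIEF_OBS = {"key_interval_ms": 320, "hold_angle_deg": 25,
             "swipe_speed_px_s": 1500, "lat": 38.90, "lon": -77.04}
REMOTE_LEGIT_OBS = dict(LEGIT_OBS, lat=40.71, lon=-74.01)  # right habits, wrong city


def run_demo():
    """Owner uses the phone, a thief takes it, owner re-authenticates elsewhere."""
    auth = ContinuousAuthenticator(
        build_baseline(ENROLMENT_SESSIONS, HOME_LAT, HOME_LON), Policy())
    decisions = [auth.observe(LEGIT_OBS),   # owner: allow
                 auth.observe(THIEF_OBS),   # first odd transaction: step_up
                 auth.observe(THIEF_OBS)]   # persistent anomaly: lock
    auth.reauthenticated()
    decisions.append(auth.observe(REMOTE_LEGIT_OBS))  # out of area: step_up
    return decisions


if __name__ == "__main__":
    print(run_demo())
```

Running the script yields `['allow', 'step_up', 'lock', 'step_up']`: the owner's own typing rhythm passes, the thief's first transaction only triggers a re-prompt, the second locks the phone, and the owner's correct behavior from an unexpected city still forces a step-up. The smoothing weight and the two trust thresholds are the knobs an administrator would tune against an agency's tolerance for false rejections.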
BA makes authentication more convenient for employees while letting agencies block unauthorized logins. Advanced mobile security capabilities can also remove the need to carry a smartcard: credentials derived from the smartcard can be securely generated on the mobile device and used in place of the physical card. Real-time behavioral analytics gives richer insight into the identity of the user than smartcard use alone, making the solution both more convenient than carrying a card and more resistant to misuse if the device is stolen.
Securing the future of mobile with behavioral analytics
Mobility offers government the opportunity to transform operations and the way missions are achieved, even as some data breaches become inevitable. Agencies must stay resilient amid the ever-evolving threat landscape while ensuring they can recover from any attempted or successful breach.
Requiring security down to the chipset, combined with stronger multifactor authentication methods, will be central to the way government manages identity verification. BA in particular plays an essential role in defending devices and networks from external attackers as well as insider threats, such as disgruntled employees or those unintentionally misusing mobile devices or data. With BA, agencies don’t have to sacrifice the convenience and productivity of mobile devices for the sake of security, and they can have higher confidence that their identity management approach keeps mission-critical data safe.
Chris Balcik is VP of Federal at Samsung.