Efficient Storage for Green IT

Green Storage Journal

Subscribe to Green Storage Journal: eMailAlertsEmail Alerts newslettersWeekly Newsletters
Get Green Storage Journal: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn


Trends in Green Storage Authors: Natalie Lerner, Greg Schulz, RealWire News Distribution, Bob Gourley, Jayaram Krishnaswamy

Related Topics: Cloud Computing, Security Journal, Cloud Security Journal , Cloud Backup and Recovery Journal

Article

Adaptive Risk: Making Sure You Are Who You Say You Are

Identification by predictive behavior to prevent account takeover

Does this sound familiar? Ann, sitting at her desk eating lunch, is surfing the Net. She checks her personal Yahoo email account and sees a message from a purported survey company asking her about her music preferences. She opens the email and takes the survey. Seems harmless enough, but what Ann doesn’t know is that this survey company doesn’t exist and embedded in some of the survey prompts hides an undetected botnet that downloaded onto her desktop. This nasty bugger can record her keystrokes and take screen shots as she navigates through your network. Now some unauthorized entity has her login credentials, passwords…essentially her online/employee  identity and access to your enterprise’s proprietary assets and other sensitive data.

You tell them, you educate them, but sometimes it’s not enough. You need to implement another layer of security. These threats aren’t new…they simply get more insidious, more widespread and more effective.

Account takeover is one of the more prevalent forms of identity theft and one of the most damaging to businesses. In fact, according to Meridien Research, while the victim suffers an average loss of $808, businesses absorb about $18,000 (that's more than 20x) in fraudulent charges per victim.

Problem is, every time technology finds a way to slow or prevent some type of fraud, hackers will always be one step ahead. But it’s not a hopeless consideration. Especially if you apply adaptive risk processes into your security initiatives.

Adaptive risk is the key engine in the unified Identity Management/Access Management (IAM) deployment.  It provides the smarts (or the means to collect the “fingerprints”) of possible identity breaches while closely controlling who gets to access what portions of your network.

This process is designed to assess/score risk attributes during authentication so that Access Management can determine whether to require the user to complete further authentication steps. The risk threshold is the first value set in the module and various checks can be enabled, each with their own score. For example, if Ann is a Admin Assistant for marketing, her credentials are not enough to give her access to HR applications or finance data. However, even if the network weren’t partitioned as such and her credentials were stolen, it’s highly unlikely she's trying to access social security numbers from a laptop in Belorussia at 3 in the morning. Or someone using Ann’s “identity” is trying to buy 10,000 Los Angeles Dodger jerseys from a “vendor” site in China using company funds, there are certain levels of authentication beyond password that can be applied to prevent further breach.

Taking a step back, it really starts with asserting control of the process. You must have the visibility to verify such things as a specific device or location. Then you need the parameters to recognize and affirm behavior patterns to ensure proper identity. These verifications are added to existing enterprise requirements for login/password credentials and additional knowledge-based authentication. In this way, adaptive risk policies make an endpoint an additional second factor-without requiring any behavior change.

Through IAM, there are certain aspects you need to apply to get that enhanced visibility and to exert the necessary activity control:

  • Multi-authentication using details a fraudster cannot easily know (pet's name, parent's anniversary, the name of your first grade teacher, etc…) especially when authorizing a payment, changing/modifying administrative rights or access to certain data.
  • Detect proxy IP addresses and reveal the true location of a fraudster. Combined with an intrusion detection process through SIEM, you can identify the specific geo codes and other suspect indicators (time, mode of entry, etc…) in real time.
  • Detect inconsistencies in device, location, address, email, etc. to reveal suspicious activity and anomalies
  • Device lock out for failed access
  • Email confirmation/notification for any change to admin rights
  • Track velocity of information being presented to detect fraudulent activity such as multiple accounts associated with a single device.
  • Detect account utilization anomalies such as credential sharing.
  • Prevent/allow access  through role based provisioning
  • Apply user and company activity limit policies

To those that heavily sighed because the cost of such a deployment is not just prohibitive, but resource draining, I say the enterprise power of cloud-based solutions (security-as-a-service) makes these initiatives affordable, manageable, and most importantly, strengthens the backbone of any security initiative.

Many companies (especially financial institutions) have various anti-fraud programs. For many it’s more than a compliance issue, but one of common sense protection. However, too many modest organizations like regional and community banks are hamstrung by a “decline in anti-fraud expertise.” (says Dr. Ken Baylor Research Vice President  for NSS Labs, a leading information security research and advisory company) This is not to say dealing with such organizations is a risk. In fact, because many of them find additional value in cloud-based security initiatives, they are as safe as their Wall Street brethren. Security-as-a-service has been show to provide the equalization factor—the ability to apply enterprise-class power, capability and control over access to the network and the expanding perimeter of SaaS and other third party applications and solutions requiring authorization and credentialing.

And it starts with a plan, a policy and a process.

More Stories By Kevin Nikkhoo

With more than 32 years of experience in information technology, and an extensive and successful entrepreneurial background, Kevin Nikkhoo is the CEO of the dynamic security-as-a-service startup Cloud Access. CloudAccess is at the forefront of the latest evolution of IT asset protection--the cloud.

Kevin holds a Bachelor of Science in Computer Engineering from McGill University, Master of Computer Engineering at California State University, Los Angeles, and an MBA from the University of Southern California with emphasis in entrepreneurial studies.