Making security invisible with adaptive access management

The more invisible cybersecurity safeguards are, the more they help improve adoption and stop breaches. With every organization obsessed with speed as a competitive differentiator, it is no wonder that CIOs are tasked with streamlining login and system access user experiences. When security measures are fast and seamless, users are much more likely to embrace them, contributing to, rather than detracting from, speed and accelerated response. 

CIOs and CISOs tell VentureBeat that improving mobile security user experiences across managed and unmanaged devices is the highest priority. In 2022, many enterprises were hacked from mobile and IoT devices. Verizon’s Mobile Security Index (MSI) for 2022 discovered a 22% increase in cyberattacks involving mobile and IoT devices in the last year. The study also found that the attack severity is at levels Verizon’s research team hasn’t seen since they began the security index years ago.

Enterprises still sacrifice security for speed

Verizon’s study found that 82% of enterprises have set aside a budget for mobile security, but 52% have prioritized meeting deadlines and boosting productivity over the security of their mobile and IoT devices, even if that means compromising security.

“During the last two years specifically, many organizations sacrificed security controls to support productivity and ensure business continuity,” Shridhar Mittal, CEO of Zimperium, said in the company’s 2022 Global Mobile Threat Report. 

Enterprises’ willingness to prioritize speed and productivity over security highlights how cybersecurity budgets affect every aspect of a company’s operations and employees’ personal information. This shows how cybersecurity budgeting and investment needs to be treated as a business decision first.

“For businesses — regardless of industry, size or location on a map — downtime is money lost,” said Sampath Sowmyanarayan, chief executive at Verizon Business. “Compromised data is trust lost, and those moments are tough to rebound from, although not impossible. As a result, companies need to dedicate time and budget to their security architecture, especially on off-premises devices. Otherwise, they are leaving themselves vulnerable to cyberthreat actors.”

Adaptive access management is designed to be transparent and non-intrusive, protecting enterprises’ systems and data without disrupting normal business operations. By adopting an adaptive security approach, enterprises can better balance the need for security with the need for speed and productivity, removing what would otherwise be security roadblocks that get in the way of increased productivity. 

Enterprises pursue frictionless login experiences by simplifying authentication using various techniques, including biometrics, FIDO2 and conditional access. This reflects how CIOs collaborate with CISOs to make security as unobtrusive yet effective as possible. Source: Identity and Access Management Built For Microsoft Azure Active Directory, Microsoft.

The more adaptive security is, the more invisible it becomes

Adaptive access management is a security approach that continuously monitors and adjusts access controls based on changing user and system behaviors. An example of adaptive access management solutions is risk-based authentication that uses machine learning (ML) algorithms to analyze user behavior and assign a relative risk score to each request for access.

Enterprises are prioritizing the purchase of adaptive access management technology to secure remote access for hybrid workforces, create more secure collaboration platforms and bring zero trust to supplier and customer sites and portals.

Additional technologies used as part of adaptive access management platforms include context-aware access control and anomaly detection. The latter technique uses ML-based algorithms to identify unusual or suspicious behavior, such as a sudden increase in login attempts from a particular location or an unusual pattern of access requests. If the system detects an anomaly, it may trigger additional authentication measures or block access to the resource.

All adaptive access platforms are making strides in improving access policies that automatically adjust access controls based on changing risk levels or other factors, including the sensitivity of data being accessed.

According to Gartner, by 2024, 50% of all workforce access management (AM) implementations will use native, real-time user and entity behavior analytics (UEBA) and other controls. By 2026, 90% of organizations will be using some embedded identity threat detection and response function from access management tools as their primary way to mitigate identity attacks, up from less than 20% today.

Forrester has found that using Azure AD’s adaptive risk-based policies and multifactor authentication can help organizations reduce the risk of a data breach, saving them an estimated $2.2 million over three years. And a study by the Ponemon Institute found that organizations that adopted an adaptive security approach had a significantly lower total cost of ownership (TCO) and a faster time to value compared to those that relied on traditional, static security measures. 

Microsoft Defender for Cloud uses ML to analyze the applications running on machines and create a list of the known-safe software. Allow lists are based on specific Azure workloads, and organizations can further customize the recommendations (see below).

Microsoft Defender for Cloud supports adaptive security controls that define which applications are safe to use across specific groups of machines. Source: Microsoft blog, “Use adaptive application controls to reduce your machines’ attack surfaces.” (December 13, 2022)

Building a case for paying for adaptive access out of the zero-trust budget

CIOs tell VentureBeat that when they can deliver measurable outcomes and quick wins as part of their zero-trust frameworks and initiatives, they can better defend their budgets with CEOs and boards. Zero trust is a security approach that assumes that all users, devices and networks inside and outside an organization’s perimeter are potentially compromised and must be continuously verified before being granted access to resources. 

By increasing the accuracy and strength of identity verification to match the context of each request, adaptive access management platforms quantify and track the perceived risk of every query. For example, a request for access to sensitive financial data might require more robust identity verification than a request for access to a public website. Workflows that can ensure least privileged access while eliminating implicit trust are critical for enterprises’ reaching their zero-trust strategic goals.   

“In the more dynamic digital world where attacks happen at cloud speed, zero-trust architecture recommends continuous risk assessment — each request shall be intercepted and verified explicitly by analyzing signals on user, location, device compliance, data sensitivity, and application type,” Microsoft’s Abbas Kudrati and Jingyi Xia wrote in a blog post.

They continued: “In addition, rich intelligence and analytics can be leveraged to detect and respond to anomalies in real time, enabling effective risk management at the request level.”