Risk Based Access Control and the Role of Continuous Authentication

November 26, 2018


As the frequency and impact of security breaches increase, traditional security measures are no longer enough. Point-in-Time (PiT) authentication for access to a broad array of information resources, over several hours or days, is no longer a good mitigation of access control risk. Attackers today can take control of a device and use the security context of the authenticated user to collect and retrieve sensitive information. When we do require separate authentication to each high-value resource, users usually need to create and remember multiple passwords, since security best practice is not to reuse the same password across accounts; and single sign-on has its own challenges.

Continuous authentication addresses these issues by using device, application, and user behavior over time to ensure the proper entity is using each resource. It also helps determine when and if an additional PiT authentication event is needed.

Standard Access Control

Most organizations use two types of access control: basic and risk-based. Figure 1 shows the standard access control process.

[Figure 1]
In weak basic access control, the human subject uses a user ID and a single factor of authentication to verify identity. This is a PiT event, providing access to the accounts receivable application, email, and file server as authorized by profiles, security groups, access control lists, etc. at a specific point in time. The application subject (accounts receivable application) also authenticates to the database server.

The organization likely logs access to all resources and might have monitoring solutions to detect anomalous network or device behavior. However, the user subject behavior is not usually analyzed. When it is, security teams must react to alerts. Further, much behavior associated with account compromise is difficult to detect on mobile devices.

We can strengthen basic access control by adding a second authentication factor. Using multiple factors, known as strong authentication, significantly reduces identity verification risk, but it still only checks identity once.

Risk Based Access Control

Risk-based access control is traditionally implemented in roughly two ways: basic and strong. A basic approach causes a user to log into the network for general access and then into additional resources considered high risk. See Figure 2.

[Figure 2]
In this example, the organization requires any user already authenticated to the network to authenticate again before accessing the receivables application. This helps ensure that someone accessing a user workstation, for example, is actually the person represented by the authenticated identity. If a user walked away from her desk without locking the desktop, and someone else sat down at the keyboard, they would have to know the receivables password to access the high-risk resource… unless, of course, the authorized user was already signed in to the receivables app.

Strong risk-based access control might use additional device and user characteristics, including

  • The role of the user
  • The type and owner of the device used
  • The time of access and the day of week
  • What is being accessed
  • What is being done with the data

While risk-based access control is better than standard access control—basic or strong—it still does not go far enough to address today’s threats targeting all attack surfaces. We need to know throughout any session that the identity authenticated continues to be the person, application, or other entity we expect.
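To make the characteristics in the list above concrete, here is an added example (not code from the original article or its author) of a small risk-based access decision that combines them into one score. The resource sensitivity values, role table, thresholds and sample requests are assumptions constructed for the illustration; the one fixed design choice is that authorization (is this role allowed here at all?) is checked before the risk score, and an unknown resource is refused by default.

```python
from dataclasses import dataclass
from datetime import datetime

# Hypothetical policy tables (assumed values for the example, not the article's).
RESOURCE_SENSITIVITY = {"email": 1, "fileserver": 2, "receivables": 4}
# Roles permitted per resource (authorization). None means any authenticated role.
ROLE_CAN_ACCESS = {
    "email": None,
    "fileserver": {"ar_clerk", "controller", "contractor"},
    "receivables": {"ar_clerk", "controller"},
}
STEP_UP_THRESHOLD = 4   # a score at or above this requires a second PiT factor
DENY_THRESHOLD = 8      # a score at or above this is refused outright


@dataclass
class AccessRequest:
    user_role: str      # the role of the user
    device_type: str    # "workstation", "laptop" or "phone"
    device_owner: str   # "corporate" or "personal"
    when: datetime      # time of access; the day of week is derived from it
    resource: str       # what is being accessed
    action: str         # "read", "write" or "export": what is being done with the data


def risk_score(req: AccessRequest):
    """Return (score, reasons) built from the session characteristics."""
    reasons = []
    score = RESOURCE_SENSITIVITY[req.resource]
    if req.action == "export":
        score += 3
        reasons.append("bulk export of data")
    elif req.action == "write":
        score += 1
        reasons.append("data modification")
    if req.device_owner != "corporate":
        score += 2
        reasons.append("personally owned device")
    if req.device_type == "phone":
        score += 1
        reasons.append("mobile device")
    outside_hours = req.when.weekday() >= 5 or not (7 <= req.when.hour < 19)
    if outside_hours:
        score += 2
        reasons.append("outside normal business hours")
    return score, reasons


def decide(req: AccessRequest):
    """Return ("allow" | "step_up" | "deny", score, reasons).

    Authorization comes first: an unknown resource, or a role that is not
    permitted to the resource, is refused no matter how low the risk score is.
    """
    if req.resource not in ROLE_CAN_ACCESS:
        return "deny", 0, ["unknown resource: default deny"]
    permitted = ROLE_CAN_ACCESS[req.resource]
    if permitted is not None and req.user_role not in permitted:
        return "deny", 0, ["role not authorized for resource"]
    score, reasons = risk_score(req)
    if score >= DENY_THRESHOLD:
        return "deny", score, reasons
    if score >= STEP_UP_THRESHOLD:
        return "step_up", score, reasons
    return "allow", score, reasons


# Constructed sample requests (2018-11-27 is a Tuesday, 2018-11-25 a Sunday).
SAMPLE_REQUESTS = {
    "clerk_at_desk": AccessRequest("ar_clerk", "workstation", "corporate",
                                   datetime(2018, 11, 27, 10, 0), "receivables", "read"),
    "clerk_email": AccessRequest("ar_clerk", "workstation", "corporate",
                                 datetime(2018, 11, 27, 10, 0), "email", "read"),
    "clerk_evening_laptop": AccessRequest("ar_clerk", "laptop", "corporate",
                                          datetime(2018, 11, 27, 21, 0), "fileserver", "write"),
    "clerk_phone_export": AccessRequest("ar_clerk", "phone", "personal",
                                        datetime(2018, 11, 25, 2, 0), "receivables", "export"),
    "contractor_receivables": AccessRequest("contractor", "workstation", "corporate",
                                            datetime(2018, 11, 27, 10, 0), "receivables", "read"),
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(name, decide(req))
```

With these assumed weights, the clerk reading receivables from a corporate workstation during the day lands exactly on the step-up threshold, which reproduces the Figure 2 behaviour of re-authenticating before the receivables application; the same clerk exporting receivables from a personal phone on a Sunday night is refused rather than merely challenged.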

Challenges of Basic and PiT Risk-based Access Control

According to the October 2017 Global Fraud Index study released by PYMNTS.com, account takeover losses jumped 45% in Q2/Q3 2017. This resulted in $3.3 billion in losses. According to the study, attackers bypass authentication methods (including multi-factor) through credential theft, man-in-the-browser Trojans, and social engineering (PYMNTS.com, 2017).

Credential Theft

We usually think of credential theft as an attacker stealing user credentials and then using them to gain unauthorized access. This is always a risk associated with man-in-the-browser and social engineering attacks. However, a large number of today’s attacks have no need to steal credentials.

When a subject authenticates, we tend to believe that it is the authorized human or application. We have a confidence level based on the strength of the authentication process. Use of two factors, for example, significantly raises the level of confidence. Use of strong risk-based authentication raises the level still higher. However, how do we know that an attacker has not compromised the subject’s machine or identity and is now surreptitiously using the subject account to gather information that is used daily by the subject or accessible via tools and techniques implemented on the compromised system?

Use of social engineering and other methods enables attackers to easily gain control of a machine and use authenticated user security contexts (Olzak, 2014). This is often accomplished as users download and install malicious code when performing some seemingly harmless activity.

Rogue Employees

In addition to attacks from the outside, trusted users can go rogue, removing sensitive data from internal networks with various devices. PiT authentication does not prevent this. User behavior monitoring can, but how long until it is detected? How many resources are compromised by a rogue user before security receives an alert and subsequently responds?

Cell Phone Theft/Lending

Finally, use of cell phones to access sensitive information is common. If a cell phone is compromised, how long does it take to remove its access? What if a user loans his phone to a friend or family member who then uses the information inappropriately? In other words, how do we always know that the person using the phone is actually the authorized subject?

These are a few of the challenges we face today. It is not enough to use standard or traditional risk-based authentication. We need to know that whoever or whatever is using an authenticated account continues to be the identity authorized to do so in ways compliant with security policy.

Authentication Factor Challenges for Risk-based Access Control

We generally recognize three authentication factors:

  • Something we know
  • Something we have
  • Something we are

Something We Know

Something we know is the primary means of authentication. We enter a password or passcode, and we are authenticated. The strength of the thing we know directly affects the level of confidence about who or what is authenticating with the identity. However, it is not nearly as strong as using something we know with one of the other factors.

Passwords are not safe enough for anything but general use. Users share them, use the same passwords for multiple access logins (including their social network pages), and are prone to provide them in social engineering attacks. Unless a second factor is used, organizations should always have some other way of ensuring correct subject behavior.

Something We Have

Tokens are factors that we have, like one-time password apps, and they can be hard or soft.

Examples of hard tokens are shown in Figure 3. These tokens simply provide a one-time passcode (top token). The passcodes provided in these types of solutions change about every 30 to 60 seconds, and the codes provided are randomly generated.
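As an added illustration of how time-based one-time passcodes of this kind are commonly derived (this is the RFC 4226/6238 construction, not code from the article or a description of the specific tokens pictured): the code is an HMAC of a counter, and for the time-based variant the counter is simply the number of 30-second steps elapsed. The seed below is the published RFC test-vector seed, used only so the results can be checked; real seeds are random per token. The replay check on `last_counter` is an assumption of this example, added because a code accepted inside the drift window would otherwise be usable twice.

```python
import hmac
import hashlib
import struct
import time

# Constructed example seed: the ASCII seed from the RFC 4226 / RFC 6238 test vectors.
# Real seeds are random per token and are never kept in plain text like this.
EXAMPLE_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based code (RFC 6238): the counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, last_counter: int = -1,
                step: int = 30, digits: int = 6, window: int = 1):
    """Validate a submitted code.

    Returns the counter that matched, or None. The window tolerates clock drift
    between token and server; any counter at or below last_counter (the last
    counter this user already used) is refused so a code cannot be replayed
    within that window. Comparison is constant-time.
    """
    now = unix_time // step
    for counter in range(now - window, now + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    print("current 6-digit code for the example seed:", totp(EXAMPLE_SEED, int(time.time())))
```

The server side must persist the accepted counter per user (the `last_counter` argument) and must itself keep accurate time; the window of one step either side is a typical compromise between drift tolerance and the size of the guessing target.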

[Figure 3b]
A second type of token is one that must be inserted into a USB port to work. It includes smartcard capability, providing the ability to couple digital certificates with the tokens.

Smartcards are another hard token used by the U.S. military. Each has a chip that contains the user’s digital certificate. The user inserts the smartcard into a reader, the certificate is accessed and verified, and the identity is authenticated.

[Figure 3c]
Figure 4 shows soft tokens. In these examples, applications run on a user’s cell phone and provide the one-time password needed for authentication. The advantage of soft tokens is the slim chance that they will be left at home or lost. There is less chance of a user forgetting his cell phone than of forgetting a hard token. Further, the cost of maintaining hardware tokens is eliminated or reduced.
[Figure 4]
Another type of soft token is the Microsoft virtual smartcard. This consists of the user’s private digital certificate residing on the trusted platform module installed on the motherboard of the user’s device. A PIN/password is required to access the certificate. While this helps strengthen authentication, and helps protect possession of the private key, any attacker with physical access to the device and with the user’s password still has a good chance to access network resources.

One-time passcodes or smartcards alone also are not enough security. They are usually used with either passwords or biometrics. Further, they only protect during each PiT authentication, not throughout authenticated sessions.

Something We Are

During the past several years, biometrics solutions associated with physical characteristics (hard traits) have been touted as a great solution to prevent unauthorized access. While these solutions do strengthen PiT authentication, they still come with challenges.

Physical biometrics sense and compare human body traits to authenticate an identity. Biometric Hard Traits include:

  • Fingerprints
  • Veins
  • Eyes (iris or retinas)
  • Faces
  • Voices

Some of these traits are more secure than others, and all require a sensor of some kind. Costs and challenges associated with use of physical biometrics include:

  • Purchase of solution
  • Training of all staff
  • Help desk calls when authentication fails
  • Sensor purchase and maintenance
  • Enrollment

Risk management principles dictate that management incur biometrics costs only where risk requires it. Further, these solutions only authenticate an identity once for each resource accessed. If the user of the logical subject changes or is piggy-backed, it is very difficult to manage the business impact.

Finally, requiring users to use a biometrics sensor alone is not strong authentication. This means that in a risk-based access control process, a user might have to authenticate with a password and a physical scan multiple times to perform daily tasks. This is frustrating to the users and causes production issues when sensor scans fail.

Up to this point, we have looked at authentication factors that enable PiT authentication. Next, we look at behavior traits that enable continuous authentication.

Biometric Soft Traits are not measurable with a scan of some body part. They are, instead, a measure of human or device behavior over time. In this paper, we explore two categories of soft traits: human and cell phone.

Measurable human behavior traits can be divided into five categories (Yampolskiy & Govindaraju, 2008):

  • Authorship biometrics. When a person writes a document, like this paper, he uses predictable word, sentence, and punctuation patterns.
  • Human computer interaction. One of the primary biometrics that falls into this category is keystroke dynamics. Each of us types on our physical keyboards and our cell phone virtual keyboards with recognizable patterns (Olzak, 2006).
  • Human interaction with resources. Users have a daily pattern of how they use network and computer resources. For example, files are accessed in specific folders. Data is moved in certain ways. Applications are accessed in a certain order for and during certain periods.
  • Motor skills. How a user moves a mouse or uses a touch screen are unique behaviors.
  • Physical behavior. How we walk and how we hold our mobile devices helps to identify us.

In addition to how we interact with our desktops, laptops, and network resources, the way we physically and logically use our cell phones is also measurable, as shown in Figure 5.

[Figure 5]
Scores of metrics exist for cell phones and other devices, but some of the most common are:

  • Facial recognition
  • Gait
  • Which hand you hold your phone in
  • Locations when normally using the device
  • How you interact with the touch screen
  • How you type

If we combine soft trait continuous authentication with other risk-based authentication characteristics, it becomes very difficult for an attacker to use an authentication subject for an attack.

When using continuous access control, at least several of these are measured and checked throughout the device’s use, and the user simply works without noticing.

One downside is potential resource issues. The phone has to have the memory and processing speed necessary to perform these tasks without significant performance degradation. The same is true of workstations. Further, it takes time to collect enough information to avoid high numbers of false positives and false negatives. Finally, there is the cost of purchase, implementation, and management of the solution. As always, it’s all about the cost of risk vs. the cost of mitigation.

Continuous Access Control (Continuity)

Continuous access control is, as its name implies, a way to use a set of metrics to continuously verify a subject’s identity. See Figure 6.

[Figure 6]
Continuous authentication, combined with strong risk-based authentication, tends to become a fourth authentication factor: continuity. It uses the soft traits of both the user and the user’s device to determine the probability that:

  • The identity attempting to authenticate, and that is using one or more of the first three factors, is actually the authorized identity, or
  • The authenticated identity, the subject, continues to be the authorized identity.

Refer to Figure 7 as we step through the continuity process. When still using traditional login factors, the identity information holder attempts to authenticate. In our example, we will use a password. The user name and password are checked against stored identity information (e.g., Microsoft Active Directory). If valid, we have a moderate probability that the identity information holder is authorized to access our network.

[Figure 7]
We can significantly increase our probability, our level of confidence, by using one of the other PiT factors in Figure 6. In Figure 7, the user is required to provide a hard trait.

As the user works, soft trait information is gathered into a template that becomes more reflective of the user over time. In fact, use of the template in continuous authentication with just a moderate-strength password can provide very strong access control once enough soft trait information is gathered. Further, risk-based access control is strengthened without having a user sign into multiple resources. The user, or subject, is either trusted or not based on behavior over time.

As the user soft traits are gathered, they are compared to the user’s template. If the user’s behavior moves away from what is expected, one or more of the following may happen, depending on the solution used and how the organization configures it:

  • The subject might be completely logged off the network and required to log back in using a PiT factor
  • The subject might be required to use a PiT factor to log into the next object it attempts to access
  • The subject might be logged out of a sensitive application and required to reauthenticate using a PiT factor
  • The subject might be temporarily suspended from access, without being logged out, until a PiT factor is provided
  • The event is logged, and security is notified

These steps are immediate upon level of confidence falling below a defined threshold. They significantly increase the strength of risk-based access control when used with other session characteristics.
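The continuity process just described, as an added example that is not code from the article or from any vendor product: a behavioral template built from keystroke-dynamics soft traits (the feature names, the 20-sample learning period, the exponential smoothing weight and the two thresholds are all assumptions of this example), a per-sample confidence from the distance to that template, and a session state machine that applies the responses listed above as the smoothed confidence falls. Two details a practitioner wants are built in: smoothing, so one odd sample does not log the user out (the false-positive concern raised earlier), and adaptation of the template only from samples that already look like the user, so an impostor cannot gradually retrain it.

```python
import math
from dataclasses import dataclass

# Hypothetical soft-trait features sampled from keystroke dynamics as the user works.
FEATURES = ("dwell_ms", "flight_ms", "keys_per_sec")

# Policy thresholds on the smoothed session confidence (assumed values).
CONTINUE_THRESHOLD = 0.6    # at or above: keep working
STEP_UP_THRESHOLD = 0.35    # between the two: a PiT factor is required for the next sensitive object
                            # below: access suspended and security notified


@dataclass
class RunningStat:
    """Welford's online mean/variance, so the template grows without storing raw samples."""
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0

    def update(self, x: float) -> None:
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    @property
    def std(self) -> float:
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0


class BehaviorTemplate:
    MIN_SAMPLES = 20    # assumed: below this the template is still learning

    def __init__(self):
        self.stats = {f: RunningStat() for f in FEATURES}

    @property
    def sample_count(self) -> int:
        return min(s.n for s in self.stats.values())

    def ready(self) -> bool:
        return self.sample_count >= self.MIN_SAMPLES

    def enroll(self, sample: dict) -> None:
        for f in FEATURES:
            self.stats[f].update(sample[f])

    def confidence(self, sample: dict):
        """Similarity 0.0..1.0 of one sample to the template, or None while still learning."""
        if not self.ready():
            return None
        scores = []
        for f in FEATURES:
            s = self.stats[f]
            z = abs(sample[f] - s.mean) / (s.std or 1e-9)   # distance in standard deviations
            scores.append(max(0.0, 1.0 - z / 4.0))         # four or more deviations: no match
        return sum(scores) / len(scores)


class ContinuousSession:
    """Smoothed confidence for one session, mapped to the responses in the article's list."""

    def __init__(self, template: BehaviorTemplate, alpha: float = 0.3):
        self.template = template
        self.alpha = alpha        # EWMA weight: a single odd sample cannot trip the policy alone
        self.confidence = 1.0     # a successful PiT authentication starts at full confidence
        self.state = "active"
        self.alerts = []          # "event is logged, and security is notified"

    def observe(self, sample: dict) -> str:
        c = self.template.confidence(sample)
        if c is None:                         # still learning: rely on PiT factors meanwhile
            self.template.enroll(sample)
            return self.state
        if c >= CONTINUE_THRESHOLD:           # adapt only from samples that already match the user
            self.template.enroll(sample)
        self.confidence = self.alpha * c + (1 - self.alpha) * self.confidence
        if self.confidence >= CONTINUE_THRESHOLD:
            self.state = "active"
        elif self.confidence >= STEP_UP_THRESHOLD:
            self.state = "step_up_required"
        else:
            self.state = "suspended"
            self.alerts.append(f"confidence {self.confidence:.2f}: session suspended, security notified")
        return self.state

    def step_up_succeeded(self) -> None:
        """A fresh PiT factor restores full confidence and reactivates the session."""
        self.confidence = 1.0
        self.state = "active"


def enrolled_template() -> BehaviorTemplate:
    """Constructed enrollment: 25 samples varying regularly around one user's habits."""
    t = BehaviorTemplate()
    for i in range(25):
        k = i % 5 - 2
        t.enroll({"dwell_ms": 100 + 4 * k, "flight_ms": 180 + 10 * k, "keys_per_sec": 5.0 + 0.2 * k})
    return t


GENUINE = {"dwell_ms": 104, "flight_ms": 186, "keys_per_sec": 5.1}    # constructed sample
IMPOSTOR = {"dwell_ms": 160, "flight_ms": 300, "keys_per_sec": 8.0}   # constructed sample

if __name__ == "__main__":
    session = ContinuousSession(enrolled_template())
    for sample in (GENUINE, IMPOSTOR, IMPOSTOR, IMPOSTOR):
        print(session.observe(sample), round(session.confidence, 3))
    print(session.alerts)
```

Run as a script, the session stays active after one impostor sample, requires a step-up after the second and is suspended (with an alert recorded) after the third, while the template's sample count does not grow from any of them. The step-up, suspension and logout actions are left as state names here; a real deployment wires them to the identity provider and to the applications that hold the session.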

Conclusion

Most organizations should be going beyond standard access control. Any one of the traditional authentication factors is not enough. Even if an organization uses multifactor authentication, attackers today are more than capable of taking control of machines. Once the attacker owns a machine, it is not a big jump to take over the user’s account. We have to be looking for this.

Risk-based access control is the direction in which all organizations should be heading. Even without continuous authentication, use of session characteristics and user/device behavior monitoring is key to protecting the most sensitive information.

When combined with continuous authentication, risk-based access becomes a very strong control for preventing, detecting, and immediately responding when levels of confidence in authenticated subjects fall below a threshold.

Solutions

The following is a list of some of the vendors providing continuous authentication solutions.

Works Cited

  • “Digital Certificate”. (2018). Retrieved October 2018, from YourDictionary.com: http://www.yourdictionary.com/digital-certificate
  • Olzak, T. (2006, October). ResearchGate. Retrieved October 2018, from Keystroke Dynamics: Low Impact Biometric Verification: https://www.researchgate.net/publication/228368894_Keystroke_Dynamics_Low_Impact_Biometric_Verification
  • Olzak, T. (2012, November). Chapter 12 – Applications of Biometrics. Retrieved from InfoSec Institute: https://resources.infosecinstitute.com/chapter-12-applications-of-biometrics/
  • Olzak, T. (2014). Advanced Malware: How it works. Retrieved from Toolbox (Tech): https://it.toolbox.com/blogs/tolzak/advanced-malware-how-it-works-080714
  • Patel, V. M., Chellappa, R., Chandra, D., & Barbello, B. (2016). Continuous user authentication on mobile devices: Recent progress and remaining challenges. IEEE Signal Processing Magazine, 33(4), 49-61.
  • PYMNTS.com. (2017, October). Global Fraud Index. Retrieved from PYMNTS.com: https://www.pymnts.com/indexes/
  • Srinivasa, K. G., & Gosukonda, S. (2014, June). Continuous multimodal user authentication: coupling hard and soft biometrics with support vector machines to attenuate noise. CSI Transactions on ICT, 2(2), 129-140. Retrieved from SpringerLink: https://link.springer.com/article/10.1007/s40012-014-0054-4
  • Yampolskiy, R. V., & Govindaraju, V. (2008). Behavioral Biometrics: a survey and classification. Int. J. Biometrics, 1(1), 81.

Glossary

  • Authentication. Verification of the identity of a subject via user ID and one or more authentication factors
  • Authentication factor. Something a subject knows (e.g., password), something a subject has (e.g., one-time passcode), or something a subject is (e.g., physical or behavioral biometrics)
  • Authorization. Determination of what an authenticated subject can access and what can be done with what is accessed
  • Basic access control. One-time authentication… a subject only authenticates once to access all resources to which it is authorized; includes weak (single authentication factor) and strong (two or more authentication factors)
  • Behavioral biometrics. Measure of how an object is accessed and used; what objects are accessed by a subject and how they are used; typing characteristics; movement and location of user device; and many other measures of subject behavior when using information resources
  • Continuous access control. Use of behavioral metrics to initially authenticate a subject, and then to assess over time the probability that a) an authenticated subject has been compromised or b) an authorized subject is behaving in a high-risk manner
  • Digital certificate. “An encrypted and digitally signed attachment that authenticates a user on the Internet or an intranet. A digital certificate is issued by a certificate authority (CA), and attests to the legitimacy of an identity, an online transfer of information, funds, or other sensitive materials through the use of encryption. A digital certificate includes the sender’s name, a serial number, expiration dates, a copy of the certificate holder’s public key, and the digital signature of the issuing CA. A digital certificate holder has both a private key and a public key. The private key is held only by the user and is for signing outgoing messages and decrypting incoming messages. The public key is available to anyone for encrypting data to send to the holder of that public key, who then uses the private key to decrypt the message. Many digital certificates conform to the X.509 standard” (“Digital Certificate”, 2018).
  • Identity. Information given/provided to a subject that an access control process uses, when presented by the identity owner (human, application, service, etc.), to authenticate and authorize object access and permissions; an authenticated identity is an authenticated subject
  • Man-in-the-browser. Usually implemented by installing a proxy Trojan, this type of attack modifies transaction content, web pages, or inserts additional transactions using the authenticated user’s account
  • Object. Any information resource accessed by a subject (applications, databases, printers, files, email, etc.)
  • Physical biometrics. A biological characteristic, including recognition of fingerprint, face, voice, veins, etc.
  • Risk-based access control. Use of authentication practices commensurate with associated risk, including ensuring the subject’s identity continues to be checked and confirmed; questionable situations require a new authentication
  • Subject. Any entity (human, application, etc.) that attempts to access an information resource (an object)

Tom Olzak

Cybersecurity Researcher, Author & Educator

Independent security researcher and an IT professional since 1983, with experience in programming, network engineering, and security. I have an MBA as well as CISSP certification. I am also an online instructor for the University of Phoenix. I've held positions as an IS director, director of infrastructure engineering, director of information security, and programming manager at a variety of manufacturing, healthcare, and distribution companies. Before joining the private sector, I served 10 years in the United States Army Military Police with four years as a military police investigator. I've written four books, Just Enough Security, Microsoft Virtualization, Enterprise Security: A Practitioner's Guide, and Incident Management and Response Guide. I am also the author of various papers and articles on security management.