Organizations today are challenged to create a truly resilient and secure identity framework for both employees as well as customers. One widely recognized information security strategy for securing enterprises and applications is defense-in-depth (DiD).
Integrating people, technology, and operations capabilities, DiD operates on the principle that deploying multiple layers of security ensures that if one layer fails, another can step in to mitigate the threat. The more diverse and robust these layers, the stronger the overall protection.
While this approach has proven effective, Identity and Authentication are often treated as just one of these layers. The gold standard for this layer, albeit increasingly outdated, remains multi-factor authentication (MFA). By implementing MFA, organizations achieve a marginally stronger assurance that users are who they claim to be.
However, it’s time to challenge this traditional thinking. Identity should not merely be a single layer within a DiD strategy. Instead, it deserves its own multi-layered approach, which I propose calling identity-in-depth (IiD).
Today’s identity and access management (IAM) systems largely follow a uniform approach. If a user successfully authenticates through the required checks (e.g., passwords, MFA), they are granted access and can move seamlessly through additional security layers.
Some IAM platforms claim to analyze contextual attributes, such as location or login velocity, as part of adaptive authentication. While this adds value, these measures often fall short because attackers have learned how to bypass them.
IAM platforms primarily rely on three types of authentication layers:
- Password-based authentication: this usually involves a password. Despite advancements in security, passwords remain the most common and weakest form of authentication.
- Multi-factor authentication (MFA): MFA typically uses SMS texts, push notifications, or apps like Google Authenticator. While concepts like phishing-resistant MFA exist, these remain variations of the same layer.
- Biometrics: methods like fingerprints, retina scans, and face recognition form this layer. While effective, they ultimately serve the same goal: generating an authentication token.
At their core, these layers serve one purpose: creating a token. Once a user possesses that token, they are considered authenticated. However, attackers often focus their efforts on stealing or replicating these tokens to bypass security. This token-centric approach leaves a critical gap in the system.
The real opportunity lies in adding a Behavioral Layer as part of Identity Threat Detection and Response. This layer focuses on monitoring and analyzing user behavior to detect anomalies in real time. While some IAM platforms touch on this concept, few implement it deeply or effectively beyond their own ecosystems.
As an example, imagine you’ve started a new job at a large corporation. On your first day, you meet the front desk security guard, provide proof of your identity, and are issued a keycard. On subsequent days, the guard sees you regularly, learns your schedule, and becomes familiar with your typical behavior cues such as your demeanor, dress, and even routine.
One day, you arrive acting noticeably different. You are wearing a trench coat, carrying a bulky backpack, and appearing nervous. The guard, recognizing this unusual behavior, stops you for additional verification. Despite possessing a valid keycard and being the same person physically, your behavior raised red flags, prompting further scrutiny.
People excel at recognizing these behavioral shifts, but traditional IAM does not. This highlights the importance of monitoring digital behavior alongside traditional identity verification methods.
Monitoring a user’s digital behavior as they interact with IAM systems is arguably more critical than initial Know Your Customer (KYC) checks. KYC provides a point-in-time assurance, but evolving behavior can signal potential risks.
For example:
These behavioral indicators should trigger additional authentication measures or responses, much like the guard stopping a suspicious individual.
Today, the standard approach is far too simplistic: “If they have the password (or token), let them in.”
This mindset must evolve. Behavioral analysis should become a core pillar of IiD, ensuring that identity verification isn’t a one-time event but an ongoing process.
Identity cannot remain just one layer in a broader defense-in-depth strategy. Protecting the access token is no longer sufficient. Instead, organizations must adopt an “Identity in Depth” framework that incorporates:
- Combining authentication methods with continuous behavioral analysis.
- Actively monitoring and responding to deviations from normal user behavior.
- Prompting additional authentication journeys when behavioral anomalies arise.
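As an added illustration of the behavioral layer and the adaptive responses described above (example code written for this article, not Verosint's product or any IAM platform's code), the following Python keeps a per-user baseline of devices, countries and sign-in hours, scores a new login against it including login velocity, and returns allow, step-up or block. The event fields, signal weights and thresholds are all assumptions chosen for illustration.

```python
# Added example for the identity-in-depth argument above, not Verosint or IAM-platform code; fields, weights and thresholds are assumptions.
from collections import namedtuple
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt

LoginEvent = namedtuple("LoginEvent", "ts device_id country lat lon")  # ts is a tz-aware UTC datetime

@dataclass
class Baseline:
    devices: set = field(default_factory=set)     # device identifiers seen on completed logins
    countries: set = field(default_factory=set)
    hours: set = field(default_factory=set)       # UTC hours in which the user normally signs in
    last: LoginEvent = None                       # most recent completed login, for velocity

# Risk points per signal; the thresholds in decide() turn the total into a decision
WEIGHTS = {"new_device": 30, "new_country": 30, "unusual_hour": 15, "impossible_travel": 50}

def km_between(a, b):
    """Great-circle (haversine) distance between two events, in km."""
    la1, lo1, la2, lo2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def anomalies(ev, base):
    """Signals on which this login deviates from what the baseline has learned about the user."""
    found = []
    if base.devices and ev.device_id not in base.devices:
        found.append("new_device")
    if base.countries and ev.country not in base.countries:
        found.append("new_country")
    if base.hours and ev.ts.hour not in base.hours:
        found.append("unusual_hour")
    if base.last is not None:
        elapsed_h = max((ev.ts - base.last.ts).total_seconds() / 3600, 0)
        # login velocity: covering the distance faster than ~900 km/h is physically implausible
        if km_between(ev, base.last) > 900 * elapsed_h:
            found.append("impossible_travel")
    return found

def decide(ev, base, step_up_at=30, block_at=80):
    """Map accumulated risk to allow / step_up (extra authentication journey) / block."""
    found = anomalies(ev, base)
    risk = min(100, sum(WEIGHTS[s] for s in found))
    action = "block" if risk >= block_at else "step_up" if risk >= step_up_at else "allow"
    return action, risk, found

def learn(ev, base):
    """Update the baseline only from logins that completed, including after a step-up."""
    base.devices.add(ev.device_id); base.countries.add(ev.country)
    base.hours.add(ev.ts.hour); base.last = ev
```

With an empty baseline every signal is skipped, mirroring the guard's first day: the user is admitted on the strength of the token alone and the baseline is built from the completed logins that follow.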
By embracing IiD, we can shift the paradigm from simply verifying tokens to understanding and adapting to the nuanced behaviors that define digital identity. This approach is essential for creating a truly resilient and secure identity framework.
-------
Looking for more information on IiD or have other questions on stopping attacks? Contact us to discuss how Verosint solutions can boost the resilience and security of your identity framework today.