Do You Need Risk-Based Authentication? (RBA)


October 24

If you’ve tried to access your online bank account while on vacation in the Canary Islands, there’s a good chance you were asked for further proof of identity before you were granted access to your account. I recently experienced this while trying to make a payment on my Visa card while in Las Vegas over public Wi-Fi. The issuer of my Visa didn’t recognize my IP address, and I was asked to provide a password sent to my phone to verify my identity before I could access my account.

What is RBA?

What I experienced is an example of risk-based authentication (RBA). RBA is a system that applies varying degrees of stringency to the authentication process based on the sensitivity of the data the user is asking to access. RBA takes various factors into account, such as a user’s location, login time, device, and IP address, to determine a risk score. If the risk score is too high, access to the network is denied. A moderate risk score may grant access to a company’s shared calendar but block access to that same company’s financial system.

Below is an example of RBA across three different users. Notice how the hacker in scenario 3 meets some of the criteria, but not enough to gain access.

[Image: risk-based authentication scenarios for three users]

Photo courtesy of CMSWire.
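To make the scoring idea concrete, here is an added toy example in Python (not code from the article or from any of the vendors named below): it combines the factors described above into a score and maps that score to allow, step-up or deny per resource, so that a moderate score can still reach the shared calendar while the financial system demands a second factor. The weights, thresholds, user profile and sample logins are all constructed for illustration.

```python
# Added illustration of a risk-based authentication policy. Weights,
# thresholds, the profile and the logins below are constructed, not real.

WEIGHTS = {            # risk points added when a signal fires
    "new_ip": 25,
    "new_device": 30,
    "unusual_location": 30,
    "off_hours": 15,
}

# Per-resource policy: (allow_below, step_up_below). A score under the first
# value gets straight in, under the second must pass a second factor (such as
# a code sent to the user's phone), and anything at or above it is denied.
POLICY = {
    "calendar": (60, 90),   # shared calendar tolerates more risk
    "finance": (20, 60),    # financial system tolerates very little
}


def risk_score(profile, login):
    """Sum the weights of every risk signal the login triggers."""
    start, end = profile["hours"]
    signals = {
        "new_ip": login["ip"] not in profile["known_ips"],
        "new_device": login["device"] not in profile["known_devices"],
        "unusual_location": login["country"] != profile["home_country"],
        "off_hours": not (start <= login["hour"] < end),
    }
    return sum(WEIGHTS[name] for name, fired in signals.items() if fired)


def decide(profile, login, resource):
    """Return 'allow', 'step_up' or 'deny' for one login against one resource."""
    score = risk_score(profile, login)
    allow_below, step_up_below = POLICY[resource]
    if score < allow_below:
        return "allow"
    if score < step_up_below:
        return "step_up"
    return "deny"


# Constructed sample profile and three logins (usual, travelling, suspicious)
ALICE = {"known_ips": {"203.0.113.7"}, "known_devices": {"laptop-1"},
         "home_country": "US", "hours": (8, 19)}
USUAL = {"ip": "203.0.113.7", "device": "laptop-1", "country": "US", "hour": 10}
TRAVEL = {"ip": "198.51.100.4", "device": "laptop-1", "country": "ES", "hour": 10}
SUSPECT = {"ip": "192.0.2.9", "device": "unknown", "country": "ZZ", "hour": 3}

if __name__ == "__main__":
    for name, login in [("usual", USUAL), ("travel", TRAVEL), ("suspect", SUSPECT)]:
        print(name, risk_score(ALICE, login),
              {r: decide(ALICE, login, r) for r in POLICY})
```

Running it shows the travelling login (new IP, unusual location) reaching the calendar but being stepped up for the financial system, while the suspicious login is denied everywhere.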

Growing Interest in RBA Solutions

RBA has been around for a while, so why are more MSPs showing interest today than before? Because 2014 has been a banner year for thieves. Cyber-criminals have gained access to private data at some of the largest companies in the world, including Home Depot, Target, and JP Morgan.

When these high-profile breaches make national and local news, CEOs begin asking questions of their IT staff to better understand what risks their own companies face. This provides an opportunity for MSPs to help companies evaluate their risks and match them to an appropriate RBA security solution.

A number of companies currently provide RBA solutions. Generally, RBA is provided through the implementation of a suite of products that promise added layers of protection. These solutions tend to be quite easy to understand, but time-consuming and complex to set up and configure properly.

3 RBA Solutions

  • CA Technologies offers a product called CA Risk Authentication that comes with pre-built rules which cover typical fraud patterns for both consumer and enterprise online services. CA Risk Authentication can be layered on top of other CA products such as CA Strong Authentication and CA Single Sign-On.
  • EMC offers RSA Adaptive Authentication, which is an RBA product focused on keeping sensitive data secure. EMC claims their product is being used by over 8000 companies that cover both big and small businesses in healthcare, insurance, and financial services, to name a few.
  • Oracle offers Adaptive Access Manager, which helps organizations prevent fraud by strengthening existing authentication flows. This product is geared towards enterprises that have already invested in Oracle products.

Each of these products provides out-of-the-box rules that cover the most common security breaches, but that’s only going to take them so far. MSPs can provide further value by helping IT staff assess the risks associated with their current security plan, and help them tailor a solution that covers their unique situation. By keeping up with the latest security solutions on the market, MSPs can become indispensable partners to those companies whose reputations rely on keeping their customers’ data safe and secure. That’s an awful lot of companies.

User authentication has always been a balancing act. You want to keep the crooks out while not frustrating your good customers with complicated security details. Managing hundreds or thousands of profiles makes this a real challenge. MSPs can help IT understand the tradeoffs to make sure customers remain happy and thieves are kept at bay.

Photo Credit: Steven Depolo via Flickr.