
Would You Rather, Part 1: Authenticate Users or Monitor Transactions?


There is a popular conversational game that children play typically known as “Would You Rather,” in which someone asks you to choose between two options and explain your reasons for making that choice. For example, “would you rather be rich or famous?” Or “if you could have one superpower, would you rather have superhuman strength or be able to fly?” The fun is in discussing and debating your reasons with friends.

Now imagine you’re playing the IT security version of this game, and you get asked this question: would you rather authenticate users or monitor transactions? Or, stated another way: which matters more, the identities or the activities?

Traditionally, authenticating the user has been the first choice. (Technically, we should probably say authenticating the user’s online identity, because authenticating that users “are who they say they are”—the process known as initial authentication, or vetting—is what happens as part of provisioning an online identity in the first place. But for the sake of simplicity, when we discuss authenticating the user, let’s just stipulate that we all know what we really mean.) Of all the online applications and resources that you access day in and day out, the vast majority continue to rely on usernames and passwords.

But we all know that passwords can be compromised. There has been a long line of examples just in recent memory. Sometimes, even if customers’ financial information was not affected by a security breach, the attackers can still obtain access to their names, physical addresses, email addresses, phone numbers, and dates of birth. That personal information can then be used to make up phony accounts, pump up credit ratings, and run up fraudulent debt.

This is why, in recent years, more and more attention has been given to augmenting the authentication of users/identities with the monitoring of transactions/activities—effectively combining a level of assurance about who the user is with a level of assurance about what the user is doing.

Solution providers such as RSA have been supporting these kinds of defense-in-depth strategies for quite a while now, starting with risk-based authentication back in 2005 (see the recent blog post on Risk-Based Authentication: Debate or Done Deal?) and today including solutions such as RSA Transaction Monitoring and RSA Web Threat Detection. All of these are consistent with the bigger industry trend of using “big data” to establish a baseline for activities that are “normal” to enable faster recognition and response for activities that are “not normal.” As we move deeper into the era of the Internet of Things, these types of behavior-oriented security and counter-fraud capabilities will become even more important.

It turns out that “would you rather” is the wrong question: the best practice for today’s online businesses is to do both. Combining the authentication of identities with the monitoring of activities is part of a defense-in-depth strategy for reducing security-related risk and fighting fraud. Organizations that are thinking only in terms of authenticating users should expand their thinking to also include capabilities to monitor transactions.
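To make the “do both” idea concrete, here is a small added Python example (not code from the original post or from any RSA product) that combines an identity-assurance level with a per-user baseline of “normal” activity. The assurance levels, risk weights, thresholds and the sample transaction history are all assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Transaction:
    user: str
    amount: float
    payee: str
    country: str

@dataclass
class Baseline:
    """Per-user picture of 'normal' activity, learned from past transactions."""
    amounts: list
    payees: set
    countries: set

def activity_risk(tx: Transaction, base: Baseline) -> int:
    """Score 0-90 for how far WHAT the user is doing departs from the baseline."""
    mu, sigma = mean(base.amounts), pstdev(base.amounts) or 1.0
    score = 0
    if tx.amount > mu + 3 * sigma:        # unusually large amount
        score += 40
    if tx.payee not in base.payees:       # never-before-seen payee
        score += 20
    if tx.country not in base.countries:  # transaction from a new country
        score += 30
    return score

def decide(identity_assurance: int, tx: Transaction, base: Baseline) -> str:
    """Combine WHO (assurance 1=password, 2=password+OTP, 3=hardware token)
    with WHAT (activity risk) into allow / step_up / block."""
    risk = activity_risk(tx, base)
    # Stronger authentication buys some tolerance for unusual activity,
    # but never unlimited tolerance: a token cannot excuse every anomaly.
    effective = risk - 15 * (identity_assurance - 1)
    if effective >= 60:
        return "block"
    if effective >= 30:
        return "step_up"  # e.g. ask for a one-time code before completing
    return "allow"

# Constructed sample history for one user (assumed values, not real data).
ALICE = Baseline(amounts=[40, 55, 60, 45, 50, 70],
                 payees={"grocer", "utility"}, countries={"US"})

if __name__ == "__main__":
    for tx in (Transaction("alice", 52, "grocer", "US"),
               Transaction("alice", 120, "newshop", "US"),
               Transaction("alice", 900, "newshop", "RO")):
        print(tx.amount, tx.payee, tx.country, "->", decide(1, tx, ALICE))
```

The same unusual transaction can be allowed, stepped up, or blocked depending on how strongly the user was authenticated, which is the point of treating identity and activity as two complementary sources of assurance.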


The post Would You Rather, Part 1: Authenticate Users or Monitor Transactions? appeared first on Speaking of Security - The RSA Blog and Podcast.
