Using Machine Learning To Make Identity & Access Management Systems More “Intelligent”

We have been losing the war on cybercrime for some time now. Research firm Forrester reports over a billion accounts stolen in 2016 alone. We are having to wade through more incident data and people cannot keep up. Could machine learning help solve the problem?

For over the years Identity and Access Management (IAM) systems have evolved from simple “white pages” applications to the complex IAM systems available today supporting plethora of features/capabilities like Risk-based authentication (RBA), Context-aware Authentication (CWA), Multi-factor Authentication (MFA), Single Sign On (SSO), Access Control, Lost Password Management, Consumer/Customer Identity Access Management (CIAM), etc.

However, most of the security controls in IAM systems are inherently rule-based due to increasing relies on a growing number of factors – from physical and behavioral biometrics to geolocation data — to determine the identity and authorizations of an individual, and companies are turning to algorithms to process and judge those factors for IAM systems. For example – multi-factor authentication is applied in conjunction with risk-based authentication, wherein RBA indicates Authentication risk score and if this risk score is above a certain threshold, then step-up the authentication process to include additional factors as required. Similarly, context-aware authentication relies on configured rules based on the context derived.

Rule-based systems have their own disadvantages:

  • Time zone challenges – Consider that there is a rule which allows employees to log in during business hours. However, this rule does not work well when the employee travels to a different time zone.
  • Rule-based systems increase the friction in terms of user experience. Let us take an example – say you have a rule which steps up the authentication if your last login location and current location do not match. While it seems to work for most cases without issues, consider the situation encountered by your sales person who travels frequently. The sales person almost always ends up being compelled to use multi-factor authentication.
  • There is no one rule that fits all in the organization. learning-based results in growing number of Rule which eventually becomes a management nightmare and results in security holes.
  • Handling rule conflicts – how to handle scenarios wherein Rule #1 indicates opposite of Rule #2.

A machine learning based IAM system will enable organizations to do away with some of these rules. The system will itself learn based on past patterns and accordingly, it can decide how to grant someone system access under different conditions or require trust elevation. There are two things that make machine learning ideal for this process.

First, it’s difficult to code explicit rules for, it’s people. They are unpredictable. They access different applications from different locations, and at different times.

For example a machine learning based system will correctly profile a sales person as one who is constantly traveling and hence ends up accessing the system from different geographies and at different times. His profile is different from a floor manager who ends up logging in from the same geography and typically in the same time window most of the times.

The learnings from such a system can be augmented with intelligence like taking travel time into considerations. For example, if the sales person has logged in from India and then in the next half an hour he is trying to log in from the USA, then the system will be smart enough to determine that it is not possible to travel that far in the given time. Thus it will consider the access as suspicious and ask for an additional factor in the authentication process.

Second, the whole process of access authorization needs revising.

For example, the machine learning-based system will automatically learn that people in the sales roles request for access to the web expense management system. Based on this learning it can automatically request access to the required system on behalf of the user.

With Machine Learning, IAM systems will be able to learn user behaviors and this will result in better user experience and improved security as well.