What's the difference between Adaptive Authorisation and Adaptive Authentication? And does it matter?
Definition: Adaptive: serving or able to adapt; showing or contributing to adaptation.
In essence Adaptive Authentication is a process applied by an IAM (Identity and Access Management) product whereas Adaptive Authorisation is a process applied by a PAM (Privileged Access Management) product. Here's a quick summary:
• Adaptive Authentication This is based on the 'posture' on the incoming user. Are they using a different device, in a different location or have a different typing cadence. In these cases a higher level of risk is assumed and Adaptive Authentication will ask for another factor to Authenticate. This is why it is generally in the IAM realm.
• Adaptive Authorisation This is based on the task or process that the user is undertaking. It is based on dynamic risk assessment. If, at the time of execution, the task will have consequences, for example terminating user sessions Adaptive Authorisation will ask for an authentication factor. The dynamic knowledge of risk and privilege puts this in the PAS Realm.
You could think of Adaptive Authorisation as an intelligent version of the 'sudo' command in that you asked for authorisation based on the outcome of the process rather than the individual commands that make up that process.
Authorisation workflow is another subject! It has to be designed carefully, otherwise it can get in the way and is most often meaningless. This is because it is defined up front and tends to be applied to any process that may have consequences. The workflow considers all outcomes. We believe in the simplification that comes with dynamic risk assessment built into the privileged processes.
Why would we, of all vendors, say this? Well, 'Real World' authorisation workflow looks more like this:
• Your job is to keep these services running, here's what we need to to do under various conditions - if they happen, please remediate. The workflow is implicit: someone has been trained and understands the work. There should be no delay between an issue occurring and that person dealing with it.
• Upgrades and Changes. Staff will be telling management that systems and services are either running out of capacity, or need upgrading for security reasons. The upgrades and changes are agreed with management. In bigger or financial organisations the work will be ticketed. Here the work is again implicit - the management already expects their staff to do this work. For improved security, the ticket can be used to authorise access, i.e. no ticket no access. The only delay is in working with the ticket system and even this can be minimised with a Privileged Access Management system that is integrated with the ticketing system (e.g ServiceNow or Remedy).
• Problem solving. The management ask the staff "what is the best way of getting 'x' achieved with 'y' budget?" Once again the workflow is implicit. Management expect staff to test and trial various systems until they solve the problem.
• Sensitive Systems These would seem the ideal candidates for workflow. However, higher degrees of authorisation and monitoring are better for governance and compliance.
A key assumption of the Authorisation Workflow is that managers need to know what is going on. In reality, it is far more common that colleagues need to know. For example, if a version of an application is changed, or the startup sequence of a server is modified it is highly like that colleagues will be affected and need to take action.
This is why our Privileged Access Management profiles can be configured so that members of the profile can also authorise access through that profile. This is on the basis that your colleague is far more likely to understand why you need access and the ramifications of what you intend to do with that access.
There is a pyramid of detail
In any sizeable organisation there is a lot of detail. Staff teams understand that detail and team managers understand most of that detail and some of the detail in running the organisation. The managers are often the link between teams. Asking a manager to authorise individual access to systems is mostly impractical because the manager cannot be expected to keep track of all the details of every staff members workload. If they did, it would amount to micro-management and excessive time consumption for very little output.
There are of course edge cases. HR and finance systems tend to be very sensitive, and this kind of every step management makes sense. Unfettered access to systems is a bad idea, and we all know that human error is costly. A scheme is required that balances the business and security requirements.
A note on Adaptive Authentication
This is something different, this is the process of requiring an extra stage of authentication if the user has an unusual posture. For example, if the user is on a VPN or has a different typing cadence. Adaptive Authentication is the process that frustrates people when they need login fast and keep getting asked for extra steps.
More Security, Less Effort for everyone
Managers need to manage, and colleagues need to know what is going on, Privileged Access Security needs to be a light touch for staff, a safety net for human error, and an impenetrable wall for attackers. This is where the combination of Privileged Process Automation (PPA) and Adaptive Authorisation (AKA "Step-up Authorisation") delivers wins on multiple fronts:
• An automated process will separate the human operator from the systems, the privileges and the credentials. This one step is a major contribution to security.
• Automation ensures that the task is always done in a consistent and secure way. This virtually eliminates human error.
• Automation can test that systems, devices and applications are in the right state before running the tasks. This will help with consistency.
• Automation can communicate! It can raise and close tickets, it can conditionally send emails and alerts to colleagues that may be affected.
• Automation tends to be at least twenty times faster than manual operation.
• Automation can call upon itself.
There are always times where systems are not in the preferred state for tasks. For example, the results of running a task could mean that users are disconnected from system, or have e-commerce baskets reset. These tasks happens frequently out of hours and the business goal is to get back to normal operation as quickly as possible.
In these cases the managers would authorise the tasks anyway - but at least they would know. With Adaptive Authorisation we can anticipate that event. The Automation (PPA) can check for live users and ask the operator for an extra level of authorisation as both a warning as to the consequences of running the task, and let the operator know that managers and colleagues will get emails and alerts. This simplifies the overall workflow since dynamic assessment only steps in when it needs to. Therefore it takes less work to define and less work to operate.
Plan to succeed
Automation always requires up-front work. Of course, we are here to help with that. Here are some typical guidelines for getting the best from any Privileged Process Automation project:
• Identify the regular high impact tasks your staff need to do. These can be time costly or have potentially high costs where there is human error.
• Identify the conditions under which these tasks are needed. Can these be monitored and dealt with under automation?
• Identify the edge cases. When should this task absolutely not be run? - e.g. during a backup, maintenance and upgrades.
• Identify who needs to know that the tasks has run. Who will it affect and how? This is the input to the outbound communications.
• Identify the reporting needed. Should a ticket be raised and closed? Is a ticket for this already open? etc.
• Identify when Adaptive Authorisation would be needed. For example systems with current user calls and sessions, systems in particular states etc.
Once you have these factors, you can decide where is the best place to delegate an automated process. Because it is so safe it can go much closer to the front line, and Adaptive Authorisation lets you delegate one step up for those awkward states and conditions.
Hopefully, you can now see that Adaptive Authentication and Adaptive Authorisation are both valuable and applied at very different times and places. For IT Operations and more, Automation will always deliver the best security. With a little planning it can deliver many benefits to business as well.
If you'd like to know more - please get in touch.