Users need to be able to access all the applications they require on agency networks. It’s security’s job to make sure the right people are logging on.
While security staff is tasked with keeping these applications safe, it can’t be at the expense of accessibility. An easy login experience for users is essential for productivity.
To ensure that only legitimate users access an application, users must first authenticate. Authentication compares the credentials that users provide to a single source of authority, like a database. If the credentials match the database, it’s reasonable to believe users are who they say they are.
But bad actors know lots of tricks to get around login protections.
Consider Agency ABC. It uses a single-sign-on system, or SSO, that checks every box on the user convenience list. With SSO, after logging in initially, users can switch from one application to another without having to sign in again and again.
Lately, Agency ABC has been under attack. A bad actor recently launched a password spray attack. That’s where the same password is “sprayed” across many accounts. When one password didn’t work, the attacker tried another. There were also several attempts to access an application by bypassing multifactor authentication, or MFA, credentials.
To identify bad actors and enforce stricter security on compromised accounts, ABC needed to review its logs – which was a manual, time-consuming process. Security staff couldn’t connect the dots because analyzing so much data made it difficult to both identify the attacks and distinguish them from mistakes.
This same scenario plays out in agencies across the country every day. Most of the time bad actors don’t get in. But every so often, they do.
Identity and access management, referred to as IAM, lets you manage user roles and access privileges. It defines the circumstances under which users can access an application. When you integrate IAM with a behind-the-scenes data system, you turn volumes of log data into readable, actionable information that shines a floodlight on bad actors.
With login details stored in a central database, it’s easy to run a quick data analysis to identify abnormal login activity, like failed login attempts by a bad actor. Depending on the information you capture, you might have clues as to who and where they are.
Automation can help too. As the number of attempts exceeds a threshold, a violation is triggered and security personnel are alerted. A solid IAM solution gives you some flexibility with thresholds. For instance, you should be able to set them for a number of failed password attempts or a number of failed attempts to provide valid MFA credentials.
This type of solution also enables security personnel to either require MFA for a specific user (if only a password was required before) or to disable the user’s account. Disabling an account without user permission has historically been a pain point, mired by mistakes and bureaucracy. Not anymore. An audit trail provided by the backend data system provides details on each user’s attempted logins, giving security personnel a valid reason to disable fraudulent or compromised accounts. From there, they can take legal action if necessary.
A related piece of technology is the cybersecurity data lake. It’s a single source for log data. You could combine that data with data gathered from related sources, like firewalls and VPNs, and then use artificial intelligence, machine learning and visualization tools to find aggregated, logical insights. You can even apply geography-level filtering with a blacklist IP to make sure that users aren’t logging in from IP addresses that are either spoofed or known as malicious.
Security staff shouldn’t waste time playing catch-up with bad actors. And that experience shouldn’t inconvenience users either. IAM with analytics and alerting can raise the danger flag early, strengthen login security and, ultimately, keep the bad guys out of agency systems.
This article is an excerpt from GovLoop Academy’s recent course, “Strengthening Application Login Security With Data Analytics,” created in partnership with Snowflake. Access the full course here.
