New Multi-factor Authentication Offering Seeks Balance Between Strong Security and Ease of Use
Striking the correct balance between strong security and excessive control is difficult. Without strong security, such as multi-factor authentication (MFA), organizations will be breached. With excessive control (such as MFA always and everywhere), business will be impeded, employees will be disgruntled, and controls will be bypassed. A new behavioral authentication product announced today by security firm Preempt allows optional MFA, based on user behavior, on any application.
Preempt’s new “Any App” offering seeks to solve the growing concern over the insider threat by allowing policy to dictate whether user access to any application should be challenged by multi-factor authentication requirements, or simply allowed. This increases security without increasing unnecessary impediment to business.
The insider threat is insidious. It can come from innocent users, ‘malicious’ users motivated by curiosity or worse, or hackers inside the network with stolen credentials. While modern network analytics can detect ‘unusual’ behavior, they cannot automatically distinguish between the merely unusual and the maliciously unusual. The result is a large number of alerts that need to be investigated but are often false positives.
Preempt’s Any App takes a different approach by imposing strong security in the form of multi-factor authentication requirements on any specified application whenever, but only if, ‘unusual’ user behavior is detected. This is an advance on the more common approach of applying MFA to web applications only.
“Security teams want to better protect their organization and application from threats and breaches by adding policies that require users to validate their identity via authentication techniques before accessing corporate applications,” explains Ajit Sancheti, co-founder and CEO of Preempt. But while adding MFA to web applications is relatively simple, protecting on-premises applications is more complex. Integrating secure authentication into each application requires significant resources, which typically leads to the majority of internal applications not being protected by MFA.
Any App, he continues, “removes the need for application customization, and turns the task of adding MFA support to applications into a simple matter of defining policy, which saves both time and money, while also protecting the organization from security breaches.”
Any App works at the network layer for both Windows and Linux environments, and acts as an LDAP or Kerberos proxy. When a user first seeks access to an application, the application will attempt to verify the user. Any App proxies this request, and based on security policy can either allow access or require MFA.
If policy requires additional authentication, the organization’s MFA solution is automatically triggered. Since Any App is vendor neutral, the MFA can come from the existing deployment of a range of vendors such as Duo, Okta, and SecureAuth.
The behavioral policy engine within Any App allows the security team to define the conditions necessary to invoke MFA. For example, MFA can be required if the access request comes from an unmanaged device, or if the user is connecting to a new asset, from a new location, or from a new device. This allows the security team to automatically apply more stringent controls without requiring individual alert analysis.
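The decision flow described above (proxy the authentication request, check it against behavioral conditions, and challenge with MFA only on a match) can be sketched as follows. This is an added illustration, not Preempt's code or policy format: the class names, condition labels, and the `mfa_challenge` callback standing in for the organization's MFA vendor are all hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Baseline:
    """What has been seen for one user on previously verified requests."""
    devices: set = field(default_factory=set)
    locations: set = field(default_factory=set)
    assets: set = field(default_factory=set)

@dataclass(frozen=True)
class AuthRequest:
    user: str
    device: str
    location: str
    asset: str      # application or server being accessed
    managed: bool   # device is enrolled in corporate management

class StepUpPolicy:
    """Hypothetical policy engine: decides allow vs. MFA for a proxied request."""
    def __init__(self):
        self.baselines = {}

    def triggers(self, req):
        """Return the names of the policy conditions this request matches."""
        b = self.baselines.get(req.user, Baseline())
        checks = [
            ("unmanaged_device", not req.managed),
            ("new_device", req.device not in b.devices),
            ("new_location", req.location not in b.locations),
            ("new_asset", req.asset not in b.assets),
        ]
        return [name for name, hit in checks if hit]

    def decide(self, req, mfa_challenge):
        """Allow silently, or make access depend on the MFA challenge result."""
        reasons = self.triggers(req)
        if reasons and not mfa_challenge(req, reasons):
            return "deny", reasons  # failed challenge: baseline is not updated
        # Learn only from requests that were unremarkable or MFA-verified,
        # so a stolen password alone cannot "train" the baseline.
        b = self.baselines.setdefault(req.user, Baseline())
        b.devices.add(req.device)
        b.locations.add(req.location)
        b.assets.add(req.asset)
        return ("allow_after_mfa" if reasons else "allow"), reasons

if __name__ == "__main__":
    policy = StepUpPolicy()
    # Constructed sample requests; the lambda simulates a successful MFA prompt.
    first = AuthRequest("alice", "laptop-1", "HQ", "fileserver", True)
    print(policy.decide(first, lambda r, why: True))
    print(policy.decide(first, lambda r, why: True))
```

An unmanaged device keeps matching on every request because that condition does not depend on the learned baseline.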
Any App attempts to allow the security team to define and control the balance between strong security and ease of use. It reduces the cost of strong security while activating it only where policy decides it is necessary.