Early this month (Dec. ’18), Gartner held their annual conference on Identity and Access Management (Gartner IAM) in Las Vegas. For those who don’t know, IAM is an umbrella term that covers identity provisioning, management, governance, authentication, and more. One of the topics that dominated their talking points was their self-coined term CARTA (Continuous Adaptive Risk and Trust Assessment). While they have been using the term at least since summer 2017, it was the sheer number of talks and topics in which the term was used (by my count over 80%) that drove home the analysis firm’s emphasis on its importance.
While CARTA as a concept can, and should, be applied across all levels of security, one of the largest areas of impact is around authentication. In fact, in their “Seven Steps to CARTA” self-help kit (paraphrasing) step number 1 is:
Imperative №1: Replace One-Time Security Gates With Context-Aware, Adaptive and Programmable Security Platforms.
Two things are fascinating here. First, this calls for continuous authentication, arguing for continuous de-risking, rather than one big identity check followed by a session with a fixed expiration. Second, Gartner clearly states that to accomplish the above, we need to be adaptive to real-time context. I wrote a PhD dissertation on context-aware systems, and it is my expert opinion that the vast majority of system context that relates to the user and their identity is synonymous with user behavior. In fact, in his talk on the subject, Ant Allen mentioned that we should be looking for the solution in the direction of what Behavioral Biometrics has done for consumer fraud prevention.
At TWOSENSE.AI, we have been pushing for a rethink of authentication. First, we hate sessions, and have been vehement about eliminating them in favor of continuous authentication. The main issue we have identified is that no form of traditional authentication can be used continuously without some form of continuous user work. For authentication to be continuous, it must be effortless, and if it’s effortless, it must be using what the user is doing anyway, and therefore be behavior-based. We have made it our mission to implement these principles in the workplace, bringing consumer behavioral biometrics technology to enterprise employee authentication, and we’re super excited to see industry thought leadership aligning with our own vision.