Security threats are becoming increasingly sophisticated, and fraud is rampant. How do you protect your business from bad actors with minimal impact to your customer journey?
Closely examining a website or application to identify risks is only half the battle. After potential issues or vulnerabilities are detected, solutions must be devised and implemented.
This article will explore some strategies for mitigating common risks that modern applications face and defending against future similar risks.
Security Orchestration, Automation, and Response (SOAR) enables you and your security team to automate incident responses by managing data flow between security and productivity tools. Fraud detection, for example, performs real-time individual session analysis using behavioral biometrics and device fingerprinting to detect and block fraudulent transactions.
You can use insights collected from fraudulent activities to orchestrate seamless customer journeys while protecting your business. PingOne DaVinci offers a drag-and-drop solution, mitigating the risk of fraud and solving other significant identity challenges.
While some mitigations are performed silently, it’s often helpful to receive and manually react to anomaly alerts triggered by particular behaviors or patterns of data deviating from the norm. Modern anomaly detection often leverages machine learning advances to help discover anomalies within the large, complex, and evolving datasets facing enterprises today.
Additionally, you can reduce your server’s direct attack surfaces. A reverse proxy is a server that intercepts requests from the client to the origin server such that clients do not directly communicate with the origin server. In this way, a reverse proxy serves as a layer of protection from attacks since the origin server IP addresses do not need to be publicly accessible.
PingAccess, deployed under the gateway model, implements a high-performance reverse proxy that enables single sign-on (SSO) for any number of web applications and APIs from any number of origin servers.
Geolocation fencing can limit access based on an estimated geographical location of a device. For example, you can set it up such that a user’s device must be located within an appropriate radius from their office locations.
A session approval by manager workflow will trigger an actionable notification to the manager of the identity associated with the authentication request. You may implement this workflow to force a human component to authorize new sessions. This adds friction to the user journey, but it may be an appropriate trade-off for high-value sessions.
If one device from a particular user is compromised, security teams can terminate sessions only for the affected device. Moreover, security teams can freeze users if the vulnerability persists beyond the session. And if risk results from a compromised password, forced password resets with stringent password rules that ensure sufficient entropy may be enough to restore the user to a secure state.
You should implement file encryption to protect sensitive files. You can also take this a step further with full disk encryption. Encryption uses mathematics to scramble data such that only users with a password can reveal the true contents of a file. When the data is encrypted at rest, it will look like random data to most people. Forensics may reveal that encrypted data is present, but it’s unlikely to be broken when guarded by a password with sufficiently high entropy.
A session timeout after an interval of inactivity can reduce the risk of unattended or forgotten sessions. However, this will likely introduce friction for users who multitask and fail to remain active within the application. Session timeouts also have limited protection if the user walks away from the device.
Balancing data security and regulatory compliance is complex and risky. Fortunately, Ping Identity’s dynamic authorization platforms—PingOne Authorize, a SaaS offering, and PingAuthorize, an on-premises offering—centralize context-aware access controls, abstracting complexities while allowing a pleasant user journey.
A policy-driven, centralized API access and authorization security layer ensures that only authorized users can access specified API resources. The ideal API access and authorization solution uses open standards to ensure maximum flexibility and portability.
With access rules, you can permit or deny access and modifications to your applications and resources based on user properties, time, geographical location, source IP address, OAuth access token scope, or another parameter. Additionally, safelists can be created to permit access in groups—such as a list of source IP addresses—while everything else is denied by default. A comprehensive solution, called a policy, will offer reusable rule sets and groupings of these sets.
One particularly common type of access rule is a rate-limiting rule. These rules can limit a client from overloading an application or particular action with too many requests over a specified period.
Multi-factor authentication (MFA) is where the user must authenticate by providing at least two of three factors: something they know, something they have, and something they are. For example, a password and a time-based one-time password (TOTP) token are something you know and have, respectively.
An “MFA-everywhere” approach to authentication effectively mitigates most attacks but can add unnecessary friction to the user journey in low-risk sessions. Depending on your requirements, you may choose a transaction-value access approach that requires MFA only for higher-value transactions. Ping’s MFA policies consider session risk and context to determine whether the session needs the second factor.
While passwords are commonly the primary—if not only—means of authentication for many websites and apps, they are also one of the top security threats for modern enterprises and a source of friction for users. Today, various passwordless login solutions exist across many use cases and regulatory requirements. Many organizations choose to settle on Fast Identity Online (FIDO), an open standard for passwordless login, which can be paired with an MFA approach.
One of many problems with passwords is the initial password issuance. You often need to configure an initial password for new users of a password-based application. When passwordless login isn’t an option, a random password should be generated and communicated to the new user without human intervention. In addition, a time limit for the initial login should be enforced, along with a forced password reset to limit the duration for which the initial password is valid.
Finally, use identity verification to ensure your customers are who they say they are. Cloud services like PingOne Verify can be embedded into your mobile application to combine advanced live facial recognition technology with a government ID to verify your customer's identity quickly.
When determining your mitigation strategy, it’s essential to clearly define your threat model by examining what you want to protect—and from whom you want to protect it. Consider the entire user journey, not just the point of login. Smarter mitigations don’t necessarily have to introduce friction in the user journey. Once you’ve fully examined your risks, you can implement your mitigation strategy.
An intelligent MFA-everywhere approach can stop most attacks and is a great place to start. From there, you can choose to add a risk-based, context-aware, adaptive approach, thereby reducing the friction felt by the user.
Security finds strength when applied in layers. Consider the trade-offs between security and usability for your particular use case, and then layer in other approaches explored in this article as needed.
Start Today
Contact Sales
See how Ping can help you deliver secure employee and customer experiences in a rapidly evolving digital world.
Request a FREE Demo