GCN : October 2015
continuous process of managing access to resources. In other words, instead of applying risk evaluation and response techniques only during the authentication process, they are applied as part of the process of determining whether to allow any request for a resource, transaction or interaction. The importance of a continuous process of managing access is one of the lessons from the massive Office of Personnel Management data breach.

Consider, for example, an agency user who has been authenticated for access to an online government system, perhaps one that manages personal information for applicants to an agency service. Before the first screen showing the list of applicants is displayed, the risk of a compromised credential is evaluated in order to determine whether that data should be shared. If the list is shared and the user selects one of those applicants, risk might be evaluated again (factoring in the greater impact of exposure of the details for an individual before displaying the information). In that case, additional authentication might be required, such as requiring the user to answer challenge questions.

That model of continuous adaptive authentication and access control is extremely valuable across agency resources, where the risk for a given interaction can vary significantly depending on the value of the information, the impact of fraudulent access to that information and the level of difficulty of remediation.

Adaptive authentication has clearly emerged as an effective technology and as a paradigm that reflects the risk-based world in which we live. Phishing and other kinds of social engineering attacks were the most common attacks on enterprises in 2014, according to joint research published in April by ISACA and RSA on the current state of cybersecurity. Nearly 70 percent of respondents cited phishing as having resulted in exploits in the enterprise, while 50 percent cited other social engineering attacks, including watering-hole attacks, SMS phishing and voice phishing.

In a world in which end users are being so aggressively targeted by fraudsters, adaptive authentication with its risk-based approach is an essential technology for authentication and access control.

— Robert Griffin is chief security architect at RSA.

[Figure: A risk-based approach to ongoing authentication. Adaptive authentication applications evaluate context (device, IP address and user location) before allowing an authorized user to perform an activity. If any of those factors do not match, the application can require step-up authentication (answering challenge questions, using an authentication token or entering a code provided via other means). Diagram labels: Login or Post-Login Activity; Risk Engine (Behavior, Device, Fraud); Policy Management; Case Management; Authenticate; Continue; Step-up Authentication; Feedback.]
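The per-request evaluation described in the article, sketched as an added example that is not from the article or from any RSA product. The impact weights, thresholds, the `deny` outcome and every name in the code are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Assumed policy values; the article names the two screens but gives no numbers.
IMPACT = {"applicant_list": 1, "applicant_detail": 3}
STEP_UP_AT, DENY_AT = 3, 9

@dataclass(frozen=True)
class Context:
    """Factors named in the figure caption: device, IP address, user location."""
    device_id: str
    ip_prefix: str
    country: str

@dataclass
class Session:
    profile: Context                              # context usually seen for this user
    verified: set = field(default_factory=set)    # contexts that passed step-up

    def risk(self, seen: Context, resource: str) -> int:
        """Mismatched factors, weighted by the impact of exposing the resource."""
        pairs = zip((self.profile.device_id, self.profile.ip_prefix, self.profile.country),
                    (seen.device_id, seen.ip_prefix, seen.country))
        return sum(a != b for a, b in pairs) * IMPACT[resource]

    def decide(self, seen: Context, resource: str) -> str:
        """Evaluate one request; called for every resource, not only at login."""
        if resource not in IMPACT:
            return "deny"                         # fail closed on unclassified resources
        score = self.risk(seen, resource)
        if score >= DENY_AT:
            return "deny"                         # assumed outcome, not in the article
        if score >= STEP_UP_AT and seen not in self.verified:
            return "step_up"                      # e.g. challenge questions or a token
        return "continue"

    def record_step_up(self, seen: Context) -> None:
        """Bind a passed step-up to the exact context it was performed in."""
        self.verified.add(seen)

if __name__ == "__main__":
    # Constructed sample contexts (documentation IP prefixes).
    home = Context("laptop-1", "198.51.100", "US")
    tablet = Context("tablet-7", "198.51.100", "US")
    s = Session(profile=home)
    for res in ("applicant_list", "applicant_detail"):
        print(res, s.decide(tablet, res))
```

Because a passed step-up is recorded against the exact context, a later change of IP address or device on the same session triggers step-up again instead of inheriting the earlier result.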