
Dec 17 2024
Security

Continuous Authentication Builds a Zero-Trust Foundation for State and Local Agencies

Governments benefit from open standards that conduct sustained verification of users.

State and local government employees may use a lot of applications in their IT environments to support their work. Instead of having each employee sign on to one application at a time and then sign out when done, many governments implement single sign-on portals that authenticate access to multiple applications at once.

“If we’re making the user log in 20 times a day to 20 different applications, which may equal many hundreds of logins a day, that’s not a good user experience,” says Sean Frazier, federal chief security officer at Okta. “Single sign-on plays an important role.”

To make this happen, single sign-on platforms rely on continuous authentication, which is the sustained evaluation of trust for a request for access.


“Continuous authentication is really an advanced security approach that verifies the identity of a user during a session rather than simply at login,” says Dave Smith, senior director for the U.S. and Canada public sector at Citrix.

Historically, systems may have verified user identities at a program’s launch and then assumed the user remained legitimate for the rest of the session. By contrast, “continuous authentication really leverages a variety of factors, such as the kind of user behavior, device health, location and even things like biometrics to ensure that a user is who they claim to be, and continuously is who they claim to be so that they remain authorized the entire time they’re accessing an individual system,” Smith says.

Frazier adds, “These things are kind of peas and carrots when you think about security, enabling the right security posture and dealing with threats at the identity layer.”

How Does Continuous Authentication Help State and Local Agencies?

Prior to continuous authentication technologies, government agencies might have issued an identity token with a long life to enable multiple access queries to an application from an individual, Frazier explains. Such a token might remain useful for 24 hours or a week.

But if attackers stole one of those credentials, they could potentially access every resource the token authorized for as long as the token remained valid. Now, with continuous authentication, systems evaluate each individual request and determine whether it can be trusted. If all factors relating to the work of an individual employee seem correct, the system grants extended access to authorized resources.

“You don’t want to punish your users,” Frazier says. “You don’t want your users having to log in every five minutes, because then your users will hate you. You have to build a model that does this evaluation mostly based on context behind the scenes. If the user’s location doesn’t change, if they’re coming from the same device, if their transactions look exactly the same, you’ll evaluate that all the time. But you only prompt the user for authentication if any of those context pieces change.”

With continuous authentication, a system may require employees to provide credentials again if their location changes, if their work behavior appears different in an application, if they log in with a new device or if other factors change.


“We are using a least-privilege model, where the user gets only the privilege that they require to do their job. Because of that, their privilege might go up and down all the time, where we might pull the privilege away, but again, based on context,” Frazier says.

“If all the context signals are saying ‘bad,’ we’ll pull the privilege away,” he adds. “If all the context signals are saying ‘good,’ we’re just going to let the user in.”
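The context-based evaluation Frazier describes (prompt the user only when device or location changes, and let privilege rise and fall with the context signals) is sketched below as an added Python example; it is not Okta’s or Citrix’s code. The two context signals, the action names and the 15-minute freshness window for sensitive actions are constructed assumptions.

```python
from dataclasses import dataclass, replace

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"

# Constructed policy: what any verified session may do, what needs a recent
# verification, and how recent that verification must be (seconds).
BASELINE_ACTIONS = {"read_case"}
SENSITIVE_ACTIONS = {"export_records", "edit_benefits"}
MAX_VERIFICATION_AGE = 15 * 60

@dataclass(frozen=True)
class Session:
    user: str
    device_id: str      # device the user last verified from
    location: str       # coarse network location at last verification
    last_verified: int  # epoch seconds of the last successful prompt

@dataclass(frozen=True)
class Request:
    device_id: str
    location: str
    action: str
    timestamp: int

def evaluate(session: Session, req: Request) -> tuple[str, set[str]]:
    """Decide one request from context; returns (decision, actions allowed now)."""
    # Each context signal that disagrees with the verified session counts as "bad".
    bad = [name for name, same in (
        ("device", req.device_id == session.device_id),
        ("location", req.location == session.location),
    ) if not same]
    if len(bad) == 2:      # every signal says "bad": pull privilege away entirely
        return DENY, set()
    if bad:                # context changed: no privilege until the user re-verifies
        return STEP_UP, set()
    fresh = req.timestamp - session.last_verified <= MAX_VERIFICATION_AGE
    allowed = BASELINE_ACTIONS | (SENSITIVE_ACTIONS if fresh else set())
    if req.action in allowed:
        return ALLOW, allowed
    if req.action in SENSITIVE_ACTIONS:   # known action, but verification too old
        return STEP_UP, allowed
    return DENY, allowed                  # least privilege: unknown action never passes

def reverify(session: Session, req: Request) -> Session:
    """Called after the user passes the step-up prompt: adopt the new context."""
    return replace(session, device_id=req.device_id, location=req.location,
                   last_verified=req.timestamp)
```

A request from the same device and location with a recent verification passes silently; a change in one signal triggers a prompt, and a change in both signals is refused outright.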

Smith emphasizes that state and local governments hold a lot of sensitive information in the form of citizen data and other intelligence, and they are responsible for protecting that information.

“Continuous authentication not only ensures that users have authorized access to critical systems by monitoring what they’re doing, but also adjusts security levels based on risk factors such as unusual activity or maybe an untrusted location,” he says.


How Do Open Standards Support Continuous Authentication?

Working behind the scenes, continuous authentication becomes an important element of zero-trust security, Frazier says.

“It’s important to think of zero trust not as a product. I call it a lifestyle choice or behavior,” Frazier says. “What I mean is that it dictates how you deliver capabilities to users in a secure way.”

Thus, continuous authentication, or sustained validation, is a core tenet of establishing identity for zero-trust environments. “Identity is the thing you absolutely have to get right in your trust model,” Frazier says.

A government system ideally should understand the context of a request to access authorized resources before granting that request, he adds. And it must do that very quickly to provide the user with an uninterrupted workflow.

By validating requests this way, continuous authentication also supports hybrid work. To do that, the multiple tools working together seamlessly within a government IT environment must rely upon open standards.


“Any agency you talk to will have anywhere from 30 to 130 different technologies in their IT environment. And open standards play a really important role from the point of a user logging in to the system — from identity proofing who they are to landing them into the system and then removing them from the system,” Frazier says. “That entire lifecycle has to be built with open standards.”

Important open standards protocols include:

  • System for Cross-domain Identity Management (SCIM), which automates the exchange of user identity information
  • Security Assertion Markup Language (SAML), which allows access to multiple applications with one set of credentials
  • OpenID Connect (OIDC), which allows users to sign in to multiple applications with one set of credentials

“It’s important for us as a collective industry to align on a secure profile around these things,” Frazier says. As such, Okta is leading a charge for alignment on the Interoperability Profile for Secure Identity in the Enterprise (IPSIE), an open standard for managing identity security across various Software as a Service applications.

“Whether you’ve got Google or Amazon or Okta or Microsoft, we’re all singing from the same sheet of music,” Frazier says. 

Smith adds, “Really, at every stage of a user’s interaction, continuous authentication validates identity at multiple points rather than just trusting the user after initial login. So, instead of looking at just the one-time identity of the user, it’s the context — again, device, location, behavior — and that aligns perfectly with zero trust.”


Does Artificial Intelligence Play a Role in Continuous Authentication?

As for the future of continuous authentication, artificial intelligence will play a role, Frazier says.

“We’re already leveraging artificial intelligence in our identity threat protection,” he says. AI currently aids Okta users in determining which authentication requests are risky and which are not. Okta partners receive that information “downstream.”

“AI technologies analyze a vast amount of data and detect really subtle differences in patterns and user behavior, device characteristics and things that might not have been noticed otherwise,” Smith says. “AI can help refine the process of risk in real time and identify abnormal activities.”

Also, AI plays an important role in log analysis to identify trends, and government agencies can use it in policy development, Frazier says.

“Does the policy manifest itself the right way? If it doesn’t, can AI help me manifest a policy that matches what I think my policy should be? There are all kinds of opportunities for AI across everything that we do,” Frazier says.
