How Organizations Can Achieve Seamless User Authentication
We spoke to François Lasnier, VP of Identity and Access Management at Thales, covering IAM and what how threats are adapting and taking advantage of surprising attack vectors.
Long gone are the days when a single set of credentials would be enough to keep user sessions–and indeed company data–secure. Identity and access management tools are now seen as critical and fundamental parts of any robust security solution, especially as networks become more and more porous with the increase and ebb and flow of users and devices.
Access management and authentication helps make sure that users really are who they say they are, and that these users don’t have access to anything they shouldn’t. This access control also prevents–in the event of compromised credentials–that the attacker can’t cause more damage than what’s already been done by having access to more data and information.
Yet for all their benefits, identity and access management and authentication solutions are not without their fair share of problems. Adding extra layers of authentication can be taxing and annoying for end-users, and there’s certain gaps in authentication and access management solutions that are often forgotten. The key to overcoming these issues is figuring out who needs what level of protection, when does authentication need to be applied, and who should have access to what and when?
We reached out to Thales’s Senior Vice President of Identity and Access Management products, François Lasnier, to find out more about how his company is addressing these problems and trends in the current market.
Lasnier has been part of Thales for a long time through a series of acquisitions. He harks from Schlumberger when he worked as Vice President for the banking, access and identity side of the organization. His role has grown since then, with Lasnier honing his experience in the identity and access management field as the company transitioned from Sclhumberger, to Gemalto, to eventually Thales.
Read on to find out about Thales’ authentication and access management products, modern authentication methods, and attack vectors that are often critically overlooked in certain industries.
Please introduce yourself and tell us more about your background and your role at Thales?
I’m currently in charge of the identity and access management products in the Cloud Protection and Licensing business line of Thales. Within this business line there are two primary functions, one side is about identity and access management and the other side is all about data protection.
I’ve been in this role for quite some time, and I’m based in Austin, Texas. I worked at Gemalto — which was acquired by Thales in 2019 — first as a manager for the basic banking and payment side of the business, as well as some telecom and governmental sides as well. I’m now the Senior Vice President of Identity and Access Management products at Thales.
Can you give us an overview of the authentication methods and access management products that Thales offers?
If we talk purely about the type of authentication methods that we support, this is an area we really believe is one of our strengths. We have strong DNA in identification and authentication across multiple industries and verticals. We’re doing authentication for employees, authentication for consumers, and we really support a very wide range of authentication methods.
It starts from our simplest authentication method, which is almost a scrambled grid where you create your own pattern on the screen or you can create a code based on the pattern that you’ve memorized. This type of authentication is very useful and is very popular for customers that need to enroll external users that are not employees, because there’s no complex onboarding.
Then we support all types of hardware authentications, including smart tokens, traditional tokens, PKI type devices, and one-time password tokens such as dongles. Then there’s our mobile authentication methods and—perhaps the more popular method we have—push technology.
And how do your target markets come into play here?
Financial services and insurance companies are definitely our biggest customer segments. But those are followed very closely by governmental agencies and healthcare institutions.
Manufacturing is also a very, very big market. Ransomware has been one of the main drivers for manufacturing companies to turn to us. Many manufacturing companies have found themselves very exposed and vulnerable to ransomware attacks.
But overall, we serve a wide range of industries and companies of all sizes. Our smallest customer is a law firm of five people, right up to corporations of 500,000 to 2,000,000 million users.
That’s an interesting point you made around ransomware and manufacturing. Typically, when we do these interviews and talk about ransomware, it’s very much focused on the endpoint security side and so on. Can you expand a little bit more on how authentication can help to protect organizations from ransomware?
Definitely. This is something that we’ve noticed, especially in the last, I would say, 12 to 18 months after the surge of ransomware attacks that we saw in the US recently. These ransomware attacks aren’t the same as the traditional security attacks that have come before—they have different motivations.
What we have now is ransomware targeting organizations that are vulnerable because they are publicly exposed—and if an attacker can disrupt the organization, then they can create a public threat, disruption, or large economic loss. If you stop the production line of a car manufacturer, for example, you’re going to create a lot of harm.
The problem a lot of companies have is this lack of security oversight into all aspects of how the company functions. So, you’ve got traditional office worker applications that are protected—which is great—but the attack vectors for ransomware always come through the back door.
This is either through contractors or directly on the manufacturing floor, with manufacturing systems, Enterprise resource planning systems, for instance, and from there they do what is called a lateral move or privilege escalation. Their goal is to disrupt these operational systems that typically are not protected by traditional IT.
There’s a space called operation technology or OT, so you have OT and then you have IT. Now, all these manufacturing companies used to typically manage OT in a silo mode because these systems were typically not part of the traditional IT network, but they’re starting to realize more and more that ransomware specifically targets OT. So there needs to be a convergence on OT and IT to protect against ransomware. But the challenge with that is that while most of the solutions are really relevant for the traditional IT space, there’s less relevance for the OT space either in terms of the personnel or users.
For instance, there’s a problem with frontline workers in the manufacturing plant. These people may not even be in an active directory of the enterprise. They might be managed in a local user database or may be managed directly outside of the enterprise. They may be managed in a local user database, or they may be managed directly out of work. Many of the traditional MFA or access management solutions for the enterprise market rely on integrating and synchronizing users in active directory. So, you need to now adapt your solution to be able to recognize this category of users and manage them from a different type of user database.
And finally, we talked about push notification being one of the most popular forms of authentication for office workers because everyone sitting in an office has access to a smartphone. But in manufacturing—especially when you rely on temp workers—there is a significant portion of users that don’t have a smartphone. There are also plenty of manufacturing facilities that don’t allow mobile phones on the manufacturing floor for safety and security reasons. So, you need to rely on different solutions and adapt your solutions to these environments.
Can you tell us a bit more about modern authentication and how it works? What is the driving need for organizations to change their approach to authentication? And where do you see this trend going?
When we started the authentication journey, the main drive for authentication was remote access for virtual private networks—or VPNs. So, essentially remote users connecting to a VPN where authentication was applied at the perimeter, which we referred to as “perimeter defense”. Either the user is within the network and they rely on domain or network login, or if they’re outside of the network then MFA was applied. It was a very binary decision.
This has changed in the last several years because it’s become much more difficult for companies to define what their network perimeter is—especially as they add more and more resources to the cloud. Is the user really part of the network at that moment when they’re currently operating outside of it trying to access apps that are also on the outside of the network? Do you really want to force a user to come on premises to connect to the enterprise network before they can connect to any cloud resources? A surprising number of companies are still doing that. And it’s not only insecure, because you’re bringing a lot of traffic through your network that you don’t need to, but from a UX standpoint you’re creating issues with latency and performance which is contradictory to the value of the cloud.
So, I define modern authentication into two very simple terms: it must be both pervasive and adaptive. It must be pervasive in the sense that it’s not just MFA at the border anymore. You need to change the security model to something more akin to a zero-trust architecture. The decision to apply or not apply MFA shouldn’t be based on whether the user is in or outside the network, it should be all the time—with this zero-trust architecture assessing the need and access level when a user is trying to access a resource.
That’s the first part of “pervasive”. The other part of pervasive is that it includes all users. This is because, in the past, most enterprise policies for MFA were only applied to remote users. So, users who needed to access the VPN typically were the people that were forced to use some form of MFA. But there were many other users within an organization that didn’t have to do this because they were accessing other types of resources or they were always sitting on premises.
Frontline workers are a very good example of this. I mentioned manufacturing because now manufacturing is very exposed to ransomware and we’re finding that attackers are using machines on the manufacturing floor as attack vectors. These machines are not traditionally protected by standard IT, and users were often thought of as office workers and not frontline workers. What you need to now consider as an enterprise are the gaps in coverage that you have in terms of users and resources.
That’s the pervasive path. The adaptive path is probably one of the big evolutions in the authentication space. Because you want to make authentication pervasive but cannot afford to have authentication applied all the time, you have to only have it when it’s absolutely required, or the situation dictates it.
So, now there’s a concept of managing sessions, following users across their journey as they connect to a resource then move from that resource to another. At the same time, you need to assess user risk and context—for example, has the user changed device? Have they changed from PC to mobile device, which means re-authentication is needed? So, it’s the notion of following that user and adapting as they traverse the network, coming to the decision of whether authentication is needed and what method of authentication you want to deploy in relation to what device the user is using.
With pervasiveness and adaptiveness, how do you see these two tenets impacting user experience? How do you make that process manageable for the end user?
The whole notion of adaptive is to improve the end user experience.
As I mentioned, there’s often a temptation to apply MFA to all users all the time and that becomes very, very painful for end users. Many organizations also tend to implement MFA in silos, meaning that they will have a different MFA solution for remote users for VPN access, then a different authentication solution for domain logins, then another for cloud applications, and obviously that becomes very chaotic very quickly and, from an administration standpoint, very unmanageable. It’s painful for end users, too.
So, the whole notion of being adaptive is to be able to remove all these siloed MFA solutions that are only applicable to a set domain and move towards an access management solution that works across domains, providing MFA only when it’s absolutely needed.
At the minute, we’re seeing MFA moving away from traffic signaling to being integrated into smart single sign-on solutions that make it more of an access management solution. To make the right choice about when you need to authenticate users, you need to be able to digest and absorb more signals about what the user is doing and what device they’re using, where they are coming from, and so on.
The ability to absorb third-party signals in your risk policy and decision policy engine is a trend. There’s a lot of investment in that space. Then there’s been a lot of investment in the concept of continuous authentication, which is about constantly assessing the trust of each user and monitoring the changes that can eventually trigger different types of authentication decisions.
Would you say these trends would provide greater security as more and more companies are switching to the cloud?
Absolutely, yes. And that’s definitely the goal. Because environments are becoming more complex, many organizations are struggling to adapt. And it’s not just that organizations have the luxury of being able to start with a blank sheet of paper. There are very few companies that can say, “Hey, we got our security model wrong so we’re going to start from scratch.” That’s not the reality.
The reality is that many of these organizations—especially large organizations—have invested a lot of time and money into legacy identity systems and access management solutions, and so on. They can’t just start from scratch; they need to try to take advantage of what they have and add layers on top of it to eventually improve their security posture.
The cybersecurity architecture is helping customers go in that direction, meaning they can take solutions that will benefit the legacy solutions already in place.
What is your advice to companies implementing modern authentication frameworks?
My recommendation is to stop now, then take programmatic steps. There are so many companies that take a “deer in the headlights” approach because they’re afraid of moving due to the complexity of what they have and they’re not sure where to go.
We do something called a discovery workshop, where we help customers discover internal assets or external assets that are completely unprotected and where MFA isn’t applied, and we show them all the end-users that aren’t included or served in their security frameworks. So, we’re getting them to think about their user categories and their oversights.
Helping them discover these gaps can help companies to take baby steps, because then you can actually map out a journey for them that’s manageable. They can go in the direction of increasing security coverage and filling these gaps. There are many ways we can show customers how they can get to that point step by step without having to do the Big Bang.
My main recommendation is to be pragmatic.