Context-Aware Authentication with Cloud Radius
A report from the analyst firm Forrester suggests that 80% of data breaches occur due to weak credentials. There were simpler days when data on a network was believed to be safe, but that is no longer the case. The stakes are higher now, with a growing number of threat vectors and Layer 2 attacks.
Organizations are constantly trying to secure their network through better authentication protocols. Lately, there has been much noise about two-factor and multi-factor authentication for better network security. Still, there is a lot of drag in the MFA process, making a good case for context-aware authentication.
What is Context-Aware Authentication?
Context-aware authentication may sound tricky, but it is exactly what the name says. It adds context to authentication by basing network access decisions on factors such as user behavior, device management status, or location. The idea is to establish a degree of confidence that it is the intended user accessing the network, and not a malicious actor.
Context-aware authentication offers the following benefits:
- Context-aware authentication adds a further layer of security on top of the other security methods already in place.
- Organizations that deal with highly sensitive information can set time-based, demographic-based, or user-based access policies for granular control over the network.
- Context-based authentication makes it easier to monitor the identities of users and systems closely, and supports business needs by reducing the risk of network sabotage and malicious attacks.
How does Context-Based Authorization work?
As an organization, you can use certain conditions to restrict access to the network or to resources for a certain set of users. Admins can set up access security based on one or a combination of the following conditions:
- User's geographic location
- The user’s device
- Role in the organization
- Login time
- Last login time
Context-based access parameters are also called policies. As an admin, you can set a policy requiring multi-factor authentication for an employee who signs in from a device other than their usual one. Authentication takes place as soon as the user meets the authentication policies set by the organization.
Context-based authorization improves network security without inconveniencing users. It adds context to MFA by authenticating users according to the pre-set conditions.
How do you add identity context to network traffic?
Adding Identity Context with X.509 Certificates
An X.509 certificate is considered the holy grail of personal identity in network security. An admin can configure an X.509 certificate with many attributes that add identity context to an authentication request. Some common attributes are:
- SAN (Subject Alternative Name; actually a group of several identity-related attributes)
- UPN or an email address
- First and last name
- Device ID, which is unique to each device in an MDM
- Group to which the user is assigned, such as Human Resources or Engineering
- MAC address (less common now as they are often randomized)
Implementing Context-Aware Authentication with Certificates
SecureW2 has added more value to RADIUS authentication by implementing identity context with X.509 digital certificates. Our Managed PKI enrolls managed devices through our gateway APIs and frees you from configuration woes. The Managed PKI is fully configured to run out of the box, avoiding setup complexities. The Extended Key Usage (EKU) section specifies the purpose of the certificate instead of leaving issuance open-ended.
Our Managed PKI can also customize policies based on identity attributes. The PKI covers the steps from authentication and enrollment to identity lookup and enhances access control rules. Admins can configure security policies and set up the Cloud RADIUS server to dynamically authorize users and devices to their respective groups.
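To show how the policy conditions above (device, location, login time, last login) combine with identity attributes read from a client certificate (UPN, device ID, group), here is an added example of a small policy evaluator. It is not SecureW2 code; the certificate attributes, the policy tables and the "allow / step-up to MFA / deny" outcomes are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, List, Optional, Set

# Constructed sample of identity attributes an admin might place in a client
# certificate's SAN/UPN fields (hypothetical values, not from any real PKI).
CERT_ATTRS = {"upn": "alice@example.com", "device_id": "MDM-0001", "group": "Engineering"}

# Hypothetical policy data: devices already seen per user, countries permitted
# per group, and a working-hours window for time-based policies.
KNOWN_DEVICES: Dict[str, Set[str]] = {"alice@example.com": {"MDM-0001"}}
ALLOWED_COUNTRIES: Dict[str, Set[str]] = {"Engineering": {"US", "DE"}, "Human Resources": {"US"}}
WORK_HOURS = (time(7, 0), time(20, 0))

@dataclass
class Context:
    upn: str                       # identity the client claims in the request
    country: str                   # derived from the access point or source address
    login_time: datetime
    last_login: Optional[datetime] = None

@dataclass
class Decision:
    action: str                    # "allow", "mfa" (step-up) or "deny"
    group: Optional[str] = None    # authorization group taken from the certificate
    reasons: List[str] = field(default_factory=list)

def evaluate(cert: Dict[str, str], ctx: Context) -> Decision:
    """Combine certificate identity context with request context into one decision."""
    # The certificate, not the client's claim, is the source of truth for identity.
    if cert.get("upn") != ctx.upn:
        return Decision("deny", reasons=["certificate UPN does not match claimed user"])
    group = cert.get("group")
    # Location policy: hard deny outside the group's permitted countries.
    if ctx.country not in ALLOWED_COUNTRIES.get(group, set()):
        return Decision("deny", group, [f"{ctx.country} not permitted for {group}"])
    d = Decision("allow", group)
    # Device policy (the page's example): an unfamiliar device requires MFA.
    if cert.get("device_id") not in KNOWN_DEVICES.get(ctx.upn, set()):
        d.action = "mfa"
        d.reasons.append("unrecognized device")
    # Time-based policy: step up outside working hours.
    if not WORK_HOURS[0] <= ctx.login_time.time() <= WORK_HOURS[1]:
        d.action = "mfa"
        d.reasons.append("login outside working hours")
    # Last-login policy: step up for accounts dormant for more than 90 days.
    if ctx.last_login and (ctx.login_time - ctx.last_login).days > 90:
        d.action = "mfa"
        d.reasons.append("account dormant")
    return d
```

A RADIUS server would map `Decision.group` to the VLAN or access rules for that group and treat `"mfa"` as a request for a second factor before granting access.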