Risk-based authentication means using different authentication based on a risk analysis of a system, rather than simply slapping a user ID and password on all your systems, no matter where they're located or how they're used. The higher the risk, the stronger the authentication should be. When performing a risk assessment of a network or system, consider the following questions:
- Who has access to the system? Is it a small, restricted group of employees in one department, or thousands of customers around the country? The larger the circle of users, the greater is the risk.
- What type of data does it hold? If it has sensitive customer information – names, addresses, social security numbers and the like – increase the security level. If it's marketing data that can't be traced back to your customers or employees, lower the security level a bit.
- Where are the servers hosting data located in your network? Are they publicly accessible Web or application servers sitting in your firewall's DMZ, or are they buried deep inside your network in a dark corner of your data center where cobwebs dangle from the ceiling?
- Is the application Web-based and what does it do? If it's a catalog with a shopping cart, or a banking application, increase the security level. If it's a picture of your product, or "brochureware," you can lower the security level.
For higher risk applications – those with customer data access, Web applications for financial institutions – then a two-factor authentication method may be in order. For other systems in your network, where the risk is lower, the venerable user ID and password might be just enough.
This was first published in July 2006