A New Form of Fraud Prevention
One company doing something different in the identity space is Arkose Labs, which aims to prevent account takeovers, fraudulent logins, spam, ticket scalping, and multiple payment authorization attempts by identifying and blocking attackers. Companies including Electronic Arts, Singapore Airlines, and GitHub use its tool to prevent abuse before it occurs.
"One recurring issue in identity is verifying users are actually who they say they are," says Arkose Labs co-founder and CEO Kevin Gosschalk. Businesses have tried to make authentication easier for users with fingerprint logins and multifactor authentication; now they're trying to remove passwords altogether. "People generally don't like to do extra steps when they log in to do things online," he adds.
The tool aims to verify the person logging in is the account holder. If the system sees a user attempting to log in and doing something suspicious (credential stuffing attack, for example), it will look at the behavioral signals and trigger enforcement when it notices unusual patterns.
The goal is to make it more expensive for actors to conduct attacks that leverage users' identities. The tool never blocks or drops a user, even if it's suspicious. It instead presents them with increasingly complex challenges – things a human could complete effectively but are difficult for a script to get around. For example, it will present an image of a dog, but the image is a 3D model that commercial software won't be able to interpret in real time.
Grossman, who is on the Arkose Labs board, joined the company over two years ago because he says it's tackling the problem is ways other companies have not – and it's changing the game for attackers, who can't get past it. He describes Dark Web message boards, where a community of cybercriminals express frustration over what they call "Funcaptcha."
"Any time Arkose comes up, you really see them whine and complain because they can't get past it, and the cost is going up," Grossman says. He expects the company's approach, which uses computer-generated avatars, will work long-term to prevent account takeover abuse, generating fake accounts, airline price scraping, and other forms of online fraud.
Case Study: Identity in the Cloud
Brunswick shifted its approach to identity management when it switched from a data center-centric model to a cloud-first approach.
"People are scared of moving to the cloud," Mitchell says. "In order to embrace and utilize that technology, one of the things Brunswick has done is focus on identity as the new edge. We're focusing on using identity as the point of protection for its new form of infrastructure."
Every company undergoing a tech transformation has different challenges depending on their infrastructure. For Brunswick, a 175-year-old corporation, Mitchell says there was a challenge in managing identities across myriad disparate systems and applications. As more people continue to adopt cloud, it's going to be a "natural transition" for many.
"They're going to need to have identity and access and access governance in place in order to protect that infrastructure," he explains. Brunswick, which struggled with access management and governance, realized it had to treat its cloud and SaaS platform as part of its identity management platform.
Access management and governance require more than just a tool, Mitchell continues, but a technology that implements smoothly with established processes and workflows so employees can manage access, identities, and governance. A few years back, Brunswick began installing SailPoint's identity governance tools and realized its widespread influence on how employees operate. People were used to doing things with manual processes, he adds, and were shifted to a single portal.
Change management came easy for them, he adds, which he attributes to strong communication with SailPoint and education tools for employees accessing and using the system. "You can have the best tool in the world, but if you don't educate people on how to use it, it won't be as effective as you hoped it to be," Mitchell says. In 18 months, the company saw an increase in the access provisioning efficacy; employees also had more time for other projects.
"The main thing I would recommend to folks is understand your applications well," he advises other companies struggling with identity in the cloud. Much of the work relates to ensuring an application works and the process associated with provisioning is running smoothly.
"Take the time to understand your applications and how it affects business processes. Take the time to make sure you have robust method for onboarding applications and testing to make sure onboarding works well," Mitchell adds.