Security today announced it is extending its artificial intelligence (AI) technology originally developed to protect users in the financial services industry, to clients in all industries via the company's identity-as-a-service (IDaaS) offering. IBM Cloud Identity now features AI-based adaptive access capabilities that help continually assess employee or consumer user risk levels when accessing applications and services. The solution escalates suspicious user interactions for further authentication, while those identified as lower risk are “fast tracked” so they can access applications and services they need.

Using AI for a holistic view of context of user access

With data breaches on the rise, traditional means of securing access, like passwords, are often not enough to prevent unauthorised access. The rise of credential-stuffing attacks, where a malicious actor obtains a list of credentials and tests them at various other sites using a bot, demonstrates that many password combinations have been leaked.

Companies are constantly trying to optimize both security and user experience"

According to a 2019 report, compromised and weak credentials are cited as the cause for more than 80% of data breaches. Meanwhile, 2017 research found that large companies are managing hundreds of applications - up to 788 custom applications on average for companies with more than 50,000 employees. Considering the amount of programs and passwords that employees are managing between their professional and personal lives, it is increasingly important that new security measures do not hinder user experience.

“Companies are constantly trying to optimise both security and user experience, but the trick is ensuring security is not disrupting the everyday user journey” said Jason Keenaghan, Director, IBM Security. “IBM Cloud Identity with adaptive access is using AI to give organisations a holistic view of context for user access, based on indicators like malware and risk indicators, device insights, and user behaviour, to help them focus security on high risk logins and give the majority of user’s seamless access to their accounts and applications.”

IBM Cloud Identity

Many organisations continue to rely on older username and password methods to provide employee and consumer users access to services. Due to the patchwork of applications and solutions organisations are working with, they may not be able to deploy more modern security layers. This can create a blind spot that prevents security teams from easily implementing rules that flag suspicious indicators like malicious logins, unknown locations, unrecognized devices, and whether a user is on a company’s network VPN.

IBM Cloud Identity is an identity-as-a-service solution that helps organisations connect every user to every application using adaptive access. Through the use of AI, the service helps simplify access management and security for users by assigning user risk levels based on a defined set of factors. With these risk levels, administrators can create rules that level up or level down authentication - implementing strong authentication but only when needed.

Artificial Intelligence

IBM Cloud Identity with adaptive access leverages IBM Trusteer AI technology to assess users

The service leverages the following features to determine risk and enable adaptive access decisions: A user behaviour score is assigned based on the level of trust or risk assessed for each user. A number of factors are assessed including web intelligence, location data, malware and risk indicators, and device insights. For example, using AI, the system can detect irregular mouse movements or flag a user trying to login from a browser infected with keylogging malware. IBM Cloud Identity with adaptive access leverages IBM Trusteer AI technology to assess users based on a fraud evidence database, fraudulent pattern analysis, and cross-organisational patterning.

Smart access and seamless login

Since AI capabilities are able to assign risk levels, only users considered to pose a higher threat are prompted to go through multifactor authentication or denied access. By only prompting specific users to further verify their identification, rather than all users, organisations may be able to reduce operational expenses related to items such as two-factor authentication and help desk password resets for both current and new users. This can potentially lead to cost cuts considering organisations spanning different sectors have allocated more than $1 million per year to password-related support alone.

Low-code deployment

Adaptive access policies can be created and applied to applications and APIs with little to no development effort, and without application changes.“According to our primary research results, the establishment of low-friction end user experiences has the potential to help boost security effectiveness while reducing management efforts and related costs,” said Steve Brasen, Research Director, Enterprise Management Associates. “By injecting intelligence into access processes, IBM is helping its customers implement the appropriate level of authentication enforcement for users while minimising impacts to their productivity.”

 

Share with LinkedIn Share with Twitter Share with Facebook Share with Facebook
Download PDF version

In case you missed it

What is the biggest change in the security industry since 2010?
What is the biggest change in the security industry since 2010?

Ten years is a long time, but it seems to pass in an instant in the world of security. In terms of technology, 2010 is ages ago. Changes in the market have been transformative during that decade, and we called on our Expert Panel Roundtable to highlight some of those changes. We asked this week’s panelists: What was the biggest change in the security industry in the 2010-2019 decade?  

SIA composing code of conduct for U.K. private security, seeking comments
SIA composing code of conduct for U.K. private security, seeking comments

The Private Security Industry Act of 2001 gives the Security Industry Authority (SIA) the function of setting standards of conduct in the United Kingdom’s private security industry. Time is winding down to provide input during the SIA’s six-week consultation on a new draft code of conduct for SIA licence holders and applicants for SIA licences. The authority is inviting the industry, licence holders, and anyone with an interest in private security to have their say on the draft code of conduct by taking part in a survey. The consultation will end on 23 February.   “The ethos of the code of conduct is that it will improve standards and public safety by setting out the standards of conduct and behaviour we expect people to uphold if they are entrusted with protecting the public, premises and property,” says Ian Todd, Chief Executive, Security Industry Authority (SIA). Security's Code of Conduct A code of conduct sets out what standards of behaviour professionals have to meet in order to work in the profession In security as in many professions, a code of conduct sets out what standards of behaviour professionals have to meet in order to work in the profession. SIA is suggesting Six Commitments of behaviour that will apply to all licensed security operatives and to applicants. If the code of conduct is sanctioned by the U.K. Home Office, it would become mandatory and incorporated into SIA’s licensing criteria Get Licensed. A commitment to certain standards of behaviour is fundamental to what it means to be fit and proper, and to being part of a profession. The six commitments are: Act with honesty and integrity Be trustworthy Protect the people and property you are entrusted to protect Be professional at work Act with fairness and impartiality at work Be accountable for your decisions and actions “We will review the comments from the consultation once it concludes on 23 February, analyse the results and publish a report on our findings,” says Todd. “The SIA will then use the comments it has received to write a final version of the code of conduct. The introduction of a code of conduct will be subject to final approval by Home Office Ministers.” SIA’s current Standards of Behaviour provide guidance on professional behaviour but are not mandatory. The draft code of conduct builds on the Standards of Behaviour. Upholding SIA's Standards The SIA’s Partnership and Interventions team is the unit that enforces the Private Security Industry Act “The majority of licence holders uphold the standards of behaviour that the SIA, their employers and the public expect of them,” says Todd. “Their professionalism and dedication keep the public safe and tackle crime. However, there are incidents in which some licence holders do not behave in this way. This minority lower the standard of service the public receives, harm public safety, and bring themselves and the rest of the private security industry into disrepute.” The SIA’s Partnership and Interventions team is the unit that enforces the Private Security Industry Act. It is likely that they will be required to enforce the code of conduct should it become mandatory. The draft code of conduct is currently out for consultation and the proposal has been shared widely to licence holders, private security businesses, and enforcement partners encouraging them all to take part. “Once the consultation has concluded, we will analyse the findings from the feedback, produce a report and publish it on our website and share this widely via social media,” says Todd.

Satisfaction criteria differ for DIY vs. pro-install companies, says J.D. Power
Satisfaction criteria differ for DIY vs. pro-install companies, says J.D. Power

J.D. Power is a well-known name when it comes to measuring customer satisfaction, and they have been measuring satisfaction in the home security industry since 2016. Changes affecting the marketplace – both in terms of disruptors and technology – make this a unique time. For example, in 2019, J.D. Power expanded the Home Security Satisfaction Study to not only measure the traditional pro-install/pro-monitor companies, but to separately evaluate self-install/pro-monitor brands.  “At J.D. Power our rankings are meant to support an industry in two key ways,” says Christina Cooley, J.D. Power's Director, @Home Intelligence. “First, we provide consumers who are shopping for products and services with a ‘report card’ of who provides customers with high levels of customer satisfaction. Second, we provide companies with actionable insights to help them prioritise their initiatives to improve and maintain high levels of customers satisfaction that drive loyalty and growth.” Differentiating between companies The traditional Pro-Install/Pro-Monitor companies are challenged to differentiate from one another In home security, J.D. Power is in a unique position to report on the changes taking place in the evolving industry. The 2019 rankings show that the traditional Pro-Install/Pro-Monitor companies are challenged to differentiate from one another, as each have their individual strengths and opportunities, but overall the score range is relatively tight. On the do-it-yourself (DIY) side, there is more differentiation. A set of brands has been able to challenge the traditional industry by achieving extremely high customer satisfaction levels. Price is always an important factor that impacts customer satisfaction, whether for security or another market J.D. Power serves. The equation is simple, says Cooley: does the price paid equal the value the customer feels they have received from the product or service? “For Home Security, we didn’t specifically look at price until this year,” says Cooley. “With the changes that have occurred in the market, price can be a differentiator as we’ve seen with the emergence of DIY-installed systems. However, lower pricing does not have a direct relationship to quality of service.” The price factor For example, there are some higher-priced pro-installed brands that perform lower on customer satisfaction than lower-priced competitors. And DIY-installed systems as a whole are less expensive, and price is the customer satisfaction driver in which the DIY segment most outperforms the pro segment. Price is the customer satisfaction driver in which the DIY segment most outperforms the pro segment The equation is: performance minus Expectations equals Customer Satisfaction. “Obviously, price point will be a factor in the purchase decision and the expectations the customer has about the product and service,” says Cooley. “Any pro or DIY system has the opportunity to differentiate the customer experience regardless of price point.” There are clear differences in the pro vs. DIY experience, which is why J.D. Power evaluates the brands in separate rankings. However, Cooley says the drivers of satisfaction are consistent across both groups. The key to each group goes back to the equation above.  Evaluating the purchase process For the both pro and DIY companies, J.D. Power evaluates the purchase process the same. Though the customer may take a different path to purchase based on the offering they seek, the drivers are still the same: Usefulness of information provided Reasonableness of contract terms Professionalism of sales representative Ease of purchasing home security system. For installation, there are clear differences. DIY systems are evaluated based on: Ease of completing installation Quality of installation instructions provided Timeliness of receiving home security system. Pro systems are evaluated based on: Professionalism of technician Timeliness of completing installation Quality of work performed. Interestingly, purchase and installation are the customer satisfaction driver where both pro and DIY providers (as a whole) are most closely aligned on performance. Customer loyalty The price a customer is paying must align with the quality of the system they receive What drives a customer to purchase a home security system initially will often be very different than what will keep them as a loyal customer, Cooley notes. The price a customer is paying must align with the quality of the system they receive, and the service provided through the professional monitoring and customer service. “With the expansion of home security offerings, it’s more important than ever for home security companies to understand the motivations, intentions, and usage patterns across different customer segments to ensure that regardless of the decision to go pro or DIY-install, they are able to meet their customers’ needs and differentiate in the very competitive market. The J.D. Power Home Security Study provides these actionable insights.” The study is focused on the companies/brands that comprise the top two-thirds of market share in each segment, pro and DIY installed. A number of the brands included may work with local dealers or retailers for sales and install, but the customer is essentially evaluating those services as part of the system purchased. It is one and the same from the customer’s perspective, and the sales/install process can either delight or frustrate a customer from the beginning, which can then set the foundation for the entire experience moving forward. Reasons for shopping for a security system tend to differ between pro and DIY shoppers: Both sets are most focused on wanting a newer, more up-to-date system Between the two, pro customers are more often moving into a new home or wanting to take advantage of a discount or bundling opportunity with other products For DIY customers, they are shopping for a system to give them more peace of mind and to protect their property. Reasons for selecting the provider also vary: A pro company is often selected based on brand reputation or a special offer/promo A DIY company is primarily chosen based on price or a positive review. In terms of brand image, we see that customers see both pro and DIY providers similarly in terms of reliability. However, when it comes to being customer-driven, DIY providers receive higher image ratings compared to pro-installed companies.