Persona-based Adaptive Security
In the interconnected cyber world, granting access and privileges to sensitive information and critical infrastructure uniformly, based on user authentication alone, is becoming risky.
“A persona in the word's everyday usage, is a social role or a character played by an actor. The word is derived from Latin, where it originally referred to a theatrical mask.”
In our personal life we wear different personas or masks on the same day, or even at the same time: employee, privileged user, boss, subordinate, husband, father, friend, son/daughter, and so on. Many of us adapt our behaviour, responses, tone, role and language to the persona we hold at that point in time, while the basic individual remains the same.
As in personal life, an IT user accessing the same resources has different personas on the same day, and the potential risks and threats for each of these personas vary considerably. This calls for dynamically enforced adaptive security built on a zero-trust approach.
“Adaptive Security is an approach to cybersecurity that analyzes behaviors and events to protect against and adapt to threats before they happen.”
One of the critical success factors of security is visibility and control over the environment hosting and accessing sensitive information and services, which consists of:
- Users
- Systems
- Information
Digital transformation and cloud adoption have made information and services available to anyone, at any time, from any device, from anywhere.
In this state, from a security perspective, control and visibility of the following become critical:
- Identity of the user
- Details of the connecting system (managed / unmanaged) and its security posture
- Origin location of the access
- Connection details
- Information and service accessed
In the current federated digital environment it is difficult to control all of the above factors, which is one of the rationales for a persona-based adaptive security approach.
Typical personas a single IT user could take while accessing corporate resources are:
- Corporate asset, Corporate network
- Corporate asset, Personal network
- Personal asset, personal network
- Corporate asset, public non-trusted network
- Customer asset, customer network
- Customer asset, personal/public network
- Contractor's 3rd party asset, corporate network
- Contractor's 3rd party asset, public non-trusted network
While the user is the same and accesses the same sensitive information and services, the device they connect with and the location they connect from change.
Enforcing security controls (especially information protection) at a trusted managed endpoint is the ideal choice. In most of the personas listed above the managed trusted endpoint is missing, and even the location the access comes from may be unknown.
At a high level, the persona-based adaptive security approach limits privileges or enforces additional controls based on the persona at the time of the access request.
An example of this:
A user with full access to corporate email while connecting from the office network through a corporate asset may not have full privileges (such as downloading attachments) while accessing mail from a personal system. The same user may have the attachment download option while accessing from home using a corporate asset.
As another example, a user connecting from a country other than their usual one is prompted for two-factor authentication.
Or, while connecting from non-managed systems, access to sensitive information or command execution on systems is restricted.
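The following is an added example, not code from the article or from any product it describes, showing how the three examples above can be expressed as a small decision engine: the request's device class and network class are mapped to a persona, and the persona, not the user identity alone, decides whether an action is allowed and whether authentication must be stepped up. The user names, resource names, country codes and the "usual country" baseline are constructed for illustration, and the rules are assumptions chosen to match the scenarios in the text.

```python
"""Persona-based adaptive access decisions (constructed example, not the article's code)."""
from dataclasses import dataclass
from enum import Enum


class Asset(Enum):
    CORPORATE = "corporate"      # managed, trusted endpoint
    PERSONAL = "personal"        # unmanaged (BYOD)
    CUSTOMER = "customer"        # managed by a customer, not by us
    CONTRACTOR = "contractor"    # third-party contractor device


class Network(Enum):
    CORPORATE = "corporate"
    PERSONAL = "personal"        # home network
    CUSTOMER = "customer"
    PUBLIC = "public"            # untrusted (hotel, cafe, airport)


@dataclass(frozen=True)
class Persona:
    asset: Asset
    network: Network

    @property
    def managed_endpoint(self) -> bool:
        # Only a corporate-owned asset counts as a managed, trusted endpoint.
        return self.asset is Asset.CORPORATE

    @property
    def trusted_network(self) -> bool:
        return self.network is Network.CORPORATE


@dataclass(frozen=True)
class AccessRequest:
    user: str
    asset: Asset
    network: Network
    country: str      # country code of the source address (constructed)
    resource: str     # e.g. "mail", "hr-db", "prod-shell" (hypothetical)
    action: str       # "read", "download_attachment", "execute_command"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    require_mfa: bool
    reason: str


# Actions that expose sensitive information or run commands; granted only
# from a managed endpoint (assumption matching the article's third example).
SENSITIVE_ACTIONS = {"download_attachment", "execute_command"}
SENSITIVE_RESOURCES = {"hr-db", "prod-shell"}

# Constructed baseline of each user's usual access country (hypothetical data).
USUAL_COUNTRY = {"alice": "IN", "bob": "US"}


def classify_persona(req: AccessRequest) -> Persona:
    """Map a request's device and network attributes to a persona."""
    return Persona(req.asset, req.network)


def evaluate(req: AccessRequest) -> Decision:
    """Decide access for the persona behind the request, not just for the user."""
    persona = classify_persona(req)
    usual = USUAL_COUNTRY.get(req.user)
    # Step-up authentication when the source country differs from the usual one.
    step_up = usual is not None and req.country != usual

    # Rule 1: customer and contractor devices never reach sensitive resources.
    if req.resource in SENSITIVE_RESOURCES and persona.asset in (Asset.CUSTOMER, Asset.CONTRACTOR):
        return Decision(False, step_up, f"{persona.asset.value} asset may not access {req.resource}")

    # Rule 2: sensitive actions require a managed endpoint, on any network.
    if req.action in SENSITIVE_ACTIONS and not persona.managed_endpoint:
        return Decision(False, step_up, f"{req.action} requires a managed endpoint")

    # Rule 3: sensitive resources from a managed endpoint on a non-corporate
    # network are allowed, but always behind MFA.
    if req.resource in SENSITIVE_RESOURCES and not persona.trusted_network:
        return Decision(True, True, f"{req.resource} off the corporate network requires MFA")

    return Decision(True, step_up,
                    f"allowed for persona {persona.asset.value}/{persona.network.value}")


if __name__ == "__main__":
    samples = [
        AccessRequest("alice", Asset.CORPORATE, Network.CORPORATE, "IN", "mail", "download_attachment"),
        AccessRequest("alice", Asset.PERSONAL, Network.PERSONAL, "IN", "mail", "download_attachment"),
        AccessRequest("alice", Asset.CORPORATE, Network.PERSONAL, "IN", "mail", "download_attachment"),
        AccessRequest("alice", Asset.CORPORATE, Network.PUBLIC, "DE", "mail", "read"),
        AccessRequest("bob", Asset.CONTRACTOR, Network.CORPORATE, "US", "prod-shell", "execute_command"),
    ]
    for req in samples:
        d = evaluate(req)
        print(f"{req.user:5} {req.asset.value:10} {req.network.value:9} {req.action:19} "
              f"-> allowed={d.allowed} mfa={d.require_mfa} ({d.reason})")
```

The order of the rules matters: the hard denials (wrong device class for the resource, sensitive action from an unmanaged device) are checked before the step-up rules, so a request that would be refused is never merely challenged for MFA. Each decision carries a reason string so it can be logged for the continuous monitoring step that the approach depends on.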
Enterprises taking a persona-based adaptive security approach should:
- Identify and define the types of personas allowed
- Define the access and privileges granted to each of these personas
- Select the technology to identify personas and enforce adaptive controls based on them
- Define the control enforcement required for each of these personas
- Continuously monitor to identify potential threats and attempts
Let us work together for a secured Cyber World.
Global Cybersecurity Freelance Consultant who is into SOC, Threat Hunting, Threat Intelligence, IR, SME & Consulting.
5 years: It's a very interesting topic to research more! Nowadays air-gapped systems are also getting affected.
VP -Digital Transformation|Executive Agile Leadership CSM CSP Scaled Agile SAFe-SPC, AWS, Cyber Sec, DevSecFinOps, Data AI TPM Manager| Product Management | Financial Services | FinTech | Healthcare | Automotive IT VOLVO
5 years: Very nice post!
Author | Director, Cyber Security Leader with exposure to 35+ Countries including US, UK, Europe, Australia | Risk and Compliance | Cloud Security| PCI DSS | ISO 27001 |ISO 22301 | Security Architect | 25000+ Follows
5 years: Thanks Sunil for the nice post. Zero Trust will help to patch backdoor executive access by design and protect them in social and many unforeseen, unaware scenarios. #cyberssecurityauditors #rateciso