Throughout the evolution of information technology and of the access control solutions available for organizations to implement in support of their security infrastructure, heavy emphasis has been placed on ensuring that access is granted only to intended, authorized users. These efforts align primarily with the Confidentiality prong of the information security “CIA Triad” model (Walkowski, 2019), which guides security decisions by addressing which users should be authorized to access sensitive material or resources. Strict, properly configured access control policies provide a clear interface for end users and protect critical resources by guarding against attacks that arise when unauthorized or unrestricted end users are unintentionally allowed to read, write, and copy restricted information.
Demand for robust access control solutions has risen significantly with the movement towards distributed workforces that access sensitive information and restricted workspaces remotely. This movement has raised valid concerns within organizations about verifying that intended users do not outsource their own work, whether in academic settings (Amigud and Lancaster, 2019) or among employees outsourcing their responsibilities in remote environments (Chappell, 2013). To address these concerns, measures such as Multi-Factor Authentication (MFA) have been implemented; when used as the only protection, however, MFA largely cannot accommodate the scenario in which an end user provides an unauthorized party with the code so that they can access and work on the system remotely. Instead, Continuous Identity Authentication methods, which are similar to and build upon biometric facial recognition access controls, can now be implemented to confirm the end user’s identity throughout a protected session. More importantly, in some cases, such as with SessionGuardian, these continuous verification methods remove the need to record video or save photographs of the end user during the session, with verification computed continually while the application is in use.
In response to the COVID-19 pandemic, and even earlier in many technology-focused or dispersed industries, remote work has become far more commonplace in the average organization than previously seen. Because remote work was required so abruptly as a direct result of the pandemic, many organizations found themselves unprepared for the security demands of remote infrastructure, with “most organizations’ digital ecosystems [being] placed under high stress” (OECD, 2020). Readiness for a dispersed workforce was previously not often a concern for smaller organizations, and was usually seen only in the context of a business continuity plan for recovering critical business operations after an environmental disaster. The COVID-19 pandemic accelerated this requirement and forced widespread, varied industries into immediate remote work, testing information security infrastructures and policies globally as remote work became standard. With remote work growing on this accelerated schedule, it is important to note that in a 2020 study, “Gartner projected that 47 percent of employers plan to let workers work remotely full time moving forward. In addition, 82 percent of business leaders … plan to allow employees to work remotely at least some of the time as they reopen closed workplaces” (Zielinski, 2020). The zeitgeist of work environments has permanently shifted to include fully remote or hybrid arrangements, a movement that current literature and organizations are confident will not reverse.
Remote work, in its current state, is viewed by information security experts with concern, with “77% of SMEs See[ing] Remote Work as a Security Risk” (Cawley, 2022). Cawley’s study identified that the primary risk concerns stemmed from an inability to confirm that resources were being used securely and were not left unmonitored. Specifically, the underlying concern boils down to verifying that authorized users were the ones accessing sensitive material, and that they restored its security by locking the system or logging off safely once the need to access it had ended. The push towards remote work has been further fueled socially by many employees requesting remote opportunities over in-office employment and, combined with the COVID-19 pandemic’s push towards this work format, has become a permanent fixture of the global economy. Taken together with the security hesitation noted above, it is clear that remote work will continue, and that it requires robust solutions such as continuous identity authentication to protect organizations in their dispersed security postures. In SessionGuardian’s continuous authentication approach, the ability to continually authorize an end user whom the organization has predetermined to have access to a virtual machine or to web-based work such as specific applications and websites fills this security need. By performing continuous authentication and authorization checks paired with liveness detection, the application is able to ensure the three primary goals identified, by:
By definition, a data leak can be caused intentionally or accidentally by an internal or external party. The perception of a data leak, and the fear of the damages associated with it, are often geared towards protecting against external intentional attacks; however, a 2017 study found that internal leaks caused “43% of corporate data leakage [incidents], and half of these leaks are accidental” (Cheng et al., 2017). Accidental employee data leaks have become a growing concern for information security departments during the COVID-19 pandemic and remote work, with 97% concerned specifically about internal data leaks (Stealthlabs, 2020). With remote work unquestionably growing year-over-year, and having increased explosively due to the COVID-19 pandemic, concern over internal data leaks is a component of risk management that must be addressed immediately.
The largest risks of unintentional internal data leaks lie in causes that may not seem overtly dangerous at the time, yet can result in financial, reputational, regulatory, or competitive damages. These causes include accidentally emailing sensitive information, leaving restricted applications unlocked where unauthorized users can reach them, or accessing sensitive information in places where unauthorized users are present and can ‘shoulder surf’ to view it. Organizations losing trade secrets or incurring expenses to correct errors are obvious damages; for regulated industries, a compliance incident such as an unintentional HIPAA violation can bring further damages. While remote work has previously found it difficult to protect against these accidental data leaks, continuous identity authentication technology has allowed endpoint security measures to help end users avoid accidentally causing organizational damage. With biometric security such as the SessionGuardian application for remote or on-premises work, workspaces and sensitive information can be protected against shoulder surfing by detecting when more than only the authorized user is present. Additionally, these secure sessions provide secure email capabilities that restrict the ability to send sensitive information accidentally to unauthorized users and, through continual identity authentication, lock down all sensitive information should the authorized user not be found. With these capabilities, the damages of accidental data leaks can largely be guarded against when secure continuous identity authentication applications are part of an organization’s security infrastructure.
The importance of Continuous Identity Authentication in a security infrastructure is shown by the need to protect sensitive information remotely during the push towards remote work. With any security solution that interfaces directly with end users, however, questions of end user privacy and data protection arise. Socially conscious workplace practices have been demanded more consistently by employees and platform end users, especially in remote work environments. A 2021 study identified that an end user’s trust in coworkers, employer and/or contractor directly influences their work productivity and quality when working remotely (van Zoonen et al., 2021). A large component of trust in employers and contractors during the COVID-19 pandemic remote environment, and in persistent remote work opportunities, is concern over employer spyware, in which employers and contractors monitor the behavior and actions of employees, whether disclosed or covert. In a recent study of remote work during the COVID-19 pandemic (Zielinski, 2020) it was identified that “73% of employees feel that introducing technologies to monitor the workplace would damage trust between them and their employers.” Read alongside van Zoonen et al. (2021), where employee trust directly relates to work quality, these monitoring tools pose a significant risk. Additionally, “43% [of employees] are concerned that the introduction of workplace monitoring technology could make it easier for their privacy to be violated” (Zielinski, 2020), which reinforces the data privacy and trust concerns employees raise about remote work. Due to these concerns, it is vital that organizations select an access control and authorization solution that does not infringe upon end user trust or data privacy.
“Continuous Identity Authentication software” is a term that can bring hesitation to a discussion, yet it is often misunderstood because of the software solutions it is implemented alongside. Employee monitoring applications exist and are regularly deployed, with “26% of HR leaders report having used some form of software or technology” (Zielinski, 2020) to monitor their employees. These tools, and others that claim Continuous Identity Authentication, may record or stream video of the end user accessing sensitive information or a restricted workspace as the “continual” portion of identity authentication; such solutions largely fall short and damage employee trust and, subsequently, performance. Instead, Continuous Identity Authentication methods such as those in the SessionGuardian application perform biometric identity verification checks on the local machine where the application is installed. Under no circumstances is a video or photographic stream of the end user recorded or transmitted: the software works on the same principle as facial verification for mobile device “passwords,” or the facial scans used to instantly verify an authorized user in a restricted facility. The biometric points, when observed, are immediately compared against data points associated with the user stored locally, so there is no recording potential. Continuous authentication is a steadily developing field of access control, and the impacts of choosing the wrong solution are dire: loss of employee trust and decreased work performance. Therefore, while this is a critical technology for businesses to review, it is important to consider applications such as SessionGuardian that fill gaps in an organization’s security posture without negative impact on the end user.
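As an added illustration (not SessionGuardian’s own code, nor from this page), the following Python models the session policy described above and in the data leak discussion: only the outcome of each local biometric check reaches the policy, never a camera frame, and the workspace locks when the authorized user is absent or fails liveness for several consecutive checks, or at once when an extra face appears (the shoulder-surfing case). Class and field names, the lock threshold, and the sample check sequence are assumptions.

```python
from dataclasses import dataclass
from enum import Enum

class State(Enum):
    UNLOCKED = "unlocked"
    LOCKED = "locked"

@dataclass(frozen=True)
class Check:
    # Outcome of one local biometric check; the frame is discarded, only these fields reach the policy.
    matched: bool  # face matched the authorized user's locally stored template
    live: bool     # liveness test passed (not a photo or replayed video)
    faces: int     # faces in view; more than one means a possible shoulder surfer

class SessionGuard:
    """Hypothetical continuous-authentication policy (assumed, not SessionGuardian's code):
    lock after `max_missed` consecutive failed checks, lock at once when an
    extra face appears, and re-authenticate on the next clean check."""

    def __init__(self, max_missed: int = 3) -> None:
        self.max_missed = max_missed
        self.missed = 0
        self.state = State.UNLOCKED
        self.events: list[str] = []  # audit trail of decisions, never images

    def observe(self, check: Check) -> State:
        if check.faces > 1:
            self._lock("extra_face")
        elif check.matched and check.live and check.faces == 1:
            if self.state is State.LOCKED:
                self.events.append("reauthenticated")
            self.missed, self.state = 0, State.UNLOCKED
        else:
            self.missed += 1
            if self.missed >= self.max_missed:
                self._lock("user_absent" if check.faces == 0 else "verification_failed")
        return self.state

    def _lock(self, reason: str) -> None:
        if self.state is not State.LOCKED:
            self.events.append(reason)
        self.state = State.LOCKED

def run_session(checks: list[Check], max_missed: int = 3) -> tuple[State, list[str]]:
    guard = SessionGuard(max_missed)
    for check in checks:
        guard.observe(check)
    return guard.state, guard.events

# Constructed sample: user present, steps away for three checks, then returns.
SAMPLE = [Check(True, True, 1)] * 2 + [Check(False, False, 0)] * 3 + [Check(True, True, 1)]
```

Running `run_session(SAMPLE)` returns the unlocked state with the audit trail `["user_absent", "reauthenticated"]`, showing that a decision log can be kept without retaining any image of the user.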