What is Identity Decisioning? By Transmit Security
Whether it’s prohibiting the online sale of alcohol to underage users, challenging users from a particular geographical region in response to unusual traffic patterns in that area, or creating allowlists for certain trusted IPs, writing and orchestrating simple rules should be a straightforward task. However, fraud innovation and the complexity of applications and systems underpinning identity management today can make orchestrating simple decisions an incredibly complicated process. That’s why we’re excited to announce the launch of our new Identity Decisioning service: a centralized decisioning service that lets you quickly create no-code rules that can be easily tested and safely deployed in real time by leveraging our platform’s security and risk intelligence capabilities.
Identity decisioning is a process that evaluates the risk associated with a given user against a predefined set of rules to determine how to interact with that user. To effectively evaluate these risk signals, a platform or service must have access to a variety of different data sources, such as PEP and AML watchlists, background checks and threat detection mechanisms such as behavioral biometrics, network analysis and global intelligence. These data sources — along with information collected directly from users, telemetry collected during user interactions and data extracted from documents provided during identity proofing — can all help to validate the authenticity of a user’s identity claims and the risk associated with their requests…
The Cyber Hut Comment: CIAM vendor Transmit Security have pivoted in recent years to add a more platform-centric set of capabilities covering risk, fraud and “identity decision making” features. The addition of contextual analysis to all parts of the identity life cycle is not particularly new. Whether at the on-boarding and proofing level, or at login and post-login access control, the use of extra information (typically non-identity related) helps improve decision making. Credential analysis is no longer enough during authentication. Identity claims analysis is no longer enough to deliver security during access request events.
So what information are we talking about? Device and location data seems the most obvious. This will include network information, device operating system information and so on. This not only helps bind the physical device to an identity-assigned credential, but also makes it possible to start looking for changes in behaviour.
Transmit basically has a rule-based system with conditions and operators to analyse these data signals at different parts of the user’s journey. The result provides the foundation for identity risk analysis, with responses such as denying access, blocking accounts at registration time or limiting service access due to being under-age.
Clearly, signalling provides greater intelligence and risk-aware information to a host of different parts of the identity life cycle. The flip side, of course, is that those rules need to be managed - created, updated and analysed. That analysis aspect should include coverage, applicability and effectiveness. Any rule-based system may give way over time to a more self-generating and self-adapting model (enter the AI/ML buzzword bingo) in order to avoid rule-explosion and visibility issues.
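An added sketch (not code from Transmit Security or from this post) of rules built from conditions and operators, evaluated per journey stage, with a replay that measures rule coverage. The rule names, signal fields, operator names and sample events are all constructed assumptions.

```python
import ipaddress
import operator
from collections import Counter

# Condition operators; the names are hypothetical, not Transmit's.
OPS = {
    "eq": operator.eq,
    "lt": operator.lt,
    "gte": operator.ge,
    "in": lambda v, allowed: v in allowed,
    "in_cidr": lambda v, net: ipaddress.ip_address(v) in ipaddress.ip_network(net),
}

# Constructed rule set, evaluated top to bottom; the first match wins.
RULES = [
    {"id": "allow-trusted-ip", "stage": "login", "action": "allow",
     "when": [("ip", "in_cidr", "203.0.113.0/24")]},
    {"id": "deny-under-age", "stage": "purchase", "action": "deny",
     "when": [("age", "lt", 18), ("category", "eq", "alcohol")]},
    {"id": "challenge-region", "stage": "login", "action": "challenge",
     "when": [("country", "in", {"XX"}), ("risk_score", "gte", 50)]},
    {"id": "deny-risky-new-device", "stage": "login", "action": "deny",
     "when": [("device_known", "eq", False), ("risk_score", "gte", 90)]},
]

# Constructed sample events: (journey stage, signals seen at that stage).
EVENTS = [
    ("login", {"ip": "203.0.113.7", "country": "XX", "risk_score": 80, "device_known": True}),
    ("login", {"ip": "198.51.100.4", "country": "XX", "risk_score": 70, "device_known": True}),
    ("purchase", {"age": 17, "category": "alcohol"}),
    ("login", {"ip": "198.51.100.9", "country": "GB", "risk_score": 10, "device_known": True}),
]

def decide(stage, signals, rules=RULES, default="challenge"):
    """Return (action, rule_id). A condition on a missing signal is false,
    so an incomplete event falls through to the default action."""
    for rule in rules:
        if rule["stage"] == stage and all(
                field in signals and OPS[op](signals[field], value)
                for field, op, value in rule["when"]):
            return rule["action"], rule["id"]
    return default, None

def coverage(events, rules=RULES):
    """Replay events: hits per rule, rules that never fired, default rate."""
    hits = Counter(decide(stage, sig, rules)[1] for stage, sig in events)
    unused = [r["id"] for r in rules if hits[r["id"]] == 0]
    return {"hits": dict(hits), "unused": unused,
            "default_rate": hits[None] / len(events)}
```

In the sample replay the allowlist rule fires before the region rule for the first event, and `deny-risky-new-device` never fires, which is the kind of ordering and visibility gap that coverage analysis is meant to surface.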