History repeats itself. Whenever added value is created somewhere, those who try to profit from it unfairly are not far behind. Whereas in the Middle Ages it was robber barons and highwaymen who battled with nobles, clergy and merchants for goods and money, today it is highly organized, sometimes institutionally supported hackers (gangs) or cybercriminal individuals who compete with state authorities and corporations for both digital and real assets.
And so the security issue is a familiar one: Whenever someone increases protection, sooner or later someone looks for and finds a way to circumvent the new hurdles. It is an incessant, mutual arms race against time, with the diversity and complexity of today’s ICT infrastructures increasing almost exponentially in parallel. The global World Wide Web has long since ceased to be comparable with the “idyllic manageability” of an English county.
Value creation on the Internet is booming. Annual online retail sales are in the billions. According to the German E-Commerce and Mail Order Association bevh, almost one in eight euros is spent online. The PWC study “Total Retail 2016” shows that 54% of all consumers already shop online; increasingly often directly via mobile devices. A third see the smartphone as their main shopping tool of the future: developments with far-reaching consequences that are quite attractive and unfortunately also lucrative for (cyber)criminals as well as for government and commercial data and information collectors.
Two-factor authentication
Multifactor authentication has found its way into most companies as a security control. In addition to the username and password (knowledge), a successful login requires an additional factor (possession). However, these access control mechanisms have become outdated. In practice, the tried-and-tested two-factor authentication is not always able to guarantee that the identity owner is actually behind the actions and transactions carried out.
In addition, there are new business models relating to digital (premium) content, whose legal and regulatory framework conditions are not usually compatible with the limitless global availability provided by the Internet.
So what to do? Simply keep extending the security system in the same old pattern, if necessary at the expense of usability?
May the fourth factor be with you…
One way to increase security without negatively impacting usability is to take into account the environment or location in which the user is currently located, as a fourth factor in authentication, so to speak. The inclusion of location features or the so-called “IP reputation” of the user is a tried and tested means of taking established access control mechanisms to the next level. The basic idea behind this is anything but revolutionary: in the past, data access was already controlled based on the network in which the user was currently located. If the source network was trustworthy, access was granted, otherwise it was denied. Now the whole principle is simply applied to the World Wide Web. Where authorization decisions used to be based solely on the IP (internal/external), information such as country, location, spam source, botnet member, DDoS attacker, etc. is now available. The possible evaluation criteria are far greater today, and the possibilities correspondingly more diverse. This results in completely new use cases in access control, which can be implemented with the inclusion of IP reputation information.
Risk-based authentication
The concept of risk-based authentication enables access control to be adapted in stages depending on the risk of the client environment and the sensitivity of the data provided. IP reputation information, such as the geographical location or the “trustworthiness[1]” of the client IP, supports the decision as to which authentication strength and means are required. For example, authorities, companies or e-commerce operators can prevent any access to their online services from abroad, or at least only grant access from across the border with additional authentication factors.
Risk-based authorization
Alternatively or additionally, risk-based authentication can also be combined with risk-based authorization. In this case, the user’s IP reputation information dynamically determines the access rights and therefore whether and what information is available or can be edited. Content is therefore not only adapted based on the user’s authorizations, but also based on the risk of the client environment.
Dispensing with a “one policy fits all” strategy has two advantages. On the one hand, the security of sensitive information is guaranteed in the event of a high risk by increasing the strength and means of authentication and restricting access. At the same time, the majority of regular users – who do not usually have a high-risk profile – can dispense with highly complicated and secure authentication and the restriction of data access. This in turn significantly improves usability while maintaining a high level of security. In short: risk-adapted authentication and authorization is crucial for achieving the optimum balance between security and usability.
Geolocation and the ubiquitous premium content
Another classic example of the use of IP reputation is the distribution of premium content. For copyright reasons, commercial providers such as Netflix, as well as public media institutions and publishers, are usually obliged to make digital content accessible only in the target countries or regions licensed for this purpose. The geographical location of the user is analyzed for this purpose. This is also known as “geolocation” and is one of the most common and established criteria in the IP reputation context, as it is relatively easy and relatively reliable to determine.
Detect attacks thanks to IP reputation
Just how effective location information is at restricting global access to protected content is demonstrated by the wide range of existing circumvention solutions. The TOR network, anonymizing VPN and proxy services, as well as the use of globally distributed cloud infrastructure data centers, are the attacker’s answer to geolocation-based access restrictions. But anyone who prematurely believes that the advocates of an unrestricted flow of information on the Internet are the winners here is mistaken. IP reputation is not only a means to an end in risk-based authentication and/or authorization, but also offers a second line of defence to thwart attacks. Just like information on the geographical location of an IP address, IP reputation can also indicate whether that address is presumably part of the TOR network, a cloud data center or an anonymizing VPN or proxy service. And of course, this information can in turn be used as an additional layer in the access decision.
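As an added illustration (not code from the original article or any product it describes), the following Python policy function combines the risk-based authentication and risk-based authorization described above with the TOR, anonymizer, cloud and attack-source categories from this section; the record fields, the scoring weights, the sensitivity levels and the home countries are all assumptions.

```python
from dataclasses import dataclass

# Constructed example of an IP reputation record as a WAF or risk engine
# might receive it; the field names are assumptions, not a vendor format.
@dataclass
class IpReputation:
    ip: str
    country: str                    # ISO country code from geolocation
    tor_exit: bool = False
    anonymizer: bool = False        # anonymizing VPN or proxy service
    cloud_datacenter: bool = False
    botnet_member: bool = False
    attack_source: bool = False     # known DDoS or spam source

HOME_COUNTRIES = {"CH", "DE"}       # assumption: where regular users sit

def client_risk(rep: IpReputation) -> int:
    """Score the client environment; 0 means no findings at all."""
    score = 0
    if rep.country not in HOME_COUNTRIES:
        score += 1                  # access from across the border
    if rep.tor_exit or rep.anonymizer:
        score += 1                  # typical geolocation circumvention
    if rep.cloud_datacenter:
        score += 1
    if rep.botnet_member or rep.attack_source:
        score += 3                  # untrustworthy IP, see footnote [1]
    return score

def access_decision(rep: IpReputation, sensitivity: str) -> dict:
    """Risk-based authentication (which factors must be presented) and
    risk-based authorization (which rights are granted) for one request.
    sensitivity is one of 'public', 'internal', 'confidential'."""
    risk = client_risk(rep)
    if risk >= 3 or (risk >= 2 and sensitivity == "confidential"):
        # second line of defence: attack sources get no login at all, and
        # anonymized foreign clients get no confidential data either
        return {"allow": False, "factors": [], "rights": "none"}
    factors = ["password"]
    if sensitivity == "confidential" or risk >= 1:
        factors.append("otp")       # step-up: possession factor required
    rights = "read-write"
    if risk >= 1 and sensitivity != "public":
        rights = "read-only"        # rights shrink with the client risk
    return {"allow": True, "factors": factors, "rights": rights}

if __name__ == "__main__":
    # constructed sample clients: a regular home user and a TOR exit abroad
    print(access_decision(IpReputation("198.51.100.7", "CH"), "internal"))
    print(access_decision(IpReputation("203.0.113.9", "US", tor_exit=True), "internal"))
```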
And finally, a fifth factor
Last but not least, information obtained via IP reputation can be incorporated into the analysis of user-specific behavior patterns. These can then be evaluated as a fifth factor (behavior) in the context of online activities and transactions in order to detect identity theft and misuse. Alternatively, the data profiles can of course also be analyzed – in a way that is atypical for security – in the context of “know your customer” for marketing purposes.
Conclusion: The golden mean is the key
The question remains as to where and how the use of IP reputation information can best be implemented. One possibility is to build the corresponding logic into each application in a dedicated manner. Although this gives the applications the greatest possible flexibility, it also causes costs that potentially increase proportionally with each additional application. From a cost perspective, this is hardly attractive. It also requires a certain degree of control over the applications themselves. Purchased third-party applications, on the other hand, make cross-application use more difficult and therefore often prevent a standardized, company-wide access policy from being enforced.
Another alternative is the use of IP reputation on the classic perimeter firewall. This has the advantage that access restrictions can be defined and applied centrally on an infrastructure component. In return, however, you lose a large part of the flexibility and usually also granularity, as the radius of action of commercially available port firewalls is normally limited to the middle OSI protocol levels. For risk-based authentication and authorization in particular, however, finely graduated applicability at application level is indispensable.
The third option is to use IP reputation for access control on the web application firewall. This corresponds to the happy medium between a classic firewall and application-specific integration. IP reputation information can be introduced here in almost any granularity – and if necessary in combination with the classic protection mechanisms of the web application firewall. This not only avoids inflexible “black and white” decisions and unnecessary “false positives”, but also offers plenty of scope for user- and application-specific exceptions. Not to mention the many possibilities of centralized reporting, which can also present attacks and user behaviour in a geographical context.
[1] The IP is known, for example, as a source of (DDoS) attacks, a spam source or part of a botnet.