With the Now Platform’s recent Quebec release, ServiceNow has introduced adaptive authentication. This framework allows enterprises to enforce more contextual authentication policies that better adapt to the types of environments where today’s employees get work done.
This is an important step forward for security within ServiceNow. Clear Skye is happy to see it being addressed at a platform level. We also see ServiceNow’s adaptive authentication framework as a key stepping stone for more robust and flexible policies.
Let’s take a closer look at what adaptive authentication can do today – and what it has the potential to do.
Adaptive authentication on the Now Platform
Quebec enables the use of contextual authentication controls, which will evaluate incoming authentication requests and approve or deny them based on specific policy conditions – IP address, user groups, roles, and so on. Enterprises can configure adaptive authentication properties according to their own security requirements and policies.
This has some clear security advantages. One is segregation of duties: A user who has the authority to cut checks can be easily denied access to the authority to approve checks. Another is preventing unauthorized access from untrusted IP addresses. If a user in New York logs off, and the same “user” then tries to log on from an IP address in London 15 minutes later, authorization can be immediately denied. Policies can also approve authorizations only from office-based IP addresses for certain critical tasks, such as releasing company funds.
Traditionally, individual identity and access management products have applied their own adaptive authentication policies. For enterprises that use different IAM products for different enterprise systems, this can lead to a hodgepodge of policies. That makes access difficult to manage, which can easily lead to confusion, frustration, and cutting corners.
That’s why applying adaptive authentication at the level of the Now Platform is an important step forward. This lets enterprises set an overarching policy instead of applying individual policies in a piecemeal fashion. That makes it harder for attackers to gain unauthorized access – but it also makes it easier for authorized users who have completed the necessary authentication steps.
Adaptive authentication as another step forward for digital transformation
At Clear Skye, we see potential for adaptive authentication to evolve to be even more flexible than simple approval or denial. The ability to coalesce software and hardware data across the entire Now Platform could further expand the capabilities of adaptive authentication, with some steps skipped and other steps required depending on the context.
Consider the following scenario.
- Sam from Marketing logs on from home. Because Sam isn’t on an office-based IP address, Sam must log in using multi-factor authentication (MFA).
- Sam logs off when stepping away for lunch. When Sam returns, since it’s the same IP address from the previous log-in, no MFA is needed.
- Sam logs off and brings the corporate laptop to a local café to meet Dana, a colleague from the Sales office.
- Sam fires up the corporate laptop and logs on. The IP address is different, but Sam’s antivirus software and other security settings are up to date, so for now MFA isn’t needed.
- Dana pulls out a personal device and tries to log on. At the very least, Dana is required to use MFA, since it’s an unauthorized device and an unrecognized IP address.
- To access certain enterprise systems, such as the quarterly sales figures or the shared server, Sam may need to use MFA on the corporate laptop – and Dana may not be able to use the personal device at all.
Here, adaptive authentication is indeed adaptive. Using an up-to-date corporate device, Sam doesn’t have to use MFA a second time to log on from home and will only need to use MFA from the coffee shop to access sensitive information. On the other hand, Dana’s personal device will be watched closely, and Dana will be reminded that the device poses a security threat.
These potential future use cases for adaptive authentication are another example of how workflow automation can power digital transformation in the enterprise. When data is removed from its silos, workflows can become intelligent. Employees can dictate the business processes that give them the flexibility to get work done – while enterprises can leverage the ServiceNow data plane to identify risk indicators, such as outdated antivirus software or log-ins from personal devices, and stop risky behavior in its tracks. Adaptive authentication in the Now Platform’s Quebec release is the first step toward making this happen.