Risk-Based Authentication for Your Critical Business Processes

For many years, companies have often been required to allow access to critical business data from outside their corporate network. For example,  employees go on business trips or work remotely, or partner consultants need to gain access because of a new project. In addition to this security challenge, a new and more complicated scenario has been in high demand for the last several years: Mobile access. Easy and flexible, it allows users to connect and work from anywhere and on any device. All these challenges require a revision of corporate security policies as well as new security tools for an effective mitigation of the newly defined risks.

With the latest support package (SP04) for SAP Single Sign-On, released on Nov. 03, 2014, SAP offers a solution that will help companies to mitigate such risks by implementing Risk-Based Authentication, improving security for all critical business processes.

Risk-based authentication helps companies capture and evaluate centrally the authentication circumstances based on custom-defined access policies. As a result, you can allow or forbid the access, or if necessary enforce Two-Factor Authentication mechanism based on One-Time Password (OTP).

Sample scenario:

Security policy of Company “A”: Access to HR systems, when requested from outside the corporate network and/or outside normal working hours, is considered a very high risk.

Such a risk could be easily mitigated with the implementation of risk-based authentication: When the user tries to access the systems from outside the corporate network/or when the time is between 6:00 PM and 9:00 AM of the respective for the user time-zone, two-factor authentication will be enforced.

How Risk-Based Authentication Works:

The solution is based on custom-defined access policies. Many companies develop a set of access policies, based on their corporate security standards. The access policies are implemented in a configuration UI or in the SAP NetWeaver Administrator by writing the logic in JavaScript. The access policy logic is based on a set of contextual information (for example: time, origin, authentication method, device, and others) and the risk, defined by the company with regard to the values of this contextual information.

The Access Policies are available as implementation for two authentication methods:

• For authentication with Time-Based One-Time Password Login Module (TOTPLoginModule) – here the Login Module processes the specified access policy script and decides which one of these two types of authentication to use – single or two-factor authentication.
• For authentication through an Identity Provider (IdP) – here the access policies are specified for IdP extensions and policies can be set for a specific trusted service provider or for all trusted service providers

When a user tries to log-in to a resource, where the Risk-Based Authentication has been implemented, the authentication request is sent to the Access Policies Engine, running on the SAP NetWeaver AS Java.

The Access Policies Engine performs the following steps:

1. Collects the context information
2. Applies a rule to straighten authentication – here based on the context information the access policy script is executed. Based on the result, the access is allowed or denied, or two-factor authentication is enforced.
3. Persists the context – this step is performed only when the access is allowed. The relevant information (context, authentication procedure, risk level, etc.) is stored in the authentication token and the token is sent to the client.

How to Implement Risk-Based Authentication:

Risk-Based Authentication requires installation of the SSO AUTHENTICATION LIBRARY 2.0. and configuration, dependent on the authentication method.

If you choose to implement authentication with Time-Based One-Time Password Login Module (TOTPLoginModule), you need to:

1. Create an access policy and define its script
2. Configure the TOTPLoginModule to use this access policy

    For more details, see Access Policies Implementation Guide. Here you will find an example access policy script.

    You can find example scripts also in the SAP Note 2225027 – Policy Scripts for Risk-Based Authentication

If you choose to implement authentication through an Identity Provider (IdP) you have two options:

• to configure access policies for an external adapter by implementing authentication and assertion policies
• to configure access policies for an attribute provider by implementing a script for policy-based assertion attributes

Implementation steps include:

1. Set the IdP extension, choosing one of the extension types: External Adapter or Attribute Provider
2. Implement an access policy for the extension type, selected on previous step.

     For more details, see Configuring Access Policies for Identity Provider Extensions

Risk-Based Authentication with SAP Single Sign-On:

• Centrally evaluate and mitigate the risk of allowing access to the IT landscape, based on context
• Dynamic authorization restriction on service and transaction level using pre-defined rules
• Risk-based enforcement of two-factor authentication
• Available also for authentication through the Identity Provider
  

The new SAP solution that helps companies to offer access from anywhere and on any device by controlling and mitigating risk successfully!

See also:Stronger security for your business data at risk   (sample access policies included)