Key features
Advanced Identity Cloud add-on capability
Contact your Ping Identity representative if you want to add Autonomous Access to your Advanced Identity Cloud subscription. Refer to Add-on capabilities.
Autonomous Access features
| Feature | Description |
|---|---|
| Fully-native Advanced Identity Cloud deployment | Ping Identity’s Autonomous Access and its components are fully cloud-native, deployed into your new or existing development, staging, and production tenants. The data collected by Autonomous Access is stored for three months in the Risk dashboard and six months in the cloud to ensure optimal artificial intelligence/machine learning (AI/ML) analytics. |
| Machine learning-based anomaly detection | Autonomous Access uses AI/ML-based detection analytics centered around user behavior and geospatial contextual information at authentication. Anomaly detection includes location, time of day, operating system version, device model and type, browser type and version, and other data. Autonomous Access’s AI/ML decisions are designed to be explainable, providing clear reasoning for its scoring instead of generating black box results with limited transparency. |
| Fully GDPR compliant | The General Data Protection Regulation (GDPR) is a collection of European Union (EU) regulations designed to protect the privacy and personal data of users. GDPR grants an organization’s users greater control over their personal information and requires organizations to obtain explicit consent to access and remove their personal data. It also requires organizations to provide clear information about data processing and security measures to safeguard user data. Autonomous Access stores user data in the cloud for six months. Users can request to access or remove their personal data processed through Autonomous Access. Refer to Handling GDPR requests. |
| Real time threat detection | The Autonomous Access AI/ML analytics engine discovers the risk threats described in Real time threat detection. |
| | Autonomous Access presents multiple UI dashboards providing insights into the online behavior for tenant and individual users. |
| | Three Autonomous Access nodes integrate within your journeys. No custom coding or connectors are required for these nodes. The following Autonomous Access nodes are available: The nodes are all specific to the realm that you are in. For further customizations, you can leverage the more than 100 Ping Identity nodes within your journeys to implement your use cases. For more information, refer to Learn about the Autonomous Access nodes. |
| | Advanced Identity Cloud provides a preconfigured Autonomous Access journey with nodes. You can use this journey as a starting template for your specific use cases and requirements. The Advanced Identity Cloud Analytics dashboard also reports successful or failed Autonomous Access journeys. For more information, refer to Create journeys. |
| Custom features | Autonomous Access lets you add custom features using YAML-based risk configuration and scripted nodes. For example, you can configure Autonomous Access with the following custom features: |

Real time threat detection
The Autonomous Access AI/ML analytics engine discovers the following risk threats:
- Anomaly detection. Autonomous Access’s user and entity behavior analytics (UEBA) signal effectively identifies online anomalies in a user’s behavioral profile. UEBA is a powerful security tool that utilizes machine learning to analyze network activity, detecting any deviations from a user’s typical online behavior. This complementary tool can be seamlessly integrated with other threat signals for enhanced security measures.
- Prevent double jeopardy. Avoids flagging a user for the same reason or risk score if they already passed multifactor authentication. For example, if a user in France visits Singapore and gets flagged for an unusual location but successfully completes multifactor authentication, Autonomous Access will not flag the user again during their next login within a default time window (60 minutes) from the same city (Singapore).
- Credential stuffing: Identifies instances where a single IP address attempts to access multiple user accounts over a period of time by counting the total number of users accessed by that IP.
- Suspicious IP: Tracks the overall count of authentication attempts made by a single IP address across all users. An IP is flagged as suspicious if it exceeds a certain threshold of authentication attempts within a specified timeframe.
- Automated user agent filter: Detects if automated bots exist in the user-agent string. An automated bot is a program that operates independently, performing tasks automatically without the need for human interaction. Hackers utilize automated bots to launch large-scale attacks, such as distributed denial-of-service (DDoS) attacks or credential stuffing, by leveraging the bots' ability to carry out malicious activities rapidly and at scale. Autonomous Access can detect such malicious activity using its automated user agent filter heuristic.
- Impossible Travel: Detects if users are authenticated from two locations so far apart that a person could only travel between them at an impossible speed.
- Brute force: Detects the frequency of authentication attempts for a user over a period of time. If the frequency is high, then Autonomous Access flags the event as a possible brute force attack.
- Distributed attack: Detects whether the number of authentication attempts by a single user exceeds a predefined threshold of unique IP addresses within a specified time period. For example, if the threshold is set to 7 and the window is set to 10 minutes, Autonomous Access raises a distributed attack flag if the same user makes authentication attempts from 8 or more distinct IP addresses within a span of 10 minutes. The only action is to display the risk score on the Risk dashboard, so that the administrator can adjust the login journey to block or challenge this activity.
- Allow/block IP addresses: Autonomous Access provides two features, allow IP lists and block IP lists, to handle known IPs that trigger false positives and known malicious IP addresses that are associated with harmful activities on the Internet.
  - Allow IP Addresses. This feature allows you to override a risk score when dealing with specific IP addresses triggering high-risk scores. Instead of assigning a high-risk score, it sets the risk score to 0. For example, many users and organizations use VPNs to access online services. However, VPN usage can often trigger a false positive related to credential stuffing because multiple users are coming from the same IP address. To address this, you can add the VPN’s IP address to an allow list. When an IP address is on this list, Autonomous Access assigns it a risk score of 0, bypassing heuristic and machine learning processes.
  - Block IP Addresses. This feature allows you to override any calculated risk score and set it to 100 for IP addresses known to be malicious. For example, if you want to block access from known malicious IP addresses completely, you can add them to a block list. When an IP is on this list, Autonomous Access subjects it to all configured heuristics and machine learning processes, calculates a risk score, and then overrides the calculated risk score by assigning a score of 100, indicating a high-risk state.

Autonomous Access is not a firewall. You must consume the output risk score in a succeeding node in the journey for actionable outcomes. Autonomous Access cannot allow or block any IP address by itself.
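The distributed attack window and the allow/block list overrides described above can be modelled as follows. This is an added example, not Ping Identity's code or the product's implementation. The class and function names, the flag score of 80, and the challenge/deny cut-offs in `journey_outcome` are assumptions. Only the threshold of 7, the 10-minute window, and the 0 and 100 override scores come from the page.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10 * 60  # the page's example window: 10 minutes
IP_THRESHOLD = 7          # the page's example threshold: flag at 8+ distinct IPs
FLAG_SCORE = 80           # assumed score for a raised flag, not a product value

class RiskScorer:
    def __init__(self, allow_ips=(), block_ips=()):
        self.allow_ips, self.block_ips = set(allow_ips), set(block_ips)
        self.attempts = defaultdict(deque)  # user -> (timestamp, ip), oldest first

    def distributed_attack(self, user, ip, ts):
        """Record an attempt; True when distinct IPs in the window exceed the threshold."""
        window = self.attempts[user]
        window.append((ts, ip))
        while window[0][0] <= ts - WINDOW_SECONDS:  # evict attempts older than the window
            window.popleft()
        return len({seen for _, seen in window}) > IP_THRESHOLD

    def score(self, user, ip, ts):
        """Return (risk_score, reasons); timestamps are seconds, in arrival order."""
        if ip in self.allow_ips:
            return 0, ["allow_list"]  # allow list: score 0, heuristics bypassed
        reasons = ["distributed_attack"] if self.distributed_attack(user, ip, ts) else []
        if ip in self.block_ips:
            # Block list: heuristics still ran, then the calculated score is overridden.
            return 100, reasons + ["block_list"]
        return (FLAG_SCORE if reasons else 0), reasons

def journey_outcome(risk_score, challenge_at=50, deny_at=100):
    """Hypothetical downstream node: only this step turns a score into an action."""
    if risk_score >= deny_at:
        return "deny"
    return "challenge" if risk_score >= challenge_at else "allow"

def demo():
    """Replay constructed events: alice from 8 distinct IPs, one per minute."""
    scorer = RiskScorer(allow_ips={"198.51.100.10"}, block_ips={"198.51.100.66"})
    events = [("alice", f"203.0.113.{n}", n * 60) for n in range(1, 9)]
    events += [("bob", "198.51.100.10", 500), ("carol", "198.51.100.66", 510)]
    return [(u, *scorer.score(u, ip, ts)) for u, ip, ts in events]

if __name__ == "__main__":
    for user, risk, reasons in demo():
        print(user, risk, reasons, journey_outcome(risk))
```

In this model, an allow-listed address never reaches the window counter, so a shared VPN egress IP added to the allow list also contributes nothing to later heuristic counts.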