Policy Engine & Manager

Security and compliance are vital when verifying that someone is who they say they are – but turn the dial too far and it starts to impact customer experience. Callsign’s policy engine helps organizations balance and deliver the two.

What Policy does for Identification

Policies help organizations leverage all the data available to make more effective decisions. For Callsign, this is all about determining what kind of authentication journeys are used in what circumstances, based on what action is being performed, by whom, and how. It’s about keeping digital identities safe and helping organizations comply with regulations, while making sure users can get on without obstacles (unless there is legitimate cause for concern).

On our platform, policies are built using policy manager and executed by the policy engine. This means we can deliver dynamic decisioning via policies that adapt in real time, based on available data and information. All of which makes for quick, seamless, secure identification. Helping people get on.

How the Policy Engine works

Callsign’s policy engine takes the confidence score from the intelligence engine, as well as data from internal sources and third-party applications, and uses it to determine the set of steps a user will go through to confirm that they are who they say they are, where they say they are, and doing what they say they are doing. Or to trigger an alert when something doesn’t seem right. To do this seamlessly and securely, the policy engine has multi-layered capabilities:

Authentication Factors

The policy engine can deploy a number of authentication factors (i.e. the confirmation steps the end user is faced with). These sit across possession, knowledge and inherence. In other words, something the user owns (card or device), something they know (password or PIN), or something inherent (biometrics or behavioral biometrics). Using these, organizations can build multi-factor authentication journeys that are uniquely tailored to their own business, customers, products or services.

Contextual Intelligence

Policies can be built and run using contextual intelligence to define when a particular set of authentication factors will be required – or when to trigger other systems. This can be tailored on a case-by-case basis, whether it’s by brand, channel or customer segments, so policies can be built around your organizational requirements. To gather this context, the engine looks at who is attempting a transaction, through what channel, and with what characteristics.

Dynamic Policies

Unlike with static policies, dynamic policies can respond to contextual intelligence, adapting accordingly in real time. They’re also built using natural language. Meaning users only go through easy-to-understand confirmation steps that are appropriate to the context of what they’re doing.

Regulatory Compliance

Via the policy manager, organizations can easily build policies that align to regulations like PSD2. The manager includes features like PSD2-specific rules and configurable, scalable SCA rulesets. Helping to support crucial compliance, all while reducing friction for the end user.

Engine Visibility

The policy engine platform gives organizations greater visibility into their own authentication landscape. A transparency that delivers huge cost and time savings – helping to reduce costly API calls to third parties, for example. We’ve also built workflow and approval models that are adaptable to the business for 1/2/4/6-eye approvals via role-based access. And to top that off, you’ll have full visibility of your policies and the number of instances they’re used in. Allowing you to make better, data-driven decisions.

What’s more, as the intelligence engine learns more over time, policies can be adapted to ensure the error rate is constantly being reduced. Helping organizations to react at the same pace as the external factors that are affecting their business – like zero-day exploits, for example. This is where the engine really shows off its adaptability, allowing users to test policies thoroughly before they are fully rolled out. All of which minimizes impact on the end user.

Testing capabilities include

Champion | Challenger

Unsure which is the better policy? Passively test an updated or entirely new policy (challenger) against your existing incumbent one (champion), and use performance analytics to decide which one should be deployed.
Technology and industry challenges addressed: currency, supportability, confidence in deployments, accuracy

A | B Testing

Unsure which change will be more effective? Test two variants of a policy in production by randomly passing a percentage of real traffic through each to determine which version is more effective.
Technology and industry challenges addressed: real world testing, multivariate analysis

Time Machine (Simulation)

Making complex changes? Thoroughly test a new policy offline using legacy data, prior to pushing it into production.
Technology and industry challenges addressed: fine tuning and tweaking, large scale analysis

Policy Engine Audit Timeline

Looking for greater insight? Get a visual representation of a user’s journey including what rulesets, policies, external services and resources were called as part of the decision making process.
Technology and industry challenges addressed: investigation and support