Jasson Casey, CTO at Beyond Identity, outlines Zero Trust Authentication – a brand-new concept that seeks to revolutionise how we think about the relationship between authentication and security.
For many years, organisations and their internal systems have been overly reliant on passwords, which are a completely inadequate method of validating users. Representing the weakest link in an organisation’s security chain, passwords can be guessed, obtained through social engineering, or stolen wherever they are handled unencrypted.
Moreover, while security teams have looked to introduce more secure authentication methods, first-generation MFA solutions that combine a password with a second factor such as a one-time password sent via SMS or email, or a push notification, are now regularly bypassed, even by relatively novice adversaries using freely available toolkits.
This is putting organisations at risk. The Verizon Data Breach Report 2022 found credentials were the most likely form of data to be compromised in both the US (66%) and EMEA (67%) whilst more than 80% of data breaches are the direct result of passwords. As a result, authentication and security measures remain a top priority for business leaders worldwide.
So how can businesses ensure their authentication stacks up in today’s threat landscape?
About Zero Trust Authentication
Zero Trust Authentication is a brand-new concept that seeks to revolutionise how we think about the relationship between authentication and security. It was developed in response to the failure of traditional authentication methods.
The traditional approach to security was to establish a perimeter around the network and trust users and devices within that perimeter.
However, the shift to the cloud coupled with new hybrid and remote working models means users are working and accessing resources from anywhere. As a result, the perimeter-based model has failed.
With a zero trust approach, there is no network-based perimeter, and no implicit trust is granted. Instead, each user and each device needs to prove it is trustworthy; Zero Trust Authentication is therefore a core element of any complete zero trust strategy.
However, until now, authentication has been a neglected component of many zero trust strategies, leaving organisations vulnerable. Indeed, if an organisation implements most of the zero trust elements perfectly but continues to rely upon failed methods of authentication, its efforts will not yield the intended result: stopping adversaries from breaching systems, taking over accounts, or deploying ransomware.
By adopting the Zero Trust Authentication framework, organisations can expect to overcome the limitations of passwords and legacy multi-factor authentication (MFA) and instead focus on implementing more robust security strategies to provide greater protection.
The seven key principles of Zero Trust Authentication
The Zero Trust Authentication approach includes a set of practical requirements that any organisation can use to measure their current identity practices and adopt to insulate their workforces and customers from everyday attacks.
1. Passwordless
According to Verizon, 81% of hacking-related data breaches in 2022 were the result of weak or stolen passwords. Clearly, greater protection is required to keep businesses and customers safe.
The solution? Go Passwordless.
The best way to employ a cybersecurity strategy is to remove password use or other shared secrets that can be easily obtained from users, captured on networks, or hacked from databases.
2. Phishing resistant
The attacks employed by cybercriminals to access important information from companies and their users remain rife. In fact, AI technology such as ChatGPT means attackers can generate realistic phishing emails in a matter of seconds. Therefore, it is crucial that businesses have a security strategy that gives no opportunity to obtain codes, magic links, or other authentication factors through phishing, adversary-in-the-middle, or other attacks.
Products meeting this test use only strong credentials, such as FIDO passkeys and the biometrics built into the device. These credentials are securely stored on the device, and the private keys never leave it or cross the network.
But to meet the full ‘phishing resistant’ test, the architecture of these products also has to provide what is called ‘verifier impersonation protection’, a formal way of saying that they are resistant to proxy-based adversary-in-the-middle tactics: a credential presented to a look-alike site cannot be relayed to the genuine one.
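To make ‘verifier impersonation protection’ concrete, the following added example (not Beyond Identity’s code, nor any product’s) simulates the relying-party checks a FIDO/WebAuthn verifier performs. The relying party name, origins, and challenge values are constructed, and an HMAC key stands in for the credential’s asymmetric private key so the script runs with the standard library alone; that substitution is an assumption made for brevity, not how real authenticators sign. The security-relevant behaviour is faithful: the browser, not the user, fills in the origin it actually connected to, the authenticator signs over that data, and the verifier rejects anything signed for a different origin or with a stale challenge. (In a real deployment a look-alike site would not even be offered the credential, because the authenticator scopes it to the relying-party ID; the check below is the second line of defence.)

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample relying party (assumed names, not a real service).
RP_ID = "login.example.com"
RP_ORIGIN = "https://login.example.com"


def register_credential(rp_id):
    """Authenticator mints a credential scoped to one relying-party ID.
    The HMAC key is a stand-in for the private key of a real key pair."""
    return {"id": secrets.token_hex(8), "rp_id": rp_id, "key": secrets.token_bytes(32)}


def authenticator_sign(credential, challenge, browser_origin):
    """Browser and authenticator side of a sign-in ceremony.

    The browser writes the origin it is actually connected to into the client
    data; the user cannot edit it, and the authenticator signs its hash.
    """
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
        sort_keys=True,
    ).encode()
    digest = hashlib.sha256(client_data).digest()
    signature = hmac.new(credential["key"], digest, hashlib.sha256).digest()
    return {"credential_id": credential["id"], "client_data": client_data, "signature": signature}


def verify_assertion(registered, assertion, expected_challenge, expected_origin):
    """Relying-party checks in the order a verifier performs them.
    Returns (accepted, reason) so the caller can log the exact failure."""
    if assertion["credential_id"] != registered["id"]:
        return False, "unknown credential"
    data = json.loads(assertion["client_data"])
    if data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or stale response)"
    if data.get("origin") != expected_origin:
        return False, f"origin mismatch: signed for {data.get('origin')!r}"
    digest = hashlib.sha256(assertion["client_data"]).digest()
    expected_sig = hmac.new(registered["key"], digest, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False, "bad signature (client data altered after signing)"
    return True, "ok"


def tampered_client_data(assertion, new_origin):
    """Verifier-side test case: client data whose origin field was edited after
    signing. Shows that the signature check catches edits the origin check
    alone would miss."""
    data = json.loads(assertion["client_data"])
    data["origin"] = new_origin
    patched = dict(assertion)
    patched["client_data"] = json.dumps(data, sort_keys=True).encode()
    return patched


def demo():
    """Three outcomes: genuine sign-in, relayed sign-in, edited relayed sign-in."""
    cred = register_credential(RP_ID)
    challenge = secrets.token_urlsafe(16)
    genuine = verify_assertion(cred, authenticator_sign(cred, challenge, RP_ORIGIN), challenge, RP_ORIGIN)
    # Same challenge reaching the user's browser via a look-alike origin (constructed name).
    relayed = authenticator_sign(cred, challenge, "https://login.example.com.lookalike.test")
    proxied = verify_assertion(cred, relayed, challenge, RP_ORIGIN)
    edited = verify_assertion(cred, tampered_client_data(relayed, RP_ORIGIN), challenge, RP_ORIGIN)
    return genuine, proxied, edited


if __name__ == "__main__":
    for label, result in zip(("genuine", "relayed", "edited"), demo()):
        print(f"{label:8s} -> {result}")
```

The order of checks matters for operations: logging the reason string lets a SOC distinguish a stale replay (challenge mismatch) from a credential presented to the wrong site (origin mismatch), which is the signal that a user was actually on a phishing page.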
3. User device validation
Many cyber risks arise from bots and automated systems that seek access to sensitive information by presenting themselves as a legitimate user device.
To ensure complete protection, cyber prevention software must validate requesting devices, ensuring these are bound to a user and authorised to access information assets and applications.
4. Assessing device security posture
To operate effectively, systems need to be able to determine whether devices comply with security policies by checking that appropriate security settings are enabled, and security software is actively running.
This can be achieved through a Network Access Control (NAC) system, which prevents risky devices from connecting to an organisation’s network.
5. Risk signal analysis
From a cybersecurity perspective, risk signals can arise in several ways from malware to software supply chain attacks.
Therefore, it is important that security systems can ingest and analyse data from endpoints and security and IT management tools.
6. Continuous risk assessment
Even once users have confirmed their identity and signed into their computer system, hackers are still capable of obtaining information and control.
To prevent this, the security system must be able to evaluate risk throughout a session rather than relying on one-time authentication.
7. Integration with the security infrastructure
Lastly, modern MFA must integrate with the wider security ecosystem to improve the level of protection provided, incorporating additional risk signals and taking action such as quarantining a suspicious device or removing it from the network before harm can be done.
This integration should also help accelerate responses to suspicious behaviours and improve audit and compliance reporting.
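Principles 4 to 7 describe one control loop: check device posture, ingest risk signals from other tools, re-evaluate throughout the session, and act on the result. The following added example (written for this page, not drawn from Beyond Identity or any product) implements that loop as a small policy engine over constructed input. The posture fields, signal names, weights and thresholds are assumptions chosen to make the decisions visible; a real deployment would take them from its own MDM, EDR and SIEM feeds and tune them.

```python
from dataclasses import dataclass

# Constructed policy thresholds (assumptions, tuned per deployment).
MAX_PATCH_AGE_DAYS = 30
STEP_UP_SCORE = 40      # at or above: demand a fresh authentication
TERMINATE_SCORE = 70    # at or above: end the session and quarantine the device


@dataclass
class DevicePosture:
    """Principle 4: the settings and software state the device reports."""
    disk_encrypted: bool
    firewall_enabled: bool
    edr_running: bool
    patch_age_days: int


def posture_violations(posture):
    """Return each policy control the device currently fails."""
    failed = []
    if not posture.disk_encrypted:
        failed.append("disk not encrypted")
    if not posture.firewall_enabled:
        failed.append("firewall disabled")
    if not posture.edr_running:
        failed.append("EDR agent not running")
    if posture.patch_age_days > MAX_PATCH_AGE_DAYS:
        failed.append(f"patches older than {MAX_PATCH_AGE_DAYS} days")
    return failed


# Principle 5: signals ingested from other tools, keyed as "source:event".
# Names and weights are constructed for the example.
SIGNAL_WEIGHTS = {
    "edr:malware_detected": 80,
    "edr:agent_stopped": 50,
    "siem:impossible_travel": 45,
    "mdm:jailbreak_detected": 60,
    "dlp:bulk_download": 30,
}
UNKNOWN_SIGNAL_WEIGHT = 10   # unrecognised signals still raise the score a little


def risk_score(posture, signals):
    """Combine posture failures and active signals into a 0-100 score."""
    score = 15 * len(posture_violations(posture))
    score += sum(SIGNAL_WEIGHTS.get(s, UNKNOWN_SIGNAL_WEIGHT) for s in signals)
    return min(score, 100)


def decide(score):
    """Principle 7: map the score to the action the integration takes."""
    if score >= TERMINATE_SCORE:
        return "terminate"
    if score >= STEP_UP_SCORE:
        return "step_up"
    return "allow"


def evaluate_session(events):
    """Principle 6: re-evaluate at every event, not only at sign-in.

    events is a list of (posture, new_signals); signals accumulate for the
    life of the session. Returns one (score, decision) per evaluated event
    and stops at the first "terminate", since the session no longer exists.
    """
    decisions = []
    active_signals = []
    for posture, new_signals in events:
        active_signals.extend(new_signals)
        score = risk_score(posture, active_signals)
        decision = decide(score)
        decisions.append((score, decision))
        if decision == "terminate":
            break
    return decisions


def demo_session():
    """Constructed session: healthy sign-in, then the EDR agent stops, then a
    SIEM impossible-travel alert arrives. The fourth event is never reached."""
    healthy = DevicePosture(True, True, True, patch_age_days=5)
    edr_down = DevicePosture(True, True, False, patch_age_days=5)
    events = [
        (healthy, []),
        (edr_down, ["edr:agent_stopped"]),
        (edr_down, ["siem:impossible_travel"]),
        (healthy, []),
    ]
    return evaluate_session(events)


if __name__ == "__main__":
    for step, (score, decision) in enumerate(demo_session(), 1):
        print(f"event {step}: score={score:3d} -> {decision}")
```

Two design points worth noting: signals accumulate rather than being judged one at a time, so a sequence of individually tolerable events still crosses the step-up threshold, and the engine returns structured decisions rather than printing them, so the same output can drive both the enforcement action and the audit record principle 7 calls for.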
Whilst implementing Zero Trust Authentication and its seven key principles might appear a lengthy task for an organisation’s cybersecurity team, adopting this approach is crucial for any company that seeks to have full protection through a robust security strategy.
The seven key practical requirements provide vital insight into measuring current identity practices and continuing to insulate companies and their workers from everyday attacks.
For every organisation, no matter the industry or sector, cybersecurity strategy must remain one of their key priorities.
The Zero Trust Authentication concept helps to simplify that strategy and makes protection easier to understand. Adhere to these seven principles and you ensure complete defence.