2023: Zero Trust authentication is on the horizon
Trust in corporate networks has never been more important. The rapid adjustment to more distributed workforces -- and an associated explosion of devices -- has dramatically increased cyber threat levels. As a result, Zero Trust has emerged as the de facto cybersecurity framework for operating in the business.
The NCSC (National Cyber Security Center) defines a Zero Trust architecture as "an approach to system design where inherent trust in the network is removed. Instead, the network is assumed hostile and each access request is verified, based on an access policy."
Zero Trust requires strong validation of users through phishing-resistant, passwordless MFA. It also requires the establishment of trust in the endpoint device used to access apps and data. If you can trust the who or the what, all the other parts of a Zero Trust approach are for nought. Authentication has therefore become critical for successful Zero Trust initiatives as it prevents unauthorized access to data and services as well as making access control enforcement as granular as possible.
Five authentication requirements:
It’s essential that enterprises on a Zero Trust journey address authentication as early as possible, using the below requirements as a guide:
- Strong user validation -- If an unauthorized user gains access to your system, your cybersecurity efforts are then limited to reducing further risk and preventing access to additional resources.
- Strong device validation -- with strong device validation, organizations limit unauthorized "bring your own device" (BYOD) and grant access only to known devices.
- Low-friction authentication for users and administrators -- reducing friction is critical. Passwords and MFA are time-consuming tasks and a drain on productivity. Advanced authentication is easy to adopt and manage, verifying users via a biometric scanner on their device within seconds.
- Integrations with IT management and security tools -- collecting as much information about your users, devices, and transactions really helps when deciding what access to grant. A Zero Trust policy engine will require integrations to data sources and tools to properly communicate decisions, send alerts to the SOC, and share trustworthy log data for auditing purposes.
- Advanced policy engines -- the use of a policy engine with an easy-to-use interface allows security teams to define policies such as risk level and risk scores that control access. Automated policy engines help collect data from tens of thousands of devices, including multiple devices for both employees and contractors.
Limiting risk in the evolving threatscape
Designing an authentication process that is both phishing resistant and passwordless must be a key component of a Zero Trust framework. While it’s a no-brainer in reducing cybersecurity risk, it shouldn’t be underestimated as a way to improve user productivity and efficiencies of the tech team and the wider organization.
As authentication solutions that rely on passwords and phishable MFA have become irrelevant to serious Zero Trust initiatives, advanced authentication provides enterprises with effective Zero Trust initiatives based on the continuous assessment of risk and offers leaders confidence in their tech ecosystems as they evolve, grow and scale.
Jasson Casey is Chief Technology Officer at Beyond Identity.