Trust in corporate networks has never been more important. The rapid shift to distributed workforces, and the associated explosion of devices, has dramatically increased cyber threat levels. Organisations are challenged to protect wildly complex cloud-based technology ecosystems in which employees, systems and even partner organisations can pose a threat to valuable systems and data. As a result, Zero Trust has emerged as the de facto cybersecurity framework for doing business.
So much so, in fact, that ‘Markets and Markets’ predicts that worldwide spending on Zero Trust based software and services will grow from $27.4 billion in 2022 to $60.7 billion by 2027. Government initiatives backing Zero Trust frameworks have helped drive adoption, such as the UK National Cyber Strategy and President Biden’s May 2021 executive order (EO 14028), which requires US federal agencies to move to Zero Trust architectures.
Yet despite heightened security awareness, organisations that rely on passwords, even with traditional multi-factor authentication (MFA), remain exposed to cyber threats. Password-based authentication and the most widely deployed first-generation MFA (one-time codes and push approvals) are now a low hurdle for adversaries: both the password and the code can be captured or relayed in real time by adversary-in-the-middle phishing kits, and push prompts can simply be repeated until a tired user accepts one. Cybersecurity-first businesses have realised that phishing-resistant, passwordless authentication is a must-have to achieve Zero Trust and protect against the risk of a costly and potentially devastating breach.
What is Zero Trust?
The NCSC (National Cyber Security Centre) defines a Zero Trust architecture as “an approach to system design where inherent trust in the network is removed. Instead, the network is assumed hostile and each access request is verified, based on an access policy.”
A true Zero Trust framework combines multiple tools and strategies and rests on one golden rule: trust no one by default. No entity (person, device or software module) is trusted implicitly, and every request to access a technology asset must carry enough information to earn that trust. If trust is granted, it extends only to the specific asset required to perform the task, and only for a limited time. Equally, the process of providing the information that earns this trust must be secure, reliable and easy for the requestor.
The role of Zero Trust Authentication
Zero Trust requires strong validation of users through phishing-resistant, passwordless MFA. It also requires establishing trust in the endpoint device used to access apps and data. If you cannot trust the who or the what, all the other parts of a Zero Trust approach are for nought. Authentication has therefore become critical to successful Zero Trust initiatives: it prevents unauthorised access to data and services and lets access control be enforced as granularly as possible.
On a practical level, this authentication must also be effortless, both so that users accept it and so that they do not try to circumvent or degrade security, or bombard the helpdesk for support.
The advantages of phishing-resistant authentication
By eliminating passwords and replacing legacy MFA with strong, phishing-resistant authentication methods, CISOs and team leaders can build the first layer of their Zero Trust architecture. Replacing passwords with FIDO-based passkeys that employ asymmetric cryptography, and pairing them with secure device-based biometrics, creates a phishing-resistant MFA approach. Users are authenticated by proving they possess the enrolled device that is cryptographically bound to their identity, through a combination of a biometric (or PIN) check on the device and an asymmetric challenge-response: the private key never leaves the device, the service holds only the public key, and the signed response covers the origin of the site the user is actually on, so a look-alike phishing site cannot obtain a valid response even if it relays the genuine challenge. This is the same public-key approach as Transport Layer Security (TLS), which we rely on daily to verify the authenticity of a website and to establish an encrypted tunnel we can trust before we share private information.
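To make that mechanism concrete, here is an added example, written for this edit and not code from the article or from any FIDO vendor, that models a WebAuthn-style passkey enrolment and login in Go using only the standard library. The relying party (server) stores a public key and issues random single-use challenges; the authenticator (device) holds the private key scoped to the relying-party ID and signs the RP ID hash together with the hash of the client data, which carries the challenge and the origin the browser is really on. The model is simplified: Ed25519 stands in for the ES256 usually used, the public key doubles as the credential ID, authenticator data is reduced to the RP ID hash (real WebAuthn adds flags and a signature counter), and the hostnames login.example.com and login-example.com.evil are made up. What it shows is that a phishing page on a look-alike domain cannot get a usable response even when it relays the genuine challenge, that client data cannot be altered after signing, and that a captured assertion cannot be replayed.

```go
package main

// Added example, not code from the article or any product: a minimal model of a FIDO2/WebAuthn-style
// passkey login showing where its phishing resistance comes from. Simplified: Ed25519 stands in for
// ES256, the public key doubles as credential ID, authenticator data is just sha256(rpID); hostnames are made up.

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// clientData binds the server's challenge to the origin the user is really visiting.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the relying party receives at login.
type Assertion struct{ CredID, ClientDataJSON, Signature []byte }

// RelyingParty (server side) stores only public keys plus the challenges it has issued but not consumed.
type RelyingParty struct {
	ID, Origin string // e.g. "login.example.com", "https://login.example.com"
	pubKeys    map[string]bool
	pending    map[string]bool
}
func NewRelyingParty(id, origin string) *RelyingParty { return &RelyingParty{id, origin, map[string]bool{}, map[string]bool{}} }

// Authenticator (device side): private keys never leave it, and each is scoped to one RP ID.
type Authenticator struct{ keys map[string]ed25519.PrivateKey }
func NewAuthenticator() *Authenticator { return &Authenticator{map[string]ed25519.PrivateKey{}} }

// Register is the enrolment ceremony: the key pair is born on the device; only the public half goes to the server.
func (a *Authenticator) Register(rp *RelyingParty) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil = crypto/rand, which does not fail on supported platforms
	a.keys[rp.ID] = priv
	rp.pubKeys[string(pub)] = true
}

// signedMessage = sha256(rpID) || sha256(clientDataJSON): RP ID, origin and challenge are all under the signature.
func signedMessage(rpID string, clientDataJSON []byte) []byte {
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(clientDataJSON)
	return append(rpHash[:], cdHash[:]...)
}

// Sign answers a login for rpID and refuses if no credential is scoped to it: a look-alike domain cannot even ask.
func (a *Authenticator) Sign(rpID string, clientDataJSON []byte) (Assertion, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return Assertion{}, fmt.Errorf("no credential for RP ID %q", rpID)
	}
	sig := ed25519.Sign(priv, signedMessage(rpID, clientDataJSON))
	return Assertion{priv.Public().(ed25519.PublicKey), clientDataJSON, sig}, nil
}

// NewChallenge issues a fresh random challenge that Verify will accept exactly once.
func (rp *RelyingParty) NewChallenge() string {
	b := make([]byte, 32)
	_, _ = rand.Read(b) // crypto/rand.Read does not fail on supported platforms
	ch := base64.RawURLEncoding.EncodeToString(b)
	rp.pending[ch] = true
	return ch
}

// Verify runs the checks a relying party must make before accepting a login.
func (rp *RelyingParty) Verify(a Assertion) error {
	var cd clientData
	if !rp.pubKeys[string(a.CredID)] || json.Unmarshal(a.ClientDataJSON, &cd) != nil {
		return fmt.Errorf("unknown credential or malformed client data")
	}
	if !rp.pending[cd.Challenge] {
		return fmt.Errorf("challenge unknown or already used (replay?)")
	}
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin mismatch: %s", cd.Origin)
	}
	if !ed25519.Verify(ed25519.PublicKey(a.CredID), signedMessage(rp.ID, a.ClientDataJSON), a.Signature) {
		return fmt.Errorf("bad signature (tampered client data or wrong RP ID)")
	}
	delete(rp.pending, cd.Challenge) // consume it, so a captured assertion cannot be replayed
	return nil
}

// BrowserLogin models the browser: the RP ID comes from the page's real origin, never from what the page claims.
func BrowserLogin(origin string, auth *Authenticator, challenge string) (Assertion, error) {
	cd, _ := json.Marshal(clientData{Challenge: challenge, Origin: origin})
	return auth.Sign(strings.TrimPrefix(origin, "https://"), cd)
}

func main() {
	rp, auth := NewRelyingParty("login.example.com", "https://login.example.com"), NewAuthenticator()
	auth.Register(rp)
	ch := rp.NewChallenge()
	genuine, _ := BrowserLogin(rp.Origin, auth, ch)
	_, phished := BrowserLogin("https://login-example.com.evil", auth, ch) // AitM proxy relaying the real challenge
	fmt.Printf("phishing site: %v\ngenuine site: %v\nreplay: %v\n", phished, rp.Verify(genuine), rp.Verify(genuine))
}
```

Run with `go run` and the phishing-page login fails inside the authenticator (no credential for the attacker's RP ID), the genuine login verifies, and the replay of the same assertion fails at the relying party because the challenge has already been consumed. The design point is that the browser, not the page's JavaScript, fixes the origin and RP ID that end up under the signature, which is what makes the binding trustworthy; a real relying party additionally checks the signature counter and, where its policy demands it, the attestation statement from enrolment.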
Not only does this type of strong authentication provide significant protection against cyber attacks, but it can also reduce costs and administrative challenges related to password resets and lockouts with traditional MFA tools. Most notably, there are long-term benefits in terms of improving productivity and employee workflows by removing friction from user authentication experiences.
Five requirements for Zero Trust authentication
It’s essential that enterprises on a Zero Trust journey address authentication as early as possible and cover five key requirements as part of this process:
- Strong user validation – if an unauthorised user gains access to your systems, your cybersecurity efforts are reduced to limiting further damage and preventing access to additional resources. Strong validation at the front door avoids that situation.
- Strong device validation – with strong device validation, organisations limit unauthorised “bring your own device” (BYOD) use and grant access only to known devices. During validation, the service verifies that the device is bound to the user and checks the device’s security posture and compliance.
- Low-friction authentication for users and administrators – reducing friction is critical. Passwords and legacy MFA are time-consuming and a drain on productivity. Advanced authentication is easy to adopt and manage, verifying users via the biometric sensor on their device within seconds.
- Integrations with IT management and security tools – collecting as much information as possible about your users, devices and transactions helps when deciding what access to grant. A Zero Trust policy engine requires integrations with data sources and tools to communicate decisions, send alerts to the SOC and share trustworthy log data for auditing purposes.
- Advanced policy engines – a policy engine with an easy-to-use interface lets security teams define the policies, such as required risk levels and risk scores, that control access. Automated policy engines collect data from tens of thousands of devices, including multiple devices for each employee and contractor.
Because using risk scores instead of raw data makes sense in many situations, the engine must also access data from a range of IT management and security controls. After collection, the policy engine evaluates the data and takes the action defined by the policies, such as approving the access request, blocking it, or quarantining a suspicious device.
Minimising risk in the evolving threatscape
Designing an authentication process that is both phishing-resistant and passwordless is a key component of a Zero Trust framework. While it’s a no-brainer in terms of reducing cybersecurity risk, it shouldn’t be underestimated as a way to improve user productivity and the efficiency of the tech team and the wider organisation.
As authentication solutions that rely on passwords and phishable MFA have become inadequate for serious Zero Trust initiatives, advanced authentication gives enterprises a Zero Trust foundation based on continuous assessment of risk, and offers leaders confidence in their tech ecosystems as they evolve, grow and scale.