It’s true that the principle of Zero Trust might be right for this moment; after all, work-from-home and hybrid work policies are becoming the norm, as are cloud applications. However, many organisations may struggle with the reality of what’s involved in a Zero Trust framework or infrastructure. After years of defending the network boundary, it takes a change of mindset to treat the network as untrusted and verify every connection attempt on its own merits.
At its core, Zero Trust should start with strong user authentication and the chosen authentication method should not hamper user productivity. Therefore, organisations need to look first at how users establish their identity and consider the level of trust that can be attributed to that mechanism. The truth is, if authentication is by passwords alone, there is no assurance of security, no matter how robust the rest of the Zero Trust strategy is. Yet despite this, a recent survey of work-from-anywhere cybersecurity practices at companies in the UK, France and Germany revealed that less than a quarter (22%) of respondents had implemented two-factor authentication (2FA). That’s a problem for Zero Trust, because going forward with such a model depends on having a strong level of trust in the authentication mechanisms of every user, from every device.
Strong authentication needs to be a foundational building block of the Zero Trust strategy. With that in mind, what are the key strong authentication best practices organisations need to adopt in order to ensure Zero Trust is correctly supported?
1. Choose strong authentication based on open standards
By decoupling authentication from the identity and access management (IAM) platform, and by choosing an authenticator built on open standards such as FIDO2/WebAuthn or smart card (PIV) certificates, the same credential can be verified by any conforming IAM solution rather than only by the vendor that issued it. That way, when users are moved to a new IAM system, or given access to a non-federated application, they can keep working with the same authenticator within minutes instead of weeks.
2. All accounts must be considered
Service accounts, as well as user accounts, need to be heavily protected, monitored, and properly scoped. Too often, these accounts are protected with static passwords or long-lived API secrets. That isn’t sufficient, but unfortunately a number of IT and other systems have limited authentication options for non-interactive accounts. However, they can often make use of certificate-based authentication, with the private key generated and held in a hardware security module (HSM) so that it cannot be copied off the host. HSMs are dedicated security hardware that comes in different sizes, from large physical appliances to small USB devices.
3. Cryptographically-based signing is key
It has been possible for quite some time to digitally sign electronic documents, and personal authenticators and inexpensive HSMs now make this easier and stronger. Cryptographically-based signing, backed by hardware, gives the verifier assurance that the content has not been altered since it was signed and that the signature was produced with a key that only the signer’s hardware holds.
4. Validate devices
Strong authentication, such as that provided by a hardware device, supports a Zero Trust approach, but it is still very important to validate the device itself to ensure it is genuine and not compromised. Attestation validates that the authenticator hardware is from a trusted manufacturer and that the credentials it generates were created on that hardware rather than in software or on a cloned device. Attestation relies on a key pair and certificate provisioned in the device during manufacturing; the certificate, signed by the manufacturer, carries details such as manufacturer and device model. When a new credential is registered, the device signs the registration with its attestation key, and the relying party verifies that signature and chains the certificate back to the manufacturer’s root before trusting the credential. Attestation concepts are built into the FIDO2/WebAuthn standards, and some vendors also include attestation capabilities for smart card deployments.
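The registration-time attestation check described above, as an added example that is not code from the original article or from any vendor's library: a Go program (standard library only) that plays manufacturer, device and relying party. The vendor and model names, the constructed client-data hash and the simplified attestation structure are assumptions for illustration (a real WebAuthn packed attestation is CBOR-encoded and carries more fields). The relying-party checks are the ones the FIDO2/WebAuthn registration ceremony requires: chain the attestation certificate to a trusted root, verify the signature over authenticator data plus client-data hash, and confirm the RP ID hash. The same hardware-backed signing underlies point 3 above.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Device stands in for one hardware authenticator and the vendor that built it.
type Device struct {
	Root       *x509.Certificate // vendor attestation root: all a relying party holds
	attestCert *x509.Certificate // provisioned at manufacture; subject O=vendor, CN=model
	attestKey  *ecdsa.PrivateKey // provisioned at manufacture; never leaves the device
}

// Attestation is a simplified stand-in for a WebAuthn "packed" attestation statement.
type Attestation struct {
	AuthData   []byte            // rpIdHash || flags || counter || credential public key (DER)
	AttestCert *x509.Certificate // attestation certificate presented by the device
	Sig        []byte            // ECDSA by attestKey over SHA-256(AuthData || clientDataHash)
}

func newCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().AddDate(10, 0, 0)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Manufacture creates a vendor root and provisions one device of the given model under it.
func Manufacture(vendor, model string) (*Device, error) {
	rootKey, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	attKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err1 != nil || err2 != nil {
		return nil, fmt.Errorf("key generation failed: %v %v", err1, err2)
	}
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, Subject: pkix.Name{Organization: []string{vendor}, CommonName: vendor + " Root"}}
	root, err := newCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	devTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), KeyUsage: x509.KeyUsageDigitalSignature,
		Subject: pkix.Name{Organization: []string{vendor}, CommonName: model}}
	cert, err := newCert(devTmpl, root, &attKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return &Device{Root: root, attestCert: cert, attestKey: attKey}, nil
}

// MakeCredential generates a fresh per-site credential key for rpID and attests it:
// the signature proves the key was generated on a device holding attestKey.
func (d *Device) MakeCredential(rpID string, clientDataHash []byte) (*Attestation, error) {
	credKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stays on the device for later sign-ins
	if err != nil {
		return nil, err
	}
	credDER, _ := x509.MarshalPKIXPublicKey(&credKey.PublicKey) // cannot fail for a P-256 key
	rpHash := sha256.Sum256([]byte(rpID))
	// flags 0x41 = user present + attested credential data; signature counter = 1
	authData := append(append(rpHash[:], 0x41, 0, 0, 0, 1), credDER...)
	digest := sha256.Sum256(append(append([]byte{}, authData...), clientDataHash...))
	sig, err := ecdsa.SignASN1(rand.Reader, d.attestKey, digest[:])
	if err != nil {
		return nil, err
	}
	return &Attestation{AuthData: authData, AttestCert: d.attestCert, Sig: sig}, nil
}

// VerifyAttestation is the relying-party side: chain the certificate to a trusted root,
// verify the signature, then check the authenticator data is for this rpID. It returns
// the manufacturer (O) and model (CN); the credential key itself is AuthData[37:].
func VerifyAttestation(att *Attestation, rpID string, clientDataHash []byte, roots *x509.CertPool) (string, string, error) {
	if _, err := att.AttestCert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return "", "", fmt.Errorf("attestation certificate does not chain to a trusted root: %w", err)
	}
	pub, ok := att.AttestCert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(append(append([]byte{}, att.AuthData...), clientDataHash...))
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], att.Sig) {
		return "", "", fmt.Errorf("attestation signature invalid")
	}
	want := sha256.Sum256([]byte(rpID))
	if len(att.AuthData) < 37 || !bytes.Equal(att.AuthData[:32], want[:]) {
		return "", "", fmt.Errorf("authenticator data is not for rpID %q", rpID)
	}
	return att.AttestCert.Subject.Organization[0], att.AttestCert.Subject.CommonName, nil
}
```

A device built by a second vendor whose root is not in the pool fails the first check even if it reports the same model name, which is the point of attestation: the model string is only believed because the manufacturer's root vouches for the certificate that carries it. Flipping one byte of the authenticator data fails the second check, and a registration meant for another RP ID fails the third.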
5. Remember risk
A trusted strong authentication approach allows for step-up authentication based on risk. This protects the user and the organisation while preserving productivity, because the extra step is only demanded when the risk warrants it. Real-time risk-based access policies, such as those implemented in a Zero Trust framework, are driven by signals (device state, location, the authenticator used) combined into a risk score. A hardware-based, highly trusted strong authentication method contributes a high trust score to that calculation, which in turn can justify granting higher-privileged access.
6. Purpose-build phishing resistance
The survey into work-from-home cybersecurity cited earlier tells us that, where companies have implemented 2FA, mobile authentication apps and SMS one-time passcodes (OTPs) are the most popular methods.
It’s true that these basic forms of 2FA provide a higher level of security than username/password alone, but they remain vulnerable to real-time phishing and man-in-the-middle attacks, in which a look-alike site collects the code and relays it to the real service before it expires. OTPs sent via SMS can also fall into the wrong hands as a result of ‘SIM-swap’ fraud, and employees can be tricked into reading them out to a would-be attacker if they’re persuaded it’s a legitimate request. The underlying weakness is the same in each case: the code is a shared secret that carries no information about where it is being used, so the service cannot tell a relayed code from a genuine one.
A strong, phishing-resistant authentication solution should be purpose-built, with the credential cryptographically bound to the site it was registered with, so that a response obtained on a look-alike site is worthless on the real one. It should also reduce, not add to, authentication complexity. A dedicated security-focused device that is simple to use heightens security without an impact on productivity and also allows for easy and consistent monitoring.
7. Plan for a passwordless future
Achieving secure passwordless login across desktop and mobile requires a rich ecosystem and a consistent framework for authentication. An ecosystem built on open FIDO2/WebAuthn standards is best placed to deliver security and usability, while also satisfying the need for portability, compatibility, interoperability and scale.
Modern multi-factor authentication (MFA) is essential to prevent network access through stolen passwords. Now that the industry is moving away from symmetric, shared secrets (passwords, OTPs) towards asymmetric credentials whose private keys are bound to physical devices, it’s more important than ever to start with strong authentication if Zero Trust is to become a reality.