Best practices for zero-trust authentication

The rapid shift towards more remote working and the associated explosion of devices has dramatically increased the number of cyber threats. Against this backdrop, organizations face the challenge of protecting their highly complex cloud-based technology ecosystems, as employees, software and even partner organizations can pose a threat to the security of valuable systems and data. As a consequence, the zero-trust approach has established itself as a popular security framework.

In a zero-trust architecture, the inherent trust in the network is removed. Instead, the network is classified as hostile and each access request is reviewed based on an access policy. An effective zero-trust framework combines multiple tools and strategies and is based on one golden rule: trust no one. Instead, each entity (person, device, or software module) and each access request to technology resources must provide enough information to earn that trust. If access is granted, it applies only to the specific asset needed to perform a task and only for a limited period of time.

The role of zero-trust authentication

Because password-based, traditional multi-factor authentication (MFA) can be easily exploited by cybercriminals, an effective zero-trust approach requires strong user validation through phishing-resistant, passwordless MFA. It also requires establishing trust in the endpoint device used to access applications and data. If organizations cannot trust the user or their device, all other components of a zero-trust approach are useless. Authentication is therefore critical to a successful zero-trust architecture, as it prevents unauthorized access to data and services and makes access control enforcement as granular as possible. In practice, this authentication must be as frictionless and user-friendly as possible so that users do not bypass it or bombard the help desk with support requests.

The advantages of passwordless authentication

Replacing traditional MFA with strong, passwordless authentication methods lets security teams build the first layer of their zero-trust architecture. Replacing passwords with FIDO-based passkeys that use asymmetric cryptography, and combining them with secure device-based biometrics, creates a phishing-resistant MFA approach. Users are authenticated by proving that they possess the enrolled device, which is cryptographically bound to their identity, through a combination of biometric authentication and an asymmetric cryptographic transaction. The same technology is used in Transport Layer Security (TLS), which proves the authenticity of a website and establishes an encrypted tunnel before users exchange sensitive information, for example in online banking.
This strong authentication method not only provides significant protection against cyberattacks, but can also reduce the cost and administrative effort of the password resets and account lockouts that come with traditional MFA tools. Most importantly, there are long-term benefits in workflow and employee productivity, because the authentication is designed to be particularly user-friendly and frictionless.
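As an added illustration of the proof-of-possession flow the two paragraphs above describe (example code written for this page, not from the original article or from any FIDO/WebAuthn implementation), the Go model below has an enrolled device sign a per-login challenge together with the origin the browser observed, and the relying party verify the result against the public key it stored at enrolment. The clientData shape, the function names and the origins are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// clientData goes under the signature; a constructed shape that only loosely follows WebAuthn.
type clientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"` // set by the browser from the page it is really on
}

// Assertion is what the enrolled device returns to the relying party: no secret inside.
type Assertion struct {
	ClientDataJSON []byte
	Signature      []byte
}

// NewChallenge is issued by the relying party, fresh for every login attempt.
func NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil { panic(err) }
	return c
}

// Sign models the enrolled device: the private key never leaves it, and the signed data
// names the origin the browser actually saw, not the one the user believes they are on.
func Sign(priv ed25519.PrivateKey, origin string, challenge []byte) Assertion {
	cd, _ := json.Marshal(clientData{Challenge: challenge, Origin: origin})
	return Assertion{ClientDataJSON: cd, Signature: ed25519.Sign(priv, cd)}
}

// Verify is the relying-party check against the public key stored at enrolment.
func Verify(pub ed25519.PublicKey, origin string, challenge []byte, a Assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil { return err }
	switch {
	case cd.Origin != origin:
		return errors.New("origin mismatch: assertion was produced for another site")
	case !bytes.Equal(cd.Challenge, challenge):
		return errors.New("challenge mismatch: stale or replayed assertion")
	case !ed25519.Verify(pub, a.ClientDataJSON, a.Signature):
		return errors.New("signature does not verify under the enrolled public key")
	}
	return nil
}
```

Nothing reusable crosses the network: the assertion is only valid for this origin, this challenge and this enrolled key, which is what makes the factor phishing-resistant.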

Zero-trust authentication requirements at a glance

It is important that organizations looking to implement a zero-trust framework address authentication as early as possible. In doing so, they should pay attention to the following points:

1. Strong user validation: A strong factor for confirming a user's identity is proof of possession of their assigned device, provided when the authorized user verifiably authenticates on that device. To achieve this, the device's identity is cryptographically bound to the user's identity. These two factors eliminate passwords or other cryptographic secrets that cybercriminals can retrieve from a device, intercept on the network, or elicit from users through social engineering.

2. Strong device validation: With strong device validation, organizations prevent the use of unauthorized BYOD devices by granting access only to known, trusted devices. The validation process verifies that the device is bound to the user and meets the required security and compliance requirements.

3. User-friendly authentication for users and administrators: Passwords and traditional MFA are time-consuming and hurt productivity. Passwordless authentication is easy to deploy and manage, and verifies users within seconds via the biometric sensor on their device.

4. Integration with IT management and security tools: Gathering as much information as possible about users, devices, and transactions greatly helps the access decision. A zero-trust policy engine needs integrations with data sources and other software tools to make correct decisions, send alerts to the SOC, and share trustworthy log data for auditing.

5. Advanced policy engines: A policy engine with an easy-to-use interface lets security teams define the policies, such as risk levels and risk scores, that control access. Automated policy engines help collect data from tens of thousands of devices, including multiple devices belonging to both internal employees and external service providers. Because risk scores are more useful than raw data in many situations, the engine must also draw on data from a range of IT management and security tools. Once the data is collected, the policy engine evaluates it and takes the action the policy specifies, such as approving or blocking access or quarantining a suspicious device.
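The hard-rule-then-score evaluation that items 2, 4 and 5 describe, as an added example in Go (constructed for this page, not the article's or any vendor's engine): the posture fields, weights and thresholds are assumptions, and the point to note is that an unenrolled device is denied before any scoring, and stale telemetry is treated as risk rather than as absence of risk.

```go
package main

import "time"

// Decision is the action the policy engine takes for one access request.
type Decision string

const Allow, Deny, Quarantine Decision = "allow", "deny", "quarantine"

// Posture is device telemetry from IT management and security tools (fields constructed here).
type Posture struct {
	Enrolled      bool // device cryptographically bound to the user at enrolment
	DiskEncrypted bool
	EDRRunning    bool
	PatchAgeDays  int
	CollectedAt   time.Time // when this telemetry was last refreshed
}

// Policy holds the thresholds the security team configures.
type Policy struct {
	MaxRisk        int           // highest score that is still allowed
	QuarantineFrom int           // score at which the device is isolated rather than merely denied
	MaxSignalAge   time.Duration // telemetry older than this is not trusted
}

// RiskScore collapses raw posture into one number; the weights are illustrative.
func RiskScore(p Posture) int {
	score := 0
	if !p.DiskEncrypted { score += 40 }
	if !p.EDRRunning { score += 50 }
	if p.PatchAgeDays > 30 { score += 20 }
	return score
}

// Evaluate applies hard rules first, then the score band; the reason is what gets logged and sent to the SOC.
func Evaluate(pol Policy, p Posture, now time.Time) (Decision, string) {
	if !p.Enrolled {
		return Deny, "unknown device: not bound to any user"
	}
	if now.Sub(p.CollectedAt) > pol.MaxSignalAge {
		return Quarantine, "posture data too old to trust: fail closed, not open"
	}
	switch score := RiskScore(p); {
	case score >= pol.QuarantineFrom:
		return Quarantine, "risk score above quarantine threshold"
	case score > pol.MaxRisk:
		return Deny, "risk score above allowed maximum"
	}
	return Allow, "policy satisfied"
}
```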

Traditional password-based multi-factor authentication is now a very low hurdle for attackers. An authentication process that is both phishing-resistant and passwordless is therefore a key component of a zero-trust framework. This not only significantly reduces cybersecurity risks, but also improves employee productivity and IT team efficiency.
