7 strong authentication practices for zero trust

As organizations grapple with protecting data and infrastructure in the era of cloud technology and remote working, Yubico’s Chad Thunberg argues that strong authentication should sit at the heart of zero trust plans.

Zero trust is built on the principle that organizations should frequently reestablish trust with individuals and devices attempting access to information. It’s a departure from a perimeter protection framework in which gaining access from outside is difficult, but everyone inside is implicitly trusted (or at least trusted more). Such traditional IT network security contributes to the frequency and impact of security events; the model is untenable in most use cases.

Why authentication matters

The rise in high-impact incidents and evolving infrastructure should have us all reassessing our authentication protocols. Although the field is littered with buzzwords and competing stories shaped by what vendors are trying to sell, zero trust concepts are compelling. Indeed, our day-to-day conversations with customers are often focused on supporting their zero trust initiatives.

With zero trust, it is imperative to establish a strong proof of identity. Every user attempting to access data will have to be authenticated. Every device will have to meet minimum security and health requirements, even if they are known assets. Users should re-authenticate more frequently, so the method should not only be effective, but efficient. 

First, consider how users prove their identity and how much confidence can be placed in that proof. One thing is certain: passwords on their own are not strong enough in the face of the techniques attackers currently employ. Nor are passwords particularly user-friendly when we consider storage, length, complexity, and rotation requirements (periodic rotation is no longer considered a best practice).

The following best practices should be considered as part of the zero trust journey: 

1. Phishing-resistance

Phishing is commonly used to extract credentials from unwitting targets in order to gain access to data, systems or applications. Passwords are obviously not resilient to phishing, but neither are one-time passwords fully resilient against some attack types. Despite this, research tells us that SMS one-time passcodes (OTPs) and mobile authentication apps are the most popular two-factor authentication (2FA) methods. Authentication needs to be phishing-resistant, should work across multiple device types, and should support higher-security work environments that restrict mobile devices. Solutions that meet all of these criteria and don’t require deployment of client-side software are ideal!

2. Secure

It goes without saying, but the authentication method should be resilient to attack from a capable and persistent attacker. Dedicated, purpose-built devices include hardware security keys. With this form of authentication, users register their key with the applications and devices they use. To log in, they present the key during the authentication process to prove their identity. Complex cryptographic operations that take place in the background confirm that both the user and the service they are connecting to are genuine.

Such strong authentication supports a zero trust approach but even with this, the hardware security device should still be validated. That’s where attestation comes in. It validates that the device comes from a trusted manufacturer and that the access credentials it generates haven’t been cloned.

3. Identity and Access Management

Federated identity enables highly automated, centralized identity and access management across the enterprise and the cloud. Choosing an identity platform that supports FIDO authentication protocols, in addition to OpenID Connect and SAML 2, will enable the use of a strong proof-of-identity solution across the majority of applications, including on-premises, cloud-hosted, and SaaS. The user experience will also improve with single sign-on and fewer password-management headaches. This in turn should lead to wider adoption and improved security.

4. Non-user accounts

Securing user accounts is often not enough. Service accounts often rely on static, long-lived credentials that can end up in source control platforms, on network file systems, and on laptops. Asymmetric cryptography backed by a hardware security module (HSM) mitigates the threat of stolen credentials. HSMs can also provide attestations that increase confidence in where the keypair was generated and in its non-exportable status.

5. Digital signatures

Most organizations are now familiar with digital signing of electronic documents. The same principle can extend to other artifacts such as email, code commits, and software releases. Digital signatures can provide assurances that an authenticated person did the work and provide a means to detect if the work was modified after it was signed. Hardware-based authenticators and HSMs make signing electronically easier and stronger. 

6. Step-up authentication based on risk

Risk-based access control policies driven by signals and risk scores protect users and the organization while increasing productivity. It is possible to implement automated controls that increase authentication requirements, and expectations of the client endpoint, based on the type of information being accessed, the location of the individual, and whether the behaviour deviates from expected patterns. Authenticators that support a multitude of authentication protocols provide flexibility in the implementation and a gradient of security appropriate for the moment.
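A worked illustration of the step-up logic described above, added here as example code rather than anything from the article or from Yubico: it combines a data classification with risk signals (unknown device, unusual location, stale login) to arrive at a required assurance level, then compares that with what the session already proved via the OIDC `amr` claim (RFC 8176 method names). The classification tiers, the level ranking and the `Session` fields are assumptions for the example.

```python
from dataclasses import dataclass, field

# Authentication Method Reference values (the OIDC "amr" claim, RFC 8176), ranked by
# the assurance this example assigns them: shared secrets low, hardware-backed keys high.
AMR_LEVEL = {"pwd": 1, "sms": 2, "otp": 2, "swk": 3, "hwk": 4}
STEP_UP_METHOD = {1: "pwd", 2: "otp", 3: "swk", 4: "hwk"}
# Constructed data-classification scheme and the baseline level each tier demands.
DATA_LEVEL = {"public": 1, "internal": 2, "confidential": 3, "restricted": 4}


@dataclass
class Session:
    amr: list            # methods used at the last authentication, e.g. ["pwd", "otp"]
    auth_time: int       # epoch seconds of that authentication (OIDC auth_time)
    known_device: bool   # endpoint is a registered asset that passed posture checks
    usual_country: bool  # location matches the user's normal pattern


@dataclass
class Decision:
    action: str          # "allow" or "step-up"
    required_level: int
    step_up_with: str = ""
    reasons: list = field(default_factory=list)


def evaluate(session: Session, classification: str, now: int, max_age_s: int = 3600) -> Decision:
    """Combine data sensitivity with risk signals, then compare against what the session proved."""
    reasons = []
    required = DATA_LEVEL[classification]
    if not session.known_device:
        required += 1
        reasons.append("unknown device")
    if not session.usual_country:
        required += 1
        reasons.append("unusual location")
    required = min(required, 4)
    achieved = max((AMR_LEVEL.get(m, 0) for m in session.amr), default=0)
    # For sensitive data a fresh proof is expected even if the original login was strong.
    if required >= 3 and now - session.auth_time > max_age_s:
        achieved = 0
        reasons.append("stale authentication")
    if achieved >= required:
        return Decision("allow", required, reasons=reasons)
    return Decision("step-up", required, STEP_UP_METHOD[required], reasons)
```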

7. Plan towards secure passwordless login

Passwords are vulnerable to compromise. As part of a zero trust framework, organizations can plan towards secure passwordless login for stronger authentication. To achieve this, they will need a consistent authentication framework and should opt for an ecosystem built on open standards such as FIDO2/WebAuthn. These standards pave the way for interoperability.
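The property that makes FIDO2/WebAuthn phishing-resistant (section 1) and suitable for passwordless login (this section) is that the browser binds every assertion to the origin it was collected on and the authenticator binds it to the relying party ID, so the relying party can reject an assertion that was collected anywhere else. The following relying-party-side checks are an added example, not code from the article or from Yubico; `RP_ID`, `EXPECTED_ORIGIN` and the sample assertion builders are constructed for the example, and the cryptographic signature check over `authenticatorData || SHA-256(clientDataJSON)` with the registered public key is left to the credential library.

```python
import base64
import hashlib
import json

# Assumed relying party configuration (not from the article): the RP ID registered
# at enrolment and the only origin the RP will accept assertions from.
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://login.example.com"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed sample of the clientDataJSON a browser produces for navigator.credentials.get()."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}).encode()


def make_authenticator_data(rp_id: str, flags: int = 0x05, sign_count: int = 7) -> bytes:
    """Constructed authenticatorData: SHA-256(rpId) || flags || 32-bit big-endian signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def verify_assertion(client_data: bytes, auth_data: bytes, expected_challenge: bytes, last_count: int) -> list:
    """Return the names of the binding checks that failed; an empty list means they all passed.
    The authenticator's signature over auth_data || SHA-256(client_data) must still be verified
    with the public key stored at registration; that step is outside this block."""
    failed = []
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        failed.append("type")
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        failed.append("challenge")          # replay of an old assertion
    if cd.get("origin") != EXPECTED_ORIGIN:
        failed.append("origin")             # browser collected this on a different site
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        failed.append("rpIdHash")           # authenticator scoped the credential to another RP ID
    flags = auth_data[32]
    if not flags & 0x01:
        failed.append("user-presence")      # UP bit: someone touched the key
    if not flags & 0x04:
        failed.append("user-verification")  # UV bit: PIN or biometric was checked
    sign_count = int.from_bytes(auth_data[33:37], "big")
    if sign_count != 0 and sign_count <= last_count:
        failed.append("sign-count")         # non-increasing counter suggests a cloned authenticator
    return failed
```

The sign-count check is the per-login complement to the attestation described in section 2: attestation vouches for the key's provenance at registration, while a counter that fails to advance is the signal to investigate afterwards.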


Despite the hype, many organizations may struggle with zero trust. This is to be expected; after all, perimeter protection has been the go-to for a long time. However, it takes a different mindset to validate every access attempt instead. A strong starting point is to assess authentication practices and boost these where needed. Shared secrets, such as passwords, are easily stolen or phished. Strong authentication is a cornerstone of zero trust because it ensures that users are properly validated before granting access.


Amber Donovan-Stevens

Amber is a Content Editor at Top Business Tech
