As organizations grapple with protecting data and infrastructure in the era of cloud technology and remote working, Yubico’s Chad Thunberg argues that strong authentication should sit at the heart of zero trust plans.
Zero trust is built on the principle that organizations should frequently reestablish trust with individuals and devices attempting access to information. It’s a departure from a perimeter protection framework in which gaining access from outside is difficult, but everyone inside is implicitly trusted (or at least trusted more). Such traditional IT network security contributes to the frequency and impact of security events; the model is untenable in most use cases.
Why authentication matters
The rise in high impact incidents and evolving infrastructure should have us all assessing our authentication protocols. Although littered with buzzwords and competing stories based on what vendors are trying to sell, zero trust concepts are compelling. Indeed, our day to day conversations with customers is often focused around supporting their zero trust initiatives.
With zero trust, it is imperative to establish a strong proof of identity. Every user attempting to access data will have to be authenticated. Every device will have to meet minimum security and health requirements, even if they are known assets. Users should re-authenticate more frequently, so the method should not only be effective, but efficient.
First, consider how users prove their identity and how much confidence can be placed in the proof. One thing is sure, passwords on their own are not strong enough in the face of techniques attackers currently employ. Neither are passwords particularly user-friendly when we consider storage, length, complexity, and rotation requirements (which is no longer a best practice).
The following best practices should be considered as part of the zero trust journey:
Phishing is commonly used to extract credentials from unwitting targets to gain access to data, systems or applications. Passwords are obviously not resilient to phishing attacks but neither are one-time passwords fully resilient against some attack types. Despite this, research tells us that SMS one-time passcodes (OTPs) and mobile authentication apps are the most popular two factor authentication (2FA) methods. Authentication needs to be phishing-resistant and should work across multiple device types, and support higher security work environments that restrict mobile devices. Solutions that meet all of these criteria and don’t require deployment of client-side software, are ideal!
It goes without saying but the authentication method should be resilient to attack from a capable and persistent attacker. Dedicated and purpose-built devices include hardware security keys. With this form of authentication, users register their key with the applications and devices they use. To log-in, they present the key during the authentication process to prove their identity. Complex cryptographic actions that take place in the background, confirm that the user and service they are connecting to are genuine.
Such strong authentication supports a zero trust approach but even with this, the hardware security device should still be validated. That’s where attestation comes in. It validates that the device comes from a trusted manufacturer and that the access credentials it generates haven’t been cloned.
3. Identity and Access Management
Federated identity enables highly automated centralized management of identity and access management across the enterprise and cloud. Choosing an identity platform that supports FIDO authentication protocols, in addition to OpenID Connect and SAML 2, will enable the use of a strong proof of identity solution across a majority of applications including on-premise, cloud-hosted, and SaaS. The user experience will also improve with the use of single-sign on and reduced password management headache. This in turn should lead to wider adoption with improved security.
4. Non-user accounts
Securing user accounts is often not enough. Service accounts often rely on static long lived credentials that can end up in source control platforms, network file systems, and on laptops. Asymmetric cryptography with a hardware security module (HSM) mitigates the threat of stolen credentials. HSMs can also provide attestations to increase confidence in where the keypair was generated and of its non-exportable status.
5. Digital signatures
Most organizations are now familiar with digital signing of electronic documents. The same principle can extend to other artifacts such as email, code commits, and software releases. Digital signatures can provide assurances that an authenticated person did the work and provide a means to detect if the work was modified after it was signed. Hardware-based authenticators and HSMs make signing electronically easier and stronger.
6. Step-up authentication based on risk
Risk-based access control policies based on signals and risk scores protect users and the organization while increasing productivity. It is possible to implement automated controls that increase authentication requirements and expectations about the client endpoint based on the type of information being assessed, the location of the individual, and whether the behaviour deviates from expected patterns. Authenticators that can support a multitude of authentication protocols provide flexibility in the implementation and a gradient of security appropriate for the moment.
7. Plan towards secure passwordless login
Passwords are vulnerable to compromise. As part of a zero trust framework, organizations can plan towards secure passwordless login for stronger authentication. To achieve this, they will need a consistent authentication framework and should opt for an ecosystem built on open standards such as FIDO2/WebAuthn. These standards pave the way for interoperability.
- 17 IT leaders on why your organization needs zero trust, with tips on implementation
- Don’t pay the ransom: Rubrik’s Zero Trust Data Management
- Zero trust architecture is not just ‘nice to have’
- The zero trust blindspot
Despite the hype, many organizations may struggle with zero trust. This is to be expected; after all, perimeter protection has been the go-to for a long time. However, it takes a different mindset to validate every access attempt instead. A strong starting point is to assess authentication practices and boost these where needed. Shared secrets, such as passwords, are easily stolen or phished. Strong authentication is a cornerstone of zero trust because it ensures that users are properly validated before granting access.