Too often, the weight of ensuring an organization’s digital security falls on the shoulders of the poor end user. Burdened with the responsibilities of remembering multiple passwords, juggling countless devices that receive codes and keys, and trying their best not to lose their laptops, it’s no wonder there are so many security breaches in the news.
It’s high time for a new approach that shifts that responsibility somewhere more appropriate. Fortunately, a new concept in enterprise security now exists to do exactly that. It’s called Zero Factor Authentication (ZFA) and, when done right, it makes the long-sought-after reality of Zero Trust Network Access (ZTNA) achievable for organizations.
Before we dive into these approaches and how they are helping businesses worldwide repel the many threats posed by hackers, thieves and other online ne’er-do-wells, let’s take a step back in time and look at how we got here.
Moving Away From the Perimeter
Traditional perimeter security has been on the ropes for years now. I recall that one of my main takeaways from the 2016 RSA Security Conference was that “perimeter security is dead; firewalls cannot keep the bad guys out anymore. The gates have been stormed and IT security has to regroup. Most big enterprises are constantly being breached, and should assume that their networks are, or will be, compromised. As a result, new strategies and technologies are needed.”
That was six years ago. Today, more people than ever are working from home and are more likely to be accessing cloud-based applications. The internet is the new corporate network and the concept of having your users and applications inside a secure network perimeter seems quaint.
This is where the concept of Zero Trust Network Access comes in. ZTNA is based on the idea of ‘Never trust, always verify.’ It shifts the focus away from the perimeter, hence its oft-used alternative name, “perimeterless security.”
As defined by the U.S. National Institute of Standards and Technology (NIST), “Zero Trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned). Authentication and authorization (both subject and device) are discrete functions performed before a session to an enterprise resource is established.”
Zero Trust, NIST asserts, is a response to enterprise network trends that include remote users, bring your own device (BYOD) and cloud-based assets that are not located within an enterprise-owned network boundary.
“Zero Trust focuses on protecting resources (assets, services, workflows, network accounts, etc.), not network segments, as the network location is no longer seen as the prime component to the security posture of the resource.”
Never trust, always verify. That means a constant verification of the device and its health – and the user accessing the services.
The Path Forward
Today, organizations are adopting Zero Trust architecture as their way forward. Even an entity as large and influential as the U.S. government is incorporating Zero Trust cybersecurity principles.
“Approaching an application from a particular network must not be considered any less risky than approaching it from the public internet,” the government states in its Federal Zero Trust Strategy. “Agencies must steadily de-emphasize network-level authentication by their users, and eventually remove it entirely in their enterprise. In mature Zero Trust deployments, users log in to applications, not in to networks.”
When they do log in to those apps, strong authentication is required to verify them. This means MFA (Multi-factor Authentication), but not just any MFA: “MFA will generally protect against some common methods of gaining unauthorized account access, such as guessing weak passwords or reusing passwords obtained from a data breach.
“However, many approaches to MFA will not protect against sophisticated phishing attacks, which can convincingly spoof official applications and involve dynamic interaction with users. Users can be fooled into providing a one-time code or responding to a security prompt that grants the attacker account access.”
The strategy further states that U.S. agency systems must discontinue support for authentication methods that fail to resist phishing, such as protocols that register phone numbers for SMS or voice calls, supply one-time codes, or receive push notifications.
The good news is that there are mainstream MFA technologies that are phishing-resistant. Certificate-based authentication (e.g., smart cards) and FIDO2 are the two main ones. Both are based on asymmetric cryptography: the private key never leaves the device, and the signed response is bound to the site the user is actually authenticating to, so a spoofed site cannot capture anything it can reuse. The difference is that FIDO does not require a PKI to deploy and manage.
FIDO, or something like FIDO, is a good candidate to implement the “Never trust, always verify” principle. The idea is to strongly authenticate the combination of user and device at the time of computer login and then constantly verify the device, its health, and the user each time they request access to a new remote service or web application. Unfortunately, while this unceasing verification is an example of Zero Trust, it is also onerous for the user. Constantly asking someone to authenticate creates a poor user experience and simply trains them to do it mindlessly.
Unburdening the User
This is where Zero Factor Authentication (ZFA) comes in. Its defining quality is that no action is required from the user. It is based on recognition signals that work silently in the background. After the initial device login, intelligent endpoint software running in the background on the user’s device monitors the user, the device and the device’s health.
Most importantly, ZFA monitors user intention. If anything is amiss, such as the user not showing intent, the endpoint will not signal that the verification has been successful when the user tries to access a new service. In the case of a legitimate user, this will mean that another multi-factor authentication is required. For the remote attacker, it means a dead stop.
ZFA, done right, makes achieving Zero Trust Network Access (ZTNA) possible without putting an undue burden on the user. The “done right” part can be achieved by leveraging the cryptographic underpinnings that are in place for the initial FIDO MFA on subsequent, transparent, seamless, single sign-ons into remote applications and services.
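The two mechanisms described above, the origin-bound FIDO-style challenge/response that makes the initial login phishing-resistant and the subsequent silent check that either passes the user through, sends them to another MFA, or stops an attacker cold, can be sketched in one small Go program. This is an added illustration, not code from the article or from WinMagic’s product; the `Posture` signals, the `Decide` policy and the way the posture block rides inside the signed data are assumptions made for the example (a real WebAuthn exchange also signs authenticator data and has the browser refuse relying-party IDs that do not match the page origin, which is simplified away here).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Posture holds the endpoint's silent recognition signals. The set is hypothetical;
// the article names "user, device and device health" without listing concrete signals.
type Posture struct {
	DiskEncrypted    bool `json:"disk_encrypted"`
	SessionUnlocked  bool `json:"session_unlocked"`
	UserIntentRecent bool `json:"user_intent_recent"` // e.g. recent interactive input
}

// ClientData is the signed payload: challenge + origin, as in WebAuthn's clientDataJSON,
// plus the optional posture block used for the later transparent checks (assumption).
type ClientData struct {
	Challenge string   `json:"challenge"`
	Origin    string   `json:"origin"`
	Posture   *Posture `json:"posture,omitempty"`
}

// Assertion is what the endpoint returns to the relying party.
type Assertion struct {
	Data ClientData
	Sig  []byte
}

// Authenticator models one device-bound key pair per relying-party ID.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

// Register creates a key scoped to rpID and returns the public key for the RP to store.
func (a *Authenticator) Register(rpID string) *ecdsa.PublicKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a.keys[rpID] = k
	return &k.PublicKey
}

// digest canonicalises the client data so signer and verifier hash identical bytes.
func digest(cd ClientData) []byte {
	b, _ := json.Marshal(cd)
	h := sha256.Sum256(b)
	return h[:]
}

// Sign answers a challenge. The origin is supplied by the client software, not typed by the
// user, so a page at another origin only ever obtains a signature over that other origin.
func (a *Authenticator) Sign(rpID, origin, challenge string, p *Posture) (Assertion, error) {
	k, ok := a.keys[rpID]
	if !ok {
		return Assertion{}, fmt.Errorf("no credential for %q", rpID)
	}
	cd := ClientData{Challenge: challenge, Origin: origin, Posture: p}
	sig, err := ecdsa.SignASN1(rand.Reader, k, digest(cd))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{Data: cd, Sig: sig}, nil
}

// RelyingParty stores the registered public key and the single-use challenges it issued.
type RelyingParty struct {
	Origin  string
	pub     *ecdsa.PublicKey
	pending map[string]bool
}

func NewRelyingParty(origin string, pub *ecdsa.PublicKey) *RelyingParty {
	return &RelyingParty{Origin: origin, pub: pub, pending: map[string]bool{}}
}

// Challenge issues a fresh random nonce that Verify will accept exactly once.
func (rp *RelyingParty) Challenge() string {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		panic(err)
	}
	c := fmt.Sprintf("%x", b)
	rp.pending[c] = true
	return c
}

// Verify is the phishing-resistance check: known unused challenge, our own origin,
// and a signature that validates under the key registered for this device.
func (rp *RelyingParty) Verify(a Assertion) error {
	if !rp.pending[a.Data.Challenge] {
		return errors.New("unknown or replayed challenge")
	}
	delete(rp.pending, a.Data.Challenge)
	if a.Data.Origin != rp.Origin {
		return fmt.Errorf("origin mismatch: %s", a.Data.Origin)
	}
	if !ecdsa.VerifyASN1(rp.pub, digest(a.Data), a.Sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Decision is the outcome of a transparent (zero-factor) access check.
type Decision string

const (
	Allow  Decision = "allow"
	StepUp Decision = "step-up MFA required"
	Deny   Decision = "deny"
)

// Decide applies the article's policy: a valid device-bound assertion with all signals good
// passes silently; a valid one with a missing signal (e.g. no user intent) sends the legitimate
// user to another MFA; an assertion that fails cryptographic verification is refused outright.
func (rp *RelyingParty) Decide(a Assertion) Decision {
	if err := rp.Verify(a); err != nil {
		return Deny
	}
	p := a.Data.Posture
	if p == nil || !(p.DiskEncrypted && p.SessionUnlocked && p.UserIntentRecent) {
		return StepUp
	}
	return Allow
}

func main() {
	auth := NewAuthenticator()
	rp := NewRelyingParty("https://app.example", auth.Register("app.example")) // constructed names
	a, _ := auth.Sign("app.example", rp.Origin, rp.Challenge(), nil)
	fmt.Println("genuine login:", rp.Verify(a))
	relayed, _ := auth.Sign("app.example", "https://app-example.login", rp.Challenge(), nil)
	fmt.Println("challenge relayed via another origin:", rp.Verify(relayed))
	good := &Posture{DiskEncrypted: true, SessionUnlocked: true, UserIntentRecent: true}
	a, _ = auth.Sign("app.example", rp.Origin, rp.Challenge(), good)
	fmt.Println("silent check, healthy:", rp.Decide(a))
	noIntent := &Posture{DiskEncrypted: true, SessionUnlocked: true}
	a, _ = auth.Sign("app.example", rp.Origin, rp.Challenge(), noIntent)
	fmt.Println("silent check, no user intent:", rp.Decide(a))
}
```

The design point is that the later, invisible checks reuse the same device-bound key and the same challenge/origin/signature discipline as the first login, which is what “leveraging the cryptographic underpinnings” of the initial FIDO MFA amounts to; the posture signals ride inside the signed payload, so an attacker cannot simply assert good health, and a legitimate user with a stale or missing signal gets a step-up prompt rather than a silent failure.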
Most identity and access solutions are server-based and don’t have the capability on the endpoint to be this intelligent. WinMagic, with over 20 years of deep endpoint security experience, does.