Why Zero Trust Is All About Identity


Michael Engle is CSO at 1Kosmos, and was previously head of information security at Lehman Brothers and co-founder of Bastille Networks.


It’s nearly impossible to escape the tractor beam of zero trust. These days, the security framework touches almost every corner of the enterprise. However, one component that serves as an especially crucial piece of zero trust is identity management. Knowing exactly who is accessing the network and what devices they are using is ground zero for system and data protection.

Unfortunately, many organizations continue to rely on passwords and other ineffective methods. Passwords are easily lost, stolen and compromised, yet poor password hygiene is just part of a much larger problem. Even a strong password is a shared secret: it can be phished, replayed from a breach dump or intercepted by a proxy, and multifactor authentication (MFA) methods and biometrics are not created equal. Without the right components, these protections can be easily defeated.

To be sure, attack methods are increasingly sophisticated. Once cyber gangs infiltrate systems, they typically move laterally across a network and capture additional and more highly privileged credentials. They seize personally identifiable information (PII) and intellectual property (IP), build backdoors and establish ongoing access so they can continue to pull data and plant malware.

Moving Beyond Passwords

As cyberattacks escalate, there’s a growing focus on adopting systems that encompass total digital trust. This includes things like decentralized identity, more advanced MFA frameworks and password-free biometric methods, including techniques like live selfies, voiceprints and digital tokens to handle authentication. These tools improve protection while making it easier to balance legitimate access and tight security.

Unfortunately, many organizations haven’t advanced beyond basic authentication. Many are just starting to use MFA, and some still don’t have single sign-on (SSO). Others rely on a text or email with a six-digit code for verification. These methods are over 20 years old and represent significant risks. If crooks already have access to a person’s email or phone (via coercion, SIM-swapping or phishing), the code doesn’t do any good, and a real-time phishing page doesn’t even need that access: it simply asks the victim for the code and relays it to the real site before it expires.

Even more advanced MFA frameworks that take advantage of Touch ID, biometric face scans, rolling codes and authentication tokens like YubiKeys aren’t infallible. That’s because these “device biometrics” prove only that someone enrolled on the device is present; they unlock a local key rather than bind the login to a vetted, real-world identity, so anyone who can add a finger or face to the device inherits its access. Also, if a YubiKey doesn’t work or the person doesn’t have it available, the fallback options often include a one-time text code or other legacy methods that give attackers another avenue. An attacker will always pick the weakest enrolled method, so the account is only as strong as its fallback, and security is suddenly back to square one.

How can an enterprise address these issues and build a robust zero-trust framework? According to Forrester, three principles are central to the concept.

• Know thy user. An organization must feel extremely confident that it has vetted a user each and every time that person accesses the network. This method must make it relatively simple for a person to authenticate but ensure that the user is exactly who he or she claims to be.

• Know thy permissions. It’s vital to ensure that permissions are set correctly and network segmentation is in place. This way, if an attacker gets into an account, it isn’t possible to grab the keys to the entire kingdom. What makes this task difficult is that roles within organizations often change, and a mechanism must exist to update and manage permissions.

• Monitor, audit and trace. Zero trust is all about knowing what is taking place and having essential controls in place. This way, if a suspicious event or violation occurs, there’s a mechanism for detecting and dealing with it. This can mean shutting down an application or part of a network, or it can mean forcing a user to authenticate further before proceeding. An immutable audit trail of access events ensures that the bad guys cannot cover their tracks.

Building Better Protections

It’s critical to recognize that zero trust revolves around the idea that you’re verifying first and checking constantly. This translates into a need for layers of detection and protection along with different mechanisms for identifying and remediating attacks.

Within the identity space, zero trust involves verifying through two strong forms of identity, such as live biometrics along with a private cryptographic key held on the user’s device, and cross-checking that against the person’s physical location and machine ID as they log in. In some cases, it might also anchor records in a tamper-evident, append-only ledger (a blockchain is one implementation) so that enrollment events, document hashes and the like cannot be quietly altered after the fact.

The real-world impact of such a model is tangible. With a zero-trust identity framework in place, you might discover that a login is suddenly originating from a different IP address or at an odd time—say, 3 a.m. and from a different city. This signals that something is potentially amiss and allows the organization to deny immediate access until the SOC can take a closer look.
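The check described above, as an added example that is not part of the article and not 1Kosmos code: a small risk-evaluation step in Go of the kind a policy engine runs on every login. The baseline values, the three constructed login events for a user "alice", and the thresholds (900 km/h for impossible travel, a 50 km minimum distance, deny at three or more signals) are all assumptions made for the example; the events are not real telemetry.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// LoginEvent is one authentication attempt for a user, as an IdP or SIEM would record it.
type LoginEvent struct {
	Time     time.Time
	City     string
	Lat, Lon float64
	DeviceID string
}

// UserBaseline is "normal" for one user; learned from history in production, assumed here.
type UserBaseline struct {
	KnownDevices map[string]bool
	KnownCities  map[string]bool
	WorkStart    int // first usual login hour (inclusive), in the baseline's time zone
	WorkEnd      int // hour from which logins are unusual (exclusive)
}

type Decision string

const (
	Allow  Decision = "allow"   // no signals fired
	StepUp Decision = "step-up" // something is off: demand a second strong factor
	Deny   Decision = "deny"    // hold the session until the SOC has looked
)

// haversineKm returns the great-circle distance between two coordinates.
func haversineKm(lat1, lon1, lat2, lon2 float64) float64 {
	rad := func(deg float64) float64 { return deg * math.Pi / 180 }
	dLat, dLon := rad(lat2-lat1), rad(lon2-lon1)
	a := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(rad(lat1))*math.Cos(rad(lat2))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * 6371.0 * math.Asin(math.Sqrt(a))
}

// Evaluate scores one login against the baseline and the last accepted login, returning
// the decision and the signals that fired so an analyst can see the reasoning.
func Evaluate(b UserBaseline, prev *LoginEvent, cur LoginEvent) (Decision, []string) {
	var signals []string
	if !b.KnownDevices[cur.DeviceID] {
		signals = append(signals, "new-device")
	}
	if !b.KnownCities[cur.City] {
		signals = append(signals, "new-location")
	}
	if h := cur.Time.Hour(); h < b.WorkStart || h >= b.WorkEnd {
		signals = append(signals, "off-hours")
	}
	impossible := false
	if prev != nil {
		km := haversineKm(prev.Lat, prev.Lon, cur.Lat, cur.Lon)
		hours := cur.Time.Sub(prev.Time).Hours()
		// 900 km/h outruns any airliner; hours <= 0 catches simultaneous logins from two places.
		if impossible = km > 50 && (hours <= 0 || km/hours > 900); impossible {
			signals = append(signals, "impossible-travel")
		}
	}
	switch {
	case len(signals) == 0:
		return Allow, signals
	case impossible || len(signals) >= 3:
		return Deny, signals
	default:
		return StepUp, signals
	}
}

// sampleData is constructed for this example; it is not real telemetry.
func sampleData() (UserBaseline, []LoginEvent) {
	b := UserBaseline{KnownDevices: map[string]bool{"laptop-7f3a": true},
		KnownCities: map[string]bool{"Boston": true}, WorkStart: 8, WorkEnd: 19}
	day := time.Date(2024, 3, 4, 0, 0, 0, 0, time.UTC) // baseline hours assumed to be UTC
	return b, []LoginEvent{
		{day.Add(10*time.Hour + 15*time.Minute), "Boston", 42.36, -71.06, "laptop-7f3a"},
		{day.Add(27 * time.Hour), "Lisbon", 38.72, -9.14, "phone-unknown"}, // 03:00 next day
		{day.Add(31*time.Hour + 30*time.Minute), "Boston", 42.36, -71.06, "laptop-7f3a"},
	}
}

// RunSample evaluates the constructed events in order, advancing the "last accepted login"
// only when a login is allowed, and returns one decision per event.
func RunSample() []Decision {
	b, events := sampleData()
	var prev *LoginEvent
	var out []Decision
	for i := range events {
		d, _ := Evaluate(b, prev, events[i])
		if d == Allow {
			prev = &events[i]
		}
		out = append(out, d)
	}
	return out
}

func main() { fmt.Println(RunSample()) }
```

Running it prints [allow deny step-up]: the daytime Boston login on the known laptop passes; the 3 a.m. Lisbon login from an unknown device trips new-device, new-location and off-hours and is held for the SOC; the early-morning Boston login on the known laptop trips only off-hours and gets a step-up challenge. Because a denied login never becomes the "last accepted login", an attacker's attempt cannot poison the travel baseline used for the next check.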

The tools to support zero trust already exist. These include the FIDO2/WebAuthn standards, which replace the password with a per-site public/private key pair: the authenticator signs a fresh server challenge together with the site’s origin, so there is no shared secret to steal and a credential cannot be used on a look-alike domain. They also include live selfies and other methods that combine a biometric face scan or voiceprint with rolling QR codes, cryptographic methods, and machine learning, as well as other forms of AI that can detect unusual usage patterns.
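How the FIDO challenge-response resists phishing, as an added example that is not the article’s, not 1Kosmos code and not any FIDO library’s implementation: a simplified WebAuthn-style exchange in Go. It assumes an ES256 (ECDSA P-256) credential, collapses WebAuthn’s authenticatorData to the hash of the relying-party ID, and uses the made-up names bank.example, bank-example.evil and "alice"; the Authenticator and RelyingParty types and the error strings are this example’s own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData is assembled by the browser, not by the web page: it carries the
// challenge the RP issued and the origin the user is really on.
type clientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}

// signedMessage is the digest both sides compute: SHA-256(SHA-256(rpId) || SHA-256(clientData)).
// Binding rpId into it means a signature made under another rpId can never verify here.
func signedMessage(rpID string, cd []byte) []byte {
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(cd)
	m := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	return m[:]
}

// Authenticator models a FIDO2 device: one private key per relying-party ID, never exported.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// Assert returns the client data JSON and an ES256 signature over it, made with the key for
// rpID. The browser derives rpID from the page's origin, so a look-alike domain never reaches it.
func (a *Authenticator) Assert(rpID string, challenge []byte, origin string) (cd, sig []byte, err error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, nil, fmt.Errorf("no credential registered for rpID %q", rpID)
	}
	cd, _ = json.Marshal(clientData{Challenge: challenge, Origin: origin})
	sig, err = ecdsa.SignASN1(rand.Reader, priv, signedMessage(rpID, cd))
	return cd, sig, err
}

// RelyingParty is the server: it stores credential public keys and outstanding challenges.
type RelyingParty struct {
	ID, Origin string
	creds      map[string]*ecdsa.PublicKey // user -> credential public key
	pending    map[string][]byte           // user -> single-use challenge
}

// BeginLogin issues a fresh random challenge for the user.
func (rp *RelyingParty) BeginLogin(user string) []byte {
	ch := make([]byte, 32)
	rand.Read(ch) // crypto/rand
	rp.pending[user] = ch
	return ch
}

// FinishLogin performs the checks that make the scheme phishing- and replay-resistant.
func (rp *RelyingParty) FinishLogin(user string, cdJSON, sig []byte) error {
	pub, ch := rp.creds[user], rp.pending[user]
	delete(rp.pending, user) // consumed on first use, even when verification fails
	if pub == nil || ch == nil {
		return fmt.Errorf("unknown user or no login in progress")
	}
	var cd clientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil {
		return err
	}
	if string(cd.Challenge) != string(ch) {
		return fmt.Errorf("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin %q is not %q: assertion was made on another site", cd.Origin, rp.Origin)
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(rp.ID, cdJSON), sig) {
		return fmt.Errorf("bad signature or wrong rpId")
	}
	return nil
}

// Demo runs one legitimate login and two phishing attempts; a nil result means the RP accepted.
func Demo() (legit, phishNoCred, phishOrigin error) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	auth := &Authenticator{keys: map[string]*ecdsa.PrivateKey{"bank.example": priv}}
	rp := &RelyingParty{ID: "bank.example", Origin: "https://bank.example",
		creds: map[string]*ecdsa.PublicKey{"alice": &priv.PublicKey}, pending: map[string][]byte{}}
	cd, sig, _ := auth.Assert(rp.ID, rp.BeginLogin("alice"), rp.Origin)
	legit = rp.FinishLogin("alice", cd, sig)
	// A page at bank-example.evil relays the real challenge. The browser derives the
	// rpID from the phishing origin, for which the authenticator holds no credential.
	relayed := rp.BeginLogin("alice")
	_, _, phishNoCred = auth.Assert("bank-example.evil", relayed, "https://bank-example.evil")
	// Even an assertion made under the real rpID is rejected once clientData shows it
	// was produced on the phishing origin.
	cd, sig, _ = auth.Assert(rp.ID, relayed, "https://bank-example.evil")
	phishOrigin = rp.FinishLogin("alice", cd, sig)
	return
}

func main() { fmt.Println(Demo()) }
```

The relying party never sees a password, only a signature over a challenge it just minted. The per-rpId key scoping and the origin the browser records in clientData are what defeat a relayed challenge on a look-alike domain, and deleting the pending challenge on first use is what defeats a replay.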

In the end, there is no magic formula for achieving zero trust. It involves numerous tools, technologies and processes that sit atop an IT infrastructure. It involves a shift in cultural thinking. Yet more than anything else, it requires a fundamentally different way of thinking about identities, access and assets. When organizations get the identity component right, cybersecurity suddenly becomes a lot simpler—and stronger.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.