Traditional perimeter-centric network security is built around a well-defined network boundary: all enterprise resources such as devices, file servers and applications sit inside the network, and users' access to the network is strictly controlled.
I like to compare traditional perimeter-centric network security to old forts, since they have quite a lot in common. Just like traditional perimeter-centric network security, forts had a well-defended perimeter wall, and access to the fort was strictly controlled via a drawbridge over a moat.
Both of these architectures share a critical flaw: once you bypass the perimeter, there are no checks or controls in place inside. The analogy I like to use is the Trojan Horse during the Trojan War.
With today's constantly changing world, along with the adoption of cloud computing and remote working, the network perimeter has not just become blurred; for many modern enterprises it no longer exists. Neither your enterprise resources nor your workforce are inside a well-defined network any more. Hence the perimeter-centric approach to network security is considered legacy by many industry experts.
Zero Trust is a modern approach to the evolving world of cybersecurity. It emphasizes the need to move away from a perimeter-centric network approach to a model focused on continuous authentication and assessment of trust across every device, user and application.
The Zero Trust security model was developed on the assumption that no user or device is inherently trustworthy and that all access must be authenticated and verified. One of its core principles is to assume a breach has already happened and to minimize its impact. The Zero Trust model does not rely on a secure network; instead it focuses on identities, individual resources and data, regardless of the user's location.
The principles of zero trust are the guidelines that inform the design and implementation of a zero trust security model.
Authentication is the first step towards building a Zero Trust Architecture. You can no longer rely on the network perimeter to give employees, customers and third parties access to proprietary applications from behind a firewall or over a corporate-issued device. To provide the best user experience to your employees, customers and third parties without compromising security, it is imperative to move to a dynamic and continuous authentication approach.
Continuous authentication is at the heart of zero trust architecture: it ensures that users and devices are always verified and authorized before accessing sensitive data and resources. It reduces the risk of compromised credentials, insider threats and session hijacking by monitoring user behavior and context throughout the session, not just at login.
It also improves user experience by reducing the need for repeated logins or password resets. This can be achieved by using various trust elements, such as biometrics, keystroke dynamics, device posture, location, network environment, and risk signals.
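The policy loop described above, as an added example that is not code from the original post or from swIDch: each request during an already-authenticated session is re-scored from its trust elements (device posture, location, network environment and risk signals), and the score decides whether the request is allowed, forced through a step-up re-authentication, or denied. The weights, thresholds, field names and the sample contexts are all constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Tuple

class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # force re-authentication (biometric, one-time code, ...)
    DENY = "deny"        # terminate the session

@dataclass
class Session:
    """What was established at login; later requests are compared against it."""
    user: str
    device_id: str
    baseline_country: str

@dataclass
class Context:
    """Trust elements observed for one request inside the session."""
    user: str
    device_id: str
    device_managed: bool
    disk_encrypted: bool
    os_patched: bool
    country: str
    network: str                                  # "corp", "home" or "public"
    risk_signals: List[str] = field(default_factory=list)  # e.g. "impossible_travel"

# Hypothetical weights; a real deployment tunes these from its own telemetry.
NETWORK_RISK = {"corp": 0, "home": 5, "public": 15}
DENY_AT = 70
STEP_UP_AT = {True: 40, False: 60}  # keyed by "resource is sensitive"

def score_context(session: Session, ctx: Context) -> Tuple[int, List[str]]:
    """Return (risk score, reasons). Higher means riskier; 100 is an immediate deny."""
    if ctx.user != session.user or ctx.device_id != session.device_id:
        return 100, ["identity or device does not match the session"]
    score, reasons = 0, []
    if not ctx.device_managed:
        score += 30; reasons.append("unmanaged device")
    if not ctx.disk_encrypted:
        score += 15; reasons.append("disk not encrypted")
    if not ctx.os_patched:
        score += 15; reasons.append("OS not patched")
    if ctx.country != session.baseline_country:
        score += 20; reasons.append(f"country changed to {ctx.country}")
    score += NETWORK_RISK.get(ctx.network, 15)   # unknown network treated as public
    if ctx.network != "corp":
        reasons.append(f"{ctx.network} network")
    for signal in ctx.risk_signals:
        score += 25; reasons.append(f"risk signal: {signal}")
    return score, reasons

def evaluate(session: Session, ctx: Context, sensitive: bool) -> Decision:
    """Decide a single request. Sensitive resources step up at a lower score."""
    score, _ = score_context(session, ctx)
    if score >= DENY_AT:
        return Decision.DENY
    if score >= STEP_UP_AT[sensitive]:
        return Decision.STEP_UP
    return Decision.ALLOW

def evaluate_session(session: Session, requests: List[Tuple[Context, bool]]) -> List[Decision]:
    """Re-evaluate every request in order; stop at the first DENY, which ends the session."""
    decisions = []
    for ctx, sensitive in requests:
        d = evaluate(session, ctx, sensitive)
        decisions.append(d)
        if d is Decision.DENY:
            break
    return decisions

if __name__ == "__main__":
    # Constructed sample session: laptop enrolled from the UK on the corporate network.
    sess = Session(user="alice", device_id="LAPTOP-01", baseline_country="GB")
    healthy = Context("alice", "LAPTOP-01", True, True, True, "GB", "corp")
    coffee_shop = Context("alice", "LAPTOP-01", False, True, True, "GB", "public")
    travel = Context("alice", "LAPTOP-01", True, True, True, "BR", "public",
                     ["impossible_travel", "new_ip_reputation_bad"])
    for ctx, sensitive in [(healthy, True), (coffee_shop, False), (coffee_shop, True), (travel, False)]:
        print(evaluate(sess, ctx, sensitive).value, score_context(sess, ctx))
```

The point of the loop is that the decision is recomputed on every request: the same session that was allowed from the office gets a step-up from an unmanaged device on public Wi-Fi when it touches a sensitive resource, and is cut off entirely once location and risk signals disagree with the login baseline.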
Dynamic authentication can be achieved by tokenizing static security information such as usernames and passwords, API keys and PINs into a one-time, time-limited and randomized code. It enables a zero trust security model that is adaptive, granular and data-centric.
Continuous authentication supports the main concept behind the zero trust security model, which is "never trust, always verify". As a first step toward Zero Trust, a continuous authentication solution will allow you to:
Continuous authentication is a key component of zero trust architecture. It enables a dynamic and granular approach to security that adapts to the changing context and behavior of users and devices. By constantly verifying and authorizing access requests based on multiple trust elements, it reduces the risk of credential compromise, insider threat, and session hijacking, while improving user experience and productivity.
It also supports the zero trust principles of verifying explicitly, using least privilege access, assuming breach, securing data, and monitoring continuously. Therefore, continuous authentication should be at the heart of any zero trust architecture.
--------------------
Author: Vinny Sagar, Solution Architect, swIDch
With over 15 years of experience in pre-sales, consulting and software development in the Identity and Cyber Security space, Vinny has helped many clients across various industries and regions to design and deploy Zero Trust solutions that meet their specific needs and challenges.
--------------------
swIDch will continue its quest to innovate and pioneer next-generation authentication solutions. To stay up to date with the latest trends, sign up to our newsletter and check out our latest solutions.