I had assumed the conversation started about ten years ago, but the de-perimeterization of cybersecurity thinking has been discussed since at least 2004. Whenever it started, the recommendation has been consistent: move cybersecurity strategy away from the concept of a defined security perimeter, usually the boundary of the corporate network, where everything outside the network is labeled untrusted and everything inside is trusted.
Organizations today have no pre-determined security perimeter, and automatically trusting anything is increasingly viewed as irresponsible. The rise of mobility, the adoption of cloud services, and outsourcing to third parties continue to stretch cybersecurity beyond any well-known perimeter, and the 2020 pandemic, with its shift to a remote workforce, accelerated those changes. At the same time, insider threats remain a primary source of breaches and attacks, proof that there is plenty of cyber risk inside the corporate network.
It is no wonder, then, that in 2020 72% of organizations reported they were planning to implement Zero Trust to lower their cyber risk. Implementing Zero Trust does not happen overnight, however; it is a long journey, and many organizations have not yet taken the first step. So where do you begin when implementing a Zero Trust architecture? What is the foundational element every organization must have to achieve Zero Trust?
The answer is multi-factor authentication (MFA).
Zero Trust Architecture & Guiding Principles
While Zero Trust has taken over the headlines, blogs, guidelines, and more as the latest cybersecurity approach, it can be hard to determine what Zero Trust really is, and how you are supposed to implement it.
Zero Trust is not a single product. NIST describes it as a strategic approach, a set of guiding principles for how an organization should build its cybersecurity strategy. Its motto, “never trust, always verify”, drives the core of the approach and its implementation. NIST Special Publication 800-207, Zero Trust Architecture, lays out several tenets that define the strategy further, including:
- All communication is secured regardless of network location.
- Access to individual resources is granted on a per-session basis.
- Access to resources is determined by dynamic policy, including the observable state of the identity, the application and the requesting device.
- The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
- All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
- The enterprise collects as much information as possible about the current state of its assets, network infrastructure and communications, and uses it to improve its security posture.
Across these tenets, controlling access to resources is critical, and continuous authentication and authorization are at the core of achieving it.
Multi-factor Authentication is the First Control to Implement
Relying on a single authentication factor and automatically trusting credentials to gain access to resources are things of the past. Back in 2020, Ann Johnson, corporate vice president of Microsoft’s Cybersecurity Solutions Group, gave this guidance explicitly: “The entire principle of zero trust is that you trust nothing. That’s the first thing that we tell organizations: they must use multi-factor authentication for 100% of employees 100% of the time. That is the first control to put in place as part of that Zero Trust architecture”.
Intelligent, continuous multi-factor authentication is central to Zero Trust: authenticating and authorizing the digital identity of a user or device is how you verify it before trusting it with access to resources. Traditional MFA tactics, however, may not support the continuous authentication Zero Trust requires, or a successful rollout to 100% of your employees, because one-size-fits-all MFA is hard to get users to adopt.
Overall, many traditional MFA approaches are not suited to a Zero Trust architecture. MFA that simply adds a second method on top of a password still leans heavily on the password, which users must remember and often forget, and which remains the credential attackers phish, reuse and replay before turning to the second factor. Other MFA solutions lack key elements of Zero Trust, such as advanced approaches like contextual authentication and more granular security policy controls.
5 Multi-factor Authentication “Must Haves”
As with any control, implementing and deploying MFA in support of your Zero Trust architecture requires the right policies and solutions behind it. Here is a list of requirements to include when creating your Zero Trust MFA strategy and selecting a solution:
- Include a wide range of flexible authentication options: A huge hurdle in any MFA project is the rollout and overall user adoption. If the goal is 100% MFA for employees, 100% of the time, user adoption and cooperation are essential. An MFA implementation must offer secure authentication options that meet the organization’s security requirements, and also give users some control to select the method that works best for them. Look at how flexible a solution is and which authentication options it offers to support every part of your Zero Trust architecture.
- Offer passwordless authentication & biometrics: Building on the requirement for a wide range of authentication options, a modern MFA strategy needs options that stop asking users to prove themselves with a known “secret” or password. Passwordless methods avoid the risks of relying on passwords and give users a more convenient way to authenticate. With the password removed from the process, the user cannot forget it and cybercriminals cannot steal it.
Passwordless authentication is best delivered with biometrics. Biometrics spare the user from remembering a password and from inconvenient hardware tokens and phone-based options, many of which users are hesitant to adopt. For verifying identity, biometrics are also the one factor tied to the person (something you are) rather than to a device, a phone or a secret, so you can trust that an authorized person, not merely an authorized device, is gaining access to your resources. One practitioner caveat: the biometric match should be performed on the user’s device and used to unlock a device-bound credential; the biometric template itself should never be transmitted to or stored by the server.
- Policy Micro-segmentation: A critical aspect of achieving Zero Trust is defining authentication policy at a very granular level. Policies are the rules that what NIST calls the Policy Decision Point (PDP) evaluates to determine which authentication a request requires, based on the user, the resource(s) they are trying to access, and the environmental and behavioral aspects of the request; a Policy Enforcement Point (PEP) then allows or blocks the connection accordingly. Policies also drive the continuous nature of authentication that keeps verifying the user’s identity beyond the initial sign-in. Again, with Zero Trust there is no assumption that whatever was trusted to get into the network should be trusted to access everything inside it.
- Add environmental and behavioral aspects to access requests: Single-factor authentication is obsolete, and common multi-factor methods such as SMS and e-mailed one-time passwords are now themselves targets, for example through phishing pages that relay the code to the real site in real time. The next wave of authentication brings the environmental and behavioral aspects of the user’s access request into the decision about which controls and authentication to require. With granular security policies, methods such as contextual authentication and step-up authentication fit the tenets of Zero Trust by providing dynamic and continuous authentication.
- Look for a single, unified platform: Many solutions can provide MFA, but a single, unified platform avoids gaps in your security and blockers to implementing a Zero Trust architecture. MFA is not the only component of your Zero Trust architecture, but a poorly integrated MFA product can quickly limit it. Look for a platform that offers the core aspects of Identity and Access Management (IAM), including single sign-on and federation, so that it works consistently across all access paths, users and devices.
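The tenets above (per-session access, dynamic policy, posture monitoring) and the policy and contextual-authentication requirements in this list are easiest to see as a small executable policy. The following is an added example written for this page, not PortalGuard code and not NIST’s reference design: a toy Policy Decision Point that evaluates every request, ignores network location when deciding how much authentication is required, raises the bar for sensitive resources and unmanaged devices, and forces a step-up when the session’s environment drifts. The factor levels, sensitivity tiers, session limits and sample requests are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"        # request passes under current policy
    STEP_UP = "step_up"    # session must present a stronger factor first
    DENY = "deny"          # no additional factor rescues this request


# Assurance of the strongest factor a session has presented (assumed scale,
# loosely following NIST AAL1-3): a password alone never satisfies policy,
# an SMS/e-mail OTP is phishable, a FIDO2 key or platform biometric is not.
FACTOR_LEVEL = {"password": 1, "password+otp": 2, "phishing_resistant": 3}

# Maximum session age in minutes before re-verification, by sensitivity tier.
MAX_SESSION_MIN = {1: 480, 2: 120, 3: 30}


@dataclass
class AccessRequest:
    user: str
    resource: str
    sensitivity: int               # 1 = low, 2 = medium, 3 = high (assumed)
    factor: str                    # key of FACTOR_LEVEL
    session_age_min: int
    device_managed: bool
    device_compliant: bool
    src_ip: str                    # IPv4 source of this request
    country: str
    prev_ip: Optional[str] = None  # previous request in the same session
    prev_country: Optional[str] = None


def required_level(req: AccessRequest) -> int:
    """Dynamic policy: what assurance this request needs.

    MFA is mandatory for every resource, the top tier demands a
    phishing-resistant factor, and an unmanaged device raises the bar
    by one level. req.src_ip is deliberately not consulted here: being
    on the corporate network lowers nothing.
    """
    need = 3 if req.sensitivity >= 3 else 2
    if not req.device_managed:
        need = min(3, need + 1)
    return need


def context_drifted(req: AccessRequest) -> bool:
    """Continuous verification: a new country, or a source IP outside the
    previous /16, invalidates the trust established at sign-in."""
    if req.prev_country is not None and req.prev_country != req.country:
        return True
    if req.prev_ip is not None:
        old, new = ip_address(req.prev_ip), ip_address(req.src_ip)
        if int(old) >> 16 != int(new) >> 16:
            return True
    return False


def decide(req: AccessRequest) -> Decision:
    """Policy Decision Point: evaluated on every request, never cached."""
    # Posture check: a non-compliant device may not touch medium or high
    # sensitivity resources at all, whatever factor the user presents.
    if not req.device_compliant and req.sensitivity >= 2:
        return Decision.DENY
    if FACTOR_LEVEL[req.factor] < required_level(req):
        return Decision.STEP_UP
    if context_drifted(req):
        return Decision.STEP_UP
    if req.session_age_min > MAX_SESSION_MIN[req.sensitivity]:
        return Decision.STEP_UP
    return Decision.ALLOW


def sample_decisions() -> dict:
    """Constructed sample requests (not real traffic) exercising each branch."""
    base = dict(user="alice", resource="wiki", sensitivity=1, factor="password+otp",
                session_age_min=5, device_managed=True, device_compliant=True,
                src_ip="203.0.113.10", country="US")
    cases = {
        "baseline_ok": base,
        "password_only": {**base, "factor": "password"},
        "on_corp_net_password_only": {**base, "factor": "password", "src_ip": "10.1.2.3"},
        "high_sensitivity_otp": {**base, "resource": "payroll", "sensitivity": 3},
        "unmanaged_device": {**base, "device_managed": False},
        "noncompliant_device": {**base, "sensitivity": 2, "device_compliant": False},
        "country_drift": {**base, "factor": "phishing_resistant", "prev_ip": "203.0.113.10",
                          "prev_country": "US", "country": "DE"},
        "stale_session": {**base, "session_age_min": 600},
    }
    return {name: decide(AccessRequest(**kw)).value for name, kw in cases.items()}


if __name__ == "__main__":
    for name, outcome in sample_decisions().items():
        print(f"{name:28s} -> {outcome}")
```

The point of the `on_corp_net_password_only` case is the Zero Trust one: a request from inside the corporate address range gets exactly the same answer as one from the internet, because location is not a factor in `required_level`. Network context is used only by `context_drifted`, to notice that an established session has moved, which triggers re-verification rather than relaxing it.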
Any Organization can Implement MFA
With no pre-defined security perimeter left to defend, the Zero Trust approach, “never trust, always verify”, has spread across organizations around the globe. Zero Trust architectures are often planned but quickly stall when organizations do not know where to start. On the journey to a Zero Trust architecture, the first step and foundational element is multi-factor authentication. Not all MFA solutions, however, are suited to Zero Trust.
Look for the key MFA “must haves” in any solution you select: flexible authentication options that include passwordless and biometric methods, granular security policy control, continuous authentication that pulls in environmental and behavioral factors, and delivery as part of a single, unified platform.
Sign up for a FREE trial of PortalGuard IDaaS & Biometric Authentication!
With your free trial you will be able to test out:
- Flexible Multi-factor Authentication options
- Biometric Authentication
- Single Sign-on
- Self-Service Password Reset