What is zero trust and why is it important? What are the three core components of zero trust?
Zero trust is more than just the buzzword of the moment in cybersecurity. With social engineering attacks exploiting compromised passwords and legacy multi-factor authentication (MFA) technology successfully compromising many large enterprises, the need for zero trust is clearer than ever.
What is zero trust?
Zero trust means set of principles that govern how cyber professionals design and implement systems as well as authentication of user access and privileges to those systems, and how we all think about security.
By order of the President
The conversation around zero trust is accelerating, as new cybersecurity paradigms are being defined and adopted at the highest levels of government. In 2021, the Biden administration issued an executive order calling on the US government to institute “bold changes and significant investments” in security measures to better protect federal networks from attack. The White House Office of Management and Budget followed by defining a “zero trust strategy”, outlining the security architecture which would fulfil the executive order to overhaul federal cybersecurity practices.
The US government mandated that authentication now includes two components: device authentication and identity authentication.
“When authorizing users to access resources, agencies must consider at least one device-level signal alongside identity information about the authenticated user,” according to the OMB.
It is important to recognise that this requirement drives a new paradigm for security professionals. It emphasises that password-less solutions on their own are not enough to achieve zero trust, and that identity authentication must go hand-in-hand. Given these mandates, zero trust is likely to prompt major shifts in how all organisations structure networks and authenticate their workforce, third-party vendors and customers.
All of this establishes zero trust’s importance. But just what is it, exactly?
Zero trust definitions
According to the National Institute for Standards and Technology (NIST), “zero trust is the term for an evolving set of cybersecurity paradigms that move defences from static, network-based perimeters to focus on users, assets, and resources.”
All traffic is hostile and allows no implicit trust to be granted to assets or users.
Also, according to NIST: “Zero trust focuses on protecting resources (assets, services, workflows, network accounts, etc.), not network segments, as the network location is no longer seen as the prime component to the security posture of the resource.”
To sum up zero trust in a nutshell, it:
- Requires that both users and devices be authenticated before connecting to or accessing an enterprise resource to protect the resource from unauthorised access
- Does not assume that everything that has access to an environment should have access to everything within that environment as legacy network environments often do
- Focuses on individual and small groups of resources and granular control of access to them vs. the defence of a wide network perimeter
Zero trust contrasts what Forrester Consulting noted was an old saying in information security, “We want our network to be like an M&M, with a hard crunchy outside and a soft chewy center.”
In the past, security teams focused on protecting the “perimeter”— protecting access to trusted enterprise networks by implementing access controls like CASBs and VPN. With this methodology, however, security holes and authentication vulnerabilities leveraging passwords and transient trust still arise. A zero-trust approach centralises access mechanisms and grants access based on the risk and trustworthiness of both the user and the device, resulting in a more secure and resilient environment.
With zero trust, there is no more “chewy center” where users can move around freely, and device-based authentication by itself is not enough.
Components of zero trust
Forrester Consulting first coined the term in 2009, and released seven operational domains of zero trust architecture.
Since Forrester’s seven pillars, NIST has established that zero trust architecture includes the following core components:
- The Policy Enforcement Point is the gateway to secure access for corporate resources, and is responsible for enabling, monitoring, and terminating connections between users, devices, and enterprise data
- The Policy Engine decides whether to grant access to organizational resources based on policies set by the organization’s security team
- The Policy Administrator is responsible for executing the access decisions made by the policy engine; this component allows or denies communication between a user and a protected resource
Why is zero trust important for organisations?
Zero trust was developed as a response to the new realities of our digital world. Enterprises must grapple with the challenge of authenticating employees in today’s hybrid/remote economy. Gartner predicts that an estimated 51 per cent of knowledge workers were remote by the end of 2021 and a Microsoft study found that 67 per cent of employees bring their own device.
Zero trust accommodates these modern network realities, including remote users, BYOD, and cloud-based assets which are not located within an enterprise-owned network boundary.
A perimeter-focused security approach does little to combat insider threats, which are one of the most serious sources of breaches today.
Insider threat incidents increased 47 per cent between 2018 and 2020, according to the Verizon 2021 Data Breach Investigations Report. According to the Ponemon Institute, in 2020 the global average cost of an insider threat was $11.45m, while the average cost of a data breach over the same period was $3.86m.
Social engineering attacks exploiting legacy Multi-Factor Authentication (MFA) technology have been successful in compromising Twilio, Cisco, Intuit, and other enterprises this year. Out of 4,110 breaches studied in the 2022 Verizon DBIR, compromised credentials due to insider error was the root cause of 82 per cent of breaches.
The role of strong authentication
Since a zero-trust model assumes a network is always at risk of being exposed to threats and requires all users and all devices be authenticated and authorised, authentication plays a huge role in a zero-trust ecosystem. Zero Trust Architecture is centred around identity and data, as the goal of implementation is to protect access to data by specific, authorised identities dynamically. The authentication of both users and devices is core to zero trust architecture as their verification prevents unauthorised access to networks, applications, and databases.
Implementing zero trust architecture necessarily relies on implementing multiple points of authentication and requires asking users to authenticate themselves in various ways, over and over. Without strong authentication protocols in place to confirm the identity of the user and the device requesting access, security teams cannot obstruct unauthorised access to resources.
MFA’s role in authentication
Because MFA touches on so many elements of zero trust – MFA is used to authenticate access to an environment or privileges within an environment, or as an account recovery method when a potential threat actor is on a network – insufficient MFA can derail even the best laid plans for zero trust architecture.
Multifactor authentication methods have become ubiquitous and have increased security. But most MFA being implemented is based on a couple of factors:
- Something you know (knowledge factor), such as passwords, PINs, and answers to personal security questions, or
- Something you have (possession factor), such as mobile devices, physical tokens, key fobs, and smartcards
Legacy MFA places assumed trust in the recipient of a code, knowledge of the user, or holder of a device. These types of MFA therefore can be vulnerable and easy to spoof as they do not really authenticate the user behind the device. Most device-based authenticators do not require “live” biometrics for user identity and access authentication.
In addition, legacy MFA can present administration issues, such as account recovery, lock-outs and added friction in the authentication process.
Worst of all, most legacy MFA solutions don’t meet the current minimum standards promulgated by OMB, which noted that SMS verification is not enough and that phishing-resistant MFA is required for agencies and their partners.
OMB also mandated that “When authorizing users to access resources, agencies must consider at least one device-level signal alongside identity information about the authenticated user.” This particular directive requires that organisations think about strong authentication as two parts: authenticating the device and, separately, authenticating the user’s identity.
Adopting zero trust requires enterprise-wide authentication solutions that can be implemented and used easily. One such solution is biometrics authentication methods. Rather than relying on knowledge factors or possession factors, biometrics employ human factors, such as face, voice and fingerprints. With biometrics, additional security features like liveness detection can increase assurance that a live person is requesting access.
Biometrics, whether device-based or cloud-based, also play a significant role in enabling phishing-resistant MFA as mandated by OMB. As we have learned from recent data breaches, human vulnerability is highly targeted and easily exploited via phishing, smishing and other social engineering attacks. Non-phishing resistant MFA leaves organisations extremely vulnerable and greatly lessens the efficacy and use ability of the zero trust framework. As OMB noted, the federal government’s Personal Identity Verification (PIV) standard is one effective approach to phishing-resistant MFA, and the World Wide Web Consortium (W3C’s) open “Web Authentication” standard is another.
Of these solutions, though, implementing FIDO2-compliant password-less authentication into the IAM and PAM layers could be the most seamless. At the front door, users login with FIDO2 to provide strong, phishing resistant MFA which works on the user’s native device. Once the user is past the front door, the organisation can set polices based on the resources being accessed by the user that request higher levels of identity confirmation such as cloud biometric authentication. This ensures that when the gate keeping components request authentication, the assurance levels are being raised beyond that of what was used in at the front door.
Implementing enterprise-grade biometric authentication has several benefits for a zero-trust environment.
- Biometric authentication sits between the “untrusted zone” – the area before login and the “implicit trust zone” the area where all users are assumed to be trustworthy, behind login. Real-time solutions can be invoked whenever deemed necessary, and the “implicit trust zone” can be shrunk to whatever the organization decides
- Enterprise authentication solutions ideally will disallow any connection to a resource where the user fails biometric verification
- Authentication solutions should support conditional access with role-based access policies and the ability to be invoked based on the organizational risk acceptance
These technologies can be implemented at any point in a user journey to remove transient trust between applications and login sessions. Biometrics also offer a degree of seamlessness and ease of use that cannot be matched by knowledge- or possession-based factors.
The road to zero trust
Despite the known benefits of adopting zero trust paradigms, the road to implementing it can be rocky.
Legacy systems are often built on an implicit trust model, allowing those who have access to digital environments to have access to all data and resources without additional authentication. The cost to rebuild or replace IT infrastructure to transition fully from an implicit trust model to zero trust can be prohibitive for some organisations.
Finally, zero trust is still an evolving concept. While the government and organisations like Forrester Consulting have promulgated standards, there is no consensus around the adoption of a maturity model. Organisations should be mindful that trust should not only be enforced at the perimeter, but should also be managed when users attempt to access privileged applications or assets. With zero trust, there is no more “chewy center” where users can move around freely, and device-based authentication by itself is not enough.
Organisations must be committed to increasing their security with strong authentication that includes device authentication paired with identity assurance that will help them accelerate their journey to zero trust.
Tom Thimot is CEO of identity authentication solution authID
API management for zero trust endpoint protection – Andy James, associate partner at Cluster Reply, and Gordan Milinkovic, partner at Spike Reply, spoke to Information Age about the importance of API management for zero trust endpoint protection
Considering digital trust: why zero trust needs a rethink – David Mahdi, chief strategy officer and CISO advisor at Sectigo, discusses the important role of digital trust in the security strategy
Zero trust: the five reasons CIOs should care – It’s no wonder the ‘zero trust’ approach has caught the eye of many CIOs, but if you’re still not convinced, here’s some reasons why you should be interested