Zero Trust and the Multi-Factor Authentication Conundrum
By Joseph Carson, Chief Security Scientist & Advisory CISO, Thycotic
In a world where cybersecurity is a growing challenge for all organizations, the urgent quest to find security that works, reduces cyber risks for the business, and is easy to use is one that CISOs are constantly assessing. Cyber incidents are continuously growing, with billions of passwords disclosed on the dark net and available to both script kiddies and cybercriminals to abuse easily, whether out of curiosity or for financial fraud. For many, it is only a matter of time before they find out that their identity has been stolen and they can no longer access their online accounts, or worse.
Countless solutions have been proposed, to the point of claiming that biometrics will eventually make passwords unnecessary. The harsh reality is that this is a promise unlikely to be kept. Yes, biometrics will help augment human password interactions to make our lives that little bit easier; however, biometrics have a fundamental flaw: the biometrics we currently use are not changeable, meaning that once cloned or disclosed, such as a copy of your fingerprint, the security they provide is significantly weakened.
It is additionally important to note that accounts can be either human based identities or non-human, meaning machines or applications, and yes, let's accept that the current state is that machines don't have biometrics, at least today, so they will continue to use traditional security controls such as strong, complex passwords and keys. Please do not use default credentials, as that means it is only a matter of time before an incident occurs. Let's focus, though, on human based credentials and what can be used to help reduce cyber risks and increase your security posture.
While the password is not going away anytime soon, and yes, passwords can be augmented with biometrics to assist with repeated human interactive authentication, at least to make our lives easier, it is important that passwords and biometrics are not the only security we use to protect our identities or access to sensitive business information. Multi-factor authentication has a major role to play in authenticating users; however, it is important to get the right balance, with as little friction as possible, to ensure adoption is seamless.
A password used together with biometrics and multi-factor authentication, such as on smart phones, is a much stronger security control that significantly reduces the risks from cyber-attacks and identity theft. It is important to know when to use a single factor and when to require all factors, and that depends on the accepted risks. Accepted risks should always be based on the sensitivity of the data or service being accessed, which means an adaptive risk approach must be mapped to each service, along with risk variables that define which metadata changes trigger a request for an additional factor.
Getting the balance right is critical to keeping user friction as low as possible; this means a user must not be required to use all factors for everything. When a user is accessing from an office location within the corporate network and nothing has changed since the initial multi-factor authentication, no further prompt is needed; only when the baseline changes, such as the user then accessing from another country or a different device, might an additional authentication be warranted, depending on the scenario.
Zero trust is a term that is currently overused in the cybersecurity industry; it is still important, however, and it must be used correctly. Zero trust should be used as a starting point for the business to build and establish trust on its networks.
Zero trust assumes any user or system that accesses the network, services, applications, data, or systems starts with zero trust. To gain authorized access, trust must be earned by the prospective user through verification. For example, verification can require two-factor authentication. In this instance, a user provides a password but then must take an additional step by using an authentication application. When new devices are introduced on the network — and before they obtain access to any resources — they must first identify and verify themselves based on various security controls. The more sensitive the resources to be accessed, the more security controls they must satisfy.
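As an added example, not code from the article or from Thycotic, the adaptive step-up logic described above in Python: a session keeps the context captured at the initial full authentication as its baseline, every later request is compared against that baseline, and the factors demanded depend on the sensitivity tier of the resource and on which metadata drifted. The tier names, factor names and drift rules are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Assumed sensitivity tiers and the factors each one demands (illustrative, not the article's).
REQUIRED_FACTORS = {
    "public":     {"password"},
    "internal":   {"password", "device_trusted"},
    "sensitive":  {"password", "device_trusted", "otp"},
    "privileged": {"password", "device_trusted", "otp", "biometric"},
}

@dataclass(frozen=True)
class Context:
    """Request metadata that is compared against the session baseline."""
    country: str
    device_id: str
    on_corp_network: bool

@dataclass
class Session:
    baseline: Context                            # context at the initial full authentication
    satisfied: set = field(default_factory=set)  # factors already proven in this session

def drift(baseline: Context, current: Context) -> set:
    """Return which baseline attributes changed in the current request."""
    changed = set()
    if current.country != baseline.country:
        changed.add("country")
    if current.device_id != baseline.device_id:
        changed.add("device")
    if baseline.on_corp_network and not current.on_corp_network:
        changed.add("network")
    return changed

def factors_to_prompt(session: Session, current: Context, sensitivity: str) -> set:
    """Factors the user must provide now; an empty set means no added friction."""
    required = set(REQUIRED_FACTORS[sensitivity])
    changes = drift(session.baseline, current)
    if changes & {"country", "device"}:
        # New country or device: remembered trust no longer applies, re-prove every factor for this tier.
        return required
    pending = required - session.satisfied
    if "network" in changes and "otp" in required:
        # Left the corporate network: demand a fresh one-time code even if one was given earlier.
        pending.add("otp")
    return pending

if __name__ == "__main__":
    # Constructed sample: user authenticated in the office with password, trusted device and OTP.
    session = Session(Context("SE", "laptop-01", True), {"password", "device_trusted", "otp"})
    print(factors_to_prompt(session, session.baseline, "sensitive"))          # set(): nothing changed
    print(factors_to_prompt(session, Context("US", "laptop-01", True), "internal"))  # full re-auth
```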
Cybersecurity should begin with zero trust, ensuring that only authorized access is permitted; however, it is important that the goal is to build trust. Once identity has been verified, users should be classified according to the access they need to perform their jobs.
Combining multi-factor authentication with privileged access management is another way to reduce cyber risks and make it more difficult for cybercriminals to gain access to sensitive data or critical infrastructure.
The future of cybersecurity is about making it more difficult for cybercriminals while keeping a business-first approach, ensuring that employees can continue performing their jobs successfully but safely. That means the immediate future of cybersecurity lies with multi-factor authentication that combines passwords and biometrics, along with a strong privileged access management solution that uses adaptive risk to determine which security controls must be satisfied.