Ever since users have been forced to supply their credentials for the variety of applications and platforms they use, vendors have invested in finding ways to simplify authentication through some form of single sign-on (SSO). To make this happen, the name of the game over the past few decades has been to figure out how to apply a mix of technologies that leverage a single credential entry in order to authenticate to as many different resources as possible. Some of the highlights of this SSO quest include technologies such as password synchronization, Active Directory, identity management with credential caching, and federation.
Beyond the simplified account management advantages that IT loves so much, such as account disabling and auditing, SSO’s advantages to the business have always been front and center. It’s more than the fact that users hate dealing with repeated authentications. It’s that every instance where you’re able to remove the wasted time and frustration of users trying to remember or retrieve their credentials is both a business win and a people pleaser. Add to that the scenarios of field personnel and road warriors fumbling through repeated authentications. It’s no wonder that many businesses consider SSO, at least to a certain extent, a “must have” to protect themselves from one of the biggest workflow killers. And that’s not even getting into password recovery or reset scenarios, which are often more problematic than they should be.
The Security and Usability Disruptor
As Verizon's annual data breach reports have concretely illustrated over the years, the accumulated cybersecurity purchases and projects that organizations have invested in haven't delivered on the promised level of protection that they need and their consumers demand. Simply put, breach rates remain unchanged. And piled on top of this security shortfall is the continual pressure of business owners pushing to empower their digital consumers with more interactions and better usability. With all of this, it's not hard to see that a significant security paradigm shift is needed. Enter Zero Trust.
Zero Trust (ZT) ditches the perimeter-centric security paradigm that has been the foundational approach of IT security for decades in favor of an approach where no device or connection is inherently trusted. In many ways, this is akin to assuming that all endpoints and sessions are in a public setting. Consider these situations where you need to protect against scenarios where a user’s credentials have been compromised:
- Through some type of spear phishing or datastore hack
- By an unsuspecting web user visiting a website that’s been corrupted with cross-site scripting code to dupe the user into handing over his credentials
- By a user’s mobile device or some other type of BYOD that has been compromised, stolen, or is running a vulnerable unpatched operating system
Because compromised credentials are the most common breach enabler, ZT takes authentication to the next level by requiring the user or service requesting access to verify their identity (authentication) before allowing it to occur (authorization). The defining difference in ZT is that credentials entered for another resource are irrelevant for this access request. In other words, cached credentials, which are often used in SSO environments, aren’t assumed to be secure enough on their own. Instead, ZT requires additional authentications during a variety of authorization requests.
It's not at all clear whether IT and security teams fully understand the new level of authentication rigor that ZT imposes. We are talking about repeated authentication requests (strong authentication, two-factor authentication, multi-factor authentication) that create a significant usability hurdle to clear before ZT can become viable for the business.
Navigating the ZT/SSO Obstacle
Now that ZT has broken SSO’s paradigm, here are some suggestions for organizations that see the need to adopt an approach that helps them achieve a better balance between security and usability. These guidelines likely pertain to your environment.
Evaluate your ZT needs – Most organizations don’t need ZT across their entire environment and doing so is expensive. Identify and categorize your security needs, identifying resources that merit ZT access control.
Continuous authentication – This is the antithesis of SSO and possibly requires more preparation than your organization is equipped for. Moving from an SSO/single-credential model to a continuous authentication approach will be a major shift for many organizations. While continuous authentication might be a step too far for some who see it as invasive (users might not be comfortable being passively monitored and watched), it is currently a core part of the ZT model that Forrester has defined.
Let’s look at some important components that need to be in place for a ZT environment:
- Passive authentication: A common architecture approach is to identify and secure network segments and other attack surfaces and to require the user to authenticate when entering or accessing them. Obviously, continually popping up a strong authentication request to the user every time he accesses a resource isn’t viable. This is where organizations need to research and select a passive authentication method. For example, it might be a biometric, a behavioral signal, or a second factor such as something the user has (a phone or FIDO device). The key point is that it needs to be frictionless for the user. Organizations should seek an authentication framework that gives them the most choices today, as well as into the future.
- Real-time risk assessment: If the user’s context (unexpected location or device) or behavior (what is being accessed or when) changes to a level that is considered higher risk, an action needs to happen. A key component of ZT is having a security model that adapts to the risk at hand from a user. To adapt, you must have a risk engine that can track the metrics that matter when a user is attempting to access protected information and adopt the authentication level that is needed. The correct action might be to invoke another passive authentication from the user or even request a different authentication type.
Define ZT policies – Now that you have identified your resources that need a ZT level of protection, you need to put those controls in place. Foundational to this is applying least-privilege rules to your network segments. You’ll need to define the business use of segmentation and develop a methodology for building a segmented network. You might also want to apply a similar vetting process to specific attack surfaces such as data, applications, services, and other resources that are sensitive or regulated.
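To make the passive authentication, real-time risk assessment, and ZT policy points above concrete, here is an added example written for this post; it is not code from the original article or from any NetIQ or Micro Focus product. It is a toy policy decision point in Python that first applies a least-privilege check on the resource's tier, then scores the request's context (location, device, patch state, time of day, and age of the last strong authentication) and chooses between allowing the request, asking for a frictionless passive re-authentication, or stepping up to active MFA. The resource names, tiers, role sets, score weights and thresholds are all constructed for illustration.

```python
"""Toy Zero Trust policy decision point (illustrative, not a product API).

Every identifier, tier, weight and threshold here is hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed inventory: resources classified when ZT needs were evaluated.
RESOURCE_TIERS = {
    "intranet-news": "public",
    "hr-payroll": "sensitive",
    "prod-db-admin": "regulated",
}

# Constructed least-privilege policy: which roles may touch each tier.
TIER_ALLOWED_ROLES = {
    "public": frozenset({"employee", "contractor", "admin"}),
    "sensitive": frozenset({"hr", "admin"}),
    "regulated": frozenset({"dba"}),
}

# Constructed risk thresholds: a more sensitive tier tolerates less risk
# before an active (step-up) MFA prompt is required.
STEP_UP_THRESHOLD = {"public": 80, "sensitive": 40, "regulated": 20}

# Constructed continuous-authentication rule: strong auth older than this
# contributes to the risk score.
MAX_STRONG_AUTH_AGE = timedelta(hours=8)


@dataclass
class SessionBaseline:
    """What the risk engine already knows about the user's normal behavior."""
    user: str
    roles: frozenset
    usual_country: str
    usual_device_id: str
    last_strong_auth: datetime
    usual_hours: tuple = (7, 20)  # local working hours, start inclusive


@dataclass
class AccessRequest:
    """Context observed for one authorization request."""
    resource: str
    country: str
    device_id: str
    device_patched: bool
    at: datetime


def risk_score(baseline, req):
    """Additive context/behavior score in 0..100 with human-readable reasons."""
    score, reasons = 0, []
    if req.country != baseline.usual_country:
        score += 40; reasons.append("unexpected location")
    if req.device_id != baseline.usual_device_id:
        score += 30; reasons.append("unknown device")
    if not req.device_patched:
        score += 30; reasons.append("unpatched device")
    start, end = baseline.usual_hours
    if not (start <= req.at.hour < end):
        score += 15; reasons.append("off-hours access")
    if req.at - baseline.last_strong_auth > MAX_STRONG_AUTH_AGE:
        score += 20; reasons.append("strong auth is stale")
    return min(score, 100), reasons


def decide(baseline, req, passive_signal_ok=True):
    """Return (action, reasons). Least privilege is checked before risk."""
    tier = RESOURCE_TIERS.get(req.resource)
    if tier is None:
        return "deny", ["unknown resource"]
    if not (baseline.roles & TIER_ALLOWED_ROLES[tier]):
        return "deny", ["role not permitted for tier"]
    score, reasons = risk_score(baseline, req)
    if score >= STEP_UP_THRESHOLD[tier]:
        return "step_up_mfa", reasons          # active prompt to the user
    if tier != "public" and not passive_signal_ok:
        return "passive_reauth", reasons       # frictionless second factor
    return "allow", reasons


def demo():
    """Run constructed requests against one baseline; returns name -> decision."""
    alice = SessionBaseline("alice", frozenset({"employee", "hr"}), "NL",
                            "laptop-1", datetime(2020, 3, 17, 9, 0))
    ten = datetime(2020, 3, 17, 10, 0)
    late = datetime(2020, 3, 17, 23, 0)
    return {
        "normal": decide(alice, AccessRequest("hr-payroll", "NL", "laptop-1", True, ten)),
        "new_location": decide(alice, AccessRequest("hr-payroll", "US", "laptop-1", True, ten)),
        "wrong_role": decide(alice, AccessRequest("prod-db-admin", "NL", "laptop-1", True, ten)),
        "no_passive": decide(alice, AccessRequest("hr-payroll", "NL", "laptop-1", True, ten),
                             passive_signal_ok=False),
        "risky_public": decide(alice, AccessRequest("intranet-news", "US", "phone-9", False, late)),
    }


if __name__ == "__main__":
    for name, (action, reasons) in demo().items():
        print(f"{name:14} -> {action:15} {reasons}")
```

The ordering matters: the least-privilege check runs before any risk scoring, so a user whose role never qualifies for a tier is denied outright rather than being offered a step-up prompt. The weights are additive and arbitrary here; a production risk engine would derive baselines from observed behavior and tune thresholds per tier.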
Learn More about ZT Identity and Access at Micro Focus Universe Europe 2020
Among the various identity and access management sessions coming up at Micro Focus Universe in The Hague on 17-19 March are a Zero Trust workshop and session. You’ll hear from one of our customers, who will describe how they have used NetIQ Advanced Authentication to achieve some aggressive security goals, as well as their roadmap for achieving more with it in the future. On the second day are also a series of IAM advisory boards, which will also include ZT related roadmap discussion. All of these discussions will highlight various IAM technologies, as well as how to use them to achieve your ZT goals. See you there!
The health and safety of our customers, partners, and employees is our number one priority at Micro Focus.
After careful consideration, and out of an abundance of caution, given the public health concerns surrounding the Coronavirus, we have decided to move to a Micro Focus Virtual Universe event, which will remain scheduled for March 17-19, and replace the physical event that was due to take place in The Hague. We are currently in the process of reaching out to all the customers and partners who were already registered to attend and to our event sponsors to let them know about this revised plan. We will publish details on the agenda for Micro Focus Virtual Universe soon.
We are excited for you to join us for free at Micro Focus Virtual Universe for compelling content, peer to peer learning and some live interactive sessions with Micro Focus experts. Open to all.
Let’s power the Digital Transformation!