Zero Trust’s three big pillars are enforcing least privilege, segmenting access (networks, gateways, or other resources), and performing continuous authentication. For this blog, I’d like to focus on segmentation and continuous authentication as the action pieces of adaptive intelligence. A key capability required for adaptive intelligence is the ability to tune authorization levels based on the confidence in the authenticity of the requester, as well as to measure the risk of granting the access being requested.
As a point of reference, today the vast majority of business environments still rely on static entitlements and traditional credentials to secure access across their environment. Looking across industries, most of the progress made so far has been driven by government mandates and updated policies for regulated data. As a direct result, the adoption of multi-factor authentication for remote access (VPNs, Citrix/RDP, other technologies) has become commonplace. Beyond that, most organizations haven’t made meaningful progress towards the zero trust security levels needed for today’s hybrid cloud infrastructure. Even setting aside the move away from a perimeter security model, current standard implementations of static authentication don’t take into account any type of risk profile or other information relevant to securing access.
The Zero Trust (ZT) security model presents a large enough gap from the existing archetype that, realistically, it requires a journey mindset to make the transition. As such, it’s best to divide this journey into phases. Thinking through the dependencies, I suggest starting with a solid authentication foundation because:
- It offers the most flexibility and the least rework as your zero-trust model evolves
- The usability and success of both micro-segmentation and continuous authentication require a robust authentication infrastructure
I’ve already written a couple of blogs on Achieving Zero Trust, and in them described how essential it is to offer no- or low-friction authentication types in your zero-trust environment. In summary, there is no quicker way to degrade the usability and, ultimately, the viability of your environment than interrupting your users (employees, customers, etc.) every time a ZT event is triggered. Verifying identities without bugging them is the best option. Making interruptions trivial or insignificant is the next best thing. Putting users through an authentication task that interrupts their focus as the means to achieve your ZT security isn’t viable for the business, especially if your users aren’t captive (customers, citizens, and even partners).
Without a doubt, any form of risk-based authentication is a step closer to reaching continuous authentication. It provides a structure from which you can pull in risk-related metrics, which are an important element of transitioning to information-based security policies. You can start populating your risk service with the most rudimentary ways to determine:
- Whether the user is inside or outside a secured area
- Whether the user is on a known device
- The sensitivity of each resource (catalogued in advance)
- Other metrics that are easy to measure
Having these basics covered first makes moving on to a more advanced form of adaptive intelligence an easier step.
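As an added illustration (not code from this post or from NetIQ Advanced Authentication), here is a minimal risk service in Python that scores a request on the three rudimentary signals above and only interrupts the user when the assurance already proven in the session does not cover that risk. The networks, device list, resource catalogue and thresholds are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample policy data (hypothetical values, not from any product).
SECURED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.1.0/24")]
KNOWN_DEVICES = {"alice": {"laptop-0231"}, "bob": {"desk-0412", "phone-0099"}}
# Resource sensitivity catalogue: 1 = internal, 2 = confidential, 3 = restricted.
RESOURCE_SENSITIVITY = {"intranet-wiki": 1, "crm": 2, "payroll": 3}
# Assurance a session has already proven (1 = password only, 2 = password plus a
# second factor) mapped to the highest risk score that level may cover unprompted.
ASSURANCE_COVERS = {1: 2, 2: 5}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    source_ip: str
    device_id: str
    resource: str


def in_secured_area(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SECURED_NETWORKS)


def risk_score(req: AccessRequest) -> Tuple[int, List[str]]:
    """Sum the rudimentary signals: location, device familiarity, resource sensitivity."""
    score, reasons = 0, []
    if not in_secured_area(req.source_ip):
        score += 2
        reasons.append("outside secured area")
    if req.device_id not in KNOWN_DEVICES.get(req.user, set()):
        score += 2
        reasons.append("unknown device")
    sensitivity = RESOURCE_SENSITIVITY.get(req.resource, 3)  # uncatalogued: treat as restricted
    score += sensitivity
    reasons.append(f"resource sensitivity {sensitivity}")
    return score, reasons


def decide(req: AccessRequest, session_assurance: int) -> Tuple[str, int, List[str]]:
    """Return ('allow' | 'step_up' | 'deny', score, reasons)."""
    score, reasons = risk_score(req)
    if score <= ASSURANCE_COVERS[session_assurance]:
        return "allow", score, reasons      # proven assurance covers the risk: no prompt
    for level in sorted(ASSURANCE_COVERS):  # lowest stronger level that would cover it
        if level > session_assurance and score <= ASSURANCE_COVERS[level]:
            return "step_up", score, reasons
    return "deny", score, reasons           # no assurance level covers this risk
```

The returned reasons are what you would log so that step-up and deny decisions can be audited and the thresholds tuned as more signals are added.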
Our biggest customer and partner event of the year in North America, Micro Focus Universe, has now gone virtual. You can join us live, on May 19-21, for sessions on protecting applications, data and, of course, identities. This Virtual Universe offers some noteworthy zero-trust sessions for those planning their upgrade to an adaptive environment. For example, on Tuesday, May 19, there will be a live session where our customer BMW will talk about how they're using NetIQ Advanced Authentication. Not only are they using it for all their employees, but they are using it for a variety of other situations (you'll have to watch it to get the details!). After registering for Universe, make sure to sign up for “Leveraging Zero Trust to Avoid Security Assumptions - A Journey in MFA at the BMW Group,” on Tuesday, May 19.
Chan Yoon and I will also be delivering a breakout "Now that Zero Trust has turned SSO on its head, how do you recover?" that will be available for on-demand consumption. In ways that you possibly haven't walked through, continuous authentication breaks some of the paradigms conventional in SSO deployments. Chan and I will identify some areas in your environment to vet out and potentially re-engineer.
Since this year you don't have to fight for the budget to pay for flights and hotels, go ahead and sign up for these free virtual sessions at Micro Focus Universe.