Dr. Zero Trust on Zero Trust Authentication

There are a lot of “For Dummies” books out there, and quite frankly, we don't need any more. In particular, I’m tired of seeing surface-level pieces of content about zero trust. I already have a small library of zero trust books, most of which appear to be written by and for dummies. So I was thrilled to see that Beyond Identity is taking the zero trust conversation to the next level.

Their new book, Zero Trust Authentication: Securing User and Device Access for a Distributed Multi-cloud World, takes a deeper look at:

  • The role of authentication in zero trust security
  • The shortcomings of existing authentication methods
  • The requirements for Zero Trust Authentication and how it integrates with your current security tools to strengthen your overall security program
  • How you can deploy Zero Trust Authentication

While the book is a great starting point for this conversation, I’m even more excited about their upcoming The Bridge to Zero Trust Virtual Event. On Wednesday, March 15, from 11 AM to 2:30 PM ET, they’ve invited security and IT leaders to join together to explore how identity, Zero Trust Authentication, network architecture, and endpoint detection and response technologies combine to thwart cyberattacks.

It’s time for a shift in how we approach cybersecurity. 

No place for trust

Trust relationships are the gunpowder that digital threats explode to achieve their goals. 

It's essential for everyone to understand that trust, any kind of trust, is one of the inherent flaws of digital architecture. To quote John Kindervag, an industry icon who was an analyst at Forrester with me: "Trust is a human emotion, and computers don't have emotions." 

The Internet and the systems that touch it were built with this inherent flaw, a flaw that remains embedded in our technology today. When we implement zero trust security, we eliminate this fundamental weakness and take away the most powerful weapon that threat actors use against us. 

Turning to authentication 

Authentication is foundational to zero trust. Without a solid ability to authenticate assets, users, applications, devices, data, and a myriad of other things, zero trust is not possible. It is that simple, folks, and that critical.

Think about it for a second. What is the one thing that everything must do to interact with some other apparatus in a digital system? It must authenticate itself. 

If you want a good security practice in place, you must know who or what something is and why it is trying to request access to a particular asset. If a well-built cybersecurity system is just an ecosystem full of locked doors, what good are those locks if you never have the key? The key that is present across the entirety of systems is an authentication protocol.

Without authentication, all systems are just holding pens for electrons. If access is not allowed and assets are not connected via some means of authentication, nothing happens.

Policy engines make it happen

Zero trust as a strategy was not possible until policy engines evolved to be able to manage, maintain, and control assets across infrastructures in disparate systems. Now policy engines are available, and they are the cornerstone of any good zero trust capability. 

This is especially true in relation to authentication, a dynamic aspect of digital systems that powers connectivity—but also introduces great risk if uncontrolled. 

The Zero Trust Authentication book describes how a policy engine can facilitate authentication and power zero trust across your corporate enterprise. Sections in the book clearly define how the practices and protocols around zero trust are centered on authentication controlled by a policy engine. Author and industry expert Jon Friedman also makes it plain that authentication solutions must have a policy engine at their core and that any zero trust policy is only as good as the data, the telemetry, that the policy engine uses to make decisions and broker access to resources.

Much like the phrase “crap in, crap out,” if you don’t have a policy engine that can make good use of your valuable network and system telemetry, you will have a junk zero trust policy and all is for naught. 

I want to encourage you to take an hour or two to read this book and note the ways the author discusses the use of that valuable telemetry for the purposes of powering a policy engine. Ask yourself, “How do I do this today?” and “Can I do this at scale?”

If the answer to either question is unsatisfactory, you have a problem.

ZTNA and moving forward

I was fortunate enough to basically coin the term Zero Trust Network Access (ZTNA) when I worked at Forrester Research. I saw that network security needed a better approach than the legacy VPN solutions the market was offering, and I was fortunate enough to be able to push that need and specific terminology out into the market. Now it’s a market space worth about two billion dollars. (I wish I could collect some royalties on that insight.) 

I think Zero Trust Authentication will be the next major “category” in the zero trust space. Frankly, it makes tremendous sense, and the technology available in this space is aligned to the need. We must have valid authentication to power zero trust. For the record, I support that definition and use of the phrase Zero Trust Authentication in this space. And after reading the Zero Trust Authentication book, I think you will understand the criticality and the need for zero trust authentication in your own organization.

If you want an even deeper understanding, set aside time to attend Beyond Identity’s The Bridge to Zero Trust Virtual Event. It’s rare to find so many high-caliber experts at one event. If you want to truly understand zero trust and authentication's critical role in your zero trust strategy, carving three hours out of your calendar is a pretty easy choice to make.

And best of all, after you’ve read the book and attended the event, you won't be just another dummy.
