On March 15, we kicked off our Zero Trust Leadership series with a virtual event attended by over a thousand global participants. We were very fortunate to have a who’s who list of security industry leaders providing zero trust solutions, including CrowdStrike, Palo Alto Networks, BeyondTrust, and Ping Identity. Dr. Zero Trust himself (aka Chase Cunningham) was in the house, along with CISOs, CIOs, and prominent service providers, including World Wide Technology, Optiv, GuidePoint Security, FIDO, and Climb Channel Solutions.
The overarching goal of the event was to provide practical guidance to help participants begin or extend their zero trust journey. A related goal was to define a new subcategory—Zero Trust Authentication. Zero Trust Authentication meets the much higher standard required to shut the door on the largest single vulnerability that organizations face today—passwords and weak MFA. As Dr. Zero Trust noted (he kinda pounded the table on this one), we have significant data-based evidence over multiple years from reports like the annual Verizon DBIR and CrowdStrike Threat Report that authentication is the weak link and initial attack vector of choice for adversaries. Existing authentication methods simply fall short.
If you want to view the keynote sessions or the technology demonstrations, you can register here:
- Executive Welcome: Using Zero Trust Principles to Unleash Proactive Security
- Authentication Meets Zero Trust
- FIDO Alliance: The Road Ahead for Authentication
- Leadership Panel: Authentication Meets The Zero Trust Ecosystem
- From Concept to Practice: Architecting and Accelerating Your Zero Trust Objectives
- Security within Reach: Practical Steps to Get on the Road to Zero Trust
- One Mission: Zero Trust Authentication that Fortifies IT and Inspires Users
- Technical showcases from CrowdStrike, Ping Identity, Palo Alto Networks, BeyondTrust, Optiv, and World Wide Technology
I wanted to share a few themes that came up across multiple sessions. So without further ado…
1. You can’t get to zero trust footing without addressing the authentication vulnerability.
We know passwords (or any shared secret) are completely inadequate for validating a user's identity. Unfortunately, the last two years have also demonstrated that traditional MFA (one-time passwords, magic links, and mobile push) is barely a speed bump. There are just too many easy-to-use, open-source tools and hosted services that let adversaries launch MFA bypass attacks or social engineering campaigns that work.
FIDO2 is now the gold standard for phishing-resistant authentication, and as Dr. Jasson Casey points out in his session on the key requirements for Zero Trust Authentication, cryptographic FIDO2 passkeys are a great first step, but there are other ingredients required to harden authentication.
2. The device matters
The topic of “device trust” came up quite a few times. Traditional authentication systems ignore this part of the authentication equation, and they do so at your peril. It matters who is gaining access to apps, resources, and data, but it also matters what is gaining access—what device the user is bringing to the party.
Ensuring that the endpoint the employee or contractor is using to access resources and data is in a secure state is paramount. The user and the endpoint device are the primary targets, so checking that the appropriate controls are in place before allowing access needs to be an equal part of modern, secure authentication capability.
3. Zero Trust Authentication is a team sport
Incorporating risk signals from your existing cybersecurity tooling (MDM, EDR, ZTNA, and more) has become critical to ensuring that only authorized users with secure devices gain access. No single technology has a lock on risk, but they all have risk signals that can contribute to improved authentication decisions. Getting the maximum protection value from the tools you have already implemented just makes sense, but too often the solutions don’t work in concert, and signals that could help stop an attack are never acted on.
Making a better, risk-based authentication decision is part of the “team sport” equation. The other is the ability to take action to stop an adversary from gaining initial access or moving laterally to access additional resources. This was one of the key reasons Beyond Identity developed the Zero Trust Authentication subcategory and joined forces with cybersecurity technology leaders to advance the state of authentication dramatically. The goal is to make better authentication decisions and take action when needed.
4. Once-and-done authentication is not nearly enough
Continuous validation is the new sheriff in town. One theme widely echoed across the sessions is that the once-and-done approach to authentication is flawed. Authenticating a user with an initial challenge, even a strong MFA challenge, only gets you so far. Unfortunately, because of the friction of the many legacy MFA tools that make users jump through hoops (find a second device, reply to a prompt, etc.), organizations are forced to make the security versus usability tradeoff.
The solution is often to set session timers to days, weeks, or sometimes months. But we know users log in and walk away from their devices. We also know users can change a security setting (e.g., turn off the firewall or the lock screen) and adversaries can successfully deploy malware via a phishing link.
Continuous authentication has become a must-have. Similar to the NYC subway advice “if you see something, say something,” if something looks suspicious, then the authentication solution needs to be able to take action to quarantine the device or kick it off the network, even during an authenticated session. When that happens, the threat cannot maintain access or move further into the network.
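To make themes 3 and 4 concrete, here is an added illustration (not Beyond Identity's code or any vendor's API) of a policy that folds device signals of the kind MDM/EDR tooling reports into the access decision and re-evaluates them throughout the session; the signal names, verdict labels, and posture timelines are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DevicePosture:
    """Device-side risk signals of the kind MDM/EDR tooling reports (constructed)."""
    firewall_on: bool
    screen_lock_on: bool
    edr_healthy: bool
    malware_detected: bool

def evaluate(passkey_verified: bool, posture: DevicePosture) -> str:
    """Combine the user signal (FIDO2 passkey) with device signals into one verdict."""
    if not passkey_verified:
        return "deny"        # no phishing-resistant proof of the user: never admit
    if posture.malware_detected or not posture.edr_healthy:
        return "quarantine"  # EDR says the endpoint is compromised: isolate the device
    if not posture.firewall_on or not posture.screen_lock_on:
        return "kick_off"    # a security setting drifted: end the session, force re-auth
    return "allow"

def once_and_done(passkey_verified: bool, timeline: list) -> list:
    """Legacy model: decide at login, then trust the session until the timer expires."""
    first = evaluate(passkey_verified, timeline[0])
    return [first] * len(timeline)

def continuous(passkey_verified: bool, timeline: list) -> list:
    """Re-evaluate at every posture snapshot and act the moment a signal turns bad."""
    decisions = []
    for posture in timeline:
        verdict = evaluate(passkey_verified, posture)
        decisions.append(verdict)
        if verdict != "allow":
            break  # access is cut here; later snapshots are never reached
    return decisions

# Constructed timeline: healthy at login, lock screen disabled later in the session.
DRIFT = [
    DevicePosture(True, True, True, False),
    DevicePosture(True, True, True, False),
    DevicePosture(True, False, True, False),
    DevicePosture(True, False, True, False),
]
# Constructed timeline: healthy at login, malware lands via a phishing link mid-session.
MALWARE = [
    DevicePosture(True, True, True, False),
    DevicePosture(True, True, False, True),
]

if __name__ == "__main__":
    print("once-and-done:", once_and_done(True, DRIFT))  # never notices the drift
    print("continuous:   ", continuous(True, DRIFT))     # kicks the session off
```

The once-and-done path returns "allow" for every snapshot because it only ever looked at the first one, while the continuous path stops at the snapshot where the lock screen was turned off.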
5. Zero trust is a journey worth taking
One important conclusion from the various panels of experts is that adopting the zero trust thought process and moving a security program toward zero trust can really improve the situation. The panelists acknowledged that the overuse of the term “zero trust,” especially by vendors who have nothing to offer, has turned a few people off. But while the consensus opinion was that no one technology provides complete zero trust, they all believed that it was a journey worth taking and that fixing the massive authentication vulnerability was an important foundational step.
For more on Zero Trust Authentication, including the seven key requirements for a Zero Trust Authentication solution, I suggest reading:
- The Rise of Zero Trust Authentication - a white paper that discusses how phishing-resistant, passwordless authentication advances zero trust security
- Zero Trust Authentication: Securing User and Device Access for a Distributed, Multi-Cloud World - an ebook written by Jon Friedman of AimPoint Group that describes:
  - The role of authentication in zero trust security
  - The fatal shortcomings in existing authentication
  - Technologies that can provide passwordless, phishing-resistant MFA
  - Low-friction authentication that simplifies deployment and ensures user acceptance
  - How Zero Trust Authentication integrates with security tools and strengthens your overall security program
  - How you can deploy Zero Trust Authentication fast and generate quick wins