The Rise of Zero Trust Authentication

Co-Founder Patrick McBride defines Zero Trust Authentication—strong, risk-based authentication verifying a user’s identity and the security of their devices on a continuous basis—which has become a core pillar of the zero trust security strategy embraced by private enterprise and public sectors around the world.


Hi, I'm Patrick McBride, and I'm one of the co-founders here at Beyond Identity. And today we're going to be talking about zero-trust authentication. It's a pretty easy concept to explain, as you'll see in just a moment. 

But don't let its simplicity belie how important it is to protecting a modern environment from cyber attackers. So, let's start with understanding this through the lens of the cyber attackers. What do they want to get access to? We know that. They want to get access to your data and your applications, whether they're a SaaS application, platform as a service, infrastructure as a service, your data, and whether they live up in the cloud or they live in your traditional data center on-prem. 

That's their target. We know that. So, how do they get access to that environment? Well, there's two main ways that they do it. If we've all been following along with things like the Verizon Data Breach report or many of the other threat intelligence reports that get issued every year, we know with certainty that the vast majority of attacks start with attacking the identity of the user. 

How do they do that? Bad guys will steal passwords, or they'll just buy them. There are literally billions of passwords for sale on the underground. So, these days, an attacker doesn't actually have to break into your environment. More often than not, they'll start off an attack by just stealing a credential and reusing it, and logging in as an authorized user right into your environment. 

What's the other way that they get in? We know that the other thing that attackers really go after is the endpoint devices that users are using to get into the environment, whether that's a tablet, a phone, a laptop, etc. So these are the two main threat vectors that the attackers use. How do they use the devices? 

Well, they'll try to install malware on the device. That's done a number of ways, but it usually starts with either a spearphishing attack that gets an unsuspecting user to click on or open up an attachment that may be laced with malware so they can install it or get them to go to a rogue site where the malware gets delivered, you know, straight from the website. 

So, now they've got a footprint on the device and that gives them access as the individual user moves around using that device and gets into the infrastructure. So, what are we going to do about it? Here's where zero trust authentication comes into play. And it's a pretty easy concept, as I said. 

In fact, let's break it down into three simple concepts of zero trust authentication. The first concept is you have to establish very high trust in the user identity. That's what they attack. That's what we have to fix. The second thing we need to do is establish very high trust that the devices that they're using to get into the environment are appropriately secured. 

And then we have to do it continuously. It's no longer a once-and-done proposition. And that's markedly different from traditional authentication, as you'll see in just a second. So, how does this all start? Well, it starts with implementing phishing-resistant MFA. And I chose those words exactly. In the January 2020 report on zero trust, the federal government came out and mandated that all federal agencies now use phishing-resistant MFA. 

What does that mean? No longer can we use one-time passwords sent over email or over SMS, for example. We can't use magic links anymore. We can't use push notifications. All three of those methods are, in the U.S. government's assessment, easily bypassed at scale by attackers. That's new. 

It used to be that we had a password problem, we established MFA, and we were good. No longer are we good. So, phishing-resistant MFA is the first step. It can't have any passwords or any other phishable factors. In fact, what it should really be using is the modern passkey technology that's based on public-private cryptography, which means that there's nothing on the endpoint that can be stolen and nothing that traverses the network for the bad guys to steal. 

Nothing lives in the database on the end to steal. So, there's just nothing to steal. That's the first starting point. So, we're going to build high trust in the user by using phishing-resistant MFA. Next, we're going to need a risk-based policy engine. And we'll use that to process a lot of additional factors that we're going to want to be thinking about. 

And that starts us off first with some behavioral factors. For example, is the user logging in from a location that we expect them to be in? Or did the user's location just change from somewhere in Northern California to Russia in the last five minutes? So behavioral factors like that are important, but it doesn't stop there. 

We already talked about the fact that the device is the second way the adversaries use to get to our infrastructure. So now we're going to want to check that all the controls we expect to have implemented and running on the devices used to log in are in place. So, for example, is the firewall turned on? 

Do we have data encryption turned on on the devices? Are the PIN code and the biometric for device access turned on so that somebody can't just pick one up and log in? So, we'll want to take all those device security posture signals and also run them into the policy engine. Now, we've spent almost the last decade building out some pretty interesting detection and response capabilities. 

We're going to want to include those as well. So, whether it's EDR, network detection and response, or modern XDR technology, we're going to want to think about those signals and incorporate them into the policy decision and into the policy engine as well. Only once we have high trust in the end user and high trust that the device and other factors are okay do we let the end user into our environment, whether it's into the cloud or into our traditional data center. 

But it doesn't stop there. Now we have to do this continuously. It's not good enough to check once during the authentication transaction and have high trust in the user and the device; things change. People can change settings on the device. A particular control can stop working. My MDM or EDR technology running on the endpoint can stop working. So, we want to be able to continuously check those things and run them back to the policy engine, and if something goes amiss, be able to alert the security operations center or even turn off access from those devices. 

Now, to be a good citizen in the rest of our zero trust infrastructure, zero trust authentication also has to be a player. So, we'll want to feed information back to our detection and response technologies. We're also going to want to feed information from our zero trust authentication platform back into our SOC, into the SIEM tools and all the other infrastructure that the SOC team is using to evaluate what's going on in the environment. 

And lastly, we're going to want to keep an immutable record of all that information, because we know we're going to have audits. So if we have all the information about the user, the device security posture, and what was going on exactly at the time of authentication, we've got exactly what we need to pass audits. 

So, wouldn't it be nice if we could leverage a lot of the infrastructure that we already have in place, which has typically been oriented at detection and response, and make it a proactive part of our controls? And that's exactly why we founded Beyond Identity: to create zero trust authentication that organizations can rely on for their modern protection environment.
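The policy-engine flow described in the talk (phishing-resistant factor, device posture signals, a behavioral impossible-travel check, EDR health, and continuous re-evaluation of a live session), shown as an added illustrative example that is not Beyond Identity's code. The signal names, the 1000 km/h travel threshold and the sample coordinates are assumptions chosen for the example.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Optional

# Only public-key factors count as phishing-resistant; OTP, magic links and
# push are treated as bypassable, as the talk describes.
PHISHING_RESISTANT = {"passkey"}

@dataclass
class Signals:
    factor: str                 # factor used for this login / check
    firewall_on: bool           # device firewall enabled
    disk_encrypted: bool        # full-disk encryption enabled
    screen_lock_on: bool        # PIN / biometric required to unlock
    edr_healthy: bool           # EDR/MDM agent reporting and current
    geo: tuple                  # (lat, lon) of this check (constructed)
    prev_geo: Optional[tuple]   # (lat, lon) of previous check, or None
    minutes_since_prev: float   # elapsed time since previous check

def distance_km(a, b):
    """Great-circle distance between two (lat, lon) points (haversine)."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def impossible_travel(s, max_kmh=1000.0):
    """Behavioral signal: did the user 'move' faster than an airliner?"""
    if s.prev_geo is None or s.minutes_since_prev <= 0:
        return False
    return distance_km(s.geo, s.prev_geo) / (s.minutes_since_prev / 60) > max_kmh

def evaluate(s):
    """Policy engine: allow only with high trust in user AND device."""
    reasons = []
    if s.factor not in PHISHING_RESISTANT:
        reasons.append(f"phishable factor: {s.factor}")
    for name, ok in (("firewall", s.firewall_on), ("disk encryption", s.disk_encrypted),
                     ("screen lock", s.screen_lock_on), ("EDR agent", s.edr_healthy)):
        if not ok:
            reasons.append(f"device control missing: {name}")
    if impossible_travel(s):
        reasons.append("impossible travel since last check")
    return ("allow" if not reasons else "deny", reasons)

def continuous_session(snapshots):
    """Re-run the policy on every posture snapshot after login; the first
    failure revokes the session (this is where a SOC alert would be raised).
    Returns (state, index of the failing snapshot or None, reasons)."""
    decision, reasons = evaluate(snapshots[0])
    if decision != "allow":
        return "denied", 0, reasons
    for i, snap in enumerate(snapshots[1:], start=1):
        decision, reasons = evaluate(snap)
        if decision != "allow":
            return "revoked", i, reasons
    return "active", None, []
```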