Understanding the 7 Keys to Zero Trust Authentication

Patrick McBride, Chief Marketing Officer here at Beyond Identity, talks about a modern authentication capability that can stand up to the now-elevated rigors of zero trust. 


Hi, I'm Patrick McBride, the chief marketing officer here at Beyond Identity. And today, we're going to talk about strong authentication, a modern authentication capability that can stand up to the now-elevated rigors of zero trust. 

I'm going to take you through seven requirements and try to put those in context of how that might work in the real world. But before we get started, let's take a quick refresher on how we're doing authentication today and some of the issues. So, we've got our happy user trying to get, you know, access to apps and resources, whether they're on-prem or in the cloud. 

And today, what are we using? Well, we typically start with a password. We all understand the fundamental flaws of a password. It's a shared secret. So the bad guy can either steal it from the user, steal it off the user's device, capture it as it traverses a network, or steal it out of the databases on the app side. So, as an authentication means it's just a fundamentally flawed method. 

Unfortunately, a lot of organizations thought the savior was MFA. And what we're finding out is with first gen MFA, we've got some issues. And when I say first Gen MFA, I'm talking about things like push notifications or one-time password sent over SMS or magic links, those flavors. 

Unfortunately, those are also just another variation of shared secrets. So they can be taken from the end user or extracted from the end user from their device. They can be extracted in a man-in-the-middle attack. And that's happening quite often today. In fact, some of the recent attacks that you may have read about Twilio, Coinbase, Microsoft, Okta, and even going back to the SolarWinds breach, all included bypassing the traditional first-generation MFA. 

So, what do we need to fix this problem? I'm going to take you through what we think are the requirements for zero trust auth. So, let's start with the first one. Well, given the issues that we already saw with passwords, you know, passwordless is a key requirement. So, being able to authenticate a user at a high trust level without a password is an important thing. 

So, how might we do that? Well, we've got some great technology in the form of asymmetric cryptography. So, public key, private key cryptography that we can use. And the nice thing is the modern endpoints that we're using, whether, you know, we're talking a laptop or a phone, has a really nice place to store the private key in hardware, in secure hardware called a TPM or an enclave depending on which technology you're using. 

So now we've got a private key, public key keep here that we can then do an asynchronous transaction on and ensure at a much higher level of trust that we're talking about the end user. More interestingly, or as interestingly, we've also got biometrics that are built into the device. So, whether we're putting a fingerprint on a laptop or we're putting our face print on our phone to get in, now we've got two very strong factors. 

So no password, and we've got phishing resistance checked off. The interesting thing about this public-private key in the asymmetric, you know, crypto that we use, and many of you will notice that is like the FIDO2 standard. So, FIDO2 gives us the standard for how to actually implement this, which is really important. And you get a third check out of this. 

If you're storing the private key on the machine, the public key, and the cloud, we can then with a high-fidelity transaction, validate that the user is coming in from an authorized device. They're not logging in from the internet café or from a computer in the hotel lobby, for example, which we like to be called a pre-breached machine. So that's all good. 

Now, we've got three really important controls in place. But we're not done yet. The level of trust in the user is up there, but now we also need to make sure that we establish high trust in the device. So, we've got to be able to check the security posture of the device itself. You know, for example, is the firewall turned on? Is the PIN and biometric enabled at the time of transaction, is disc encryption turned on, etc.? 

Are the software components that are helping us secure it, you know, the MDM, you know, or our EDR, are those systems installed and running at the time of the authentication? So, those are new signals that we can add to our authentication transaction. 

But again, we don't need to stop there. Security posture of the device is a big check mark, but many of us have made big investments in, you know, products like MDM, as we mentioned, and EDR. So, being able to pull those risk signals in and having a policy engine that can process the collection here of risk signals and make a policy risk-baked decision on whether we let this user and this device have access. 

So, if everything is hunky dory, we let them in and everything's good, right? Well, it was Ronald Reagan, I think, who said, "Trust but verify." In this case, it's trust but continuously verify. Many organizations, when this connection gets made, have tokens that don't expire for days, weeks, or even months. That gives the bad guys a long time to do something nefarious or even the good guys, you know, time to maybe do something with their device. 

They could jailbreak their phone, for example. They could turn off the firewall or one of the important controls we want to have. So, we have to go back and continuously check that and make sure that we're okay. And if we find an issue, let's say we found an issue on the laptop, you know, our EDR or MDM pointed out something, or we were just checking the settings as we mentioned, then we need to be able to take action. 

So, what can we do if we add ZTNA to the mix? You know, one of the things that we can do is talk to that product and block or stop the network connection. Drop the bad guy or potential adversary right off the network. Using our EDR tools, if we find something nefarious on the end-point, we can quarantine the device and again, stop the attack or stop a potential attack before the attacker has time to move laterally into your network. 

So, continuous is super important. And as we've already started to show here, integrated is also important. But we'll want to, you know, do things like, you know, integrations for your SIM tools so that the SOC team has the rich data that we've collected. Or integrations to your audit and compliance tooling so that we get a full picture of what went on in history and you can prove that the controls were in place. 

So, hopefully, we've painted a picture for what a true Zero Trust Authentication solution in action would look like. And really the first level of that is idea of high trust in the end user. And the second level of that is adding the other elements that we talked about for high trust in the device and continuous authentication. 

We firmly believe that this is where the industry's going, and in this case, you can get these solutions from Beyond Identity. We have a user authentication solution that's passwordless and phishing resistant, and we've got a whole zero trust authentication capability that you can either start with or add on as it makes sense. 

The industry's clearly going in this direction, and we'd love you to join us for the journey.