Authentication best practices to achieve Zero Trust

Yubico Inc

By Geoff Schomburgk*
Wednesday, 30 June, 2021


Zero Trust, a strategic initiative designed to stop data breaches, has come a long way in the last 12 months as a result of the heightened cybersecurity risks faced by organisations due to the ongoing hybrid work environment and the accelerated move to the cloud.

While the concept of Zero Trust has been around for a while and Zero Trust initiatives are well underway with the goal of protecting an organisation's most important assets, it still means different things to different people. There may be many roads to Zero Trust cutting across the network, identity and access control, and the array of definitions and ways to get there is dizzying.

Zero Trust, a reality

To cut through all the noise, simply put, the Zero Trust framework implies that an organisation should trust no individual or thing unless properly verified before being given access to the network and data. The network believes everything that comes from outside or within the system is hostile.

Organisations must validate and authenticate every user who is entering the network. They must install monitoring agents on every endpoint. They must validate that the device is trustworthy and provide attestation. A user's session must expire, and the system should make them re-authenticate frequently. Doesn't that sound like a horrible user experience? It can be, unless the design takes the user experience into account alongside the organisation's security.

A few years ago, the implementation of Zero Trust seemed inconceivable even though the benefits were obvious. But now, Zero Trust is starting to become a reality for many large organisations due to the heightened security risks.

Identity management

Identity is arguably the first line of defence to a strong cloud security foundation and one of the most challenging things to get right for security teams. But just deploying identity elements does not mean an organisation has met the strategic goals of Zero Trust.

The concepts behind identity management are far more advanced than what most organisations can understand from a cybersecurity perspective. Dynamic and strong multi-factor authentication (MFA), protecting user credentials and protecting devices are all essential components of a Zero Trust architecture.

The Zero Trust model involves having a strong level of trust in the authentication mechanisms of every user from every device attempting to access company resources, whether inside or outside the network perimeter. Adopting strong authentication as a core building block of a Zero Trust strategy will jumpstart the security posture of the organisation with strong identity management and authentication.

Modern MFA

Modern MFA, as part of strong authentication, can prevent network access with stolen passwords. Strong authentication using modern MFA enables phishing-resistant user authentication before access is provided. Basic MFA methods such as SMS, authenticator apps and the like have been proven to be highly phishable.

If a user relies on these methods to verify their identity and enter the network, the account can be compromised, giving the attacker a foothold from which lateral movement can be hard to detect. As a result, we are moving away from symmetric secrets (passwords, OTP) to asymmetric solutions bound to physical devices.

For a secure Zero Trust framework, user accounts should be established with modern MFA based on purpose-built hardware security keys, which deliver the strongest levels of phishing defence and secure user access. With hardware security keys using modern authentication protocols, a user can register one single security key with hundreds of services; a unique public/private key pair is generated for each service and secrets are never shared between services. The private key is stored in the secure element on the hardware key and cannot be exfiltrated.

Using this approach, hardware security keys stop remote phishing and man-in-the-middle (MITM) attacks, because only the service the key was registered with is allowed to initiate the authentication. SMS codes and mobile app authentication offer no such binding and remain exposed to man-in-the-middle attacks and malware.
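To make the two properties just described concrete (a separate key pair per service, and an assertion that only the registered service can consume), here is an added worked example in Go. It is not Yubico's code and not a FIDO2/WebAuthn implementation; it is a constructed simulation whose shape is borrowed from the WebAuthn flow (challenge, client data carrying the observed origin, signature over an rpID hash plus client-data hash). The names `Authenticator`, `RelyingParty`, `GetAssertion`, `Verify` and the hosts `bank.test` and `bank-login.test` are all assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// Authenticator stands in for a hardware security key: one P-256 key pair per
// relying-party ID, and private halves never leave it. Constructed teaching model.
type Authenticator struct {
	creds map[string]*ecdsa.PrivateKey // rpID -> private key
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{creds: map[string]*ecdsa.PrivateKey{}}
}

// Register mints a fresh key pair scoped to rpID and returns only the public half.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.creds[rpID] = priv
	return &priv.PublicKey, nil
}

// ClientData is signed as a whole: the service's challenge plus the origin the
// browser actually observed, which a phishing page cannot rewrite.
type ClientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type Assertion struct {
	ClientDataJSON []byte
	Signature      []byte
}

// signedBytes mirrors WebAuthn's layout: SHA-256(rpID) || SHA-256(clientDataJSON).
func signedBytes(rpID string, clientDataJSON []byte) []byte {
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(clientDataJSON)
	return append(rpHash[:], cdHash[:]...)
}

// GetAssertion plays browser plus authenticator. The browser supplies the origin it
// is really on; the credential is selected by the host of that origin, so a
// lookalike domain relaying a genuine challenge finds no key at all.
func (a *Authenticator) GetAssertion(observedOrigin, challenge string) (*Assertion, error) {
	u, err := url.Parse(observedOrigin)
	if err != nil || u.Scheme != "https" || u.Hostname() == "" {
		return nil, errors.New("origin must be an https URL with a host")
	}
	rpID := u.Hostname()
	priv, ok := a.creds[rpID]
	if !ok {
		return nil, fmt.Errorf("no credential registered for %q", rpID)
	}
	cd, _ := json.Marshal(ClientData{Challenge: challenge, Origin: observedOrigin}) // two strings: cannot fail
	digest := sha256.Sum256(signedBytes(rpID, cd))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{ClientDataJSON: cd, Signature: sig}, nil
}

// RelyingParty is one service; it stores the public key it saw at registration.
type RelyingParty struct {
	Origin string // e.g. "https://bank.test" (constructed name)
	RPID   string // e.g. "bank.test"
}

// Verify accepts an assertion only if it carries the challenge this service issued,
// names this service's own origin, and verifies under the stored public key.
func (rp RelyingParty) Verify(challenge string, as *Assertion, pub *ecdsa.PublicKey) error {
	var cd ClientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Challenge != challenge {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin %q is not %q: assertion relayed from another site", cd.Origin, rp.Origin)
	}
	digest := sha256.Sum256(signedBytes(rp.RPID, as.ClientDataJSON))
	if !ecdsa.VerifyASN1(pub, digest[:], as.Signature) {
		return errors.New("signature does not verify under this service's key")
	}
	return nil
}
```

A typical run registers the same `Authenticator` with `bank.test` and `mail.test` (two different public keys come back), then calls `GetAssertion("https://bank.test", challenge)` and `bank.Verify(challenge, assertion, pub)`. The two failure modes the article describes fall out of the checks: a lookalike host such as `bank-login.test` relaying the bank's challenge gets no assertion because no credential exists for that rpID, and an assertion produced for any other origin is rejected by `Verify` on the origin field and again on the signature. Real deployments draw the challenge from `crypto/rand` and keep a counter per credential; both are omitted here to keep the binding logic visible.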

Security keys

In the Zero Trust world that we now live in, especially during and after the pandemic where work-from-home and hybrid work policies have become the norm, CISOs need to work out how to enable a Zero Trust architecture without hampering user productivity as they embrace remote work and cloud applications.

Hardware security keys support the "Trust nothing, verify everything" Zero Trust approach with strong user identity and device authentication. They are purpose-built for security and designed to stop phishing and other forms of account takeover in their tracks, delivering strong authentication at scale.

*Geoff Schomburgk, Vice President for Australia & New Zealand at Yubico

Image credit: ©stock.adobe.com/au/Olivier Le Moal


  • All content Copyright © 2024 Westwick-Farrow Pty Ltd