By Vinny Sagar, Solution Architect of swIDch
Jul. 21, 2023 2:10PM GMT+9
Traditional perimeter-centric network security is based around a well-defined network boundary where all enterprise resources such as devices, file servers, applications, etc. were inside the network and users’ access to the network was strictly controlled.
I like to compare traditional perimeter-centric network security to old forts since they have quite a lot in common. Just like traditional perimeter-centric network security, forts had a well-defended perimeter wall, and access to the fort was strictly controlled via a drawbridge over a moat.
Both of these architectural designs had a critical flaw. If you were able to bypass the perimeter, there were no checks or controls in place inside. The analogy I like to use is the Trojan Horse during the Trojan War.
With today’s constantly changing world, along with the adoption of cloud computing and remote working, the network perimeter boundary has not just become blurred, it no longer exists for many modern enterprises. Both your enterprise resources and your workforce are no longer inside a well-defined network. Hence the approach of perimeter-centric network security is considered legacy by many industry experts.
◇ What is zero trust?
Zero trust is a modern approach to the evolving world of cybersecurity. It emphasizes the need to move away from a perimeter-centric network approach to a model focused on continuous authentication and assessment of trust across every device, user, and application.
The zero trust security model assumes that no user or device is inherently trustworthy and requires that all access be authenticated and verified. One of the core principles of zero trust is to assume that there is a breach and to try to minimize its impact. The zero trust model does not rely on a secure network and instead focuses on identities, individual resources, and data, regardless of the user’s location.
◇ Principles of zero trust
The principles of zero trust are the guidelines that inform the design and implementation of a zero trust security model.
- Verify explicitly: Always authenticate and authorize based on all available data points, such as user identity, location, device health, service or workload, data classification, and anomalies.
- Use least privilege access: Limit user access with just-in-time and just-enough access, risk-based adaptive policies, and data protection to help secure both data and productivity.
- Assume a breach: Minimize the blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses.
- Secure your data: Protect your data wherever it might live, while allowing only legitimate users and entities access to relevant resources and assets.
- Monitor continuously: Collect and analyze data, automate security tasks, and revisit and expand your zero trust implementation as needed.
◇ Continuous authentication is the new perimeter
Authentication is the first step towards building a zero trust architecture. You can no longer rely on the network perimeter to give employees, customers, and third parties access to proprietary applications from behind a firewall or over a corporate-issued device. To provide the best user experience without compromising the security of your employees, customers, and third parties, it is imperative to move to a dynamic and continuous authentication approach.
Continuous authentication is at the heart of zero trust architecture: it ensures that users and devices are always verified and authorized before accessing sensitive data and resources. It reduces the risk of compromised credentials, insider threats, and session hijacking by monitoring user behavior and context throughout the session. It also improves user experience by reducing the need for repeated logins or password resets. This can be achieved by using various trust elements, such as biometrics, keystroke dynamics, device posture, location, network environment, and risk signals. Dynamic authentication can be achieved by tokenizing static security information such as usernames and passwords, API keys, PINs, etc. into a one-time, time-limited, and randomized code. This enables a zero trust security model that is adaptive, granular, and data-centric.
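To make the two ideas in this section concrete, here is an added illustration (not swIDch code and not OTAC; it uses a generic HMAC-based time-window code in the style of RFC 6238) of a server that checks a one-time, time-limited code and then re-evaluates trust elements such as device posture, network and risk signals on every request rather than only at login. The secret, signal names and thresholds are constructed for the example.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # assumed validity window of each dynamic code


def one_time_code(secret: bytes, window: int, digits: int = 6) -> str:
    """Derive a short-lived code from a shared secret and a time window
    (HMAC-SHA256 with dynamic truncation, as in RFC 6238/4226)."""
    mac = hmac.new(secret, struct.pack(">Q", window), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


class ContinuousVerifier:
    """Server side: every request must present a fresh code and pass a
    re-evaluation of trust signals (verify explicitly, assume breach)."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.used_codes = set()  # accepted (window, code) pairs -> replay rejected

    def verify_code(self, code: str, now: float) -> bool:
        window = int(now // STEP_SECONDS)
        for w in (window, window - 1):  # tolerate one step of clock skew
            expected = one_time_code(self.secret, w)
            if hmac.compare_digest(expected, code) and (w, code) not in self.used_codes:
                self.used_codes.add((w, code))  # each code is usable exactly once
                return True
        return False

    def evaluate(self, code: str, now: float, signals: dict) -> tuple:
        """Return (decision, reasons): 'allow', 'step_up' or 'deny'."""
        if not self.verify_code(code, now):
            return "deny", ["invalid, expired or replayed code"]
        reasons = []
        if not signals.get("device_compliant", False):
            reasons.append("device posture failed")
        if signals.get("network") == "untrusted":
            reasons.append("untrusted network")
        if signals.get("impossible_travel", False):
            reasons.append("impossible travel")
        if signals.get("risk_score", 0) >= 80:  # constructed threshold
            return "deny", reasons + ["high risk score"]
        if reasons:
            return "step_up", reasons  # require additional verification mid-session
        return "allow", ["all trust elements satisfied"]
```

Because `evaluate` runs on each request, a session that started on a compliant device on a trusted network is re-checked and can be stepped up or cut off as soon as the context changes.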
Continuous authentication can support the main concept behind the zero trust security model, which is “never trust, always verify.” As a first step toward zero trust, a continuous authentication solution will allow you to:
- Enable passwordless authentication, which is more secure and convenient than passwords or other methods that put the onus on the user.
- Support various use cases and applications, such as online payment, system login, document signing, physical access control, etc., which increases the flexibility and scalability of the system.
- Work with different types of devices, such as smartphones, tablets, laptops, IoT devices, etc., which increases the compatibility and interoperability of the system.
- Protect the identity and data of users and devices from unauthorized access, by verifying the confidence in devices’ identities and health in combination with user authentication.
◇ The crucial role of continuous authentication in zero trust architecture
Continuous authentication is a key component of zero trust architecture. It enables a dynamic and granular approach to security that adapts to the changing context and behavior of users and devices. By constantly verifying and authorizing access requests based on multiple trust elements, it reduces the risk of credential compromise, insider threats, and session hijacking, while improving user experience and productivity. It also supports the zero trust principles of verifying explicitly, using least privilege access, assuming a breach, securing data, and monitoring continuously. Therefore, continuous authentication should be at the heart of any zero trust architecture.
About the author
With over 15 years of experience in pre-sales, consulting, and software development in the Identity and Cyber Security space, Vinny Sagar has helped many clients across various industries and regions to design and deploy Zero Trust solutions that meet their specific needs and challenges.
swIDch is an award-winning cyber security start-up with a focus on revolutionizing authentication. Based on the world’s first one-way dynamic authentication technology, swIDch allows manufacturers and operators to significantly increase security with minimal disruption and minimal computing requirements while at the same time removing password associated vulnerabilities, and thus greatly simplifying the authentication process. swIDch's patented technology, OTAC (One-time authentication code), ensures only known and authorized users and devices can access a system using dynamic, non-reusable, constantly changing code with 0% chance of duplication.