Zero Trust Means Zero Passwords
Given how often I’m seeing the topic of Zero Trust come up in marketing and sales messages, I figure it is best if we start with a few clarifications:
First, Zero Trust is a security framework introduced by analyst John Kindervag of Forrester back in 2010. Zero Trust is not a marketing pitch, although it is often abused as one. From my perspective it has been misused by marketing and sales teams in our industry. Frankly, I believe this is because we perpetuate an unspoken agreement which enables this behavior. As an industry we find that organizations are intrigued by the value of a Zero Trust security framework and by the insights provided through mainstream implementations like Google’s BeyondCorp. So, it is important we critically look at the basics of this framework and step away from the glamour.
Second, this blog is not another “My company provides Zero Trust!” message. Yes, HYPR does empower a Passwordless approach to Zero Trust and I will touch on that, but let’s save my biases for the end.
Lastly, we should level set on what this framework is and the focus I’ll take within it. In simple terms, the Zero Trust framework calls for what the name implies: No trust for anything within or outside of your network. This is a broad statement and feeds into the fact that you have users accessing corporate networks, VPNs, and SaaS applications all from corporate or personal devices. These users, devices, and their data can never be trusted in terms of access control. This is a small glimpse of what is encompassed in a Zero Trust framework. While there are network and device-based controls that need to be implemented to achieve this framework, my area of expertise focuses on achieving Zero Trust with authentication.
Zero Trust is Not a One Size Fits All Approach
My personal experience in the industry is planted in Identity and Access Management. I’ve worked in many environments ranging from the typical mom-and-pop shop to a federally regulated network just outside of DC. As you can imagine there are a few differences in these environments. Not every company deals with a high level of data regulation. My point here is that the Zero Trust framework is not necessarily the right approach for everyone.
While I frequently work with customers on Zero Trust implementations, one primary issue I find with Zero Trust is that friction is typically imposed on the end user. We have all seen that with ‘great security’ comes great friction. As it relates to authentication specifically, the framework calls for authenticating the user and the device at each point of access. I recently worked on an environment where the organization enforced Multi-factor Authentication (MFA), using a product that will remain unnamed, to access each workstation on the domain. The user experience (UX) in this environment proceeded as follows:
- The user types in their password (the username is stored by the Windows operating system)
- The user waits for an embedded IE browser to pop up and display MFA options (I won’t go down the rabbit hole of using Web Views here)
- They get a cup of coffee while they wait for the push, SMS, or call to their mobile device
- They type in the OTP code or accept the push request
- They wait for a response in the IE browser to establish the Windows session
There were simply too many steps required of the user. As you can imagine their executive team was not happy with the unnecessarily high degree of friction. It’s taxing on the user and inevitably leads to the most difficult security threat to address: human error.
Security solution providers have identified this issue. The concepts of “adaptive authentication” or “risk-based authentication” are generally applied to provide a streamlined UX where possible. As an example, some solution providers go as far as to say that if the geo-location, geo-velocity, and device fingerprint are as expected, authenticating with a password is sufficient. However, organizations inefficiently apply layers of data analysis to build a risk, or Trust, score to quantify the authentication event.
A Downside of Authenticating with Risk Scores
A potential problem with relying on a risk score for authentication is that it doesn’t address the abruptness of change. All forms of user behavior can drastically change. In today’s climate this data cannot be used for authentication, and it is critical we have a fundamental process established to perform the true act of authentication. There is value in this data, but it should not be solely used to authenticate a transaction. This data needs to be integrated into an authorization process to ensure the transaction can proceed based on its context. An example I find relevant is cross-border employee authentication under the General Data Protection Regulation (GDPR). If an employee works in country A and resides in country B, their authentication cannot be authorized once they have crossed the border to return home. This context is invaluable in understanding when authorization is permitted or when it should require step-up authentication.
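To make the separation argued for here, and in the adaptive-authentication discussion above, concrete, the following is an added example (constructed for this post, not HYPR’s code): authentication returns a plain yes/no, and the contextual signals (country, device, geo-velocity) feed a separate authorization decision of ALLOW, STEP_UP or DENY. The HMAC challenge-response stands in for a PKI-based authenticator, and the policy values, coordinates and speed threshold are assumptions.

```python
import hashlib, hmac, math
from dataclasses import dataclass
from datetime import datetime

# Constructed example, not HYPR's code. HMAC stands in for the PKI authenticator;
# what matters is that it answers yes/no and context is evaluated afterwards.

def authenticate(challenge: bytes, response: bytes, device_key: bytes) -> bool:
    """Binary authentication: does the device hold the enrolled key?"""
    expected = hmac.new(device_key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)

@dataclass
class Context:               # signals collected at the point of access
    country: str
    lat: float
    lon: float
    device_id: str
    when: datetime

@dataclass
class Policy:
    allowed_countries: set   # e.g. the country the employee works in
    enrolled_devices: set
    max_kmh: float = 900.0   # faster than this between logins is implausible travel

def km_between(a: Context, b: Context) -> float:
    """Great-circle (haversine) distance for the geo-velocity check."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dl = math.radians(b.lon - a.lon)
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def authorize(policy: Policy, last, current: Context) -> str:
    """Context decides ALLOW / STEP_UP / DENY; it never replaces authentication."""
    if current.country not in policy.allowed_countries:
        return "DENY"        # the cross-border case from the post
    if current.device_id not in policy.enrolled_devices:
        return "STEP_UP"
    if last is not None:
        hours = (current.when - last.when).total_seconds() / 3600
        if hours > 0 and km_between(last, current) / hours > policy.max_kmh:
            return "STEP_UP" # abrupt change in behaviour: ask for more proof
    return "ALLOW"

def login(policy, device_key, challenge, response, last, current) -> str:
    # Authenticate first; only a successful authentication reaches authorization.
    if not authenticate(challenge, response, device_key):
        return "AUTH_FAILED"
    return authorize(policy, last, current)
```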
Zero Trust Security and Usability
Now for the callback to my claim that HYPR empowers Zero Trust. HYPR provides what is typically the highest level of assurance in authentication, as it is based on both PKI and Biometrics. That’s why with HYPR, risk layers are not required. Compared to the 5-step example of a legacy MFA experience I provided above, HYPR worked with the same customer to achieve Zero Trust with True Passwordless MFA into Windows with two steps that are so fast and easy there isn’t enough time to grab that cup of coffee. HYPR’s UX is the following:
- The user selects their workstation on their HYPR Mobile App
- The user provides their biometric and authenticates.
I’m clearly biased; however, HYPR can help customers accelerate and achieve Zero Trust through passwordless authentication. The point of this comparison is to show customers how you can enforce a true Zero Trust model without sacrificing usability.
As security professionals, we and the organizations we serve need to understand the core fundamentals of the framework we implement. You cannot allow marketing or sales professionals to dictate your security posture. I’ve seen enough LinkedIn posts at this point to realize the industry is confusing what is marketing with which solutions truly support a Zero Trust model. Every aspect of a security framework needs to be properly considered, particularly the UX as discussed. Zero Trust may or may not be the right framework for you — it’s not a one size fits all framework. And, it’s important to note that no provider has a complete Zero Trust solution. If it is the right approach for you, there are certainly solutions out there that help you properly achieve it. Read through the noise and you shall find them. Or better yet, try it out yourself first-hand.