It’s an ever-present challenge faced by every security team: finding the right balance between ease-of-use and maintaining the right level of risk management. Never has that challenge been more apparent than with the sudden migration to a remote workforce in the wake of the COVID-19 outbreak.
According to a recent Gallup Poll conducted March 30 to April 2, 2020, the number of remote workers has nearly doubled to 57% as a result of social distancing measures. Such a rapid transition brings inherent workflow disruptions and the potential for reduced productivity, so the question remains: how much should security inconvenience users in their day-to-day work life in order to properly protect corporate systems and data?
The Zero Trust and Zero Touch Balance
While this remains one of the most difficult problems facing security professionals today, the technology and tools required are available, making it possible to balance this security vs. convenience equation during the crisis and beyond. This is good news, because for too long, good security has often come at a high cost where productivity and the end-user experience are concerned.
No one wants security hassles. No one wants to be forced to enter a username and password and then have to answer a handful of security questions and then provide their biometric to perform what should be a simple, low-risk task. Conversely, if security teams make access too easy, then security risks become unmanageable. It shouldn’t have to be this way, but this is a reality we have often faced until now.
What we are really talking about here when we distill the subject down to its essence is finding a balance between Zero Trust and zero touch. How do we know that we can trust someone or something? Traditionally, for the vast number of applications, we have relied on only usernames and passwords to answer that question. Every time a username and password were properly provided at login, that user would be trusted – and they’d be trusted for as long as they continued that session.
Obviously, there are big challenges with this model. Once a threat actor gets access to user credentials, virtually all defenses are nullified. We all know passwords can too easily be guessed in brute-force attacks or stolen via phishing attacks. And even with strong passwords and multi-factor authentication (MFA), once an adversary has access to systems there is little in the way of reauthentication to stop them. This is where a Zero Trust approach is advantageous.
Maintaining Zero Trust Throughout the Enterprise Network
Fortunately, there are issues a Zero Trust approach can remedy within modern infrastructures, and it cuts to the foundations of how modern enterprise software is developed. Today, enterprise software is dependent on hundreds, if not thousands, of third-party software components. It’s difficult for any organization to know if those components are secure, and thus not easily subverted through software exploits used by attackers who, in turn, can install malware within enterprise systems that is designed to steal access credentials.
As of the writing of this post, the Common Vulnerabilities and Exposures (CVE) database contains more than 11,000 addressable software vulnerabilities. At any given time, it’s typical for more than 30% of these vulnerabilities to lack a software patch that remediates the risk they pose.
Over the years, enterprises have taken many steps to mitigate these risks. They’ve added second layers of authentication to their access procedures, such as one-time codes sent via SMS or biometric authentication. Firewall policies and rulesets are typically established to protect systems from attack, alongside the deployment of encryption and other defenses.
While all of these layers of security work to help prevent unauthorized access, they also present obstacles for legitimate users. Despite all these efforts, enterprise data breaches continue to occur at alarming rates. This isn’t just a data security problem, it’s also a business problem. Often, because there is so little trust in the security of new technologies, CISOs and security teams have to put the brakes on new applications, technologies, and other digital transformation initiatives that could have positive business outcomes.
However, thanks to Zero Trust architectures that support zero touch strategies, enterprises no longer have to make choices between security and usability, or security and moving the business forward. It’s now possible to get the balance right. This is even more critical as companies face increased business continuity challenges as a result of the COVID-19 outbreak. Organizations need every productivity and security advantage they can leverage now more than ever.
Zero Touch + Zero Trust = Secure Usability
So, what is Zero Trust? Essentially, it means that users, devices, and applications – anything interacting with an organization’s network – should not be automatically trusted at any time during the interaction. Instead, all interactions need to be constantly vetted through continuous authentication to provide verification on an ongoing basis.
Continuous authentication is all about the contextual features of a transaction where all of the information that is available about a user or device is leveraged to measure the risk of each interaction at every point in the transaction.
That’s because a Zero Trust architecture isn’t based on a one-time act of vetting the user or device with a password and MFA. It’s a dynamic evaluation that takes into account every aspect of the context of the activity, location factors, biometric factors, and more to continuously evaluate for risk – and this is all accomplished passively, without disruption for the user. If an interaction shows an elevated risk level or anomalous characteristics, that user will be asked to provide another factor of authentication or the session will be terminated.
The outcome is that legitimate users engaged in normal activities enjoy nearly effortless access across devices, systems, and data throughout their workday without compromising on security. This is the Zero Trust and zero touch balance.
Zero Trust and Zero Touch in Action
How is this achieved? Consider all of the contextual information that exists regarding users and devices, particularly if they are already known to the network. Real-time analysis of contextual and spatial data is used to validate behavioral and location patterns to continuously generate a risk score that informs adaptive security policies to ensure the best security and compliance posture possible while maintaining a non-disruptive end-user experience.
The risk score continuously determines what level of access should be granted to any particular user, device, or application at any given moment, dynamically applying security controls without negatively impacting user experience and productivity. Continuous authentication can proactively detect anomalous behavior and prevent potentially malicious activity in accordance with an organization's security and regulatory policies instantly on any device anywhere.
What does this look like in practice? It means all of the datapoints mentioned that pertain to a user can be used to evaluate how much risk that user creates within the context of what he or she is trying to do, and then to respond with the appropriate level of security. This way, low-risk transactions (most transactions) can be zero touch and users can work unfettered. When users engage in higher-risk or anomalous conduct, additional risk-aware identity access controls are applied based on these contextual or spatial features.
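The per-request evaluation described above can be sketched as follows. This is an added example, not code from the original post or from any product: the signal names, action names, weights and thresholds are all assumptions chosen for illustration. Every request in a session is scored again, so the same logged-in user can move from zero touch to a step-up prompt to termination.

```python
from dataclasses import dataclass
# Weights, thresholds, action names and signal names are assumed for illustration.
WEIGHTS = {"unknown_device": 40, "new_country": 25, "off_hours": 10, "behavior_anomaly": 30}
SENSITIVITY = {"read_wiki": 0, "download_report": 15, "change_payroll": 45}
STEP_UP, TERMINATE = 40, 80

@dataclass
class Profile:            # what the network already knows about the user
    devices: set
    countries: set
    work_hours: range

@dataclass
class Event:              # one request inside an already authenticated session
    action: str
    device_id: str
    country: str
    hour: int
    behavior_anomaly: bool = False

def risk_score(ev, p):
    signals = {
        "unknown_device": ev.device_id not in p.devices,
        "new_country": ev.country not in p.countries,
        "off_hours": ev.hour not in p.work_hours,
        "behavior_anomaly": ev.behavior_anomaly,
    }
    score = SENSITIVITY.get(ev.action, 20) + sum(WEIGHTS[s] for s, hit in signals.items() if hit)
    return min(score, 100)    # unlisted actions start from a moderate default of 20

def decide(score):
    return "terminate" if score >= TERMINATE else "step_up" if score >= STEP_UP else "allow"

def evaluate_session(events, profile):
    results = []
    for ev in events:         # re-score every request, not just the login
        score = risk_score(ev, profile)
        results.append((ev.action, score, decide(score)))
        if score >= TERMINATE:
            break             # session ends; later requests are never served
    return results

PROFILE = Profile({"laptop-01"}, {"US"}, range(7, 20))   # constructed sample data
SESSION = [
    Event("read_wiki", "laptop-01", "US", 10),
    Event("download_report", "laptop-01", "US", 22),
    Event("change_payroll", "laptop-01", "US", 11),
    Event("download_report", "phone-77", "BR", 3),
]
print(*evaluate_session(SESSION, PROFILE), sep="\n")
```

In this constructed session the first two requests pass silently, the payroll change triggers a step-up prompt on action sensitivity alone, and the off-hours request from an unknown device in a new country ends the session.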
At the same time, security is not wholly dependent on one-time password validations. Even when MFA is employed, authentication is limited to a particular moment in time, and does not provide the advantage that low-to-no touch continuous authentication provides. Continuous authentication is the Zero Trust enabler for a zero touch experience.
We live in a world where we have a tremendous amount of data about our users, the devices, and the networks they use. This data can be leveraged in a way that not only improves security but also improves the daily experience of employees and other authorized users.
When the user is understood to a high degree of certainty to be authorized because of the devices they are using, their location, and other characteristics around how they behave, and even physically handle the device they are using, they can be granted seamless access without the need to continuously authenticate across platforms and applications. This is the Zero Trust and zero touch advantage.