Zero Trust is a powerful foundation for a robust security strategy, but so much has changed lately with the typical enterprise's threat landscape that it's really only the beginning of a comprehensive security approach. The implementation of true continuous authentication is the vital next step, particularly today when a historic number of employees are now working remotely following social distancing measures put in place to combat the spread of COVID-19.
The original concept of Zero Trust was intended to replace current perimeter thinking, but it wasn’t originally envisioned to eliminate perimeter security as much as enhance it. Zero Trust means everything should be robustly authenticated, regardless of user or device. That’s a great start, and continuous authentication is the logical next step.
Why? Because the initial entry into the network is not the only issue. For example, users can use their mobile devices and VPNs to access a sensitive area of the on-prem site, fully authenticated. So far, so good. But by clicking on certain applications, that privileged, tunneled connection can extend to a cloud-based SaaS or external network, and then opening another application can direct the user to yet another external network.
Repeating username/password and multi-factor authentication (MFA) at every one of those jumps would undermine the seamless nature of those transfers from a user-experience and workflow point of view, so often the original authentication is carried over to each new application interaction.
Assuming these sessions never left the mobile device where they originated, nor the VPN tunnel that granted access, presumes a much more static environment than enterprises actually employ today, all of which puts the security of the transactions and the validity of the user at risk.
In addition, with single authentication measures – even if they employ MFA as an extra precaution – there is no guarantee that the user is actually legitimate, and even a legitimate user is for the most part free to engage in unauthorized conduct. Again, addressing these issues is where continuous authentication shines.
The cliché "don't let the perfect be the enemy of the good" is popular for a reason. A robust deployment predicated on a strict Zero Trust approach is objectively better than other enterprise perimeter efforts available today. Yet, that's the point.
Just about any form of perimeter security is pointless on its own given the complex environments enterprises have today, and certainly the environments they'll have in the near future. Perimeter security is still needed, but without additional tripwires on every access point to the network environment, the ability to defend against intruders is paper thin.
Beyond the practical limitations of perimeter defenses – no visibility inside the network or into connected networks, and also no ability to know what users are doing after they are authenticated – there is the simple matter that credentials can be easily stolen.
Consider keystroke-capture malware, sniffing credentials off the network as they head to the perimeter defense, or even simple shoulder-surfing as someone logs into the network while in line at Starbucks. Further, consider the ever-popular social engineering trickery that collects a root password along with its associated superuser privileges. All of these issues make one-time authentication problematic.
Continuous Authentication as the Zero Trust Multiplier
Continuous authentication, on the other hand, examines a range of contextual and spatial factors to continuously validate a user, such as how they interact with their keyboard and mouse, the angle they hold the device, the time of day, the IP address, the nature of the files they are trying to access, etc.
Continuous authentication constantly reauthenticates the user without their even knowing it, so that an approved user can focus on doing their job with minimal interruptions. As an added measure of security, this authentication changes instantly with risky behavior and/or degrades over time until reauthentication is mandated, especially on unmanaged devices.
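As an added illustration that is not from the article, a small Python model of the trust-decay behavior just described: a session score that decays with time (faster on an unmanaged device), drops instantly on risky contextual signals such as a new IP address or a keystroke anomaly, and forces reauthentication when it falls below what the requested action needs. All rates, penalties, thresholds and names here are constructed placeholders, not any product's real parameters.

```python
from dataclasses import dataclass, field

# Constructed, hypothetical parameters: trust starts at 1.0 right after a
# successful MFA login and decays per minute, faster on unmanaged devices.
DECAY_PER_MIN = {"managed": 0.002, "unmanaged": 0.01}
# Instant penalties for the kinds of contextual signals the article names.
PENALTY = {"new_ip": 0.35, "off_hours": 0.15, "keystroke_anomaly": 0.45}
# Each action needs a minimum trust level; sensitive files need more.
REQUIRED = {"read_general": 0.3, "read_sensitive": 0.7}


@dataclass
class TrustSession:
    device: str              # "managed" or "unmanaged"
    start_min: float         # minute at which full authentication happened
    score: float = 1.0
    last_eval_min: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.last_eval_min = self.start_min

    def _decay(self, now_min):
        """Reduce trust for the time elapsed since the last evaluation."""
        elapsed = max(0.0, now_min - self.last_eval_min)
        self.score = max(0.0, self.score - elapsed * DECAY_PER_MIN[self.device])
        self.last_eval_min = now_min

    def observe(self, signal, now_min):
        """Apply time decay, then an instant penalty for a risky signal."""
        self._decay(now_min)
        self.score = max(0.0, self.score - PENALTY.get(signal, 0.0))
        return self.score

    def authorize(self, action, now_min):
        """Return 'allow' or 'reauth' for an action at the given minute."""
        self._decay(now_min)
        return "allow" if self.score >= REQUIRED[action] else "reauth"

    def reauthenticate(self, now_min):
        """A fresh MFA success restores full trust and restarts the clock."""
        self.score, self.last_eval_min = 1.0, now_min


if __name__ == "__main__":
    # Same hour-old session on an unmanaged device: general reads still pass,
    # sensitive reads need a step-up, and a new IP kills the session outright.
    s = TrustSession(device="unmanaged", start_min=0)
    print(s.authorize("read_general", 60), s.authorize("read_sensitive", 60))
    s.observe("new_ip", 60)
    print(s.authorize("read_general", 60))
```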
The net result is improved user authentication that provides protection against credential abuse by unauthorized users, enforcement of privilege limits and security controls for authorized users, and a more seamless workflow that improves user experience and productivity.
If Zero Trust means that no user can be trusted at any point in their interactions with a corporate network or data, that no device – recognized or not – is trusted for a nanosecond longer than is absolutely necessary, and that obstacles to productivity that compel security workarounds can be obviated, then continuous authentication is an obvious Zero Trust force multiplier.