7 strong authentication practices for zero trust

As organizations grapple with protecting data and infrastructure in the era of cloud technology and remote working, Yubico’s Chad Thunberg argues that strong authentication should sit at the heart of zero trust plans.
As organizations grapple with protecting data and infrastructure in the era of cloud technology and remote working, Yubico’s Chad Thunberg argues that strong authentication should sit at the heart of zero trust plans.

Zero trust is built on the principle that organizations should frequently reestablish trust with individuals and devices attempting access to information. It’s a departure from a perimeter protection framework in which gaining access from outside is difficult, but everyone inside is implicitly trusted (or at least trusted more). Such traditional IT network security contributes to the frequency and impact of security events; the model is untenable in most use cases.

Why authentication matters

The rise in high impact incidents and evolving infrastructure should have us all assessing our authentication protocols. Although littered with buzzwords and competing stories based on what vendors are trying to sell, zero trust concepts are compelling. Indeed, our day to day conversations with customers is often focused around supporting their zero trust initiatives. 

With zero trust, it is imperative to establish a strong proof of identity. Every user attempting to access data will have to be authenticated. Every device will have to meet minimum security and health requirements, even if they are known assets. Users should re-authenticate more frequently, so the method should not only be effective, but efficient. 

First, consider how users prove their identity and how much confidence can be placed in the proof. One thing is sure, passwords on their own are not strong enough in the face of techniques attackers currently employ. Neither are passwords particularly user-friendly when we consider storage, length, complexity, and rotation requirements (which is no longer a best practice).

The following best practices should be considered as part of the zero trust journey: 

1. Phishing-resistance

Phishing is commonly used to extract credentials from unwitting targets to gain access to data, systems or applications. Passwords are obviously not resilient to phishing attacks but neither are one-time passwords fully resilient against some attack types. Despite this, research tells us that SMS one-time passcodes (OTPs) and mobile authentication apps are the most popular two factor authentication (2FA) methods. Authentication needs to be phishing-resistant and should work across multiple device types, and support higher security work environments that restrict mobile devices. Solutions that meet all of these criteria and don’t require deployment of client-side software, are ideal!

2. Secure

It goes without saying but the authentication method should be resilient to attack from a capable and persistent attacker. Dedicated and purpose-built devices include hardware security keys. With this form of authentication, users register their key with the applications and devices they use. To log-in, they present the key during the authentication process to prove their identity. Complex cryptographic actions that take place in the background, confirm that the user and service they are connecting to are genuine.

Such strong authentication supports a zero trust approach but even with this, the hardware security device should still be validated. That’s where attestation comes in. It validates that the device comes from a trusted manufacturer and that the access credentials it generates haven’t been cloned.

3. Identity and Access Management

Federated identity enables highly automated centralized management of identity and access management across the enterprise and cloud. Choosing an identity platform that supports FIDO authentication protocols, in addition to OpenID Connect and SAML 2, will enable the use of a strong proof of identity solution across a majority of applications including on-premise, cloud-hosted, and SaaS. The user experience will also improve with the use of single-sign on and reduced password management headache. This in turn should lead to wider adoption with improved security. 

4. Non-user accounts

Securing user accounts is often not enough. Service accounts often rely on static long lived credentials that can end up in source control platforms, network file systems, and on laptops. Asymmetric cryptography with a hardware security module (HSM) mitigates the threat of stolen credentials. HSMs can also provide attestations to increase confidence in where the keypair was generated and of its non-exportable status.

5. Digital signatures

Most organizations are now familiar with digital signing of electronic documents. The same principle can extend to other artifacts such as email, code commits, and software releases. Digital signatures can provide assurances that an authenticated person did the work and provide a means to detect if the work was modified after it was signed. Hardware-based authenticators and HSMs make signing electronically easier and stronger. 

6. Step-up authentication based on risk

Risk-based access control policies based on signals and risk scores protect users and the organization while increasing productivity. It is possible to implement automated controls that increase authentication requirements and expectations about the client endpoint based on the type of information being assessed, the location of the individual, and whether the behaviour deviates from expected patterns. Authenticators that can support a multitude of authentication protocols provide flexibility in the implementation and a gradient of security appropriate for the moment. 

7. Plan towards secure passwordless login

Passwords are vulnerable to compromise. As part of a zero trust framework, organizations can plan towards secure passwordless login for stronger authentication. To achieve this, they will need a consistent authentication framework and should opt for an ecosystem built on open standards such as FIDO2/WebAuthn. These standards pave the way for interoperability.

READ MORE:

Despite the hype, many organizations may struggle with zero trust. This is to be expected; after all, perimeter protection has been the go-to for a long time. However, it takes a different mindset to validate every access attempt instead. A strong starting point is to assess authentication practices and boost these where needed. Shared secrets, such as passwords, are easily stolen or phished. Strong authentication is a cornerstone of zero trust because it ensures that users are properly validated before granting access.

 For more news from Top Business Tech, don’t forget to subscribe to our daily bulletin!

Follow us on LinkedIn and Twitter

Amber Donovan-Stevens

Amber is a Content Editor at Top Business Tech

Choose an AI solution to transform beyond technology

Kit Cox • 09th December 2024

The first step is knowing exactly what your business wants to achieve with AI; think faster, smarter and more efficient. Once you know what you are working towards, you can start looking for a solution that can help you make it a reality. AI integration can feel like a daunting task at the beginning, so...

A Roadmap to Security and Privacy Compliance

John Lynch Director of Kiteworks • 04th December 2024

Only by understanding the current regulatory environment and implementing robust data protection measures, can organisations enhance their security posture, ensure compliance, and build resilience against the latest cyber threats. This article provides a comprehensive roadmap of how to do it.

Data-Sharing Done Right: Finding the Best Business Approach

Bart Koek • 20th November 2024

To ensure data is not only available, but also accessible to those that need it, businesses recognise that it is vital to focus on collecting, sorting and governing all the data in their organisation. But what happens when data also needs to be accessed and shared across the business? That is where organisations discover a...

Nova: The Ultimate AI-Powered Martech Solution for Boosting Sales, Marketing...

Erin Lanahan • 19th November 2024

Discover how Nova, the AI-powered engine behind Launched, revolutionises Martech by automating sales and marketing tasks, enhancing personalisation, and delivering unmatched ROI. With advanced intent data integration, revenue attribution, and real-time insights, Nova empowers businesses to scale, streamline operations, and outperform competitors like 6Sense and 11x.ai. Experience the future of Martech with Nova’s transformative AI...

How E-commerce Marketers Can Win Black Friday

Sue Azari • 11th November 2024

As new global eCommerce players expand their influence across both European and US markets, traditional brands are navigating a rapidly shifting landscape. These fast-growing Asian platforms have gained traction by offering ultra-low prices, rapid product turnarounds, heavy investment in paid user acquisition, and leveraging viral social media trends to create demand almost in real-time. This...

Why microgrids are big news

Craig Tropea • 31st October 2024

As the world continues its march towards a greener future, businesses, communities, and individuals alike are all increasingly turning towards renewable energy sources to power their operations. What is most interesting, though, is how many of them are taking the pro-active position of researching, selecting, and implementing their preferred solutions without the assistance of traditional...

Is automation the silver bullet for customer retention?

Carter Busse • 22nd October 2024

CX innovation has accelerated rapidly since 2020, as business and consumer expectations evolved dramatically during the Covid-19 pandemic. Now, finding the best way to engage and respond to customers has become a top business priority and a key business challenge. Not only do customers expect the highest standard, but companies are prioritising superb CX to...