The seven authentication best practices that support zero trust
By Geoff Schomburgk, Vice President for Australia and New Zealand at Yubico
In 2020, Zero Trust was introduced as a mainstream approach to improve security environments and has continued to be a priority in 2021. Almost all security vendors have been espousing their own alignment with this simple idea, which can at times be complex to implement.
Simply put, Zero Trust means no one from inside or outside the network is trusted.
The Zero Trust approach demands that every person and device provide strict identity verification before accessing network resources, whether or not they are inside the network perimeter. The first step is to establish a user trust framework, and the following seven best practices, if applied, protect a user's access as a foundational element of a Zero Trust architecture.
1. Deploy strong, phishing-resistant authentication
Since March 2020, the Australian Cyber Security Centre (ACSC) has seen an increase in a range of different COVID-19 themed scams, online frauds and phishing campaigns. As Australians continue working remotely, organisations recognise the need to bolster security for user authentication with multi-factor authentication (MFA), but need to consider the following:
Security: Is it a purpose-built security-focused device or one built primarily for communication (a smartphone) and does it provide 100% protection against phishing?
Standardised access: Is the authenticator based on open standards, meaning it will automatically authenticate in a secure fashion across a range of platforms and services?
Deployability: Can the authenticator provide security across multiple devices and work offline across mobile in remote locations, or across shared workstations?
2. Adopt attestation
With Zero Trust, there is no implicit trust in the authenticator. Strong authentication is important but the hardware device itself still needs to be validated to ensure it is not compromised.
Endpoint management is an important component of Zero Trust as phones and computers are susceptible to malware. Attestation enables validation that the authenticator hardware is from a trusted manufacturer and that credentials generated on devices are not cloned.
There are platform authenticators built into devices such as laptops and mobiles, and portable authenticators that are external and carried by users. The best practice is to ensure that the attestation is built-in and certified to the FIDO standard.
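The two checks a relying party performs on the FIDO/WebAuthn side of this, as an added example that is not part of the original article or of any vendor's code: at registration, the authenticator's AAGUID is matched against an allowlist of trusted models (here a constructed placeholder; a real deployment populates it from the FIDO Metadata Service after verifying the attestation certificate chain, which this example omits), and at each later assertion the signature counter must move forward, since a stalled or rolled-back counter is the standard signal that a credential has been cloned.

```python
"""WebAuthn authenticator-data checks: AAGUID allowlist at registration and
signature-counter monotonicity at each assertion (added example, constructed data)."""
import hashlib
import struct
import uuid

# Constructed allowlist; real entries come from FIDO metadata, not from this page.
TRUSTED_AAGUIDS = {
    uuid.UUID("00000000-0000-0000-0000-000000000001"): "Example hardware key (constructed)",
}

def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse the WebAuthn layout: rpIdHash(32) | flags(1) | signCount(4) | [aaguid | credId...]."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    result = {"rp_id_hash": auth_data[:32], "user_present": bool(flags & 0x01),
              "user_verified": bool(flags & 0x04),
              "sign_count": struct.unpack(">I", auth_data[33:37])[0], "aaguid": None}
    if flags & 0x40:  # AT flag: attested credential data follows (registration only)
        result["aaguid"] = uuid.UUID(bytes=auth_data[37:53])
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        result["credential_id"] = auth_data[55:55 + cred_len]
    return result

def check_registration(auth_data: bytes, rp_id: str) -> str:
    """Return the trusted model name, or raise if the authenticator is not allowlisted."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash mismatch: response was not produced for this relying party")
    if parsed["aaguid"] not in TRUSTED_AAGUIDS:
        raise ValueError(f"authenticator {parsed['aaguid']} is not from a trusted manufacturer")
    return TRUSTED_AAGUIDS[parsed["aaguid"]]

def check_assertion_counter(stored_count: int, auth_data: bytes) -> int:
    """Accept only a counter that moved forward (WebAuthn rule); 0/0 means no counter support."""
    new_count = parse_authenticator_data(auth_data)["sign_count"]
    if (stored_count or new_count) and new_count <= stored_count:
        raise ValueError(f"counter {new_count} <= stored {stored_count}: possible cloned credential")
    return new_count

def make_auth_data(rp_id: str, sign_count: int, aaguid: str = None, cred_id: bytes = b"\x01\x02") -> bytes:
    """Build constructed authenticator data for testing (public key omitted; parser ignores it)."""
    flags, body = 0x01 | 0x04, b""
    if aaguid is not None:
        flags |= 0x40
        body = uuid.UUID(aaguid).bytes + struct.pack(">H", len(cred_id)) + cred_id
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count) + body
```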
3. Integrate authentication policies anywhere a user has to enter their credentials
Most organisations use Identity and Access Management (IAM) platforms as core components of Zero Trust. Done right, these platforms deliver a frictionless and secure authentication experience for every user, asset and data interaction, providing a foundation for a Zero Trust strategy.
These solutions can grant access rights, provide single sign-on from any device, enhance security with MFA, enable user lifecycle management and protect privileged accounts.
4. Implement strong authentication for non-user accounts
Non-user accounts that are used to run web-connected devices are vulnerable to compromise as they are often protected with static passwords and have limitations on authentication options. Just as for user accounts, service accounts need to be heavily protected, monitored and properly scoped.
Certificate-based authentication, with the private key held in a hardware security module (HSM), provides strong authentication with no password that can be stolen. The industry best practice is to use security hardware, which comes in sizes ranging from large physical appliances to small USB devices.
5. Sign to prove that it is you over time
Strong authentication is critical to a Zero Trust approach, but how does an organisation know that an authenticated person did the work, and how can that work be attested to over time? In the physical world, a person signs a document with their signature to approve a contract or legal document. In the digital world, it has been possible for quite some time to digitally sign email and electronic documents.
This has been a somewhat cumbersome process in the past, but now with personal authenticators and inexpensive HSMs, signing electronically has become much easier and stronger.
6. Implement risk-based authentication
The Zero Trust framework involves implementing real-time, risk-based access policies driven by signals and risk scores. This framework should give automated controls and decision-makers ready access to application information and to where users are coming from, allowing easy differentiation between account types and device fingerprints.
A strong authentication solution that is hardware-based and highly trusted can elicit a high trust score, allowing for higher privileged access. A trusted strong authentication approach allows for step-up authentication based on risk, thus protecting the user and the organisation while increasing productivity.
7. Plan for a passwordless future
Over the past few years, the term “passwordless” has gained momentum and now it is used by many security, authentication and identity solution providers, each with its own unique nuance. For clarity, it is best to use a broader definition such as: “Passwordless authentication is any form of authentication that doesn't require the user to provide a password at login.”
Achieving secure passwordless login across desktop and mobile and into a wide array of services requires a rich ecosystem and a consistent framework for authentication. Specifically, it takes a rich open standards ecosystem built to achieve security and usability, while also satisfying the need for portability, compatibility and interoperability to scale to the masses.
Organisations in our region can embrace all the roads to passwordless: smart card passwordless, FIDO2/WebAuthn passwordless, or a hybrid approach that combines smart card and FIDO2 passwordless, depending on their business scenarios and their internal infrastructure environment.
When to start the journey
Implementing a Zero Trust framework is a journey and a mindset, supported by a mix of integrated technologies. With the right tools, the transition does not disrupt the user experience or business operations, as long as organisations keep the protection of a user's access at the centre of developing their Zero Trust architecture.