Authentication: Getting Serious about Zero Trust.
Article written by Chase Cunningham, Advisor, Beyond Identity.
The White House Cybersecurity Strategy is a comprehensive plan to improve cybersecurity across all sectors, including government agencies, critical infrastructure, and private industry. The strategy includes several key components, such as modernizing federal IT, securing the nation's critical infrastructure, and promoting cybersecurity workforce development.
This strategy mandates the implementation of a zero trust architecture, and the first stage focuses on IAM and authentication—foundational aspects of zero trust. Without a solid authentication strategy and technology protocols in place, zero trust is not achievable.
Zero trust security assumes all network traffic is potentially malicious, even traffic originating from within the network. This model emphasizes the importance of identity and access management, and authentication plays a critical role in ensuring that only authorized users are granted access to sensitive resources.
Without an effective authentication methodology, the only way to have a zero trust infrastructure is to build a system with no users, no accesses, and no moving data—which obviously is counter to a good digital system.
Authentication and zero trust
At its most basic level, authentication is the process of verifying an entity's identity. That entity can be a person, app, network protocol, or anything that needs to get to something else.
Authentication can occur through a variety of methods (passwords, biometric authentication, and multi-factor authentication [MFA], for example), but it must be done. Organizations need authentication at a scale that demands technology to enable the zero trust strategy. It is impossible to function at the enterprise level with Timmy, the intern, managing access requests on a spreadsheet.
Authentication is necessary to ensure that only authorized users have access to sensitive resources. When an authentication system is integrated into a zero trust environment, it typically requires multiple factors of authentication. This can include something the user knows (such as a password or PIN), something the user has (such as a security token or smart card), or something the user is (such as biometric information like a fingerprint or facial recognition).
The use of multiple factors of authentication significantly increases the difficulty for an attacker attempting to gain unauthorized access to resources, as they would need to compromise multiple authentication factors to be successful. This creates an additional layer of security that can effectively stop breaches in their tracks. A good authentication program, powered by the right technology and aligned with a zero trust strategy, confounds the adversary and empowers the user. Security happens for the user and is happening to the adversary.
ZTX framework to White House Cybersecurity Strategy
Source: CISA Zero Trust Maturity Model 2.0, April, 2023
Speaking more broadly, the DoD has essentially adopted the ZTX framework I authored at Forrester Research. The point of the framework is to help those who adopt it understand that zero trust builds upon itself. The visualization of the framework as a pillar structure is misleading. When the framework was originally published, the graphic was one where the point offerings within a zero trust strategy were inter-operational via automation and orchestration and observed via visibility and analytics.
The real takeaway should be that they must cooperate at the functional level to benefit an organization. That cooperation happens in an integrated, comprehensive policy engine where connections are brokered based on vast amounts of telemetry.
The reason the US Government and DoD are moving forward on their zero trust focus as part of the White House Cybersecurity Strategy can be directly correlated to several studies and reports that show the effectiveness of zero trust security and authentication in systematically preventing breaches. A few of those evidence points are:
- The average cost of a data breach in the United States was $8.64 million. However, organizations that implemented a zero trust security model experienced an average cost savings of $3.58 million per breach (Ponemon Institute).
- 57% of organizations that implemented multi-factor authentication reported zero incidents of phishing attacks, compared to only 28% of organizations that did not use multi-factor authentication (LastPass).
- Well-crafted authentication protocols can prevent 99.9% of account hacks (Verizon).
- Organizations that have an authentication methodology and scalable technology are 99.9% less likely to experience a compromised account (Microsoft).
CISA Zero Trust Maturity Model
If these data points don't get you motivated, maybe a slightly more visual framework will. CISA, dubbed America's Cyber Defense Agency, has introduced their version of the Zero Trust Maturity Model.
One part visual, one part common sense, the framework is designed to help organizations understand where they are today and the steps needed to advance the ball for each dimension.
Source: CISA Zero Trust Maturity Model 2.0, April, 2023
There is plenty to unpack in this model, but let me underscore the essential components that CISA is clearly indicating you must achieve to be protected:
- Continuous. One-time checks were never envisioned to be anything more than that—a single hope-for-the-best approach. Continuous authentication and validation are critical.
- Comprehensive. There is a lot of security telemetry shooting data in and around the authentication process, from EDRs, XDRs, VPNs, ZTNAs, and more. Use it. If you aren't using it, you are exposing your flank.
- Automated. The combination of users, devices, applications, and signals is overwhelming. No human-centered process can hope to keep up, so it's no wonder that most identity-based breaches aren't found until after 100 days of illicit access. Automating the collection, analysis, and action against these data is the only hope.
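As an added illustration (not code from the article, CISA, or any product), the example below makes an access decision on every request by combining the factor categories described earlier (knows, has, is) with the continuous, comprehensive, and automated checks in the list above. The factor names, telemetry sources (`edr`, `ztna`), age thresholds, and the allow/step_up/deny outcomes are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Factor categories from the article: something the user knows / has / is.
FACTOR_CATEGORY = {"password": "knows", "pin": "knows", "security_token": "has",
                   "smart_card": "has", "fingerprint": "is", "face": "is"}
MAX_AUTH_AGE_S = 900     # assumed policy value: re-verify factors after 15 min
MAX_SIGNAL_AGE_S = 300   # assumed policy value: older telemetry counts as stale
REQUIRED_SOURCES = ("edr", "ztna")  # assumed telemetry feeds

@dataclass
class Request:
    user: str
    factors: list      # factor names verified for this session
    auth_age_s: int    # seconds since those factors were verified
    signals: dict      # source -> (healthy, age_s) from security tooling

def decide(req):
    """Evaluate one request; meant to run on every request, not only at login."""
    deny, step_up = [], []
    # Unknown factor names are ignored, so they never count toward a category.
    categories = {FACTOR_CATEGORY[f] for f in req.factors if f in FACTOR_CATEGORY}
    if len(categories) < 2:
        step_up.append("factors cover fewer than two categories")
    if req.auth_age_s > MAX_AUTH_AGE_S:
        step_up.append("authentication is too old")
    for src in REQUIRED_SOURCES:
        healthy, age_s = req.signals.get(src, (None, None))
        if healthy is None:
            deny.append(f"{src}: no telemetry")
        elif not healthy:
            deny.append(f"{src}: reports unhealthy device")
        elif age_s > MAX_SIGNAL_AGE_S:
            step_up.append(f"{src}: telemetry is stale")
    if deny:
        return "deny", deny
    return ("step_up", step_up) if step_up else ("allow", [])

# Constructed sample requests (not real data).
FRESH = {"edr": (True, 20), "ztna": (True, 45)}
SAMPLES = [
    Request("alice", ["password", "security_token"], 120, FRESH),
    Request("bob", ["password", "pin"], 120, FRESH),  # two factors, one category
    Request("carol", ["smart_card", "fingerprint"], 4000, FRESH),
    Request("dave", ["password", "face"], 60, {"edr": (False, 10), "ztna": (True, 5)}),
    Request("erin", ["password", "face"], 60, {"ztna": (True, 5)}),  # EDR feed missing
]

for r in SAMPLES:
    print(r.user, *decide(r))
```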
Authentication is critical
Bottom line: authentication is the one "thing" that touches all components in an enterprise system. Authentication plays a foundational role in zero trust and the White House Cybersecurity Strategy. Because of this, it must be examined along the new axis of excellence laid out by the Zero Trust Maturity Model. The White House is mandating this approach, and I would suggest this is clear evidence your organization should as well, if you want to get to "optimal" now.