Craig Dore, the AsiaPac Field CTO for RSA (one of the pioneers in the world of strong user authentication), says there are several myths and misconceptions about zero trust and how to successfully incorporate it into an organisation’s security strategy.
“Computer security, historically, has made a great assumption around getting through that front door and onto your network. Once you've been checked at the gate you can enter any room in the castle. Zero trust removes the perimeter. It makes no assumptions about who you are or whether you're allowed to have access. Just because you're in the office and you're on a PC does not mean you should get access to that thing.”
Dore says there are three major myths when it comes to zero trust and the importance of authentication and identity management.
“Zero trust is not a product. It is a philosophy or a mindset and an approach to computer security. You cannot do that with a product. You can’t buy a set of products that are going to magically introduce zero trust into the organisation.”
One of the core tenets of zero trust is to “never trust and always verify”, says Dore. Myth number two is that embracing zero trust obviates the need for strong authentication. Dore says it makes strong authentication even more critical, as you will need to confirm identity every single time a resource is accessed.
“You must verify the identity of the person accessing a given resource through a securely delivered means of strong authentication. If you don’t, you’ll end up perpetuating the same problems we’ve always had around social engineering or other exploits that are out there,” says Dore.
The third major myth about zero trust is that access management is less important. But Dore argues that the opposite is true.
“Not only do you need to check authorisation against an entitled application or an entitled user, but you need to do it as quickly as possible by leveraging automation. The notion of access entitlements becomes ever more important in the context of zero trust.”
When automation is successfully implemented, Dore says, organisations will have a very easy mechanism for security staff to always verify every access request. Human security teams can’t handle the minutiae that result from growing numbers of users, devices, entitlements, and environments. Instead, organisations need AI to do the coarse-grained analysis needed to verify every entitlement request and move toward zero trust. Risk engines can assess users’ behaviours and triangulate the potential risk those requests pose by factoring in contextual information: for instance, is the user on the same IP address and device, and logging in at the same time, as they usually do? Risk-based authentication balances security and convenience: it is invisible to most users and accelerates access requests that fall within typical behaviours, while challenging the highest-risk access requests with step-up authentication if the situation warrants it.
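To make the risk-engine idea concrete, here is a small illustrative engine written for this article (not RSA's product or any real vendor code). It assumes a per-user baseline of known devices, usual networks and usual login hours, scores a request on the three contextual signals Dore mentions, and maps the score to allow, step-up or deny; the user, device identifiers, IP ranges and weights are all constructed sample values.

```python
"""Toy risk-based authentication engine (constructed example, not a vendor product)."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Baseline:
    """What 'usual' looks like for one user, learned from past successful logins."""
    known_devices: frozenset          # device identifiers the user has enrolled
    known_networks: tuple             # ipaddress networks the user normally connects from
    usual_hours: range                # local hours in which the user normally logs in


# Constructed sample baseline: one managed laptop, the office /24, logins 08:00-18:59.
BASELINES = {
    "alice": Baseline(
        known_devices=frozenset({"laptop-7f3a"}),
        known_networks=(ipaddress.ip_network("203.0.113.0/24"),),
        usual_hours=range(8, 19),
    ),
}

# Illustrative weights and thresholds; a real engine would tune these from data.
W_UNKNOWN_DEVICE, W_UNFAMILIAR_NETWORK, W_UNUSUAL_TIME = 40, 30, 20
STEP_UP_AT, DENY_AT = 30, 80


def risk_score(baseline, device_id, ip, when):
    """Compare one request with the user's baseline; return (score, reasons)."""
    score, reasons = 0, []
    if device_id not in baseline.known_devices:
        score, reasons = score + W_UNKNOWN_DEVICE, reasons + ["unknown device"]
    addr = ipaddress.ip_address(ip)
    if not any(addr in net for net in baseline.known_networks):
        score, reasons = score + W_UNFAMILIAR_NETWORK, reasons + ["unfamiliar network"]
    if when.hour not in baseline.usual_hours:
        score, reasons = score + W_UNUSUAL_TIME, reasons + ["unusual time"]
    return score, reasons


def decide(user, device_id, ip, when_iso, baselines=BASELINES):
    """Return (decision, reasons). 'allow' is invisible to the user, 'step_up'
    demands a second factor, 'deny' blocks the request outright."""
    baseline = baselines.get(user)
    if baseline is None:                       # never trust: no history means verify
        return "step_up", ["no baseline for user"]
    score, reasons = risk_score(baseline, device_id, ip, datetime.fromisoformat(when_iso))
    if score >= DENY_AT:
        return "deny", reasons
    if score >= STEP_UP_AT:
        return "step_up", reasons
    return "allow", reasons
```

A single off-hours login from the usual device and network stays invisible to the user, while an unknown device alone triggers step-up and all three signals together are denied.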
“The end goal here is to enhance the security and enhance the automation of security controls in your organisation to reduce the risk of threats escalating into attacks and breaches,” says Dore.