Traditionally, the security perimeter formed around a company’s IT resources defined the access permissions given to users. Anyone within the perimeter was trusted and therefore allowed access. Anyone outside the perimeter was untrusted, and special authentication measures were required before allowing access. In practice this meant that anyone working from the office, connected to the corporate network, could easily access IT resources simply because they were inside the security perimeter. Anyone wanting to connect from outside the corporate network (i.e. remote workers) had to establish an authenticated VPN connection into the network to be granted access. Once the VPN connection was established, user permissions were granted as if the user were behind the security perimeter.
For many years this security approach was good enough. But then attacks began to emerge. Most common were attacks on the user passwords used to authenticate remote users. The response was multi-factor authentication that made it a lot more difficult for attackers to steal user credentials.
But attack patterns evolved and attackers found all sorts of ways to infiltrate the security perimeter. Mounting breaches prompted a rethink of how corporate resources should be protected. This is where the trust nothing, verify everything approach proposed by Zero Trust began to take root. The paranoid premise behind Zero Trust assumed that attackers were already inside the security perimeter, with a foothold in the corporate network. This meant that no one could be trusted and every access request needed to be verified.
What is Zero Trust?
Zero trust is a security strategy built on the paranoid concept that every connection and every access request must be verified before granting permission. Because it takes only one bad actor to cause damage across the entire ecosystem, organizations can no longer assume trust across any part of the IT stack. No one is trusted. Every person and every activity is considered hostile until proven otherwise.
Paradoxically, by shifting access controls from the network perimeter to the authentication of individual requests, Zero Trust gives employees, contractors, and other users more freedom to access company resources from anywhere, without the need for a traditional VPN.
User authentication as the new security perimeter
With Zero Trust, user authentication becomes the new security perimeter. The authentication system should therefore deliver a high level of assurance that users are who they claim to be, and enable frequent verification of identities.
High-assurance authentication means that the authentication system is highly resistant to attack, including phishing, man-in-the-middle, and various forms of brute force, so that spoofing an identity requires an extreme effort from attackers. Designing and building a high-assurance authentication system requires the skillful use of provably secure cryptographic algorithms, which makes breaking the authentication system extremely hard and expensive for attackers.
Frequent verification of identities requires an effortless authentication process that will not hold back productivity or run users ragged. Manual entry of data (i.e. a password or one-time code) should be avoided at all costs. Cumbersome procedures for presenting a credential will not be tolerated. Error-prone processes that require multiple retries will not survive user pushback.