It would be ideal if organizations could implement zero-trust security overnight. Unfortunately, they can’t, but they can take numerous incremental steps to improve their authentication and cybersecurity, and their users’ experience.
That was a key takeaway from Wendy Nather, head of the advisory CISO team at Duo Security, which is part of Cisco Systems, who spoke at the CDW Protect SummIT in Phoenix. There are several levels of authentication security, each more granular than the last, that businesses can deploy to enhance their protections, she said.
One way that organizations can smooth the user experience as they move toward zero-trust security models is Web Authentication (WebAuthn for short), Nather said. WebAuthn is a new standard proposed by the FIDO Alliance and the World Wide Web Consortium, and it could mean an end to traditional passwords.
WebAuthn is a set of anti-phishing rules that uses a sophisticated level of authenticators and cryptography to protect user accounts. It supports various authenticators, including physical security keys used today and emerging mobile and biometric technologies such as face recognition or fingerprints, says Dave Camp, vice president of engineering for Firefox at Mozilla. For now, users can sign in to their accounts using external USB-based authentication systems.
Authentication, Nather noted, is neither identity nor authorization. Authentication is how users are validated for a particular session; authorization is the separate determination of what level of access the user should be given.
Authentication is Getting Harder as the Stakes Get Higher
Attackers can capture users’ credentials and appear to be legitimate users. Those attackers can then lead other malicious actors into an organization’s systems. “The stakes have become higher and higher to figure out whether you really are the person who presents the credentials at authentication time,” she said.
Additionally, cloud and mobile technologies make authentication harder. Mostly, Nather said, that is because organizations have been using location as an implicit component of trust. “We have been depending on locations in the back of our head as part of the authentication sequence,” she said. That is because location implies access control, identity, business legitimacy and that the user was previously vetted. However, applications and users can be anywhere now, Nather said.
The ideal security model is zero-trust, but it is difficult to implement, she said. Originally, the model required that organizations should not trust something just because it was inside their firewall. However, Nather said, “it is hard to go into a meeting saying you should never trust anyone.”
Nather advocated for a more incremental approach to enhancing authentication security.
A New Way of Thinking About Authentication
Nather said organizations can take their security through several levels.
On the first level, organizations can route all traffic through a centralized access proxy. That will then help them determine if their users are the right users, and they can pick their factors of authentication. That will allow the organizations to trust a user for a certain period of time. The second factor could be something a user knows, has or is (such as a biometric).
Trust, Nather said, is “neither binary nor permanent.” That is the key issue with firewalls, because if a user comes in from the right IP address, they are trusted. But trust tends to degrade over time. For example, if there is a new exploit, organizations should not trust users as much until they install a software patch that fixes the exploit.
Organizations should also use behavioral analytics to determine if, during a session, a user is behaving as they are expected to.
There are several challenges with implementing a zero-trust model, Nather said, including figuring out how to turn an ideal into a practical reality, as well as how often to reset trust. Another challenge is scoping the cost and effort needed to get buy-in from management, because management will always want to know how much such a solution will cost. Yet another challenge is that security organizations can sometimes be siloed, and they need to work together. Organizations also need to reverse-engineer their current policies and risk assumptions.
Nather said that to overcome those challenges, organizations could, for example, remember devices forever; then, if someone tries to be authenticated on a device that is unknown, they should be blocked.
Organizations can also use an access proxy and put it in front of a service users use all the time, such as email. That will allow IT teams to see which devices users are actually using and allow them to block any untrusted devices.
Another level involves binding users to trustworthy devices. Credentials can be stolen quietly, but a stolen device tends to be noticed quickly, Nather said. Organizations can then prevent a credential from being reused on any endpoint other than the user’s original, approved device.
Beyond that, another level up, organizations can enforce adaptive policies and tell users that if they want to access certain applications, they need to meet specific security policy requirements.
The goal is to get to another level that includes a granular set of policies for each application commensurate to its risk and that delivers a consistent user experience.
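The levels Nather describes (a central access proxy, trust that expires, remembered and user-bound devices, adaptive per-application policy) can be read as a single policy decision made on every request. The following is an added example, not code from Duo, Cisco or the talk: a small policy engine in which trust is a decaying, per-application judgement rather than a yes/no at the firewall. Application names, the numeric patch levels, and the session and device fields are constructed for illustration.

```python
"""Access-proxy policy decision: trust is neither binary nor permanent.

Added example, not from the talk. Times are epoch seconds; patch levels are a
hypothetical monotonic build number."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Device:
    device_id: str
    remembered: bool           # enrolled earlier; unknown devices are blocked
    patch_level: int           # hypothetical build number, higher is newer
    bound_user: Optional[str]  # user the device was bound to at enrollment


@dataclass
class Session:
    user: str
    authenticated_at: int      # epoch seconds of the last authentication event
    second_factor: bool        # whether a second factor was verified at that time


@dataclass
class AppPolicy:
    name: str
    max_session_age: int       # seconds before trust degrades to "re-authenticate"
    require_second_factor: bool
    min_patch_level: int       # raised when a new exploit is published
    remembered_device_only: bool


ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"


def decide(policy: AppPolicy, session: Session, device: Device, now: int) -> Tuple[str, str]:
    """Return (decision, reason) for one request passing through the proxy.

    Hard failures deny outright; degraded trust asks for re-authentication
    instead of silently allowing or silently dropping the request."""
    if policy.remembered_device_only and not device.remembered:
        return DENY, "device is not remembered"
    if device.bound_user is not None and device.bound_user != session.user:
        return DENY, "credential used from a device bound to another user"
    if device.patch_level < policy.min_patch_level:
        return STEP_UP, "device below required patch level"
    if now - session.authenticated_at > policy.max_session_age:
        return STEP_UP, "session trust has expired"
    if policy.require_second_factor and not session.second_factor:
        return STEP_UP, "second factor required"
    return ALLOW, "policy satisfied"


# Constructed per-application policies: stricter as the application's risk rises.
POLICIES: Dict[str, AppPolicy] = {
    "email": AppPolicy("email", 12 * 3600, False, 100, True),
    "payroll": AppPolicy("payroll", 30 * 60, True, 120, True),
}


def run_scenarios(now: int = 1_700_000_000) -> Dict[str, Tuple[str, str]]:
    """Evaluate a handful of constructed requests against the policies above."""
    laptop = Device("laptop-1", remembered=True, patch_level=120, bound_user="alice")
    old_laptop = Device("laptop-0", remembered=True, patch_level=110, bound_user="alice")
    stranger = Device("unknown-1", remembered=False, patch_level=130, bound_user=None)
    fresh = Session("alice", now - 10 * 60, second_factor=True)
    stale = Session("alice", now - 2 * 3600, second_factor=True)
    one_factor = Session("alice", now - 5 * 60, second_factor=False)
    bob = Session("bob", now, second_factor=True)
    return {
        "fresh 2FA to payroll": decide(POLICIES["payroll"], fresh, laptop, now),
        "stale 2FA to payroll": decide(POLICIES["payroll"], stale, laptop, now),
        "stale 2FA to email": decide(POLICIES["email"], stale, laptop, now),
        "single factor to email": decide(POLICIES["email"], one_factor, laptop, now),
        "single factor to payroll": decide(POLICIES["payroll"], one_factor, laptop, now),
        "unpatched device to payroll": decide(POLICIES["payroll"], fresh, old_laptop, now),
        "unknown device to email": decide(POLICIES["email"], fresh, stranger, now),
        "bob on alice's device": decide(POLICIES["payroll"], bob, laptop, now),
    }


if __name__ == "__main__":
    for name, (decision, reason) in run_scenarios().items():
        print(f"{name:30} -> {decision:8} ({reason})")
```

The ordering of the checks is the design point: conditions that indicate misuse (an unknown device, a credential presented from a device bound to someone else) deny outright, while conditions that merely lower confidence (an old patch level, an aged session, a missing factor) trigger a step-up so the user can restore trust rather than being locked out. Raising `min_patch_level` for an application is how the "new exploit, trust less until patched" rule is expressed without touching any other policy.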
Organizations also need to reduce the number of authentication events for users, Nather said, which is where WebAuthn comes in.
“It would be nice if you only had to log in once,” via a tap or a reading of a fingerprint, Nather said.
WebAuthn is built on three principles, she said. Authentication is ideally backed by a hardware security module, which can safely store private keys and perform the cryptographic operations needed for WebAuthn.
Further, a key pair is only useful for a specific origin, like browser cookies. For example, a key pair registered at “webauthn.guide” cannot be used at “evil-webauthn.guide,” mitigating the threat of phishing.
And authenticators can provide a certificate that helps servers verify that the public key did in fact come from an authenticator they trust, not a fraudulent source.
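The origin-binding principle above is enforced on the server side by checks the relying party runs on every assertion: the origin the browser recorded in `clientDataJSON` must be the one the key was registered at, and the `rpIdHash` the authenticator signed must match the relying party's own ID. The following is an added example, not code from the WebAuthn specification, Duo or Mozilla, of those checks with a login at “webauthn.guide” succeeding and the same credential, relayed from “evil-webauthn.guide”, failing. The challenge bytes and the stand-in HMAC signer are constructed for the demo; a real authenticator signs with a hardware-held private key (typically ECDSA P-256) and the relying party verifies with the public key from registration.

```python
"""Relying-party checks on a WebAuthn assertion: a credential registered at one
origin is useless when relayed from a phishing site at another origin."""
import base64
import hashlib
import hmac
import json
import struct
from typing import Callable

FLAG_USER_PRESENT = 0x01


class VerificationError(Exception):
    pass


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def rp_id_hash(rp_id: str) -> bytes:
    # The authenticator scopes each key pair to an RP ID and signs SHA-256(rpId).
    return hashlib.sha256(rp_id.encode()).digest()


def build_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    # Layout: rpIdHash (32) || flags (1) || signCount (4, big-endian).
    return rp_id_hash(rp_id) + bytes([flags]) + struct.pack(">I", sign_count)


def build_client_data(origin: str, challenge: bytes) -> bytes:
    # The browser, not the web page, fills in the origin the request came from.
    body = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    return json.dumps(body).encode()


def signed_message(authenticator_data: bytes, client_data_json: bytes) -> bytes:
    # What the authenticator signs: authData || SHA-256(clientDataJSON).
    return authenticator_data + hashlib.sha256(client_data_json).digest()


def verify_assertion(expected_rp_id: str, expected_origin: str, expected_challenge: bytes,
                     stored_sign_count: int, client_data_json: bytes,
                     authenticator_data: bytes, signature: bytes,
                     verify_signature: Callable[[bytes, bytes], bool]) -> int:
    """Validate one assertion and return the new sign count to store."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        raise VerificationError("wrong ceremony type")
    if client.get("challenge") != b64url(expected_challenge):
        raise VerificationError("challenge mismatch (stale or replayed response)")
    # Origin binding: the browser-reported origin must be the one the key was registered at.
    if client.get("origin") != expected_origin:
        raise VerificationError(f"origin {client.get('origin')!r} is not {expected_origin!r}")
    if authenticator_data[:32] != rp_id_hash(expected_rp_id):
        raise VerificationError("rpIdHash does not match this relying party")
    flags = authenticator_data[32]
    if not flags & FLAG_USER_PRESENT:
        raise VerificationError("user presence not asserted")
    sign_count = struct.unpack(">I", authenticator_data[33:37])[0]
    if (sign_count or stored_sign_count) and sign_count <= stored_sign_count:
        raise VerificationError("sign count did not increase (cloned authenticator?)")
    if not verify_signature(signed_message(authenticator_data, client_data_json), signature):
        raise VerificationError("bad signature")
    return sign_count


# --- Constructed demo ---------------------------------------------------------
# A real authenticator signs with a per-credential private key kept in hardware,
# and the RP verifies with the public key it received at registration. A keyed
# HMAC stands in here so the example runs on the standard library alone; the
# checks above are unchanged by that substitution.
_STANDIN_KEY = b"constructed-demo-key-not-a-real-credential"


def standin_sign(message: bytes) -> bytes:
    return hmac.new(_STANDIN_KEY, message, hashlib.sha256).digest()


def standin_verify(message: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(standin_sign(message), signature)


def run_demo() -> dict:
    """Login at webauthn.guide succeeds; the same credential exercised from
    evil-webauthn.guide fails at the origin check before any signature work."""
    rp_id, good_origin = "webauthn.guide", "https://webauthn.guide"
    challenge = b"constructed-challenge-bytes"
    auth_data = build_authenticator_data(rp_id, FLAG_USER_PRESENT, sign_count=7)
    results = {}
    for origin in (good_origin, "https://evil-webauthn.guide"):
        client_data = build_client_data(origin, challenge)
        sig = standin_sign(signed_message(auth_data, client_data))
        try:
            results[origin] = verify_assertion(rp_id, good_origin, challenge, 6,
                                               client_data, auth_data, sig, standin_verify)
        except VerificationError as exc:
            results[origin] = str(exc)
    return results


if __name__ == "__main__":
    for origin, outcome in run_demo().items():
        print(f"{origin}: {outcome}")
```

Two layers make the phishing case fail. In the browser, a page at evil-webauthn.guide cannot even request a credential scoped to the RP ID webauthn.guide, because the RP ID must belong to the requesting origin; and if a relayed response did reach the server, the origin the browser wrote into `clientDataJSON` is covered by the signature, so the relying party rejects it at the origin comparison, as the demo shows. The sign-count check is the spec's additional guard against a cloned authenticator replaying a counter that has already been seen.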