Zero trust is rapidly becoming a cybersecurity best practice, and to buttress this point, the US National Institute of Standards and Technology (NIST) has now released draft NIST Special Publication 800-207, which sets out what NIST considers to be the fundamental requirements for achieving a "Zero Trust Architecture."
At Plurilock, we've long argued that continuous authentication, which is provided by Plurilock's DEFEND product, is a key to achieving a true zero trust computing environment and ecosystem. This is because:
Without continuous authentication, most of the day is "trusted" time. With traditional authentication practices, user identities are only checked when logins occur. Between logins, while work is actually happening, the system quite simply trusts that the person doing the computing is still the account owner. These periods of work activity, ironically, are precisely when risks are greatest.
Non-continuous authentication technologies require trust by nature. Because continuous authentication identifies users by observing them as they work, it offers an objective evaluation of identity that is not based on trust. Traditional authentication methods like usernames, passwords, or SMS codes, on the other hand, trust that the intended user hasn't chosen weak credentials, or shared or lost their credentials or authentication devices.
Achieving "zero trust" with traditional authentication is impractical. The only remedy to these issues with traditional authentication tools is to authenticate more and more frequently, in more and more draconian ways. These approaches replace actual work time with interruptions and cumbersome authentication flows—yet all without eliminating the "trusted" gaps during which productive work occurs.
In short, our position at Plurilock has long been that only continuous authentication actually enables zero trust, and that without it, the pursuit of zero trust is destined to fall short.
NIST Sounds Familiar Continuous Authentication Refrains
For these reasons, at Plurilock we've been excited to read NIST's latest draft document outlining the practices that enable zero trust. Key parts of the draft, in fact, sound very familiar to us. Consider:
Section 2.1, item 4. One of NIST's six "Tenets of Zero Trust Architecture" calls for access to resources to be determined in part by "network location, previously observed behavior…automated user analytics, device analytics, and deviations from observed usage patterns." These requirements echo the points that we frequently use to describe Plurilock's behavioral biometrics and advanced authentication technologies.
Section 2.1, item 6. Another of NIST's six tenets is that organizations must implement "a constant cycle of access, scanning and assessing threats, adapting, and continuously authenticating" in which "[c]ontinuous monitoring and re-authentication occur throughout the user interaction" to "achieve a balance of security, availability, usability, and cost-efficiency." Call us biased, but we think this sounds an awful lot like Plurilock DEFEND.
Section 3.2. NIST's outline of a trust algorithm for zero trust deployment suggests the use of biometric data, behavior characteristics such as typing rhythm, and locational strategies to establish identity before granting privileges. All of these are long-standing components of Plurilock's advanced authentication technologies.
Section 5.3. NIST notes that with most traditional authentication tools "an attacker with valid credentials (or a malicious insider) may still be able to access resources for which the account has been granted access," adding that the key to solving this problem is the ability to "detect access patterns that are out of normal behavior and deny…access to sensitive resources." At Plurilock, we make the same points about insider threats on a regular basis.
Ultimately, zero trust, NIST argues, "assumes the network is hostile," minimizing access to resources. It grants access only to those who are validated as needing access, all while "continuously authenticating the identity and security posture" of each user and request.
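To make the contrast between login-only trust and per-request trust concrete, here is an added toy trust algorithm in the spirit of NIST's Section 3.2 outline; it is example code written for this post, not Plurilock's product logic or anything NIST publishes. It assumes a constructed typing-rhythm baseline, a constructed trusted-network list, and a three-level resource sensitivity scale, and it re-evaluates every request using behavior (typing rhythm) and network location rather than trusting the session once a login has succeeded.

```python
"""Added example: a toy per-request trust algorithm. Baseline, thresholds,
network ranges and sample requests are all constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed enrolled profile: milliseconds between the owner's key presses.
BASELINE_KEY_INTERVALS_MS = [110, 125, 118, 130, 115, 122, 119, 127]
# Assumption: corporate address ranges treated as a favourable location signal.
TRUSTED_NETWORKS = ["10.0.0.0/8"]


@dataclass
class Request:
    source_ip: str
    recent_key_intervals_ms: list   # observed while the user was working
    resource_sensitivity: int       # constructed scale: 1 (low) .. 3 (high)


def rhythm_deviation(observed, baseline=BASELINE_KEY_INTERVALS_MS):
    """Distance of the observed typing tempo from the enrolled tempo,
    in units of the baseline's standard deviation."""
    sd = pstdev(baseline) or 1.0
    return abs(mean(observed) - mean(baseline)) / sd


def in_trusted_network(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in TRUSTED_NETWORKS)


def trust_score(req):
    """0..100 confidence that the actor is the enrolled account owner.
    Computed for every request, not just at login."""
    score = 100
    # Behavioral signal dominates: large tempo deviations erase most trust.
    score -= min(60, int(rhythm_deviation(req.recent_key_intervals_ms) * 20))
    if not in_trusted_network(req.source_ip):
        score -= 25   # network location, NIST Section 2.1 item 4
    return max(0, score)


def decide(req):
    """allow / step-up / deny, with the bar rising with resource sensitivity."""
    score = trust_score(req)
    required = {1: 40, 2: 60, 3: 80}[req.resource_sensitivity]
    if score >= required:
        return "allow"
    if score >= required - 20:
        return "step-up"   # demand fresh authentication before proceeding
    return "deny"
```

A valid credential alone never earns an "allow" here: a request from an unfamiliar network with a typing tempo far from the baseline is denied even for low-sensitivity resources, which is the "detect access patterns that are out of normal behavior and deny access" idea from Section 5.3 in miniature.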
Zero Trust Comes of Age
Cards on the table, we're excited to hear NIST validating much of what we've said about authentication to date.
Based on NIST's draft document, we continue to believe that behavioral biometrics, advanced authentication, and Plurilock products like ADAPT and DEFEND have a key role to play in enabling organizations to achieve today’s best zero trust environments.
NIST dates the term “zero trust” to a now well-known 2010 Forrester report which noted that "there are no longer trusted and untrusted users," but rather a "new malicious insider reality [that] demands a new trust model."
At the time, practically deployable continuous authentication products didn't yet exist. But that was then.
Today, they do—and Plurilock provides them. With NIST's draft Publication 800-207, zero trust is coming of age, and we'd argue that if continuous authentication isn't on your organization's roadmap yet, it should be. ■