Your “Zero Trust” Company May Be More Trusting Than You Imagine

What do you do when the corporate breach rate skyrockets? You lock things down. More and more tightly.

More breaches? More locks. But even the best locks won’t protect you if the wrong person has the key. © George Becker / Pexels

Thus we arrive at "zero trust," a catchphrase that's been gaining currency over the last several years in cybersecurity circles.

What it's supposed to mean is that your systems act as though everyone is a potential attacker—both inside and outside your security perimeter.

It all sounds very secure.

But as more and more companies have adopted zero trust as policy, in practice it has come to mean a relatively short list of requirements for authentication and related policies:

  • Users must authenticate for more tasks

  • Users must authenticate more often

  • Multi-factor authentication (MFA) is required in each case

Now there's nothing bad about this list per se—it represents a far better approach to security than was the norm a decade ago. But it raises a simple question: is this list actually a "zero trust" authentication policy at all?

Trust of Credentials

The first thing to notice about the authentication practices described above is that they suffer from a problem inherent to most of the authentication technologies in use today: they aren't about people at all. They're about things.

  • Words and secrets (like passwords and passphrases)

  • Codes and numbers (like one-time SMS codes)

  • Devices (like access cards or hardware tokens)

  • Fingerprints or faces (more on this in a moment)

Let's do a thought experiment—a fictional user's first minute at work. We'll call him "Bill."

Today’s open offices make capturing passwords and MFA codes an easy task. © Startup Stock Photos / Pexels

8:00:00 — Bill authenticates a session using SMS-based MFA.

8:00:15 — Bill sets his phone down and leaves for just a minute or two to pour morning coffee. It's early, after all.

8:00:25 — James, next cube over, starts his own login as Bill, entering Bill's password (he's watched over the wall as Bill types it on several occasions). The 8:00:00 code was consumed when Bill used it, so James needs a fresh one, and this login attempt obligingly sends one to Bill's unattended phone.

8:00:40 — James grabs Bill's phone, quickly eyeballs the new SMS code, and puts the phone back.

8:01:00 — James returns to his cube and enters the code.

James is now in Bill's privileged workflow, just like that—all in the first minute of the day.

Why didn't MFA stop this breach from happening? Because the system trusts anyone that provides the right credentials. Or in simpler terms, it trusts the credentials. Is that trust well-placed? Obviously not.

Traditional biometrics—like fingerprints and face scans—are often imagined to be the solution to this problem. Unfortunately, consumer fingerprint scanners in particular have repeatedly been defeated with molded or printed copies of a lifted print; the instructions are all over the web, and the materials are inexpensive and easy to obtain.

Your fingerprint is not you. It also doesn’t change. That’s a risky combination from a security perspective. © 422737 / Canva

Face recognition, including Apple's Face ID, is somewhat stronger. That's good! But for any high-value target worthy of investment, presentation attacks on face recognition (masks and 3D models of the target's face, or attacks on the liveness check) are well documented. It's often not a matter of expertise any longer, just careful grunt work.

This tells us that you can't get to zero trust by trusting things any more than you can get there by trusting people.

Trust Between Logins

Let's move on to the next problem with most current zero-trust authentication policies: most of the time, they're also curiously trusting of people. What do I mean?

Here's a second thought experiment—another fictional user's entire Tuesday morning. This time we'll call her "Alice."

8:00 — Alice authenticates to start a computing session.

8:10 — Alice authenticates again to use a privileged workflow.

8:20 — Alice completes her privileged workflow.

10:00 — Alice is asked to re-authenticate two hours after original login, "for security purposes."

10:15 — Alice authenticates again to use a secondary system.

11:15 — Alice logs out of the secondary system.

12:00 — Alice logs out of her primary session and goes to lunch.

In the space of four hours, Alice authenticates four times: at 8:00, 8:10, 10:00, and 10:15. She's forced to authenticate both to use a sensitive workflow and to use a secondary system, even though in both cases she already holds an authenticated, ongoing session.

A workday is made of time. Lots of it is work time. But remember that any time not spent authenticating is also trusted time. © Pixabay / Pexels

Zero trust, right?

But let's look at the times more closely. From 8:11 to 8:20, for example, the privileged workflow is trusting that the working user is still Alice—the same user that authenticated at 8:10. From 10:16 to 11:15, the secondary system is again trusting that the working user is Alice—the same user that authenticated at 10:15. And so on.

Only at 8:00, 8:10, 10:00, and 10:15—the moments when successful authentication happens—is there any verification of identity at all.

The rest of the morning is pure trust that Alice hasn't stepped away and been replaced by someone else. That trust covers nearly all of the four-hour period.

The Basic Problem

These thought experiments, which are typical of real-life situations, highlight a fundamental difficulty in zero trust environments. To arrive at zero trust in authentication, organizations must achieve two things:

  1. The ability to verify the presence of the person requesting authentication, rather than trusting that a particular code, object, or physical feature always corresponds to that presence.

  2. Continuous, verified awareness of said person's presence, rather than periodic checks with long periods of trust in between them.

Right now, these things can't be achieved with any combination of passwords, passphrases, hardware, or traditional biometric scans. So if your organization relies on such a combination for zero trust, you are not—in fact—a zero trust shop yet. You're trusting:

  • That whoever holds the right credentials is the right person

  • The session, once it's open, regardless of who uses it while it's open

Unlike tokens, phones, or fingerprints, people are dynamic. They move, change, and act. But they do this in unique, recognizable ways. © Guilherme Almeida / Pexels

In short, your organization may be far more trusting in practice than you have imagined it to be in theory.

Behavioral Biometrics

So what's the solution?

What's needed is a technology that can confirm identity more rigorously than a fingerprint or face scan can, and that can do so continuously, throughout entire computing sessions.

Right now, there's only one technology that can deliver zero trust in authentication: behavioral biometrics.

The technology behind behavioral biometrics resolves both of the trust issues outlined above:

  • It doesn't rely on credentials, body parts, or any other static token or object.

  • It can authenticate throughout and behind work sessions, rather than just at the moment they're opened.

By analyzing ongoing micro-patterns and variations in how a user types and moves, behavioral biometrics can confirm identity with far more confidence than credentials or mere body shape can. Like any biometric, the output is a score against an enrolled profile, tuned to a chosen false-accept/false-reject trade-off, rather than a yes-or-no proof; a low score should trigger a step-up challenge or a session lock rather than silently pass.

And because frequent movements continue for as long as computing does, behavioral-biometric solutions can authenticate continuously, eliminating periods of trust between login events.
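To make the two properties above concrete, here is an added illustration that is not Plurilock's code or any product's algorithm: a toy that scores keystroke flight times (the gap between consecutive key presses, one common behavioral signal) against an enrolled profile and re-scores the open session every 20 keystrokes, so that a session taken over mid-way, as in Bill's case, is flagged at the first window typed by someone else. The feature, the window size, the threshold, and the two synthetic typists "Alice" and "James" are all assumptions; the timing data is constructed inside the block.

```python
"""Toy continuous authentication from keystroke timing.

Added illustration, not Plurilock's code. Assumptions (not from the page):
- the only behavioural signal is the flight time between consecutive
  keystrokes, in milliseconds;
- a user's profile is the mean and standard deviation of that flight time
  over an enrolment sample;
- the open session is re-scored every WINDOW keystrokes, and a window whose
  mean absolute z-score exceeds THRESHOLD is treated as "not the enrolled
  user" and should trigger a step-up challenge or a session lock.
"""
import random
import statistics
from dataclasses import dataclass

WINDOW = 20      # keystrokes per scoring window (assumed)
THRESHOLD = 1.5  # mean |z| above which a window is rejected (assumed)


@dataclass(frozen=True)
class Profile:
    mean_ms: float
    stdev_ms: float


def enroll(flight_times_ms):
    """Build a profile from an enrolment sample of flight times."""
    if len(flight_times_ms) < 2:
        raise ValueError("need at least two samples to estimate spread")
    stdev = statistics.stdev(flight_times_ms)
    return Profile(statistics.fmean(flight_times_ms), stdev if stdev > 0 else 1.0)


def score_window(profile, flight_times_ms):
    """Mean absolute z-score of one window against the profile:
    about 0.8 for the enrolled typist (E|Z| of a normal), much higher for others."""
    return statistics.fmean(
        [abs((t - profile.mean_ms) / profile.stdev_ms) for t in flight_times_ms]
    )


def monitor_session(profile, session_ms, window=WINDOW, threshold=THRESHOLD):
    """Score every complete window of the session in order.
    Returns (window_index, score, accepted) tuples; a trailing partial window
    is left unscored until it fills."""
    results = []
    for start in range(0, len(session_ms) - window + 1, window):
        score = score_window(profile, session_ms[start:start + window])
        results.append((start // window, round(score, 3), score <= threshold))
    return results


def first_rejected_window(results):
    """Index of the first failing window, i.e. where a zero-trust policy
    would stop trusting the session; None if every window passed."""
    for index, _score, accepted in results:
        if not accepted:
            return index
    return None


def constructed_demo():
    """Constructed data (not measured): 'Alice' enrols, types 100 keys, then
    'James' types 60 keys at the open, already-authenticated session."""
    rng = random.Random(2024)  # fixed seed so the run is reproducible

    def alice(n):
        return [rng.gauss(110, 15) for _ in range(n)]

    def james(n):
        return [rng.gauss(170, 30) for _ in range(n)]

    profile = enroll(alice(200))
    session = alice(100) + james(60)
    handover_window = 100 // WINDOW  # first window typed entirely by James
    return profile, session, handover_window


if __name__ == "__main__":
    prof, sess, handover = constructed_demo()
    res = monitor_session(prof, sess)
    for idx, score, ok in res:
        print(f"window {idx}: score={score:.3f} {'ok' if ok else 'REJECT'}")
    print("first rejected window:", first_rejected_window(res), "(expected", handover, ")")
```

Real deployments use many features (key hold times, digraph latencies, mouse dynamics) and a tuned classifier rather than one z-score, but the shape of the check is the point: a score that is recomputed throughout the session, and a policy decision (step-up or lock) the moment it drops, so that no stretch of the session is trusted merely because a login happened earlier.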

Getting to Zero Trust

If you're not familiar with behavioral biometrics, you can be forgiven. A decade ago, it was more a matter of research and prototyping than of deployable products.

Today, however, the patents are mature (at Plurilock we hold several of them) and battle-tested solutions are shipping through sales channels. In Plurilock's case, these solutions are able to secure everything from in-perimeter enterprise endpoints to world-facing cloud SaaS applications.

The result? Both instances of credential trust and trust between logins can now be eliminated, once and for all—and this means that zero trust is more achievable today than it has ever been before.

Just don't mistakenly imagine that you've achieved zero trust until you have a behavioral-biometric solution in place. ■


PLURILOCK IS THE LEADER IN ADVANCED AUTHENTICATION

Plurilock is the leader in advanced, risk-based authentication. We provide invisible, device-free MFA for corporate endpoints, Citrix sessions, cloud applications, and their users in finance, healthcare, education, and SaaS.


© 2018 Plurilock. All Rights Reserved. | Plurilock Cage Code L02Z7; DUNS 248484623