Zero Trust Means Zero Trust, Not “Trust All Recognized Users”

Lost in the shuffle of the "zero trust" marketing melee over the last several years is the very basic idea that nobody should be trusted.

Nobody.

Humans make up our teams. They are also why breaches happen. Yes, even the familiar people that we know and work with. © rawpixel.com / Pexels

Yes, many companies today believe themselves to be zero trust companies—but most still make fundamental errors in zero trust authentication practices.

Worse, they lose the thread entirely by doing one simple thing: trusting anyone that can successfully authenticate.

Why Trusting Authenticated Users is Bad

Though the per-study data varies, virtually every study agrees that a double-digit percentage of data breaches today results from insider threats. In many cases, these breaches are caused by previously good employees with authorized credentials that:

  • Decided to become a bad employees

  • Made serious, uncharacteristic mistakes or showed lapses in judgment

  • Silently delegated their access or login to others

Whatever the reason, these kinds of threats are amongst the most worrying for any organization. After all, at least a few employees need at least some regular access to critical systems. Without such access, no work can actually be done.

Yet no amount of credential control can prevent the worst from occurring when a legitimate user—a recognized employee with valid permission and login credentials—does something seriously wrong for the very first time.

Whether that something is willfully malicious, a careless mistake made under unrelated duress, or just cutting corners by having someone else "fill in" for them, the results can be equally catastrophic.

The obvious solution? Stop trusting them. But how might you go about doing this?

Finding the Right Signal in the Noise

To avoid placing trust in legitimate users without leaving them productively hamstrung, what's needed is a technology that can evaluate their ongoing activity in real time and detect things like:

  • Significant changes in mood or agitation level

  • Uncharacteristically careless behavior

  • Valid credentials that are being used by an unintended third party

None of the typical authentication technologies are able to spot these things. In fact, passwords, hardware tokens, mobile SMS codes, fingerprint scans, and other conventional authentication strategies are completely and entirely blind to them.

We can’t continuously scan the brains of active users for brewing trouble. We can, however, observe their movements. © meo / Pexels

The same is true for simple logging or macro-behavioral tracking.

Monitoring the tasks that a user performs or the websites that they visit won't enable you to anticipate the moment at which they suddenly deviate from typical behavior and bring down a critical system, or the moment at which they steal critical data—even if they've been planning an attack for months.

The right signal for this kind of intelligence would capture information about pre-conscious mental states in some way—whether a user is uncharacteristically nervous, for example, or is not in their right mind at the moment, or is indeed not the same mind at all, but actually someone else.

As it turns out, such a signal is available in today's cybersecurity world. Where?

Detecting Strange and Out-of-Character Behavior

Authentication technologies that rely on behavioral biometrics—the technology that we specialize in at Plurilock—are the right kind of signal to address these sorts of risks.

Behavioral biometrics analyzes micro-patterns and variations in user movement in the background, as users work. Recognition is based on a user's evolving typing cadence and unconscious patterns in pointer movement, rather than on passwords, codes, tokens, or fingerprints.

But what does a technology for authenticating users have to do with finding ways to avoid trusting them once recognized?

Work life can lead to stress and unexpected choices. With behavioral biometrics, sometimes the extent of their effects on production systems can be limited. © aekkarak Thongjiew / Dreamstime

In fact, stress, mental incapacitation or intoxication, and the substitution of one user for another all change the characteristic movement patterns that behavioral biometric systems are designed to identify. These changes are often noticed within seconds—and the user in question can immediately be blocked.

Recall the list presented a few paragraphs ago:

  • Significant changes in mood or agitation level (such as when a user is about to commit a crime)

  • Uncharacteristically careless behavior (as might be caused by intoxication or mental incapacitation)

  • The presence of an unintended third party (for example, due to user substitution)

Behavioral biometrics can often spot such cases, and quickly end access because—in a very real and practical way—the user is behaving strangely, and strange behavior and critical systems should never accompany one another.

Plurilock clients report cases of just such detection and rapid remediation in the wild.

Once they get over the surprise, they’re then pleased to know that this kind of protection is possible—and that it's ongoing.

The Right Level of Trust

It’s true that as a fundamentally statistical technology, behavioral biometrics is unable to state with certainty that—for example—a user is intoxicated or up to no good. It's not a breathalyzer or a mind-reader, after all—and for that reason it's not an evidentiary tool.

Enabling free access to needed company resources without ever compromising security is what zero trust ought to be about at the end of the day. © Mwiens / Dreamstime

It is, however, a stunningly good preventative one.

On one hand, it can detect and act astonishingly quickly on slim indications of "odd" behavior. On the other hand, administrators who deploy it can tweak threshold levels to their suit their organization’s own needs.

So it is that Plurilock products in particular offer a way to set an organization's "just-right" level of trust (or, indeed, studied lack of trust) for known users.

For this reason, we argue that products like ours represent the only true path to a deep zero trust implementation—one that doesn't trust users even after they've passed through multiple layers of authentication, yet can maintain this skepticism without preventing everyday work from getting done.

At Plurilock, we think this is what zero trust really ought to mean. ■

Stay informed. Join our low-volume list for news and updates.

PLURILOCK IS THE LEADER IN ADVANCED AUTHENTICATION

Plurilock is the leader in advanced, risk-based authentication. We provide invisible, device-free MFA for corporate endpoints, Citrix sessions, cloud applications, and their users in finance, healthcare, education, and SaaS.

Follow

        

Contact Plurilock

Have a question or comment? 

© 2018 Plurilock. All Rights Reserved. | Plurilock Cage Code L02Z7; DUNS 248484623