Zero Trust has proved itself to be an effective strategic cybersecurity model for the protection of critical data and systems. The system components in a Zero Trust (ZT) architecture, which by default do not trust and deny access requests, and each node of the network or system is authenticated, authorized, and continuously validated as a part of this concept.
Authentication in ZT is a critical challenge since it is the first phase before establishing trust and granting access.
The Need for Authentication in Zero Trust
The legacy tactic for the organizational infrastructure was perimeter security with the incorporation of security controls to protect from unauthorized access. The core aim of this strategy is to protect the internal network and resources from the outside world, however it failed against the internal users and compromised internal systems. With more systems being shifted to the cloud and more employees working remotely, this has diminished the concept of perimeter security, making the traditional controls/models ineffective.
Zero trust is a security model that assumes no connection can be trusted, even if the user or account was previously authenticated. It shields the network by enforcing strong authentication mechanisms at one end and implements micro-segmentation at the other end to ensure threats are not further propagated.
Control & Data Planes in Zero Trust
The zero trust model meticulously manages system trust. These types of networks rely on automation to manage the security control systems, allowing us to build a more dynamic and hardened system. To accomplish this, the control plane and data plane exist.
The control plane is used by Zero Trust components to set up and manage the network. Data Plane is used by applications for business processes. Resource access requests are processed from the control plane, where both the device and user must be authenticated and authorized. The fine-grained policy can be applied at this layer. Access to highly secure resources can further require stronger authentication. If the request is authorized, the control plane signals the data plane to accept the incoming request.
Identities may comprise users, applications, or IoT devices that reside in Zero Trust control plane. When an identity attempts to access a resource, Zero Trust verifies that identity with strong authentication and ensures access is compliant and typical for that identity.
Types of Authentications in Zero Trust
The following types of authentications exist in Zero Trust:
1. User or service authentication: The first aspect of authentication in Zero Trust is to authenticate the user, service or application conclusively to make sure that the entity requesting access is the originally registered entity. Depending on the organizational requirements, there may be space for flexibility in the type of authentication performed to handle both users and services. Since the criticality of all resources is not the same, additional security for situations requiring some type of step-up authentication is needed for more critical resources where Public Key Infrastructure (PKI) , and Multi-Factor Authentication (MFA) are preferred. Authenticated users may also switch between various services accessing different resources, here Single Sign On (SSO) plays an important role.
2. Device authentication: The second aspect of authentication in Zero Trust is to authenticate the device requesting access, since it is as significant as the user or application itself. Another aspect may be the MFA with profiling and posturing of the client device, along with some stronger encryption checks.
The incorporation of Multi-Factor Authentication has increased identity security and authentication to the next level. Increasing the authentication factors required for access to the network increases security and reduces authentication-based attacks.
The categories of authentication factors are:
- Knowledge factors: some data you only know, such as username and password, etc.
- Possession factors: physically something you have, e.g. bank card, One-time Password (OTP) code, smart card, security tokens.
- Inherence factors: something you are, such as fingerprint, face and voice recognition, retina scan, etc.
- Location factors: your living country or area based on IP address, etc.
An effective implementation of MFA is to use various types of authentication factors, for example, implementation of policies to require PIN or biometric. Organizations not only provide seamless UX for employees to access internal systems and resources but also a passwordless solution that achieves higher levels of authentication security.
The use of a single authentication factor more than one time doesn’t guarantee system security. For example, a system that requires only security questions and passwords, both knowledge-based factors, will be less secure than the system that requires OTP codes delivered over your phone along with username or password. Another general principle for MFA is that users should not be able to move on to the second factor without justifying the first factor.
Authentication Logging & Analysis
Zero Trust principles mandate that each authentication attempt, network access request, email transmission, file access activity, etc. is examined and verified for probable malevolent action. Monitoring and data security analytics principal augment in tracking the issue. The differentiation between a legitimate authentication login and a compromised user account is a big challenge, and most tools for this monitoring may generate some false positives.
How a Public Key Infrastructure enables Authentication in Zero Trust
Since the verification of strong digital identities is vital for establishing a ZT infrastructure. The most common and widely used approach for implementing authentication in ZT is to implement a Public Key Infrastructure (PKI) which can provide an inimitable identification (digital certificate, public and private cryptographic keys) to devices, users, systems, apps, etc.
By governing the issuance of digital certificates and adding a cryptographic layer of protection to trusted identities, it safeguards confidential organizational and personal data along with securing end-to-end communications. This approach is directly in line with the zero trust model. PKI can also provision log-in mechanisms and solutions which are the base for identity inside Zero Trust. Identities can be long-term and short-term in the case of users, devices, apps, services, etc. The provision of manual certificates to a large number of identities in a ZT environment is not a viable and scalable solution. Online/automated PKI integration with the ZT environment can solve the problem of immediate identity provision.
About the author
Blog post by Imran Ahmed, an experienced cybersecurity and applied cryptography industry expert, consultant, and writer holding a Ph.D degree in Information Security. He has developed many information security solutions and also has in-depth technical knowledge of current and future trends in Infosec.