Wednesday, September 10, 2025

Zero Trust 2.0 providing balance between security and convenience

Even before the pandemic, it was difficult to safeguard workforce systems and employees from potential breaches and the threat of social engineering. But with many employees having been forced to swap their office workstations for makeshift desks in their homes, a new wave of risks has emerged. No matter where they are in the world, individuals working outside their company network are more vulnerable to attack from fraudsters. A survey from OneLogin found that 30% of remote workers had their online accounts compromised while working from home in 2020, with only 10% changing their passwords as a result.

With the majority of employees working remotely, organisations have had to quickly update processes and policies to protect their organisation from malicious attacks, breaches and confidential information being stolen when employees connect through an unknown network.
Employees are also less likely to stay put every time they connect to their corporate network, whether that is logging in through their personal Wi-Fi or through networks in different locations.
Fraudsters are taking this opportunity to exploit less secure networks, as well as weaknesses in how workers authenticate themselves to obtain access. In a bid to reduce the likelihood of a breach, many organisations have been compelled to review their Zero Trust framework, which until now has been considered the best way to add greater security.

What is Zero Trust?
Whilst Zero Trust itself is not a new concept, it has now become the solution of choice for many organisations. According to a study from Gigamon, over two thirds (67%) of European organisations have adopted it or are planning to adopt it in the next 12 months. The concept of Zero Trust requires authentication at each touchpoint connecting to an organisation’s network, with the primary goal of creating an impenetrable barrier around the organisation. Zero Trust removes the single point of failure in any authentication process because authentication is continuous throughout the user journey and not just at the beginning.

However, any increase in security can bring greater friction, with knock-on effects on costs and productivity. IT staff may spend more time resolving login issues than on strategic projects, and more employees may be locked out of systems due to forgotten credentials while they wait for a resolution.

Since the concept of Zero Trust was introduced, working practices and technology have evolved considerably. So how can organisations build upon the robust principles of Zero Trust?

Zero Trust 2.0
Zero Trust 2.0 provides the same “Fort Knox” style of security but without compromising user experience. By layering passive behavioural indicators over the knowledge-based passwords and the location- or device-based indicators used in a Zero Trust approach, organisations can improve their authentication process without increasing friction.

Passive behavioural indicators, such as the pressure a user exerts when typing or the way they swipe a device, are unique and inherent to an individual. Used in conjunction with data from a user’s device and location, this unique behavioural data helps to positively identify users.

Collecting behavioural biometric data is a passive process which preserves user privacy and does not add extra friction, but does add extra security. These techniques know who the user is, without knowing who the user is, and remove friction for the user.

Making Sure that Zero Trust 2.0 is Compatible
There is a narrative within Zero Trust that if the approach is preventing breaches and malicious attacks, then friction is necessary and acceptable. This mindset is understandable; however, it is important to consider productivity as some users will often try to bypass systems and put more pressure onto the IT teams.

With Zero Trust 2.0 there is no need for unacceptable levels of friction. Many modern devices use some intelligent passive indicators such as fingerprint security, so consumers are already aware of this type of identification and therefore also have an expectation around user experience. How do organisations implement organisational authentication policies to manage a vast distributed workforce?

To be successful, organisations need to adopt a solution that incorporates the following:

1. Utilises Machine Learning – Not all authentication events are created equal. A user authenticating via a PIN on a low-end device will be less secure than a user authenticating on a high-end device via a fingerprint reader. Because of this, IT teams will have to consider all these factors when adopting any solution. An ideal solution would have the ability to gather and analyse broad categories of contextual data that Machine Learning (ML) models can learn as “normal” for an individual. Any authentication attempts that lie outside of the recognised normal can be identified as higher risk and treated in an appropriate manner. Such attempts may require more scrutiny and another step in the authentication process.

2. Provides an Orchestration Layer that Manages Identity and Access Policy – Before orchestration layers, controlling the large and evolving ecosystem of users, devices and applications across multiple locations and channels was very challenging. Fraud is not static and so policies should not be either. An orchestration layer provides one central location to implement and manage policy decisions, giving full visibility of policies and where they are used. Policies can then be tailored according to an organisation’s requirements, for example by channel or activity.
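
The two requirements above can be sketched together as an added example (not code from the article or from any vendor product): a per-user baseline scores each authentication attempt, and one central policy table decides the outcome per activity. A simple z-score stands in for the ML model; every name, weight, threshold and sample value is an assumption constructed for illustration.

```python
from statistics import mean, stdev

# Constructed per-user history: typing intervals (ms), known devices, known countries.
BASELINE = {
    "alice": {
        "key_interval_ms": [182, 175, 190, 178, 185, 181, 188, 176],
        "devices": {"laptop-01"},
        "countries": {"GB"},
    }
}

# Central policy table (the orchestration layer): hypothetical thresholds per activity.
# score >= deny -> deny; score >= step_up -> extra authentication step; else allow.
POLICY = {
    "read_email": {"step_up": 0.5, "deny": 0.9},
    "approve_payment": {"step_up": 0.3, "deny": 0.7},
}

def risk_score(user, event):
    """Combine behavioural, device and location deviation into a 0..1 score."""
    base = BASELINE.get(user)
    if base is None:
        return 1.0  # no learned "normal" for this user: maximum risk
    samples = base["key_interval_ms"]
    z = abs(event["key_interval_ms"] - mean(samples)) / stdev(samples)
    behaviour = min(z / 4.0, 1.0)  # 4 or more standard deviations saturates
    device = 0.0 if event["device"] in base["devices"] else 1.0
    location = 0.0 if event["country"] in base["countries"] else 1.0
    # Assumed weights: behaviour 0.5, device 0.3, location 0.2.
    return round(0.5 * behaviour + 0.3 * device + 0.2 * location, 3)

def decide(user, activity, event):
    """Return 'allow', 'step_up' or 'deny' for one authentication attempt."""
    policy = POLICY.get(activity)
    if policy is None:
        return "deny"  # unknown activity: fail closed
    score = risk_score(user, event)
    if score >= policy["deny"]:
        return "deny"
    if score >= policy["step_up"]:
        return "step_up"
    return "allow"

# Constructed attempt: usual typing rhythm and country, but an unseen device.
new_device = {"key_interval_ms": 183, "device": "tablet-07", "country": "GB"}
print(decide("alice", "read_email", new_device),
      decide("alice", "approve_payment", new_device))
```

The same attempt is allowed for a low-risk activity and sent to step-up authentication for a high-risk one, which is the per-activity tailoring that a central policy layer makes possible.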

Safety in Zero Trust 2.0

When organisations begin to reopen offices, the issue of the expanding attack surface will remain as employees are given the option to continue to work remotely. With business continuity in a precarious position, they have no other choice but to consider adopting technologies that protect their entire organisation and satisfy their employees when it comes to consistent access, convenience, and speed.
Zero Trust provides an adequate approach, but organisations need to balance user experience with security and fraud prevention. There is no point in having formidable security if people attempt to bypass it to have a convenient experience. Zero Trust 2.0 gives organisations the ability to establish a Fort Knox security system with reduced friction, something every employee wants.

Written by: Amir Nooriala, Chief Commercial Officer, Callsign
