This is a guest post by Michael Warnock, Australian head of growth for SecureAuth
Cyber attackers are turning their attention to identity, raising the security stakes for Australian companies forced into rapid digital transformation of their workforce due the Covid-19 pandemic.
Traditional security architectures have been designed before the new era of rapid evolution and no longer provide the secure access requirements for today’s digital business. This means urgent consideration needs to be given to systems that are protecting critical data and assets from unauthorised access, and limiting the threat perimeter to potential cyber attacks.
Raising the stakes further, many organisations are now operating with over 90% of their workers working remotely. And with the continued acceleration of cloud-based services, a new approach to security is urgently required, one that protects the business while providing a positive user experience.
A zero trust approach places users at the centre of the security strategy and enables access to resources based on policies and rules to ensure appropriate permissions are granted at the right time for each unique user to access applications, portals and services.
The following five steps have been designed to assist with the migration to deliver secure access in a zero-trust operating model.
Step 1: Do I know the user?
Understanding the identity of the user attempting to access your systems data and applications is critical.
Usernames and passwords are no longer enough to adequately secure valuable corporate resource. There is a need to move beyond single sign-on and implement multi-factor authentication (MFA) incorporating dynamic adaptive authentication.
Step 2: Have I seen this device before?
Recognising a device being utilised by your users to request access to resources is imperative to assessing risk.
Providing users a self-service capability to easily enrol the devices they wish to use enhances the user experience and reduces the burden on helpdesk teams while maintaining access control and security.
Step 3: Does the device meet my standards?
Confirming the device is pre-approved and meets your security requirements is paramount to the risk assessment. It is essential to ensure each end-point utilised to request access is recognised as belonging to a specific user and the device is up to date with respect to your current security standards.
If the device is not recognised or does not meet the current security standards in place, a unique workflow can be triggered, requiring action by the user to verify the device before the authentication process is continued.
Once the user and devices are affirmed, a workflow can be triggered, enacting a second-factor authentication process that is not a password, such as symbol recognition or biometric credentials, to securely verify the user and present a positive user experience.
Step 4: What is my risk tolerance?
Applying policies based on the user identity device and contextual data ensures a healthy balance between security and the user experience.
Moving beyond MFA and incorporating adaptive authentication adds additional layers of security by implementing risk checks which are contextual in nature. These adaptiveness checks happen unbeknown to the user and are triggered based on results.
The ability to design adaptive authentication workflows and apply each for different user types based on your acceptable level of risk ensures each user is securely accessing resources while experiencing a frictionless authentication process.
Step 5: Should I grant or deny access?
Executing a consistent process for every access request and ensuring compliance with policies and contextual authentication parameters validates establishing a secure connection for users to resources.
No session is ever created for any access request until each step in the authentication process is successfully completed. Once a session is created the identity profile for each user dictates the systems, applications and data which will be available to the user.
Beyond single sign-on, the inclusion of MFA and adaptive authentication policies empowers the business to enable such capabilities like password-less access, therefore confidently ensuring not only a great user experience but also a secure perimeter-less environment.
In any zero trust model, security is a priority, but a balance between this and positive user experience is crucial to the success of any identity and access management program.
Disrupting users to achieve secure access is not an option and the cost of a poor experience may result in lost productivity, poor engagement or the creation of shadow IT putting business at greater risk of attack.