User Authentication in a Zero-trust Environment
This is part 3 in our series on Zero-trust security. To start at the beginning, you can jump to part 1 “What is Zero-trust Security” or head back to part 2 “Network Segmentation in a Zero-trust Environment.”
Establishing a zero-trust environment starts with authentication and identity controls. You need to know if your users are truly validated — are they who they say they are? But validation today can extend far beyond simply verifying a username. In a zero-trust environment, you want to validate usernames as well as user context to better trust authentication.
Have you ever seen a person you know well in a different setting and not recognized them? If you typically see someone at work in the office setting and in work attire, you may not recognize them immediately at a ball game wearing a jersey and a cap. To add to the lack of recognition, imagine you were traveling abroad and thought you saw someone from back home. We expect to see people in their usual setting, but it would catch us off guard to unexpectedly run into them thousands of miles away — especially if we know they are simultaneously back in the states (more on that later). Seeing a close acquaintance performing a behavior we didn’t expect from them can also challenge our recognition. Imagine you and your spouse are out to dinner and you are positive your server looks just like your CEO. It might take a minute to believe what you are seeing — especially if you are physically far from the office.
User authentication in a zero-trust environment works the same way. The network no longer believes someone is who they say they are simply through traditional authentication such as username and password, LDAP (Lightweight Directory Access Protocol), or Active Directory authentication. In zero-trust, we can take into account the device the user is accessing from, their geolocation, and even their behavior before granting access. If a user is logged in from their MacBook Pro in Seattle, Washington and simultaneously tries to connect from their iPhone 11 in Phoenix, Arizona, the network can deny access completely or flag the activity as suspicious. People can’t physically be in two places simultaneously, but depending on the user’s history of access and use of VPNs, this behavior could be deemed legitimate. The point is that the system is aware of far more than just identity. And under certain suspicious conditions, the network may allow access to low-value systems or data while blocking access to high-value data. Tools such as WatchGuard’s AuthPoint have these extra capabilities along with simplifying your MFA (Multi-factor Authentication) implementation.
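The context-aware decision described above, as an added illustration that is not code from the original post or from any WatchGuard product: a small Python policy check that compares a login attempt with the user’s previous session (device, geolocation, timing, VPN history) and returns allow, restrict (low-value systems only) or deny. The coordinates, device names, speed threshold and weights are constructed assumptions.

```python
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt
from typing import List, Optional, Set

@dataclass
class Login:
    user: str
    device: str
    lat: float
    lon: float
    ts: int            # seconds since epoch
    via_vpn: bool = False

def distance_km(a: Login, b: Login) -> float:
    """Great-circle (haversine) distance between two login locations."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

MAX_SPEED_KMH = 900  # assumed ceiling for real travel; faster than this is "impossible travel"
WEIGHTS = {"unknown device": 1, "impossible travel": 2, "impossible travel, VPN use on record": 1}

def risk_factors(prev: Optional[Login], cur: Login, known_devices: Set[str], vpn_history: bool) -> List[str]:
    """Collect the context signals that make this login look unlike the user's normal pattern."""
    factors = []
    if cur.device not in known_devices:
        factors.append("unknown device")
    if prev is not None and prev.user == cur.user:
        hours = (cur.ts - prev.ts) / 3600
        speed = distance_km(prev, cur) / max(hours, 1 / 3600)   # guard against simultaneous logins
        if speed > MAX_SPEED_KMH:
            # Two sessions too far apart in too little time; a VPN on record downgrades it to a flag.
            factors.append("impossible travel, VPN use on record" if (cur.via_vpn or vpn_history)
                           else "impossible travel")
    return factors

def decide(factors: List[str]) -> str:
    """Map the weighted risk score to allow / restrict (low-value only) / deny."""
    score = sum(WEIGHTS[f] for f in factors)
    return "allow" if score == 0 else "restrict" if score == 1 else "deny"

if __name__ == "__main__":
    # Constructed sample: Seattle on a MacBook Pro, then Phoenix on an iPhone 11 ten minutes later.
    seattle = Login("alice", "MacBook Pro", 47.61, -122.33, 1_000_000)
    phoenix = Login("alice", "iPhone 11", 33.45, -112.07, 1_000_600)
    known = {"MacBook Pro", "iPhone 11"}
    for vpn in (False, True):
        f = risk_factors(seattle, phoenix, known, vpn_history=vpn)
        print(f"vpn_history={vpn}: {f} -> {decide(f)}")
```

Run as a script to see the same Seattle/Phoenix case decided both without and with VPN use on record.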
In a zero-trust environment, you back up all of these authentication controls with monitoring and visibility to look further for potential red flags and suspicious activity. You can then identify what you may need to investigate or automatically remediate depending on your policy. Once you have your services, systems, and data segmented and you have strong authentication, you are going to see every time that a user who doesn’t have privilege for something attempts to access it. Attempts like this are a red flag for suspicious activity. Sometimes it’s not actually the person making the unauthorized attempt but a malicious process running on their device. And that’s why you implement zero trust.