One of the biggest problems with digital communication is the illusion that it has taken place with the correct person. Symantec, as a division of Broadcom, believes digital communications are based on trust. Applications trust that the person requesting access or giving commands is actually authorized to do so, but that isn’t always the case. Credentials and legitimate sessions are easily stolen and compromised, which is why the first tenet of Zero Trust is to verify every user and every device requesting access.
So, is authentication the solution to addressing the first tenet of Zero Trust? Yes and no. Authentication plays a critical role in addressing this tenet of Zero Trust, but it is not the whole answer.
Authentication: 2FA or not 2FA…that is the question.
The role of authentication is to positively distinguish a legitimate user from a fraudulent one. For many years, passwords were the de facto standard, and in many areas they are still the preferred method of authenticating users.
Over the years, many new technologies and protocols have been introduced to strengthen the authentication process and address a basic set of challenges:
- How can we make the authentication stronger (more accurately distinguish legitimate users from fraudulent ones)?
- How can we make stronger authentication convenient (easy enough for anyone to use with minimal friction)?
- How can we do this in a cost-effective manner (doesn’t break the bank)?
Multifactor authentication is, of course, the obvious answer, but almost every organization already uses multiple authentication mechanisms. Different applications and resources have different security requirements, and varying the types of login credentials and processes gives organizations flexibility and makes it harder for hackers to penetrate.
Mobile apps, websites, and IoT devices still require users to enter a password more often than any other credential. And while some organizations use a transparent key or token that works under the covers as a second factor, from the end user's perspective they are still just entering a password.
Even so-called “password-less authentication” isn’t password-less. It may be password-less for the organization, which no longer stores passwords, but it is not password-less for the users. So, does this really make the login any more secure?
Real-time Analytics to the Rescue
In 2005, financial institutions pioneered the incorporation of User and Entity Behavior Analytics (UEBA) into the authentication and authorization process. They found that risk analytics provided the balance they were seeking among the competing needs for security, convenience, and affordability.
By analyzing specific data at login or at payment, they could estimate the likelihood that a transaction was legitimate. This contextual risk analysis is now built into most authentication mechanisms and processes, and it has proven just as effective in helping other enterprises decide when to apply stronger authentication to their users.
However, there are fundamental differences between how UEBA has been applied in banking and payments and how it is being applied in other enterprises, and these differences affect the ability to achieve Zero Trust.
In payments, the transaction is an isolated event. When a user enters their card information, the card issuer collects all the relevant data about the transaction, runs its analysis, and determines the risk. In this way, it is very much like an authentication.
There is one huge difference: the payments industry has a secret weapon, and it’s called truth data.
When transactions are deemed fraudulent, they are removed from the customer’s bill. But that is not the end of it. In the background, fraud analysts at the credit card company log into the risk analytics system, pull up this specific transaction, and mark it as fraud. This is truth data. The machine learning being used to create the risk models can leverage this information to become a little smarter.
The authentication process may have access to the same types of information, but it never receives this truth data. This is one area where analytics needs to be improved, because authentication is just a first step. After login, users interact with applications and with one another, and this activity also needs to be monitored and analyzed, because more data is needed to understand usage and behavior patterns.
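As an added illustration of the truth-data loop described above (not Symantec's code or any product's logic), this Python sketch scores a login from contextual signals using assumed static baseline weights, then feeds back constructed fraud/legitimate labels and shows how the same two logins are decided before and after. Signal names, weights, thresholds and the sample labels are all assumed for the example.

```python
import math
from collections import Counter

# Static baseline log-odds per signal, as a system without truth data would use
# (assumed values for illustration, not from any real product).
BASELINE = {"new_device": 0.7, "new_country": 0.5,
            "off_hours": 0.3, "impossible_travel": 1.0}
STEP_UP, DENY = 0.5, 2.0  # assumed decision thresholds on the risk score

class RiskModel:
    """Scores a login from its contextual signals; learns from confirmed outcomes."""

    def __init__(self):
        self.counts = {True: Counter(), False: Counter()}  # per-label signal counts
        self.n = Counter()  # logins seen per label (True = fraud, False = legit)

    def learn(self, signals, is_fraud):
        """Ingest truth data: a login's signals plus its confirmed fraud/legit label."""
        self.counts[is_fraud].update(signals)
        self.n[is_fraud] += 1

    def log_lr(self, sig):
        # Learned evidence log P(sig|fraud)/P(sig|legit); Laplace smoothing makes
        # every signal neutral (ratio 1, log 0) until truth data arrives.
        p_fraud = (self.counts[True][sig] + 1) / (self.n[True] + 2)
        p_legit = (self.counts[False][sig] + 1) / (self.n[False] + 2)
        return math.log(p_fraud / p_legit)

    def score(self, signals):
        # Only observed signals contribute (a common naive-Bayes simplification).
        return sum(BASELINE[s] + self.log_lr(s) for s in signals)

    def decide(self, signals):
        risk = self.score(signals)
        return "deny" if risk >= DENY else "step_up" if risk >= STEP_UP else "allow"

# Constructed truth data: analysts confirmed 8 legitimate and 3 fraudulent logins.
TRUTH_DATA = ([({"new_device"}, False)] * 6 + [({"off_hours"}, False)] * 2
              + [({"new_country", "impossible_travel"}, True)] * 2
              + [({"new_country", "impossible_travel", "new_device"}, True)])

def demo():
    """Decisions for the same two logins before and after truth data is fed back."""
    model = RiskModel()
    new_laptop, travel = {"new_device"}, {"new_country", "impossible_travel"}
    before = (model.decide(new_laptop), model.decide(travel))
    for signals, is_fraud in TRUTH_DATA:
        model.learn(signals, is_fraud)
    return before, (model.decide(new_laptop), model.decide(travel)), model
```

Without labels both logins get the same step-up treatment; once analysts feed back outcomes, the benign new-device login is allowed with no friction while the impossible-travel login is denied.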
Next Steps in Authentication
As users move from on-prem applications to cloud applications, or elevate their access to a privileged account, multiple access management solutions may be protecting their access, but none of these silos share information. To detect and mitigate sophisticated attacks, risk data needs to flow freely across the entire user session and be analyzed in real time, because users and devices are requesting access on a continuous basis.
In today’s world, where users can work from anywhere on any device, enterprises need to adopt a Zero Trust model, and Symantec Zero Trust Security provides the breadth of solutions to address the first pillar of Zero Trust and every other pillar as well.
We encourage you to share your thoughts on your favorite social platform.