Introduction: Our Nemesis – The Password
Since the early days of computing there has been one constant that has held back progress: the password. Whether we love it or hate it, the password has been the de facto standard for authentication, and the thing on which most authorization decisions have ultimately rested. There was a time when cybersecurity as a concept, and digital security breaches along with it, were all but inconceivable, and society as a whole had complete faith that the password would be the ultimate key to securing just about anything.
Fast forward many years, and the opposite is becoming true: the password has become the nemesis of the modern digital world. Not only is it the single most coveted piece of information a would-be cybercriminal can obtain about a potential victim, but the general population now fights against the very security policies that were put in place to protect them.
For example, corporate employees are prone to reusing the same passwords over and over, to sharing them with others, and even to sticking a post-it note containing them to their monitors, a habit that has become affectionately known as the “Post-it Syndrome”. Human beings are creatures of habit. We simply do not wish to change unless we are compelled to, and even then we do so begrudgingly, cherishing the days of comfort when we had something we knew and more or less trusted.
We change with a heavy heart, even after being shown the advantages of a new solution. Probably the best example of this is the password manager. Despite its ability to generate long, unique, complex passwords, to remember them, and in some products to rotate them on a pre-established schedule, companies still struggle to get employees to adopt it. Compelling employees to use a password manager can work in the short term, but in the longer term even this strategy is likely to backfire.
Because of the ever-present threat of cyberattacks, combined with this employee reluctance, many companies have been scrambling for alternatives to replace passwords. Some solutions exist, but the truth of the matter is that none of them is likely to be adopted as a standalone replacement.
Rather, these solutions will be used in conjunction with passwords, as additional factors in what is known as Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA). One architecture that is now evolving to varying degrees, and actually proving successful, is the Zero Trust Framework (ZTF).
Apple, a perennial pioneer in the security space, has started its own endeavor to get rid of the password. At WWDC 2022 it presented Passkeys, unlocked with Touch ID or Face ID. Passkeys are being introduced in macOS Ventura and iOS 16, built on the FIDO2/WebAuthn standards developed with Google and Microsoft through the FIDO Alliance. Under the hood, a passkey is a public/private key pair generated for each app or website: the private key stays on the device, the server stores only the public key, and each login consists of the device signing a fresh challenge from the server. Users log on by selecting a passkey instead of typing a password. Because no secret is stored on the server, a breach of the server's credential database yields nothing that can be replayed as a login, and because the key pair is bound to the site it was created for, a look-alike phishing site cannot obtain a usable signature. According to Apple, this makes passkeys safer than a password with 2FA. Passkeys can be synced across devices (Mac, iPhone, Apple TV) through iCloud Keychain with end-to-end encryption. Google is taking the same approach, as demonstrated at Google I/O in May 2022.
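The Go program below is an added illustration of the passkey exchange just described; it is not Apple's, Google's or the FIDO Alliance's code. It reduces WebAuthn to plain ECDSA over P-256: the authenticator keeps one private key per relying-party ID and only ever signs, the server stores nothing but public keys, and the signed message folds in the site identifier the browser actually observed. The type names, the user "alice" and the domains example.com and examp1e.com are constructed for the example; real WebAuthn assertions also cover authenticator data, a signature counter and a client-data hash, which are omitted here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models the user's device (the platform authenticator behind
// Touch ID / Face ID). It holds one private key per relying-party ID (rpID)
// and never releases it; it only signs.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // rpID -> private key
}

// RelyingParty models a website's server. It stores ONLY public keys, so a
// breach of this table yields nothing an attacker can log in with.
type RelyingParty struct {
	ID    string // the site's own rpID, e.g. "example.com" (assumed)
	users map[string]*ecdsa.PublicKey
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, users: map[string]*ecdsa.PublicKey{}}
}

// Register creates a fresh P-256 key pair bound to rpID and returns the
// public half for the relying party to store.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// signedData is what gets signed: SHA-256 over (SHA-256(rpID) || challenge).
// Folding the rpID in is what makes the assertion origin-bound.
func signedData(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	h := sha256.Sum256(append(rpHash[:], challenge...))
	return h[:]
}

// Assert signs a challenge for the rpID the browser observed. A look-alike
// phishing domain has no matching key, so there is nothing to sign.
func (a *Authenticator) Assert(observedRPID string, challenge []byte) ([]byte, bool) {
	priv, ok := a.keys[observedRPID]
	if !ok {
		return nil, false
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedData(observedRPID, challenge))
	if err != nil {
		return nil, false
	}
	return sig, true
}

// Challenge issues a fresh random nonce per login attempt (anti-replay).
func (rp *RelyingParty) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Enroll stores a user's public key.
func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey) { rp.users[user] = pub }

// Verify checks the assertion against the server's OWN rpID and the
// challenge it issued; it never trusts an rpID supplied by the client.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.users[user]
	if !ok {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedData(rp.ID, challenge), sig)
}

// RunScenarios exercises a legitimate login, a phishing relay from a
// look-alike domain, and a replay of an old signature (constructed data).
func RunScenarios() (legit, phish, replay bool) {
	auth := NewAuthenticator()
	rp := NewRelyingParty("example.com")
	pub, _ := auth.Register(rp.ID)
	rp.Enroll("alice", pub)

	c1, _ := rp.Challenge()
	sig1, _ := auth.Assert("example.com", c1)
	legit = rp.Verify("alice", c1, sig1)

	// Attacker at examp1e.com forwards the real challenge; the browser
	// reports the look-alike rpID, for which no passkey exists.
	c2, _ := rp.Challenge()
	sig2, _ := auth.Assert("examp1e.com", c2)
	phish = rp.Verify("alice", c2, sig2)

	// A captured signature does not verify against a new challenge.
	c3, _ := rp.Challenge()
	replay = rp.Verify("alice", c3, sig1)
	return
}

func main() {
	legit, phish, replay := RunScenarios()
	fmt.Printf("legitimate login: %v, phishing relay: %v, replay: %v\n", legit, phish, replay)
}
```

The design point is where the rpID enters: the authenticator signs over the origin the browser saw, and the server verifies against the origin it is, so the two only line up when the user is really on the legitimate site. The server's table holds public keys only, which is what the "nothing to steal" claim above actually rests on.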
The Premise Of The Zero Trust Framework
The Perimeter Security Approach
As its name implies, the ZTF is one in which nobody is trusted by default, whether in the internal or the external environment. There is no implicit trust here, and in the corporate environment employees are not trusted by virtue of tenure or location. If the approach sounds extreme, that's because it is. It has been designed for the ever-changing dynamics of the modern cybersecurity threat landscape, and at this point our hands are tied.
Previously, many businesses relied upon what is known as “Perimeter Security” (see Figure A below). This is essentially one ring of defense surrounding the entire organization, into which every manner of security technology is incorporated (think firewalls, network intrusion detection devices, routers, and any other security appliance imaginable). The logical fallacy is that because the organization is so well fortified at its edge, it assumes it is totally protected. But what if the cybercriminal actually breaks through this single line of defense? Gaps and weaknesses always persist, even in the most advanced security tools. Once the perimeter has been breached, the cybercriminal has free rein over all of the company's digital assets. In other words, there are no further layers of security, each of which would have reduced the likelihood of the cybercriminal reaching the company's most sensitive information. A company may have deployed 2FA or MFA at the perimeter, but that is not sufficient when the perimeter is the only layer of defense.
This is where the ZTF applies. Not only does it provide the attributes of both 2FA and MFA, it also offers a multi-tiered approach, so that the likelihood of a cybercriminal reaching a company's most sensitive data is drastically reduced.
The Zero Trust Framework Approach
From a semantic standpoint, the best way to define the ZTF is through five core principles:
- Security relies on the assumption that the network, and every user and device on it, may be hostile.
- Threats, both internal and external, exist on the network at all times.
- Locality is not enough for deciding trust in a network.
- Every user and device should be authenticated and authorized.
- Policies must be dynamic and rely on many sources of data.
The ZTF (see Figure B below) does away completely with the notion of one large security perimeter. Instead, the approach is to take a schematic of the entire business and break it down into smaller, more manageable units. Obviously, the area that will come under the heaviest scrutiny is the IT and network infrastructure, since it stores all of a company's digital assets in servers, databases, web applications, and so on. Although these are afforded some protection by 2FA and MFA, the traditional model still falls under the Perimeter Security approach. With the ZTF, a substantial paradigm shift occurs: each key area of the IT and network infrastructure is separated into its own island, surrounded by its own layer of security. To cross that layer, an end user must present three or more authentication factors (for the purposes of this article, we will assume this is the type of MFA used).
For example, the email server, the database server and the web application server could each be their own island. With the ZTF, digital assets are broken down into smaller units that are significantly more manageable to secure, known as “microsegments.” An easy comparison is the creation of subnets within a network, except that in the ZTF scenario the company is segmenting its digital assets with an MFA checkpoint in front of each one. The most distinct advantage of the ZTF is that it prevents lateral movement, or in the worst case greatly slows down the movement of the cybercriminal.
For example, the cybercriminal might be able to breach the first line of defense, but their movements are halted as they continue to encounter additional authentication steps at each island. This is a key tenet of the ZTF. While each island must have MFA, the mechanisms used to confirm the identity of the end user (in the corporate setting an employee, remote worker or contractor) should differ from one another, so that a single stolen credential type does not unlock everything. Types of authentication can include a password, an RSA token or similar hardware token, a biometric modality (which confirms an end user's identity from unique physiological and/or behavioral features), a smart card, and challenge/response questions.
Another key component of the ZTF is that individuals must be constantly verified, because, as mentioned, the concept of standing trust does not exist. After access to one resource has been granted, the same sequence of authentication must be repeated to gain access to another shared resource. Naturally, the pushback from corporate settings is that this repeated authentication can prove time consuming. This is where Privileged Access Management (PAM), a subset of Identity and Access Management (IAM), comes in: once the first set of three or more credentials has been verified, the same credentials can be used, in a different sequence, to gain access to the next shared resource that also requires them.
Another key advantage of the ZTF is that because different authentication mechanisms are in use, the total eradication of passwords becomes theoretically possible. The essence of the ZTF is captured by its slogan: “Never Trust, Always Verify.”
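As an added example, not the article's own code nor any vendor's product, the Go program below models a policy decision point for the islands described in the last few paragraphs and for the five principles listed earlier. Each microsegment declares how many distinct factor types it requires and how fresh each verification must be; device posture and a risk score arrive from separate signal sources; and the source network is deliberately not an input, so being "inside the LAN" buys nothing. Already-verified factors are reused across islands while they are fresh, which is the time-saving reuse the text attributes to PAM. The segment names, time windows, risk thresholds and the sample session are all constructed assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// Factor is one authentication mechanism type. The article's model wants
// several different types per island, not the same one presented repeatedly.
type Factor string

const (
	Password  Factor = "password"
	HardToken Factor = "hardware_token"
	Biometric Factor = "biometric"
	SmartCard Factor = "smart_card"
)

// Segment is one microsegment ("island") with its own policy (assumed shape).
type Segment struct {
	Name            string
	RequiredFactors int           // distinct factor types needed
	FactorMaxAge    time.Duration // a verification older than this must be repeated
	ManagedDevice   bool          // require a managed, compliant device
}

// Verification is one successful factor check and when it happened.
type Verification struct {
	Factor Factor
	At     time.Time
}

// Request is everything the policy engine sees. There is deliberately no
// "source is on the corporate LAN" field: locality is not a trust signal.
type Request struct {
	User            string
	Segment         Segment
	Verified        []Verification // factors already proven in this session
	DeviceManaged   bool           // from the device inventory source
	DeviceCompliant bool           // from the posture/EDR source
	RiskScore       int            // 0-100, from a risk/anomaly source
	Now             time.Time
}

// Decision is allow, step_up (more factors needed) or deny.
type Decision struct {
	Verdict string
	Reason  string
}

// freshDistinct counts distinct factor types verified within maxAge of now.
func freshDistinct(vs []Verification, now time.Time, maxAge time.Duration) int {
	seen := map[Factor]bool{}
	for _, v := range vs {
		if now.Sub(v.At) <= maxAge {
			seen[v.Factor] = true
		}
	}
	return len(seen)
}

// Evaluate is run on every request to every island: no standing trust,
// posture and risk from separate sources, and a factor requirement that
// rises with risk (dynamic policy). Thresholds are assumed values.
func Evaluate(r Request) Decision {
	seg := r.Segment
	if seg.ManagedDevice && !(r.DeviceManaged && r.DeviceCompliant) {
		return Decision{"deny", "device not managed/compliant for " + seg.Name}
	}
	if r.RiskScore >= 80 {
		return Decision{"deny", fmt.Sprintf("risk score %d too high", r.RiskScore)}
	}
	required := seg.RequiredFactors
	if r.RiskScore >= 50 {
		required++ // elevated risk demands one more factor type
	}
	have := freshDistinct(r.Verified, r.Now, seg.FactorMaxAge)
	if have < required {
		return Decision{"step_up", fmt.Sprintf("%s needs %d fresh distinct factors, have %d", seg.Name, required, have)}
	}
	return Decision{"allow", fmt.Sprintf("%s: %d fresh distinct factors", seg.Name, have)}
}

// Scenarios walks one constructed session through several islands and
// returns the verdict for each named case.
func Scenarios() map[string]string {
	now := time.Date(2022, 10, 1, 9, 0, 0, 0, time.UTC)
	email := Segment{"email", 3, 8 * time.Hour, true}
	db := Segment{"database", 3, 30 * time.Minute, true}
	full := []Verification{{Password, now}, {HardToken, now}, {Biometric, now}}
	out := map[string]string{}

	// Employee with three fresh, different factors on a compliant laptop.
	out["email_ok"] = Evaluate(Request{"alice", email, full, true, true, 10, now}).Verdict
	// Same session reaches the database island 10 minutes later: still fresh, no re-prompt.
	out["db_reuse"] = Evaluate(Request{"alice", db, full, true, true, 10, now.Add(10 * time.Minute)}).Verdict
	// An hour later the database island's 30-minute window has lapsed.
	out["db_stale"] = Evaluate(Request{"alice", db, full, true, true, 10, now.Add(time.Hour)}).Verdict
	// Intruder holding only a stolen password is stopped at the next island.
	out["lateral_blocked"] = Evaluate(Request{"alice", db, []Verification{{Password, now}}, true, true, 10, now}).Verdict
	// The same password presented three times is still one factor type.
	out["same_factor_x3"] = Evaluate(Request{"alice", email, []Verification{{Password, now}, {Password, now}, {Password, now}}, true, true, 10, now}).Verdict
	// Unmanaged personal device with all three factors is denied outright.
	out["byod_denied"] = Evaluate(Request{"alice", email, full, false, false, 10, now}).Verdict
	// Elevated risk score: three factors are no longer enough.
	out["risky_stepup"] = Evaluate(Request{"alice", email, full, true, true, 60, now}).Verdict
	return out
}

func main() {
	for name, verdict := range Scenarios() {
		fmt.Printf("%-16s %s\n", name, verdict)
	}
}
```

Two details carry the argument of the surrounding paragraphs: freshDistinct counts factor types, so repeating one mechanism never satisfies an island that asks for three, and the per-island FactorMaxAge is what lets a verified session move from email to the database without re-prompting while still forcing re-verification once the tighter window on the more sensitive island expires.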
Next up: The next article in this series will detail the many advantages of the Zero Trust Framework; it will also explain what factors should be considered before an organization implements this somewhat radical, but reliable, approach.