Back

What is Zero Trust Security and How IPification Fits In

December 18, 2018
4 minutes read
Category: Mobile Identity
Author: Harry Cheung

We are nearly at the end of 2018. A year we can safely say was one of the worst in terms of cybersecurity issues. We’ve seen dozens of high-profile breaches and data leaks involving even some of the biggest tech companies like Facebook and Google, while crypto investors were a constant target for SIM swap attacks that resulted in the theft of their assets worth hundreds of millions of dollars.

The situation is dire, and the most likely solution comes in the form of a zero trust security model.

Trust no one

Zero trust security is not a new term in the cyber-security circles, but it has been gaining traction in the recent months due to the growing number of different attacks and breaches that could have been prevented if tighter security had been put in place.

The term was coined in 2010 by, then Forrester Research analyst, John Kindervag to describe a security concept centered on the belief that organizations should not automatically trust anyone or anything outside or inside its perimeters.  Instead, they must verify every person and every device trying to connect to its systems before granting access, and not only to the system as a whole but also to each individual service within the system.

In the traditional approach, to get into the system you’d be verified once and when the access is granted, further checks were not required. This assumes that those that are inside the perimeters of a system can be trusted to behave in a secure way.

But this assumption – that everything within an organization’s perimeter can be trusted – is outdated, when you think about a new era of sophisticated attacks, new threats, and new ways of connecting to networks. Users, devices, applications, and data are moving outside of the enterprise’s zone of control, which makes the perimeter that needs protecting very complex.

We can easily imagine, a too often seen scenario, where a malicious user successfully enters a system, and once inside starts, for example, stealing user data from a social networking site, or transferring their funds… To protect against these types of situations is why zero trust security is coming into the mainstream.

How zero trust security impacts the real world

It is easy to imagine the benefits of this approach when looking at an e-commerce company or a bank, for example. Their systems are very complex and can be accessed by employees from different departments, but also by end users who need to be able to browse and buy products and to initiate bank transfers.

Different people need to have access to different services, and not be able to use services that are not associated with their roles. This can only be done if verification is done every time a potentially sensitive action is being taken.

To add to complexity – many different devices are being used – from desktop and laptop computers to tablets and smartphones, to interactive kiosks… And most of them are not connecting through the organization's internal network – end-users are on their home Wi-Fi or free Wi-Fi in a coffee shop, and on mobile networks while on the move.

Threats can come from many directions!

Using zero trust security approach seems like a logical step, but when thinking in practical terms – having secure enough checkups at many different steps increases complexity and impacts user experience. And when organizations think about how a new security solution will impact their bottom line, they need to make sure their users don’t start fleeing to a less secure but more user-friendly competitor.

User experience must not be forgotten

And although all the talk about zero trust security might still seem a bit academic, companies are starting to implement this approach.

Probably the most notable example is Google. Their initiative is called BeyondCorp and is aimed at moving access control from the network’s perimeter to individual users and devices. It is still used only internally to create granular access control policies for their cloud platform and G Suite apps, especially for remote users who would traditionally use VPN to access the company’s resources.

Their approach further strengthens the notion that the new security paradigm MUST take user experience and productivity into account. This is why user authentication has to be done in a way that, in the very least, does not prevent from finishing the task they set out to do. But – I have to ask – what if instead of becoming an obstacle, it can speed things up?

Zero trust needs secure mobile authentication

If you are familiar with our solution, by now you already know that IPification is the answer to the above question. But let’s take a step back just for a moment.

In the modern era, accessing systems, internal or public, online shop or a banking app, is happening every day, from any location. And mobile devices are the usual way to do it. This makes mobile authentication become increasingly important. But in the zero trust security model, mobile authentication must be bulletproof!

And the most used mobile authentication methods are just not up to par. With SIM swapping attacks becoming almost a daily occurrence, SMS two-factor authentication can’t be trusted, while header enrichment approach brings great user experience but lacks in security.

Even biometrics is not enough anymore. Not only due to privacy concerns, but also because of technologies that can fake biometric data becoming widely available. And blockchain looks like it might become an answer… sometimes in the future.

This makes IPification the only currently available mobile authentication solution that offers both smooth UX and the highest level of security! Exactly what zero trust approach needs.

What eSIM brings to the table?

I keep envisioning a future where all devices we use are connected to mobile networks, making mobile authentication even more relevant!

So far, that was beyond reality, but with eSIM technology becoming mainstream – it's not anymore.

As with users’ stance towards authentication methods – where they prefer convenience over security – I believe the same will happen with laptops, smart watches, tablets… all becoming fitted with eSIM technology to allow users to be online whenever they want.

Just think about it. Why would users settle for trying to find the nearest Wi-Fi hotspot and also trust their data to be securely sent over someone else’s system, when they can have direct access to the fast, encrypted mobile network everywhere they go?!

We are not far from the moment this will be a reality, and in this new reality, zero trust security approach will need to rely on IPification seamless authentication technology.