Zero Trust Architecture is Not Universal — Create Your Own and Secure It


Modern organizations and service providers today rely heavily on cloud technologies that, coupled with remote employees, make the concept of an inside network perimeter outdated and ineffective.

Do you remember the Firewall?

That ancient form of security was based on the presumption that anything inside the network is to be trusted. It also meant that protection is needed only from parties trying to access the network from the outside. Once you gained access, you’d be good to go.

However, this just won’t cut it today. Attacks can come from anywhere at any time, carried out with the technology each of us has right in our pockets.

A firewall can no longer ensure trust within a network, and trust or lack thereof is precisely the essence of the alternative to the firewall approach: the Zero Trust approach.

What is Zero Trust Security?

We’ve already discussed the Zero Trust approach, but let’s review the basics once more just in case.

Whereas in the age of the firewall a user would gain trust after passing beyond a certain entry point, Zero Trust entails regular checkups, even after the user is inside the network.

No one is to be trusted until proven otherwise — and repeatedly proven otherwise.

To be truly effective, Zero Trust comes hand-in-hand with other security concepts, such as least privilege, micro-segmentation, and context.

Least privilege is the principle of limiting a user's access rights to only those services or resources required for that user to perform their role. This principle was discussed all the way back in 1985 in the Department of Defense Trusted Computer System Evaluation Criteria, which recommended it as a way to keep classified data safe.

Similarly to least privilege, micro-segmentation divides the network into specific areas of isolated nodes, as opposed to a flat system where all nodes can reach each other.

Finally, the idea of context is something we’ve talked about time and time again. Instead of simply relying on username and password, or even more modern authentication methods, Zero Trust relies on the context of the authentication request, examining contextual data about the device, the user, and the environment.
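The three concepts above, combined into one per-request access decision with a re-verification check, as an added example that is not part of the original post. The roles, resources, segments, baseline context and the 15-minute freshness limit are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed policy data; every name below is hypothetical.
ROLE_GRANTS = {"teller": {"accounts-api"}, "dba": {"accounts-db"}}  # least privilege
RESOURCE_SEGMENT = {"accounts-api": "app", "accounts-db": "data"}   # micro-segmentation
SEGMENT_REACH = {"edge": {"app"}, "app": {"data"}}  # source segment -> reachable segments
MAX_AUTH_AGE = 900  # seconds before the user must be verified again (assumed value)

# Constructed baseline of context previously seen for each user.
KNOWN_CONTEXT = {"alice": {"devices": {"dev-1"}, "countries": {"FI"}}}

@dataclass
class Request:
    user: str
    role: str
    resource: str
    source_segment: str
    device_id: str
    country: str
    auth_age: int  # seconds since the last successful verification

def decide(req):
    """Return (decision, reasons); decision is 'allow', 'step_up' or 'deny'."""
    reasons = []
    # Hard failures: being "inside" grants nothing without an explicit grant and path.
    if req.resource not in ROLE_GRANTS.get(req.role, set()):
        reasons.append("least_privilege: role lacks grant")
    dest = RESOURCE_SEGMENT.get(req.resource)
    if dest not in SEGMENT_REACH.get(req.source_segment, set()):
        reasons.append("segmentation: segment cannot reach resource")
    if reasons:
        return "deny", reasons
    # Soft failures: context drift or stale verification triggers a new check-up.
    known = KNOWN_CONTEXT.get(req.user, {"devices": set(), "countries": set()})
    if req.device_id not in known["devices"]:
        reasons.append("context: unknown device")
    if req.country not in known["countries"]:
        reasons.append("context: unusual location")
    if req.auth_age > MAX_AUTH_AGE:
        reasons.append("freshness: verification expired")
    return ("step_up" if reasons else "allow"), reasons
```

The decision is evaluated on every request rather than once at login, so a session that was valid a minute ago can still be sent back for verification when its context changes.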

Sound complicated? This is where IPification fits in.

Implementing a Zero Trust methodology definitely requires a certain level of preparation. In addition to collecting contextual data, you need to customize this methodology according to your needs. Every organization’s security needs are different, depending on their existing architecture, systems, and services.

For instance, a bank and an online forum certainly don’t need the same level of security protocols, from the KYC protocols at the first interaction to the whole Zero Trust system, should it be implemented.

Let’s examine the customization of Zero Trust, which is key to its efficiency as a security solution.

Zero Trust is Not a One-Size-Fits-All Solution

To start with, we’ll assess your existing security protocols, since there’s a chance that some aspects of Zero Trust technology have already been implemented.

You must have received that Gmail alert when logging into your email from abroad — I certainly have. Contextual data, anyone?

Check your current architecture. What is it like? Do you understand what needs to be protected and the way these systems function? What’s your current visibility into the activity of users? Is it enough to gather contextual data?

Once you’ve addressed these questions, you’ll have a much better understanding of what your implementation of Zero Trust protocols could look like.

Google, for example, relies on BeyondCorp, a solution that moves access control from the network’s perimeter to individual users and devices and creates granular access control policies for their cloud platform and G Suite apps. This allows organizations to bypass the need for remote employees to use a VPN to access these internal resources, thus simplifying the Google user experience while still upholding appropriate security levels.

Your solution will most likely be a little bit different, but one thing is certain: your Zero Trust implementation will have to ensure secure authentication checkups that are still up to par with your competitors’ user experience, unless you want to lose your users to them.

What are the Options for Frequent Authentication Checkups?

We’ll explore these options assuming more mobile users than desktop since that’s where we’re all headed. Our economy is going mobile; there were five billion people connected to mobile services in 2017. Over 99% of transactions in Finland are carried out online. These numbers are only predicted to increase.

Now, if you’ve read any of our prior blog posts, you already know what I’m going to propose. But let’s just briefly go over the current authentication options before jumping into the real deal.

SIM swapping has completely eliminated the feasibility of using SMS 2FA as an effective authentication solution. Header enrichment offers a great user experience but extremely disappointing security levels. Hackers have become so sophisticated that technologies for bypassing biometric authentication exist, not to mention the high privacy risks posed by this form of authentication. Blockchain for authentication purposes is still quite far in the future.

So, what does that leave us with?

Well, for starters, if mobile is where it’s at, why not utilize the capabilities of mobile network operators? After all, they do cover the whole market.

IPification authentication relies on the mobile network operator’s existing capabilities to generate a unique mobile ID. It’s based on various mobile network operator data, while still detecting context clues such as device or SIM card data.

The whole process is done seamlessly and continuously in the background, without any actual exchange of data. That’s highly secure, in my book, with impeccable UX to boot.

As such, IPification’s mobile network-based system is the perfect complementary authentication solution for implementing a Zero Trust methodology. Whichever architectural decisions you make when implementing the system, it will fit perfectly.

Your security will only be as good as the lock you choose. Currently, you won’t find any lock better than IPification!
