Implementing zero trust: Time to think beyond identity
Infrastructure-centric security as deployed today divides an enterprise's users into two domains: trusted users on the inside and untrusted individuals on the outside. Security leaders are focused on deploying controls to keep the untrusted individuals out. However, digital transformation and multi-cloud adoption are forcing organizations to rethink the traditional network perimeter. As users, partners, and customers access the organization’s data from anywhere in the world, the artificial wall that protects the data is no longer enough, and inherent trust can’t be part of the security stack going forward.
Zero trust and multi-factor authentication
The paradigm shift in trust has led to the ‘Zero Trust’ security framework, first developed by Forrester Research analyst Jon Kindervag in 2009. The initial framework treated all the network traffic as untrusted and recommended that organizations inspect all the traffic and divide the network into small segments. Since 2009, the framework has evolved into advocating the need for protecting the organization’s data and evaluating access to the data throughout the user and device interaction. In simple words, the core principle of Zero Trust is to “never trust, always verify.”
In the Zero Trust framework, users and their identities play a pivotal role, and organizations must ensure that only authenticated and authorized users and devices can access applications and data. The easiest way to validate the identity of a user is through multi-factor authentication.
A case for thinking beyond identity
Multi-factor authentication strengthens access security by requiring two or more factors to establish identity. These factors can include something you know (a username and password), something you have (a smartphone app that approves authentication requests), or something you are (a fingerprint).
Multi-factor authentication solutions have evolved to include user and device context. Contextual information such as the user’s device, the network used for access, or the geographic location can be used to require users to provide an additional factor to re-verify their identity.
However, using the contextual background alone is still not enough! We have come across incident after incident where insiders with the right access have walked away with sensitive data. A Tesla engineer uploaded Autopilot source code, which cost over $100M and took over five years to develop, directly to his iCloud account to aid a rival company. Members of McAfee's sales team downloaded sales and business strategy data before joining a rival firm.
Understanding the context can help, but it is critical to understand the intent.
Forcepoint’s approach to understanding human behaviour
Forcepoint’s behavioural intelligence not only looks at IT environmental data such as logs, events, HR databases, or physical access control systems, but also draws on an understanding of human behaviour (intent, predisposition, and stressors) together with device context to identify risky users. With privacy in mind, user data is anonymized, and identities that deviate from their normal behavioural patterns receive an elevated risk score.
Forcepoint Technology Alliance ecosystem
Forcepoint user protection solutions can both directly ingest relevant context from identity and access management (IAM) solutions and (optionally) enrich it with user risk information to dynamically enforce policies.
The first two IAM/IDaaS ecosystem partners to integrate with Forcepoint’s Behavioral Analytics are Okta and Ping. These integrations are now available for use. The combined solution delivers enriched visibility into user activities, enhances risk scoring, and enables risk-adaptive authentication policy for joint customers. In the longer term, we’ll also enable customers to drive risk-adaptive authorization to key enterprise resources such as critical data. Stay tuned for exciting developments in this area.
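To make the argument of the earlier MFA/context section and of this integration concrete, here is an added illustration (not Forcepoint, Okta or Ping code) of a risk-adaptive authentication decision: device and network context set the baseline factor requirement, and a behavioural risk score derived from the user's own baseline can force a step-up or a deny even when identity and context look fine. All signal names, weights and thresholds are constructed assumptions.

```python
"""Risk-adaptive access decision: identity plus context sets the baseline,
a behavioural risk score can override it. Weights/thresholds are constructed."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # demand an additional authentication factor
    DENY = "deny"


@dataclass(frozen=True)
class Context:
    """Signals an IAM provider would pass along with the login."""
    user: str
    managed_device: bool
    corp_network: bool
    unusual_location: bool
    factors_verified: int     # factors already satisfied in this session


@dataclass(frozen=True)
class Activity:
    """Constructed per-user activity feed; baseline comes from that user's history."""
    files_downloaded: int
    baseline_downloads: int   # typical daily count for this user
    personal_cloud_uploads: int
    off_hours: bool


def behavioural_risk(a: Activity) -> int:
    """Score 0..100 from deviation against the user's own baseline, not a global rule."""
    ratio = a.files_downloaded / max(a.baseline_downloads, 1)
    score = min(60, int(20 * ratio)) if ratio > 1 else 0   # bulk download vs. normal
    score += 25 if a.personal_cloud_uploads > 0 else 0      # exfil-style channel
    score += 15 if a.off_hours else 0                       # timing deviates from pattern
    return min(score, 100)


def decide(ctx: Context, risk: int) -> Decision:
    """Context decides the baseline factor requirement; behavioural risk overrides it."""
    low_risk_context = ctx.managed_device and ctx.corp_network and not ctx.unusual_location
    required = 1 if low_risk_context else 2
    if risk >= 80:
        return Decision.DENY               # identity verified, but intent looks wrong
    if risk >= 40:
        required = max(required, 2)        # elevated risk forces re-verification
    return Decision.ALLOW if ctx.factors_verified >= required else Decision.STEP_UP
```

The insider case from the article maps to a user on a managed device, on the corporate network, with two factors already verified, whose bulk download and personal-cloud uploads still produce a deny.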