Skip to main content

Why are enterprises transitioning from MFA to zero trust security?

security
(Image credit: Shutterstock / Golden Sikorka)

Zero trust is a new way of thinking about breaches. It says that no person – not even the most important ones -- should be trusted.

In theory, if a user passes an additional barrier for access (e.g., question-answer-based multi-factor authentication), businesses can trust that they are who they claim to be. 

In practice, we know this is not always true.

Hence, zero trust is emerging as a security model in many enterprises and shaking up the status quo in cybersecurity battles. 

Traditional models rely on trust, but all touchpoints in a system (identities, devices, and services) are verified in a zero-trust world. It also means that a user's access is restricted to the data, systems, and applications that are necessary for their job. 

Rightfully so, enterprises reduce the magnitude of security breaches by switching from a trust-based model to one that needs verification.

Identifying the driving force behind zero trust security  

A zero-trust network assumes that users, machines, and even networks have vulnerabilities that malicious attackers could exploit, so no user or machine should be automatically trusted. 

So, what drives zero-trust security? We have identified a few factors:

Least privilege access: A key principle in zero-trust security is least privilege access. By giving users only the minimum level of access required, you minimize exposure. 

Each user has access to less of the network and its data and, therefore, is less likely to damage or disclose sensitive information accidentally.

Micro-segmentation: Zero trust Networks also rely on micro-segmentation to improve security and user productivity. Microsegmentation is the process of dividing security perimeters into small zones so that different sections of the network may have separate access.

For example, in a micro-segmented network, each secure zone is isolated from other zones and has only the minimum permissions required to operate. A user who has access rights to one secure zone will not be able to access data in other secure zones without separate authorization.

Multi-factor authentication: MFA is also a core value of zero-trust security. MFA means that an employee in a corporate network must provide more than one piece of evidence to authenticate themselves before accessing their account.

A commonly used example of MFA are platforms in the banking sector. Users who enable MFA must enter a code sent to another computer, such as a mobile phone, in addition to a password, including two pieces of evidence that they are who they say they are.

Enterprises are transitioning to zero trust in scope and phases 

In the enterprise security industry, zero-trust security is the newest craze. Businesses should either accept it or risk falling behind their competitors. Many who are implementing it are doing so in phases to avoid over-architecting and overspending on their security policy. Here’s how: 

Scope

The initial scope for implementing zero trust in an enterprise should be ideally across employees, partners, and vendors—on applications that they use daily. 

This means that any device (corporate-owned or personal) they access company information on must be centrally managed through a device management system.

Verification of identity

Enterprises may use smart cards to monitor administrative access to servers to start improving security for the environment.

Besides, the increasing use of mobile devices has led to the need for multifactor authentication. MFA began as physical tokens, then moved on to become something that can be controlled with a phone-based challenge (phone-factor), and then to a more modern experience using biometric authentication.

Verification of device

Enrolling devices in a device-management system should be your first step toward device verification. This applies to both company-owned and personal BYOD devices. 

If your organization allows employees to use their personal devices for work, such devices must be enrolled and follow the same device-health policies as company-owned devices.

Verification of Access

Your organization’s security and productivity depend on being able to ensure all your applications are being used by the right users, on the right devices. 

Therefore, on the access front, go for a segmented approach on users and devices across purpose-built networks.  Change employees' default network to the internet and automatically route users and devices to the relevant network segments.

You may also build specialized segments, such as those specifically designed for the various IoT devices and scenarios that your company uses.

Zero trust goes hand in hand with digital transformation 

From a security standpoint, Zero Trust advocates a data-centric and risk-based approach to access management. It offers a combination of data management and technology processes to ensure the integrity of an organization's security posture. 

When properly implemented, it facilitates enhanced levels of compliance, reduces both complexity and operational burden, and removes technological debt for improved mission-focused outcomes.

Today, transformation fuels business growth and a flexible workspace is key to supporting employees’ overall success. 

Therefore, it is imperative for enterprises to adjust to the new way of doing business—to attract and retain successful customers while maintaining a competitively secure advantage. 

Wrapping up 

Enterprises' transition to Zero trust captures the core of what SASE is all about: transforming security and networking for the cloud age, enabling access-from-anywhere, and ensuring data is safe wherever it goes.

Implementing Zero trust principles is the easiest way to provide secure and seamless access to systems from anywhere, anytime, and with any device. Organizations are increasingly adopting Zero trust to manage access to their sensitive data. And it’s working!

Deepak Gupta, CTO and co-founder, LoginRadius