
Zero Trust 2.0: Striking a balance between security and convenience

Wherever they are located, employees working outside their secure company network are more vulnerable to attack from fraudsters. A recent survey conducted by OneLogin revealed that 30 percent of remote workers had their online accounts compromised while working from home in 2020. Despite this, only 10 percent of victims changed their passwords as a result.

During the pandemic, the potential threat of social engineering and breaches has given organizations a lot of headaches. Because of the newly distributed workforce, businesses have had to rush through their digital transformation projects and rapidly upgrade existing processes and policies to safeguard their IT infrastructure – potentially overlooking weaknesses in network security.

One of the benefits of remote working is that it provides workers with added mobility. They can now log in and access their work through their personal Wi-Fi or networks from different locations around the world - there is no need to stick to one place when connecting to the corporate network. The drawback is that fraudsters are exploiting these less secure networks, targeting weaknesses in the technology that employees use to authenticate themselves and so gaining access to confidential information to carry out malicious attacks and breaches and to steal valuable data.

To curb the likelihood of a breach and stop fraudsters in their tracks, most organizations are depending on the Zero Trust framework for improved protection – often considered as the best method to attain greater security.

Zero Trust explained

Although Zero Trust is not a new concept, it has only recently grown in popularity. A recent study from Gigamon found over two thirds (67 percent) of European organizations have already adopted or are planning to adopt it in the next 12 months. Authentication at each touchpoint connecting to an organization’s network is fundamental to Zero Trust – having it in place creates an impenetrable barrier around the organization. Zero Trust’s primary goal is to remove the single point of failure in any authentication process; therefore, organizations need to ensure all of these authentication steps run smoothly and continuously throughout the user journey.

That said, with every extra layer of security there is an opportunity for greater friction. There are inevitably knock-on effects on costs and productivity. For example, IT staff may spend valuable time resolving login issues rather than dedicating their time to more strategic tasks. Or employees who have forgotten their credentials could be locked out of systems, unable to work while they wait for a resolution.

Since Zero Trust was created, everyday life, working practices, and technology have evolved - accelerated by Covid-19. To ensure their security procedures align with this change, what can organizations do right now to build upon the robust principles of Zero Trust?

What is Zero Trust 2.0?

Enter Zero Trust 2.0. The modernized concept offers the same “Fort Knox” level of security as its predecessor without compromising the user experience, so that organizations can improve their authentication process without increasing friction. It works by adding an extra layer of passive behavioural indicators (for example the amount of pressure a user exerts when typing, or the way they swipe a device) over existing knowledge-based passwords, and location- or device-based indicators.

Passive behavioural indicators are unique and inherent to an individual, which makes them ideal for use in conjunction with data from a user’s device and location. This unique behavioural data helps organizations to positively identify users.

It is important to note that the collection of behavioural biometric data is a passive process, which protects user privacy, limits unnecessary friction, and adds extra security. Together, these allow IT teams to know the user is who they say they are.

Ensuring maximum compatibility

When discussing what it means to provide a seamless user experience, it is often said that extra friction should be minimized. However, there is an unspoken rule within Zero Trust that states if the approach is preventing breaches and malicious attacks, then friction is necessary and acceptable. This narrative is all well and good, but organizations must also consider productivity as some users will inevitably attempt to bypass systems and put more pressure on the IT teams.

This is where Zero Trust 2.0 can help because it does not require unacceptable levels of friction. Consumers are already aware of intelligent passive identification, such as fingerprint security, because this is built into most modern devices. There is, therefore, an established expectation around user experience. The real question, though, is how organizations take this model and implement authentication policies across a vast distributed workforce.

There are a few things to look out for when searching for the perfect solution:

  • Machine learning capabilities – Authentication events are not all the same. For instance, a user authenticating via a PIN on a low-end device will be more at risk compared to a user authenticating on a high-end device via a fingerprint reader. All these different factors need to be considered when IT teams are choosing a solution to adopt. An ideal choice would therefore be able to gather and analyze broad categories of contextual data that Machine Learning (ML) models can learn as “normal” for an individual. As a result, any authentication attempts outside of recorded normal behaviour can be identified as higher risk and treated in the appropriate manner, which may require more scrutiny and further authentication procedures.
  • Orchestration Layer – In the past, it would have been very difficult to control the large and evolving ecosystem of users, devices, and applications across multiple locations and channels – as there were no orchestration layers. Orchestration provides a centralised location to implement and manage policy decisions, which offers full visibility of policies and where they are used. Fraud comes in different shapes and forms, so policies should not be static either: organizations can tailor them (for example by channel or activity) according to specific needs.
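
The two capabilities above, combined in an added example (not code from the article or from any vendor product): each login is scored by how far a passive typing indicator deviates from that user's own "normal", and a central per-channel policy table turns the score into allow, step-up or deny. The key-hold feature, the z-score standing in for an ML model, the weights, thresholds, channel names and sample history are all assumptions.

```python
from dataclasses import dataclass
from statistics import mean, stdev

# Assumed base risk per (authentication method, device class); values are illustrative.
METHOD_RISK = {("pin", "low_end"): 0.4, ("pin", "high_end"): 0.3,
               ("fingerprint", "low_end"): 0.2, ("fingerprint", "high_end"): 0.1}
# Orchestration: one central table of (step_up_at, deny_at) thresholds per channel.
POLICIES = {"vpn": (0.4, 0.8), "payroll": (0.25, 0.6)}
# Constructed sample history: past mean key-hold times (ms) recorded for each user.
BASELINES = {"alice": [102, 98, 105, 99, 101, 97, 103]}

@dataclass
class Attempt:
    user: str
    channel: str
    method: str
    device_class: str
    known_device: bool
    key_hold_ms: float  # passive behavioural indicator captured during login

def behaviour_risk(history, observed):
    """Deviation from the user's own baseline, scaled to 0..1 (capped at 3 sigma)."""
    if len(history) < 5:
        return 1.0  # no usable baseline yet: treat behaviour as unverified
    mu, sigma = mean(history), stdev(history)
    return min(abs(observed - mu) / max(sigma, 1e-6) / 3.0, 1.0)

def risk_score(attempt, baselines=BASELINES):
    behaviour = behaviour_risk(baselines.get(attempt.user, []), attempt.key_hold_ms)
    method = METHOD_RISK[(attempt.method, attempt.device_class)]
    device = 0.0 if attempt.known_device else 0.3
    return min(0.6 * behaviour + method + device, 1.0)

def decide(attempt, baselines=BASELINES):
    step_up_at, deny_at = POLICIES[attempt.channel]
    score = risk_score(attempt, baselines)
    if score >= deny_at:
        return "deny"
    if score >= step_up_at:
        return "step_up"  # ask for a further authentication factor
    return "allow"

if __name__ == "__main__":
    odd_typing = Attempt("alice", "vpn", "fingerprint", "high_end", True, 140.0)
    print(decide(odd_typing))                       # same attempt, VPN policy
    odd_typing.channel = "payroll"
    print(decide(odd_typing))                       # same attempt, stricter channel
```
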

Safety comes first

The UK government has recently announced its roadmap out of the current lockdown and some organizations are already in discussions to reopen offices, but the issue of the increasing attack surface will remain as many employees will continue to work remotely. Business continuity and the future of work remain precarious. To be as prepared as possible, organizations should adopt technologies that not only safeguard their entire organization but also satisfy their employees when it comes to consistent access, convenience, and speed.

This is what makes Zero Trust 2.0 such a viable solution – it not only balances user experience with security and fraud prevention, but also empowers organizations with the ability to establish a Fort Knox security system with minimised friction and have the best of both worlds.

Amir Nooriala, Chief Commercial Officer, Callsign

Amir Nooriala is Chief Commercial Officer at Callsign. He joined Callsign from OakNorth. Before joining OakNorth he held positions at Barclays, Accenture and Cisco Systems.