Zero Trust Myth Series: Keep Users at the Forefront of Your Security Approach

Friction is the enemy of cybersecurity. Tools and approaches that make it more difficult for users to do their jobs turn security solutions into impediments, digital stop signs in an era when business leaders are demanding agility.

For organizations implementing a Zero Trust approach, the subject of user experience should not be far from mind. As the number of employees and devices accessing the network grows, the more critical it is for the process of accessing different network zones and applications to be as seamless as possible. This fact applies to customer identities as well, perhaps even more so. Customers are likely to rebel against applications that require multiple password entries or the incessant reentering of personal information.

In the face of this reality, today’s authentication solutions have evolved with an eye toward usability, making the fifth and final myth in this series—Zero Trust creates poor user experiences—well, just a myth.

Making Security an Enabler
Fifteen years ago, Zero Trust would have been much less attractive to implement. At the time, multi-factor authentication might have required receiving a one-time password by email that then had to be manually typed into the Web interface of whatever application or service the user was trying to access. Today, that same step can be completed by the user simply pressing a button on their smartphone.

The growth of risk-based authentication technologies has made Zero Trust adoption more attractive as well. Decisions about the number and type of challenges users receive when attempting to access certain services and applications are based on several risk-related factors. These factors include details such as the time of the access attempt and the geographical location of the user making the request. If, for example, employee A suddenly makes an access attempt from an unusual location, that attempt can be flagged and trigger a prompt for additional authentication.

This type of policy enforcement is enabled by risk-based authentication supported by machine learning technology and analytics. The combination of these three elements allows organizations to assess a request based on its context and make a decision grounded on real-time information. The result is a Zero Trust approach that applies the appropriate security defenses for a particular user and situation and ensures that those accessing low-risk assets and resources are not subject to unwarranted levels of access controls that slow down employees unnecessarily.
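The following is an added illustration, not code from the original article or from any vendor named in it: a minimal risk-based authentication policy that scores a request on the contextual signals the text mentions (location, time, device, sensitivity of the resource) and returns allow, step-up or deny. The profile data, thresholds and weights are constructed for the example and are assumptions, not a real product's values.

```python
"""Risk-based authentication: decide per request whether to allow silently,
require a step-up challenge (e.g. a push prompt to the user's phone), or deny.
Thresholds and weights below are illustrative assumptions, not vendor values."""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class UserProfile:
    usual_countries: set      # countries this user normally signs in from
    usual_hours: range        # local hours considered normal working time
    known_devices: set        # device identifiers previously enrolled


@dataclass
class AccessRequest:
    user: str
    country: str
    device_id: str
    timestamp: datetime
    resource_sensitivity: str  # "low" or "high"


def risk_score(req: AccessRequest, profile: UserProfile):
    """Sum contextual risk signals; return the score and the reasons that fired."""
    score, reasons = 0, []
    if req.country not in profile.usual_countries:
        score += 40; reasons.append("unusual_location")
    if req.timestamp.hour not in profile.usual_hours:
        score += 15; reasons.append("off_hours")
    if req.device_id not in profile.known_devices:
        score += 25; reasons.append("unknown_device")
    if req.resource_sensitivity == "high":
        score += 20; reasons.append("sensitive_resource")
    return score, reasons


def decide(req: AccessRequest, profile: UserProfile):
    """Map the score to an action: low-risk access stays frictionless,
    anomalies trigger step-up, and stacked anomalies are refused outright."""
    score, reasons = risk_score(req, profile)
    if score >= 70:
        return "deny", reasons
    if score >= 30:
        return "step_up", reasons
    return "allow", reasons


# Constructed sample data for employee A (assumption, not real user data).
EMPLOYEE_A = UserProfile({"US"}, range(7, 20), {"laptop-01"})
NORMAL = AccessRequest("a", "US", "laptop-01", datetime(2024, 5, 6, 10, 0), "low")
NEW_COUNTRY = AccessRequest("a", "BR", "laptop-01", datetime(2024, 5, 6, 10, 0), "low")
WORST = AccessRequest("a", "BR", "tablet-99", datetime(2024, 5, 6, 23, 30), "high")
```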

Keep User Experience Top of Mind
Done correctly, Zero Trust is a business enabler. Thinking about how to minimize friction for users should begin during the planning process. One of the most vital pieces of a successful roll-out and user adoption is the use of beta testers to test the proof of concept. These beta users can become champions of the company’s Identity and Access Management (IAM) strategy across the organization. As demonstrated by IDSA’s recent report on the state of identity management efforts in the enterprise, internal political battles can complicate efforts to handle identity effectively. Having champions to evangelize the benefits of the company’s approach during the launch can help address some of these issues. In this context, it is crucial to include multiple types of users so that no group is left out. Invite Windows, UNIX, Linux, cloud, and DevOps users to the table so that their specific behavioral needs are reflected in the organization’s strategy.

Failing to consider the needs of the entire organization can compromise security. For example, forcing an administrator to log into a password vault, check out a password, and then check it back in when he or she is done creates a cumbersome process the administrator may be tempted to work around. Sophisticated admin users may look to create an SSH key and use that instead of checking out the password, effectively circumventing access controls. For Zero Trust—or any other security strategy, for that matter—to be successful, it cannot be viewed as a nuisance. Instead, the approach must be a business enabler.

Lay the Myths to Rest
Unfortunately, perimeter-based defenses are not enough to keep up with the current threats to the enterprise. Identity credentials are at the center of the typical breach, and they must be at the center of security strategies as well. It is time for enterprises to lay the myths about Zero Trust to rest and protect the keys to the kingdom—the user credentials that open the doors to the data organizations hold most dear. The Path to Zero Trust Starts with Identity.

About the Author: Dr. Torsten George is a cyber security evangelist at Centrify, which delivers Zero Trust Privilege to secure modern enterprises and stop the leading cause of breaches — privileged access abuse. He also is a member of the Identity Defined Security Alliance Zero Trust Technical Working Group and serves as a strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Dr. George has been part of the global IT security community for more than 25 years and regularly provides commentary and publishes articles on data breaches, insider threats, cyber warfare, incident response, and IT security best practices, as well as other cyber security topics in media outlets. He is also the co-author of the Zero Trust Privilege For Dummies book.