What Is Zero Trust, and How Does Multifactor Authentication Support It?
At the 29th iteration of the RSA Conference (RSAC), one of the best-attended annual events in online security, discussions zeroed in on the need for fresh strategies against threats to data security.
While the banking and telecommunications industries obviously have huge stakes in online security, other organizations, not least SMBs across industries, should stay current and be part of the conversation on taking online security to the next level.
Among the prominent points discussed at this year’s conference were multifactor authentication and zero trust, the security model built on the premise that it is irresponsible for an organization to automatically trust anything inside or outside its perimeter. Rather, before granting access, it must verify every user, device and request that attempts to connect to its systems, regardless of where the request originates.
Zero trust becomes even more practical with the rise of cloud storage: companies, more likely than not, no longer keep their data in one place, but spread it across, for example, an on-premises location, the cloud and even a third, separate physical site. Once the data lives in several places, there is no single perimeter left to defend.
Businesses and IT solutions providers therefore need to recalibrate how they set up web security and implement their protocols, aware that the castle-and-moat approach is no longer the best answer to data security threats. Organizations have traditionally focused on defending the perimeter on the assumption that everything and everyone inside the “castle” poses no threat and can therefore be granted access; the zero trust model redirects that attention to verifying each access request on its own merits, so that an attacker who gets inside the perimeter (with a stolen credential or a compromised device, for instance) gains no automatic access to anything else.
The numbers that make the case for zero trust
- $6 trillion – Predicted annual cost of cybercrime to the world by 2021, up from $3 trillion in 2015 (2017 Annual Cybercrime Report from Cybersecurity Ventures)
- $3.62 million – Global average cost of a data breach (2017 Data Breach Study, conducted by Ponemon Institute and sponsored by IBM)
- 1.8 percent (to more than 24,000 records) – Increase in the average size of a data breach in 2017, even as the average cost per breach was down from the previous year (same study)
- $93 billion – Predicted worldwide spending on information security products and services in 2018, up from $86.4 billion in 2017, which was itself up 7 percent over 2016 (Gartner Inc.)
The principles and technologies behind zero trust
Least-privilege access. Granting users access only to the resources they need to perform their job, and nothing more, which limits each user’s exposure to sensitive and confidential parts of the business and limits what an attacker can reach with any one compromised account.
Microsegmentation. Breaking the network up into small zones, each with its own access controls, so that reaching one part of the network does not automatically grant access to the rest and lateral movement is contained.
Multifactor authentication (MFA). An authentication method that requires users to present two (as in two-factor authentication) or more independent pieces of evidence drawn from different categories: knowledge (e.g., a password or PIN), possession (a hardware token, USB security key, authenticator app, etc.), inherence (biometrics, e.g., a fingerprint or voice) and location (determined from GPS or network location). Two pieces of evidence from the same category (two passwords, say) do not count as two factors. The ability to demand additional, independent factors before granting access makes MFA a natural core control for the zero trust model.
Strict controls on device access. Monitoring how many different devices are attempting to reach the network and ensuring that each device is known and authorized, which reduces the network’s attack surface: a valid credential presented from an unknown device is still refused.
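To make the four principles above concrete, here is a small policy decision point written as an added example for this article; it is not code from the article’s author or from any product. It verifies a knowledge factor (salted password hash) and a possession factor (a TOTP code computed per RFC 6238, using the RFC 4226 test-vector secret), insists that the verified factors come from different categories, refuses unknown devices, and then applies least privilege by mapping roles to microsegmented zones. The users, devices, resources and zones are constructed sample data; in a real deployment the salt is random per user and the directory comes from an identity provider.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# --- Constructed sample directory (hypothetical users, devices and segments) ---
_SALT = b"static-salt-for-demo-only"  # assumption: a real system uses a random per-user salt


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {
    "alice": {
        "pw_hash": hash_password("correct horse battery", _SALT),
        "totp_secret": b"12345678901234567890",  # RFC 4226 test-vector secret
        "roles": {"finance"},
    },
}
AUTHORIZED_DEVICES = {"alice": {"laptop-7f3a"}}  # device control: known devices only
SEGMENTS = {  # microsegmentation: each resource lives in a zone with its own role list
    "payroll-db":   {"zone": "finance",     "roles": {"finance"}},
    "build-server": {"zone": "engineering", "roles": {"dev"}},
}


# --- RFC 4226 HOTP / RFC 6238 TOTP, used to verify the possession factor ---
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, unix_time // step, digits)


@dataclass
class Request:
    user: str
    resource: str
    device_id: str
    password: Optional[str] = None    # knowledge factor
    totp_code: Optional[str] = None   # possession factor
    unix_time: int = 0                # injected so the example is deterministic


def verified_factor_categories(req: Request) -> Set[str]:
    """Return the distinct factor categories whose evidence actually verifies."""
    user = USERS[req.user]
    cats: Set[str] = set()
    if req.password is not None and hmac.compare_digest(
            hash_password(req.password, _SALT), user["pw_hash"]):
        cats.add("knowledge")
    if req.totp_code is not None:
        # accept the current 30-second window and the previous one to absorb clock drift
        valid = {totp(user["totp_secret"], req.unix_time - drift) for drift in (0, 30)}
        if any(hmac.compare_digest(req.totp_code, v) for v in valid):
            cats.add("possession")
    return cats


def authorize(req: Request, min_factors: int = 2) -> Tuple[bool, str]:
    """Zero-trust decision: identity, device, factor diversity, then least privilege."""
    if req.user not in USERS:
        return False, "unknown user"
    if req.device_id not in AUTHORIZED_DEVICES.get(req.user, set()):
        return False, "device not authorized"          # strict device control
    cats = verified_factor_categories(req)
    if len(cats) < min_factors:                         # MFA: distinct categories, not just two secrets
        return False, f"need {min_factors} distinct factor categories, verified {sorted(cats)}"
    seg = SEGMENTS.get(req.resource)
    if seg is None:
        return False, "unknown resource"
    if not (USERS[req.user]["roles"] & seg["roles"]):   # least privilege inside the segment
        return False, f"role not permitted in zone {seg['zone']}"
    return True, f"allow: {req.user} -> {req.resource} in zone {seg['zone']}"


if __name__ == "__main__":
    # unix_time=59 is the RFC 6238 test time (counter 1), whose 6-digit code is 287082
    base = dict(user="alice", device_id="laptop-7f3a", password="correct horse battery",
                totp_code="287082", unix_time=59)
    print(authorize(Request(resource="payroll-db", **base)))       # allowed
    print(authorize(Request(resource="build-server", **base)))     # wrong zone for the role
    print(authorize(Request(resource="payroll-db", **{**base, "device_id": "phone-unknown"})))
    print(authorize(Request(resource="payroll-db", **{**base, "totp_code": None})))  # one factor
```

The order of checks matters: the device and factor checks run before the resource lookup, so an attacker with a stolen password on an unrecognized laptop never learns which resources exist. The stale-window tolerance in `verified_factor_categories` is the usual trade-off between clock drift and replay; a production verifier would additionally record the last accepted counter per user so a captured code cannot be reused within its window.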