Continuous Adaptive Trust (CAT) - the Best Paradigm of Enterprise Zero Trust|Identity Cloud Research Institute

Zero trust security is no longer an unfamiliar concept. As organizations face more complex information security risks and a constantly changing network environment, perimeter-based security architectures can no longer hold off threats from outside or inside the network. The traditional network-centric security architecture is gradually giving way to identity-centric access control.

Security management frameworks derived from zero trust are also being asked to meet further needs, such as balancing the friction between users, employees and security management. Heavy-handed compensating controls produce a poor user experience, increase customer churn, slow employees down and raise operating costs; the direct result is lost business revenue.

According to the Verizon Data Breach Investigations Report, 81% of hacking-related breaches involve stolen or weak credentials. The traditional response was to add more authentication steps: a second factor, such as a one-time password (OTP) delivered by SMS or e-mail, on top of the account password. This is two-factor authentication (2FA). It does not solve the problem effectively: attackers use phishing websites, e-mails and text messages to obtain the OTP, or set up fake base stations to intercept SMS verification codes.

2FA then evolved into MFA, multi-factor authentication, which adds biometrics such as fingerprint and face recognition on top of OTP codes. This raises the bar, but it creates new problems: it depends on the device (which must support fingerprint or face recognition) and on the available technology, so it cannot cover every authentication scenario, and adding unnecessary factors to the authentication flow burdens the user experience. Note also that a biometric layered on top of an OTP does not by itself stop OTP phishing; phishing-resistant factors such as FIDO2/WebAuthn hardware keys, which bind the credential to the site's origin, address interception directly.

"Adaptive Multi-Factor Authentication (AMFA)" builds on traditional Multi-Factor Authentication (MFA) by judging the current security situation from context and deciding whether an additional factor is required. Risk is assessed dynamically from signals such as user attributes, behavioural context, IP address, device information and geographic location. For example, a login from an unusual location or an abnormal IP address triggers multi-factor authentication, while a login from a commonly used device or a corporate IP address needs no second step. This resolves much of the friction between user experience and security management.

However, for organizations with more complex security environments and special security audit requirements, AMFA alone is not enough: it evaluates risk only once, at discrete security-sensitive points such as login, and so cannot cover every potential risk in the enterprise, including risks that only appear after the user has been admitted. "Continuous Adaptive Trust (CAT)" has therefore been proposed as the next-generation security management model, and "Continuous Adaptive Multi-Factor Authentication (CAMFA)", built on the adaptive trust framework, is the best practice for solving these problems. This article describes what continuous adaptive trust is and how to implement continuous adaptive multi-factor authentication.

Gartner: Shifting focus from MFA to Continuous Adaptive Trust (CAT)

1. What is Continuous Adaptive Trust (CAT)?

Continuous Adaptive Trust (CAT) is a security model based on dynamic trust assessment. It continuously monitors the entities in a digital ecosystem (people, devices, applications and services) and adapts their trust assessment in order to identify and respond to threats effectively. Its core idea is real-time analysis of entity behaviour and observable data: with the help of machine learning and related techniques, an entity's behaviour is evaluated dynamically and its trust level is adjusted according to the result. Because the model is adaptive and flexible, its trust evaluation strategy can change in real time as entity behaviour changes, so it keeps pace with a changing threat environment. Continuous adaptive trust evaluation thus improves the security and credibility of the digital ecosystem and protects the digital assets and privacy of enterprises and users.

1. From "emergency response" to "continuous response", continuous adaptive trust builds an enterprise security immune system

A more intuitive analogy: "Continuous Adaptive Trust" resembles a biological immune system at the micro level and a complete ecosystem at the macro level. An organism's immune system responds and adjusts to new threats quickly and autonomously, while the ecosystem is the basic condition in which organisms develop. A rich and diverse ecosystem helps organisms adapt to more complex environments and develop a stronger immune system.

In other words, a rich and diverse IT infrastructure helps build a more powerful and complete adaptive trust system. Continuous adaptive trust is therefore not a single product or solution; it requires a full set of capabilities, such as user access authentication across every scenario and authorization management, to protect enterprise information security comprehensively.

In the past, organizations relied on preventive, policy-based security controls, deploying products such as antivirus software, firewalls and intrusion detection/prevention systems (IDS/IPS), but this approach can no longer keep up with today's and tomorrow's security environment. Gartner advocates shifting the security mindset from "emergency response" to "continuous response" in order to prevent and contain more complex threats. The core of the next-generation security process is continuous, pervasive monitoring and visibility. Enterprise security monitoring should be ubiquitous and cover as many layers of the IT stack as possible: network activity, endpoints, system interactions, application transactions and user activity.

2. Extend from Zero Trust to Continuous Adaptive Trust (CAT)

Zero trust rests on three main principles: never trust any entity (people, devices, software, etc.) by default; always verify, continuously; and enforce least privilege. The two most important capabilities in a zero trust architecture are:

Authentication: gathering and analyzing information to establish a level of trust in an entity

Access control: controlling an entity's access to resources based on its identity information and trust level

From the enterprise security perspective, identity authentication is the process by which an entity proves its trustworthiness, and it must rest on rich, continuous and accurate data sources. From the user experience perspective, authentication that the user does not feel, or barely feels, preserves customer retention and employee productivity.

Because a zero trust journey has to solve zero trust authentication first, and before effective zero trust solutions existed, many organizations added weak-factor authentication to the login process, and those with the technical capability added multi-factor authentication at selected sensitive points, trying to balance security and user experience. But since continuous, dynamic evaluation and authentication cannot be performed during the user's session, the usual compromise is a long session timeout that reduces how often MFA is prompted.

Neither adding MFA prompts at every sensitive point nor lengthening session timers solves the security and user experience problems; both increase security expenditure and hurt the user experience. A long session timeout in particular means a stolen session token stays valid for its full lifetime, however the session behaves in the meantime.

Organizations implementing zero trust often reduce it to adding more authentication steps, or more factors, at every point in the flow. Seen from another angle, "zero trust" really means "continuously earning trust": only an identity that keeps earning trust is allowed to proceed to the next step, and the condition for that is that the system keeps evaluating its risk. To preserve the user experience, these evaluations must run without the user noticing. That is where continuous adaptive trust (CAT) comes in; in essence, continuous adaptive trust is the best paradigm built on the zero trust concept.

2. Continuous adaptive multi-factor authentication (CAMFA) builds an enterprise zero trust environment

As noted at the beginning of the article, Adaptive Multi-Factor Authentication (AMFA) effectively resolves the friction between user experience and security management. But audit regulators, as well as corporate security and business departments, are placing ever higher demands on MFA and want solutions that are more secure, more flexible, faster to respond, better for the user and cheaper.

1. What is Continuous Adaptive Multi-Factor Authentication (CAMFA)

"Continuous Adaptive Multi-Factor Authentication (CAMFA)" is an authentication method built on adaptive multi-factor authentication (which decides from contextual attributes whether to require an additional factor). It uses real-time risk assessment to evaluate the user's risk level dynamically and, along the time dimension, keeps evaluating the user's trust throughout the whole usage journey to decide whether additional authentication is needed. The benefit is that the enterprise's security is monitored in real time, and the user is only prompted for additional authentication when performing a risky operation.

2. The Value of Continuous Adaptive Multi-Factor Authentication (CAMFA) to Enterprises

Identity authentication is the foundation of enterprise security. Under security regulation, the switch from plain account-and-password login to multi-factor authentication (MFA) is inevitable. Yet according to Microsoft's Cyber Signals report, only 22% of Azure AD customers had strong authentication such as MFA enabled, mainly because traditional MFA gives customers and employees a poor experience. Faced with user loss and reduced productivity, enterprises often turn MFA off and accept the additional security risk.

Adaptive multi-factor authentication (AMFA) is an effective way to balance security and user experience. But like traditional multi-factor authentication (MFA), it is evaluated only once. For enterprises facing more complex security environments and special regulatory requirements, a single authentication at login is no longer enough to control access to sensitive systems, because a user's security posture may change dynamically during a session. Enterprises therefore need continuous security risk assessment that evaluates the user's risk level dynamically and decides on that basis whether to require additional factors.

3. Implement a zero-trust security environment for enterprises through Continuous Adaptive Multi-Factor Authentication (CAMFA)

A continuous adaptive trust system lets the enterprise realize a true zero trust security environment, and the best practice for building one is "continuous adaptive multi-factor authentication". CAMFA provides continuous risk assessment over external risk signals and internal data, and its policy engine evaluates these signals and each access request against the security policies the organization has configured.

A zero trust security model typically includes a policy engine that accepts risk signals and related data, is configured with security policies, and enforces them, deciding from the result whether multi-factor authentication must be triggered.
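As an added example, not code from the original article or from Authing, the following Python sketch models the policy engine described above and the per-request evaluation that distinguishes CAMFA from one-time AMFA: every event the business system reports (login, page view, sensitive operation) carries its context, the engine re-scores risk on each one, and a passed step-up covers later moderate-risk actions for a limited window so the user is not prompted again. The device registry, corporate IP list, signal weights, thresholds and both sessions are constructed assumptions, not data from the page.

```python
"""Toy continuous adaptive policy engine (added example, not Authing code).

Every event carries login context plus the action performed; risk is scored
on each event, not only at login. All reference data below is constructed.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Tuple

# Constructed stand-ins for an IAM system's device / network registry.
KNOWN_DEVICES = {"alice": {"dev-laptop-01"}, "bob": set()}
CORPORATE_IPS = {"203.0.113.10"}            # RFC 5737 documentation address
SENSITIVE_ACTIONS = {"export_customer_data", "change_payout_account"}
MFA_VALID_SECONDS = 900                     # a passed step-up covers the next 15 min
MAX_PLAUSIBLE_KMH = 1000                    # faster than this between events = impossible travel


@dataclass
class Event:
    t: int            # seconds since session start
    user: str
    device_id: str
    ip: str
    lat: float
    lon: float
    action: str


@dataclass
class SessionState:
    last: Optional[Event] = None   # previous event seen in this session
    mfa_at: Optional[int] = None   # time of the last successful step-up


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance, used for the travel-speed check."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def score(ev: Event, st: SessionState) -> Tuple[int, List[str]]:
    """Additive risk score from the signals the article lists (device, IP, geo, action)."""
    risk, reasons = 0, []
    if ev.device_id not in KNOWN_DEVICES.get(ev.user, set()):
        risk += 30; reasons.append("unknown device")
    if ev.ip not in CORPORATE_IPS:
        risk += 10; reasons.append("non-corporate ip")
    if st.last is not None:                  # the continuous part: compare with the previous event
        if ev.ip != st.last.ip:
            risk += 20; reasons.append("ip changed mid-session")
        hours = max(ev.t - st.last.t, 1) / 3600
        if haversine_km(st.last.lat, st.last.lon, ev.lat, ev.lon) / hours > MAX_PLAUSIBLE_KMH:
            risk += 50; reasons.append("impossible travel")
    if ev.action in SENSITIVE_ACTIONS:
        risk += 30; reasons.append("sensitive action")
    return risk, reasons


def decide(ev: Event, st: SessionState) -> Tuple[str, int, List[str]]:
    """Map score to allow / step_up / deny; a recent step-up absorbs moderate risk."""
    risk, reasons = score(ev, st)
    recent_mfa = st.mfa_at is not None and ev.t - st.mfa_at <= MFA_VALID_SECONDS
    if risk >= 80:
        decision = "deny"          # strong hijack signal: end the session, require a fresh login
    elif risk >= 30 and not recent_mfa:
        decision = "step_up"
    else:
        decision = "allow"
    st.last = ev
    return decision, risk, reasons


def run_session(events: List[Event], mfa_passes: bool = True):
    """Feed one session's event stream through the engine.

    Returns (action, decision, risk, reasons) per event."""
    st, out = SessionState(), []
    for ev in events:
        decision, risk, reasons = decide(ev, st)
        if decision == "step_up" and mfa_passes:
            st.mfa_at = ev.t               # the user completed the extra factor
        out.append((ev.action, decision, risk, tuple(reasons)))
    return out


# Constructed session: trusted laptop on the corporate IP in Beijing, then the same
# session token appears from New York 500 s later (typical stolen-cookie pattern).
BJ, NY = (39.9, 116.4), (40.7, -74.0)
ALICE = [
    Event(0,    "alice", "dev-laptop-01", "203.0.113.10", *BJ, "login"),
    Event(120,  "alice", "dev-laptop-01", "203.0.113.10", *BJ, "view_dashboard"),
    Event(600,  "alice", "dev-laptop-01", "203.0.113.10", *BJ, "export_customer_data"),
    Event(700,  "alice", "dev-laptop-01", "203.0.113.10", *BJ, "export_customer_data"),
    Event(1200, "alice", "dev-laptop-01", "198.51.100.7", *NY, "view_dashboard"),
]
# Constructed session: unknown device off the corporate network, the classic AMFA login case.
BOB = [
    Event(0,   "bob", "dev-phone-99", "198.51.100.7", *BJ, "login"),
    Event(300, "bob", "dev-phone-99", "198.51.100.7", *BJ, "change_payout_account"),
]

if __name__ == "__main__":
    for name, events in (("alice", ALICE), ("bob", BOB)):
        for row in run_session(events):
            print(name, row)
```

Alice's first two requests pass silently, the first data export triggers a step-up, and the second export a minute later does not, because the engine remembers the passed factor. The fifth event is denied even though MFA was completed ten minutes earlier: a factor checked at t=600 says nothing about who holds the session token at t=1200, which is exactly the gap a one-time AMFA check at login leaves open. Bob is challenged at login (unknown device, off-network) and, having passed, is not challenged again for the sensitive action inside the window; with `mfa_passes=False` he is challenged again instead.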

4. How to quickly build continuous adaptive multi-factor authentication for your enterprise?

Note that to achieve continuous adaptive authentication, the policy engine must be able to link contextual data to entities such as users and devices, and accurate decisions require extending to finer-grained identities so that more data is available as reference. To be scalable, flexible and continuous, the process must also be automated. The key is that the enterprise's identity and access management system can be orchestrated automatically, and that it has the metadata capability to normalize behavioural data reported from different sources to a common standard, so that the whole identity verification process can be chained together by automated orchestration into continuously responsive adaptive multi-factor authentication.

The adaptive MFA authentication strategy rests on Authing UEBA (user and entity behaviour analytics), which analyses user behaviour and user profiles in depth so that the MFA policy matching the current behaviour is selected automatically.

In the adaptive MFA strategy, the Authing UEBA engine analyses the user's behaviour and profile, such as login history, device information, IP address, geographic location and activity pattern, to determine the identity and risk level of the current user and select a matching MFA policy. Continuous adaptive multi-factor authentication (CAMFA) is adaptive multi-factor authentication (AMFA) plus the Authing identity automation orchestration engine.

Authing continuous adaptive MFA business architecture diagram

When a customer's business system is connected to Authing, UEBA data reported from the business system's backend is sent to Authing. The continuous adaptive MFA security policy flow configured in Authing subscribes to the events it publishes; the adaptive security policy keeps monitoring for MFA events and executes the corresponding security policy whenever one is received.


Origin blog.csdn.net/Authing/article/details/130803352