In a cyber threat landscape in which adversaries seemingly hold all of the advantages over organizations, security leaders are increasingly committing to a concept called “zero trust.”
Zero trust works exactly as it sounds. Enforcing the tenets of “never trust, always verify,” it requires the authentication and authorization of, well … everything: All users and devices are subject to granular controls. Gatekeepers should always assume that the network is hostile, that there are external and internal threats either already inside the virtual door or plotting to enter by any means necessary. Least-privilege policies limit users to solely the access they need to perform their tasks/roles, for only the amount of time needed to do it.
It all sounds so draconian, doesn’t it? But that’s because the relentless and ever-resourceful nature of our adversaries has forced this state of vigilance: About seven out of 10 organizations are either currently planning zero trust access projects or already have a model or project in place for this, according to research from Cybersecurity Insiders. In doing so, they are most interested in implementing continuous authentication and authorization (as cited by 67 percent of organizations taking part in the research) and trust earned through verification of whichever entity is seeking access, whether a user, a device or a piece of infrastructure (65 percent).
Given the velocity of attacks today, it’s easy to justify zero trust as a mandatory measure. But it also appears to directly conflict with what has emerged as an even greater priority for the modern enterprise: digital transformation.
In fact, digital transformation is considered the most important tech initiative today, as ranked by 54 percent of senior IT leaders, according to research from Flexera. (Sorry CISOs, but cybersecurity ranked second on the priority list, as cited by 49 percent.) As a result, organizations are investing a significant amount of budgeting into transformation, with three of five committing $5 million to $50 million to these projects, and another 15 percent spending more than $50 million, according to research from Modus Create. In doing so, 57 percent are determined to integrate all social, mobile, web, commerce, service efforts and investments to deliver a frictionless, omni-channel experience – the top goal of their long-term digital transformation efforts.
The key word here is “frictionless.” Whether users are internal (primarily employees) or external (typically customers), they seek liberation from processes which keep them from accessing what they want to access – right now. But zero trust, of course, is all about such processes. It’s about passwords and multi-factor authentication and questions about your mother’s maiden name and the make/model of the first car you drove. It is about verifying that users are who they claim to be based upon what they know (passwords, answers to questions) and what they possess (their devices). Yet, this leads to the very sort of friction-laden experience which users wish to avoid.
With the current health pandemic creating a more distributed workforce and consumers who are increasingly shopping, banking, learning and essentially living life online, there is much at stake for companies that are heavily committed to digital transformation and zero trust at the same time. At some point, these opposing forces will collide, because technology that says “We don’t trust anyone or anything” is problematic at best. Resenting the friction, employees will seek end-arounds to constant authentication steps, often by acquiring alternative apps and tools which are less secure. Customers will simply find another online outlet to get what they want, and do what they want.
To effectively respond, organizations must transition from zero trust tools and practices that rely upon what users know and what they possess toward emerging technologies which are focused on distinct user attributes – their face, fingerprint or behavior, i.e., “inherence.”
This is what’s behind behavioral biometrics technology, enabling security teams to unobtrusively – even invisibly – authenticate users through profiles which store how they interact online. By collecting and analyzing data based upon how individuals hold a smartphone, touch a keyboard, move a mouse, press their finger on a touchscreen, etc., you can build profiles entirely unique to each individual that provide the unambiguous level of authorization which zero trust demands, minus the friction. What’s more, malware can’t accurately impersonate this extent of physical activity.
Many companies still require several steps of authentication every single time their users switch from one business app to another. This literally results in dozens of productivity barriers a day, for every employee. With behavioral biometrics, security teams assess behaviors to block suspicious activities or direct targeted monitoring without disrupting users, maximizing the protected state of the enterprise while minimizing impact on the user experience. Today’s users expect cybersecurity tools to work this way; while they appreciate the role the tools perform, they know “I am me” and have little patience for taking multiple steps to prove it.
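As an added illustration of the profiling described in the two paragraphs above and the allow/monitor/block decision it feeds (example code written for this page, not the article's or any vendor's): a keystroke-timing profile is built from a user's enrollment sessions and each new session is scored by its mean absolute z-score against that profile. The feature layout, the thresholds and every timing value are constructed assumptions.

```python
"""Keystroke-dynamics scoring: build a per-user timing profile from enrollment
sessions and score new sessions against it. Assumes each session is a
fixed-length vector of key dwell and flight times (ms) for the same passphrase.
All sample data below is constructed, not measured."""
import statistics

# Constructed enrollment data: four sessions from the legitimate user, each
# [dwell(k1), dwell(k2), flight(k1->k2), flight(k2->k3)] in milliseconds.
ENROLLMENT = [
    [96, 124, 86, 114],
    [104, 116, 94, 106],
    [96, 124, 86, 114],
    [104, 116, 94, 106],
]

def build_profile(sessions, min_std=1.0):
    """Per-feature (mean, std) across enrollment sessions. The std is floored
    so a feature that never varied during enrollment does not turn every
    later deviation into an infinite score."""
    if len({len(s) for s in sessions}) != 1:
        raise ValueError("all sessions must have the same feature count")
    profile = []
    for column in zip(*sessions):
        profile.append((statistics.mean(column),
                        max(statistics.pstdev(column), min_std)))
    return profile

def deviation_score(profile, sample):
    """Mean absolute z-score of the sample against the profile (0 = typical)."""
    if len(sample) != len(profile):
        raise ValueError("sample does not match profile length")
    return sum(abs(v - mean) / std
               for (mean, std), v in zip(profile, sample)) / len(sample)

def decide(profile, sample, allow_below=1.5, block_from=3.0):
    """Map the score to an action: keep the session invisible, ask for an
    explicit factor, or stop it. The thresholds are tuning knobs that trade
    false accepts against false rejects; they are not from any product."""
    score = deviation_score(profile, sample)
    if score < allow_below:
        return "allow"
    if score < block_from:
        return "step-up"
    return "block"

if __name__ == "__main__":
    prof = build_profile(ENROLLMENT)
    for label, s in [("genuine", [102, 118, 92, 108]),
                     ("drifting", [108, 112, 98, 102]),
                     ("impostor", [140, 160, 130, 150])]:
        print(label, round(deviation_score(prof, s), 2), decide(prof, s))
```

The "step-up" band is where the invisible check hands off to an explicit factor only when behaviour actually drifts, which is the friction-on-demand the paragraphs above describe.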
In this sense, behavioral biometrics takes a “Back to the Future” approach in resolving the threat prevention puzzle: People have always clutched shopping bags, flipped through their wallets and written checks with unique, signature movements and patterns. The same distinct movements and patterns extend to our interactions with devices. By leveraging this as a core component of authentication, CISOs and their teams implement zero trust to the strictest of standards, with users not even realizing that they’re being held to them. Thus, zero trust ends up enhancing the digital transformation, not inhibiting it.