Why passwords have no place in a Zero-Trust environment

As organisations come to terms with the implications of long-term hybrid work practices, many are realising their IT security measures need to be improved.

With large numbers of staff still working from home, the way in which they need to be protected from cyberthreats has to evolve. No longer supported solely by an office-based infrastructure and protected by firewalls, staff need to have other tools in place to ensure they can be both secure and productive.

The challenge is made even greater by the increased use of cloud-based resources. Everything from storage and SaaS applications to productivity and communications services is now often hosted on cloud platforms rather than on traditional on-premises servers. This means new protective measures need to be identified and deployed.

One security strategy gaining increasing attention is Zero Trust. This strategy dictates that nothing within or connecting to an IT infrastructure is trusted until its identity can be confirmed.

Zero Trust also requires that least-privilege access policies are used at all times and each step of all transactions is validated. Users, applications, and devices must constantly pass authorisation checks to access the resources that they are seeking.

When undertaking a Zero Trust strategy, the question arises as to whether passwords can still be used as a trusted method of authentication. Within most organisations they remain widely used and are likely to continue to be a security mainstay for some time to come.

Unfortunately, however, passwords alone do not provide strong security. Indeed, industry research shows that password theft and misuse is the primary cause of the majority of significant data breaches. The OAIC Notifiable Data Breaches Report: July-December 2021, for example, found that 60 per cent of cyber incident breakdowns were due to compromised or stolen credentials.

Password-less and Zero Trust

For this reason, increasing numbers of organisations are investigating the potential of shifting to a password-less environment. They want to be able to enjoy the potential protection offered by Zero Trust without the weak links that passwords can create.

To create a password-less environment, organisations will need to have a range of measures in place. These will build on a number of existing, foundational technologies and include a system of centralised identity and access governance, single sign-on capabilities, and privileged account management measures.

Such an environment will also require access requests to be evaluated against a broader set of variables than has often been the case in the past. These variables could include the location from which the request is being made and the device being used.

Other security evaluation variables could include the time of day the request is being made, the elapsed time since the last authentication, and exactly what access is being requested.
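The contextual evaluation described above can be expressed as a small policy check. The following is an added illustration written for this page, not code from the article or from BeyondTrust; the trusted locations, managed-device list, re-authentication window and business hours are constructed assumptions, and the three sample requests are constructed too.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed policy inputs for illustration only; a real deployment would
# read these from the identity governance and device-management systems.
TRUSTED_LOCATIONS = {"AU", "NZ"}
MANAGED_DEVICES = {"laptop-0421", "laptop-0587"}
REAUTH_WINDOW = timedelta(hours=8)
BUSINESS_HOURS = range(7, 20)        # 07:00 to 19:59


@dataclass
class AccessRequest:
    user: str
    location: str                    # country the request originates from
    device_id: str
    requested_at: datetime
    last_authenticated: datetime
    resource: str
    privileged: bool                 # True for admin-level access to the resource


def evaluate(req: AccessRequest) -> tuple[str, list[str]]:
    """Weigh the request's context and return a decision plus the reasons."""
    checks = [
        (req.location not in TRUSTED_LOCATIONS, 2, f"untrusted location {req.location}"),
        (req.device_id not in MANAGED_DEVICES, 2, "unmanaged device"),
        (req.requested_at.hour not in BUSINESS_HOURS, 1, "outside business hours"),
        (req.requested_at - req.last_authenticated > REAUTH_WINDOW, 1, "stale authentication"),
        (req.privileged, 1, f"privileged access to {req.resource}"),
    ]
    reasons = [reason for hit, _, reason in checks if hit]
    risk = sum(weight for hit, weight, _ in checks if hit)
    # Least privilege: admin-level access from an unmanaged device is never granted,
    # regardless of how the other signals score.
    if req.privileged and req.device_id not in MANAGED_DEVICES:
        return "deny", reasons
    if risk == 0:
        return "allow", reasons
    # Moderate risk triggers step-up (strong, password-less) authentication.
    return ("step_up" if risk <= 2 else "deny"), reasons


def sample_requests() -> dict[str, AccessRequest]:
    """Constructed requests covering the ordinary, off-network and unmanaged cases."""
    now = datetime(2022, 3, 1, 10, 0, tzinfo=timezone.utc)
    fresh, stale = now - timedelta(hours=1), now - timedelta(hours=20)
    return {
        "office_hours": AccessRequest("alice", "AU", "laptop-0421", now, fresh, "wiki", False),
        "offsite_fresh": AccessRequest("alice", "US", "laptop-0421", now, fresh, "wiki", False),
        "offsite_stale": AccessRequest("alice", "US", "laptop-0421", now, stale, "wiki", False),
        "admin_unmanaged": AccessRequest("bob", "AU", "byod-phone", now, fresh, "pam-console", True),
    }
```

The step-up branch is where a password-less factor (a platform authenticator or hardware key) would be requested, so a stolen password on its own never satisfies the policy.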


Practical implementation steps

As organisations take steps to improve their overall levels of cybersecurity, being password-less is rapidly becoming a de facto standard. It is a necessary move to create a true Zero Trust strategy and significantly reduces the likelihood that credential theft could lead to a breach.

This is because password-based authentication alone does not provide adequate identity assurance in a Zero Trust strategy. Because passwords are so vulnerable to misuse and abuse, they represent a risk that is too great and essentially undermine the security benefits that the strategy can otherwise deliver.

Before undertaking a strategy to remove, or at least significantly limit, the use of passwords within an organisation, it is important for everyone involved to have an agreed understanding of exactly what it will require. Strong authentication is a foundation for the strategy, and putting measures in place to achieve this must be the first step.

It should also be remembered that Zero Trust is a journey, one that is ultimately never-ending. Many organisations find it beneficial to deploy the strategy in particular parts of their IT infrastructure and then gradually extend it over time by including it as a consideration in their procurement strategies.

To keep costs as low as possible, some organisations opt to link their Zero Trust strategy deployment to their ongoing technology refresh lifecycle. This means components can be added as legacy equipment is retired and replaced.

Adopting a strategy of embracing Zero Trust and becoming password-less should be high on the priority list for all organisations. It can significantly assist with the challenge of preventing cyberattacks while also keeping critical resources as secure as possible.


Article written by Scott Hesford, Director of Solutions Engineering, APJ, BeyondTrust