A new category enters the cyber vocabulary: Zero Trust Authentication
- Published: Wednesday, 15 March 2023 11:28
Beyond Identity and various industry partners have launched a new category of zero trust technology: Zero Trust Authentication (ZTA). Beyond Identity says that Zero Trust Authentication has been developed in response to the failure of traditional authentication methods – a problem exacerbated by the increasing number of cyber attacks. Adopting Zero Trust Authentication will allow organizations to overcome the limitations of passwords and legacy multi-factor authentication (MFA) and implement more robust security strategies. To achieve this, the Zero Trust Authentication approach includes components such as Beyond Identity's risk scoring and continuous authentication capabilities, which significantly enhance the level of protection offered.
“In working with leaders across the security ecosystem, it became apparent to us that the industry needs to formally bring identity and access management into the security fold to continuously deliver the highest level of security around users and devices,” said Tom Jermoluk, Chief Executive Officer and Co-Founder of Beyond Identity. “We are bringing together the leaders from the essential technology categories to ensure authentication decisions are risk based and continuously informed with signals from the wealth of existing cyber security tooling.”
Among the other organizations supporting Zero Trust Authentication are Ping Identity, Palo Alto Networks, CrowdStrike, World Wide Technology, Optiv, Climb Channel Solutions and industry associations including the Cloud Security Alliance and the FIDO (Fast Identity Online) Alliance.
Zero Trust Authentication requirements
Zero Trust Authentication includes a set of practical requirements that any organisation can use to measure its current identity practices, and adopt to insulate its workforce and customers from everyday attacks. These include:
- Passwordless – no use of passwords or other shared secrets, as these can easily be obtained from users, captured on networks, or hacked from databases.
- Phishing resistant – no opportunity to obtain codes, magic links, or other authentication factors through phishing, adversary-in-the-middle, or other attacks.
- Capable of validating user devices – able to ensure that requesting devices are bound to a user and authorised to access information assets and applications.
- Capable of assessing device security posture – able to determine whether devices comply with security policies by checking that appropriate security settings are enabled, and security software is actively running.
- Capable of analysing many types of risk signals – able to ingest and analyse data from endpoints and security and IT management tools.
- Continuous risk assessment – able to evaluate risk throughout a session rather than relying on one-time authentication.
- Integrated with the security infrastructure – integrating with a variety of tools in the security infrastructure to improve risk detection, accelerate responses to suspicious behaviours, and improve audit and compliance reporting.