The evolving business and technology landscape and the need for secure, yet convenient, ways of logging into applications are driving the quest for more effective authentication.
The changing landscape
As we slowly move into a post-pandemic world, the greatest lesson learnt from this turbulent period is that businesses need the ability to adapt to changing forces. Adaptability is what separates successful businesses from those still struggling to survive while working remotely. Besides the challenges of securing remote workforces, businesses have to adapt to the changing legislative landscape. Privacy and security regulations and laws being introduced in many countries mean that data sovereignty is becoming a top requirement across many regions.
Surveys indicate that two-thirds of global enterprises will continue to support work-from-home arrangements for the foreseeable future, while hybrid working environments will pose further security challenges. This is because remote work disperses employees, which enlarges the attack surface and with it the inherent business risk.
To reduce the overall risk, organizations are investing in access security. Despite these efforts, they seem to be failing to protect an enterprise’s most valuable asset – data. Data is now located outside the traditional perimeter, rendering legacy data protection and access controls ineffective. Without a defined perimeter to defend, it is time for businesses to redefine their access security strategy.
From static authentication…
The key reason access security efforts fall short of the current threat landscape is that the controls themselves are inadequate. Many businesses still rely on single-factor authentication with insecure passwords, which are a source of increased risk. Even where knowledge-based questions are added for further protection, passwords remain easily compromised.
Other businesses are moving away from single-factor authentication and embracing multi-factor authentication based on hardware or software tokens and credentials. However, even in this case the authentication still relies on text passwords, which are inherently insecure.
What is important to note is that both methods are binary: go or no-go. Access is granted based on a static authentication decision that is not affected by the environment in which the user is located. In an environment where users change devices and networks, accessing data from business premises or from home, the access decision cannot be static.
… to dynamic, context-based authentication
In modern business environments, where users and endpoints are dispersed, authentication cannot be a single, discrete, binary event. Modern authentication needs to be a continuum based on three key concepts:
- Passwordless – move away from insecure passwords that create many security risks and contribute to fatigue and friction.
- Adaptive – adapt the authentication mechanism to the changing risk environment based on defined policies. Higher-risk environments require step-up authentication based on contextual data.
- Continuous and intelligent – modern authentication must not be a one-time static decision; it should continuously evaluate the risk environment using analytics such as User and Entity Behavior Analytics (UEBA), risk assessments and identity validation.
An authentication scheme that supports these concepts becomes a key part of strong access management, safeguarding the authorization of access to valuable yet dispersed data and resources.
Why do you need modern authentication?
Besides securing your assets, modern authentication has become a necessity because employees in digital-first enterprises travel multiple authentication journeys and have different authentication needs. While each user belongs to the same enterprise, there are several factors that differentiate their authentication requirements, including:
- Their personas: the role they have within the organization
- Location: on site, remote or roaming
- Devices they use: business laptops, personal devices, mobile devices
- Resources they need to access either on-premises or in the cloud
- Corporate security policy requirements and regulatory compliance
Therefore, businesses need to support multiple authentication journeys, and to do that they need to establish and enforce modern authentication. Modern authentication allows for policy-based contextual access, grounded in risk assessments and passwordless identity validation.
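The three concepts above (passwordless, adaptive, continuous) and the list of differentiating factors together describe a policy engine that maps request context to a decision. The following is an added illustration, not code from the original article or from Thales: a minimal adaptive evaluator in Python whose signal names, weights and thresholds are all assumed, and which returns allow, step-up or deny for each access request rather than a single decision at login.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessContext:
    """Contextual signals gathered per access request (field names are assumed)."""
    persona: str               # role within the organization, e.g. "finance"
    location: str              # "onsite", "remote" or "roaming"
    device: str                # "managed_laptop", "mobile" or "personal"
    device_compliant: bool     # endpoint passes posture checks
    resource_sensitivity: str  # "low", "medium" or "high"
    ueba_risk: float           # 0.0 (normal) .. 1.0 (anomalous), from behaviour analytics

# Weights and thresholds are illustrative, not taken from any vendor policy.
PERSONA_RISK = {"admin": 15}
LOCATION_RISK = {"onsite": 0, "remote": 20, "roaming": 35}
DEVICE_RISK = {"managed_laptop": 0, "mobile": 15, "personal": 30}
SENSITIVITY_RISK = {"low": 0, "medium": 15, "high": 30}
DEFAULT_POLICY = {"step_up_at": 30, "deny_at": 70}

def risk_score(ctx: AccessContext) -> int:
    """Combine contextual signals into a 0..100 score; unknown values count as risky."""
    score = PERSONA_RISK.get(ctx.persona, 0)
    score += LOCATION_RISK.get(ctx.location, 40)
    score += DEVICE_RISK.get(ctx.device, 40)
    if not ctx.device_compliant:
        score += 25
    score += SENSITIVITY_RISK.get(ctx.resource_sensitivity, 30)
    score += round(ctx.ueba_risk * 40)   # continuous signal, re-evaluated every request
    return min(score, 100)

def evaluate(ctx: AccessContext, policy=DEFAULT_POLICY) -> tuple:
    """Return (decision, score): 'allow', 'step_up' (require an additional
    phishing-resistant factor) or 'deny'. Intended to run on every request."""
    score = risk_score(ctx)
    # Hard rule: sensitive resources are never reachable from a non-compliant endpoint.
    if ctx.resource_sensitivity == "high" and not ctx.device_compliant:
        return "deny", score
    if score >= policy["deny_at"]:
        return "deny", score
    if score >= policy["step_up_at"]:
        return "step_up", score
    return "allow", score

if __name__ == "__main__":
    # Constructed sample contexts: an on-site engineer and a hybrid finance user.
    onsite = AccessContext("engineer", "onsite", "managed_laptop", True, "low", 0.05)
    hybrid = AccessContext("finance", "remote", "mobile", True, "medium", 0.10)
    print(evaluate(onsite), evaluate(hybrid))
```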
How does modern authentication help Zero Trust security?
The authenticity of identities supported by modern authentication is at the core of an identity-centric approach to Zero Trust security. Access to enterprise resources is based on identity and assigned attributes. The primary requirement for accessing corporate resources is the set of access privileges granted to an authenticated user, service or device. To cater for more adaptive authentication, access policy enforcement may consider other factors as well, such as the device used, asset status, threat intelligence and compliance requirements.
Explore the role of modern authentication in achieving Zero Trust security in our latest webinar, which was presented during the Thales 2021 Trusted Access Summit.