Cybersecurity In-Depth: Getting answers to questions about IT security threats and best practices from trusted cybersecurity professionals and industry experts.

How Is Zero Trust Evolving to Be More Continuous in Verifying Trust?

For zero trust to be successful, organizations need to be able to check user identity, device posture, and overall behavior without adding friction to the experience.

Ash Devata, General Manager, Cisco Zero Trust and Duo Security

December 21, 2021

2 Min Read
Concept art showing nodes with zero trust, wi-fi networks, and cloud.
Source: Olivier Le Moal via Alamy Stock Photo

Question: How is zero trust evolving to be more continuous in nature in verifying trust?

Ash Devata, general manager, Cisco Zero Trust and Duo Security: Zero trust is all about assuming zero trust by default when a user is trying to access a work application and building trust by conducting a set of checks from a baseline of no trust. The three main checks are around user identity, device posture and identity, and overall behavior. To be successful, organizations need to be able to perform these inspections in real time without adding friction for the end user.

Two initial questions emerge when we think about this model. Can trust get transferred between entities in a meaningful way? For example, you proved that you are really you when you logged into your laptop. Now, why do you need to prove your identity again when you are logging into the email client on your laptop? The second question is about post-login. How can we evaluate changes in trust after the session was granted? Some applications grant a session for months and the trust levels change in that time period. For example, a user might turn off disk level encryption on their PC or just move from the hospital building to a coffee shop.

We are working on technologies that solve both questions. Organizations want to continuously evaluate trust even after the user’s session is granted. They want to transfer trust from the device to application when possible. We want to do this without adding friction or delays.

To address the post-login use case, development of a new open standard called Continuous Access Evaluation Protocol (CAEP) is underway. The OpenID Foundation is leading this effort to create more interoperable communication mechanisms for security signals alongside vendors including Cisco, Google, and Microsoft. Progress on the other challenges will continue to evolve as well, to make zero trust a model all organizations can easily adopt.

About the Author(s)

Ash Devata

General Manager, Cisco Zero Trust and Duo Security

Ash Devata is General Manager of Cisco Zero Trust, the most comprehensive platform to secure access for any user, from any device, to any IT application or environment. Ash leads product strategy, engineering, design, and operations functions for Zero Trust products within Cisco’s broader security portfolio, including the Duo business.

Prior to taking the helm of Cisco Zero Trust, Ash led product and go-to-market strategy for Duo, where he helped it grow into a worldwide business with more than 30,000 customers. Before Duo, Ash managed the enterprise solutions portfolio at RSA.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights