Cybersecurity In-Depth: Getting answers to questions about IT security threats and best practices from trusted cybersecurity professionals and industry experts.
How Is Zero Trust Evolving to Be More Continuous in Verifying Trust?How Is Zero Trust Evolving to Be More Continuous in Verifying Trust?
For zero trust to be successful, organizations need to be able to check user identity, device posture, and overall behavior without adding friction to the experience.
December 21, 2021
Question: How is zero trust evolving to be more continuous in nature in verifying trust?
Ash Devata, general manager, Cisco Zero Trust and Duo Security: Zero trust is all about assuming zero trust by default when a user is trying to access a work application and building trust by conducting a set of checks from a baseline of no trust. The three main checks are around user identity, device posture and identity, and overall behavior. To be successful, organizations need to be able to perform these inspections in real time without adding friction for the end user.
Two initial questions emerge when we think about this model. Can trust get transferred between entities in a meaningful way? For example, you proved that you are really you when you logged into your laptop. Now, why do you need to prove your identity again when you are logging into the email client on your laptop? The second question is about post-login. How can we evaluate changes in trust after the session was granted? Some applications grant a session for months and the trust levels change in that time period. For example, a user might turn off disk level encryption on their PC or just move from the hospital building to a coffee shop.
We are working on technologies that solve both questions. Organizations want to continuously evaluate trust even after the user’s session is granted. They want to transfer trust from the device to application when possible. We want to do this without adding friction or delays.
To address the post-login use case, development of a new open standard called Continuous Access Evaluation Protocol (CAEP) is underway. The OpenID Foundation is leading this effort to create more interoperable communication mechanisms for security signals alongside vendors including Cisco, Google, and Microsoft. Progress on the other challenges will continue to evolve as well, to make zero trust a model all organizations can easily adopt.
About the Author(s)
You May Also Like
Hacking Your Digital Identity: How Cybercriminals Can and Will Get Around Your Authentication MethodsOct 26, 2023
Modern Supply Chain Security: Integrated, Interconnected, and Context-DrivenNov 06, 2023
How to Combat the Latest Cloud Security ThreatsNov 06, 2023
Reducing Cyber Risk in Enterprise Email Systems: It's Not Just Spam and PhishingNov 01, 2023
SecOps & DevSecOps in the CloudNov 06, 2023