The technology industry has known for many years that usernames and passwords are the worst way to verify a user's identity online. Most progressive organizations today talk a good game about building a zero-trust environment to secure systems. But walking that talk is complicated.
By definition, one of the core principles of a zero-trust architecture is "Trust no one and verify everything." Zero trust builds some friction into the user experience, since additional layers of authentication, such as multifactor authentication, are required. One way to get around this friction is by implementing adaptive authentication, a context-based approach that doesn't require users to further authenticate their identity when it's not necessary.
With adaptive authentication, when a user attempts to access a resource, the identity management system has the capability to factor in where the user is logging on from, on what network and device, and if that device is configured correctly. If any of those conditions are not met — such as an unpatched device — adaptive authentication will still grant access to the resources the user needs, but it will require an extra step to validate their identity. Adaptive authentication marries the context of the user and then changes the policy checks based on those factors to identify the person at the keyboard is who they say they are.
While adaptive authentication enables organizations to create a positive user experience in zero-trust environments where everyone is suspect, its implementation is not without its challenges.
The first and biggest challenge is that many applications in use by mature organizations have been around for a long time — 10, 20, 30 years — but the concept of adaptive authentication is very new. Simply put, old systems don't know how to participate in this kind of a world, because they were hardwired to only accept usernames and passwords. Rewriting them to support modern authentication methods can take months and cost millions.
Consider the major bank that runs its business on an application so well-built that in 20 years, they haven't needed to ever change it. Or an entertainment company that uses 30-year-old software to operate seatbelts in its amusement park rides. This isn't exactly the type of application that is available as a software-as-a-service platform — nobody would ever build it, nor would many need to buy it.
In addition, zero trust requires continual runtime checks to enforce policies. However, centralized systems are often dependent on periodic batch sync jobs to update their information. This can result in the wrong policy being enforced if key data is out of sync.
Another barrier to adaptive authentication is the familiar boil-the-ocean challenge. To get to a zero-trust world, an organization literally has to change everything about every resource. This is an overwhelming, if not impossible, task. To overcome these obstacles, consider the following best practices.
Be surgical: Start by assessing applications based on risk and complexity, to understand how big the challenge is before you start. Prioritize those that have the highest level of reward relative to the lowest level of effort to accomplish. That's pivotal to understanding where to begin.
Modernize gently: When you update a process, do it in a way that doesn't change the application itself. Going back to that example of the amusement park's seatbelt software: Don't rebuild that app if there's no need to. Use abstraction technology to decouple identity from the app itself, and eliminate the need to change the core capabilities of the application while providing a bridge for implementing adaptive authentication.
Start small: Next, pick a small number of apps to start updating — one, five, probably not more than 10. Take each application and apply a zero-trust model. Once done with the batch, if it's less painful than expected, move to the next five, and then do another 10. The process tends to snowball fairly quickly, but starting surgically is absolutely key. Most projects fail when they try to do too much and become so onerous on users that they just say: "This is untenable. I can't do my job."
Keep what you can: Finally, reuse existing systems and technologies wherever possible. Resist putting all your eggs in one basket based on vendor claims that it will solve all your problems. It's no longer possible to centralize everything — IT systems are distributed and becoming more so every day. Instead, leverage the policies and infrastructure that are working and resilient.
Adaptive authentication can make adding zero trust a kinder, gentler experience for users. Implementing a controlled and gradual transition to a world beyond passwords will determine the success or failure of zero-trust projects.