With the increasing threat landscape and recent workplace shifts to support remote users, many companies are deploying a Zero Trust security model to mitigate, detect, and respond to cyber risks across their environment.
Zero Trust principles help protect against identity and access-based security risks by requiring all users, whether inside or outside the organization’s network, to be authenticated, authorized, and continuously validated for security configuration and posture checks before granted access to applications and data.
Zero Trust relies on robust user authentication and device validation over network and endpoint security to protect applications and data against new and emergent threats. Instead of security enforcement at the network perimeter, Zero Trust focuses on protecting applications and surface areas. Users and devices are not automatically trusted because they happen to be behind the enterprise perimeter or on a trusted network.
While each organization may have a varying approach to deploying Zero Trust, the building blocks are generally the same, including establishing trust in every access request and securing access across their applications and network.
Deploying a Zero Trust architecture for the workforce provides a series of benefits, including improving the end-user experience by allowing access to some applications or resources that traditionally require VPN access and streamlining authentication through multi-factor authentication (MFA). Organizations can often leverage their existing security investments to deploy Zero Trust, including authentication, network access control, logging, device management, and endpoint detection and response, to improve their overall security posture.
The Move to Passwordless
The same Zero Trust architectural components can also be leveraged for the next evolution in authentication, which is passwordless access. The appeal of moving to passwordless authentication is that it unburdens IT departments that have to continuously manage and reset passwords for users, which is time-consuming and expensive to maintain. For end-users, managing multiple passwords across various applications and devices can be unwieldy, often resulting in re-using the same passwords that can be easily compromised and lead to data breaches.
When implemented correctly, passwordless authentication eliminates the password from the authentication flow while maintaining MFA security. In effect, passwordless enhances security while simultaneously decreasing authentication friction for users – a win-win for IT infrastructure.
While the promise of passwordless authentication is exciting, it’s important to think strategically about deploying new technology. By placing the foundational components of Zero Trust in place first, like SSO, MFA, and Device Trust, the transition to passwordless will be smoother and more secure. As passwordless is a relatively nascent technology trend, organizations should consider a phased rollout, targeting users and authentication scenarios that make the most sense from a technical and business perspective.
Author Brad Arkin is senior vice president and chief security and trust officer at Cisco. Read more guest blogs from Cisco here.
