The Future of Trust is Risk-based

The platitude “trust but verify” carries new meaning in today’s hybrid work environment. Here’s how to extend trust without increasing risk.

istock 1212134865
iStock

Whether they’re working remotely or on-site, workers have come to expect frictionless, collaborative experiences. Multiple logins and authentications slow them down and can be frustrating.

Yet, the risks associated with user access across the hybrid workforce have increased. Outside the traditional four walls, employees might log into the corporate network from personal devices at home — ie., their roommate’s, partner’s or child’s computer. They might take their laptop out for lunch and work on tasks via an unsecured WiFi connection at the restaurant. Or, they could access work files 1-2 days per week at the office, then work remotely the other days.

Another issue: A user’s login can last not just hours but days. Even “timed” sessions, where an individual stays logged in for 8 or 12 hours, create long exposure periods for potential exploitation by hackers. And yet, users don’t want to have to keep authenticating just to gain access to their primary work applications.  

What does and doesn’t work

As organizations are learning, it’s possible to achieve a balance. That starts with incorporating zero trust (ZT) principles of “never trust, always verify.” Yet, even some of the basic ZT technologies — such as multifactor authentication (MFA) and identity access management tools — can add friction for users.

That’s why the concept of continuous trusted access is gaining ground. It builds on and extends ZT concepts of risk-based authentication by adding context and trust analysis.

“Continuous trusted access is about dynamically reacting to risks,” said Ted Kietzman, Product Marketing Manager for Duo Security at Cisco. “For example, if you have the same device and same user regularly logging in from the same place, the access rights dynamically take place in the background, without adding steps for the user who’s logging in.”

The dynamics are based on evaluation of user behaviors to analyze risk over time. For example, if a worker based in Chicago logs into a productivity suite in the morning and two hours later downloads a file from an IP address in Singapore, that abnormal behavior would cause a session time-out.

“Trust is built over time and is based on each company’s risk tolerance threshold,” Kietzman said. “Right after initial authentication, trust is high. But that trust might be eroded by actions such as the worker joining a public WiFi network, or turning off the firewall. When that happens, the risk would be broadcasted as a security alert including relevant remediation steps.”

On the other hand, if the user’s actions don’t fall below the risk threshold, their access session can be extended. It’s about continuously evaluating the context around the user’s access.

“This all runs in the background so that users have a frictionless experience, while the organization gains layered security or defense in depth,” Kietzman said. “Continuous trusted access fulfills the security of zero trust without the friction.”

Click here to read more about continuous trusted access.

 

Related:

Copyright © 2022 IDG Communications, Inc.