Zero Trust Maturity: Knowing Your User
Rooted in the principle of “never trust, always verify,” Zero Trust is a strategic initiative that helps prevent successful data breaches by eliminating the concept of implicit trust from an organization’s network architecture. Every aspect of an organization’s security infrastructure is affected by a Zero Trust approach, from the access management system to the network edge to the endpoints.
To be successful, the system needs to apply verification at all access points and at all lifecycle events. Verifying the identity of the user and assessing risk at every access event is necessary to truly comply with the principle of Zero Trust. This requires a flexible verification system with the right tools for each step in that process. How do you know that the user is who they say they are, from registration all the way to access?
Digitally Verifying a User on an Ongoing Basis
Identity verification and risk-based authentication solve the one-time and ongoing needs of Zero Trust access. To “never trust and always verify,” the identity verification system needs a one-time detailed verification and ongoing checks on user and device risk. A flexible exchange with policy trees is required to adapt workflows to the needs of both of these methods of verification and risk assessment. The suggested steps are biometric identity verification at onboarding, followed by ongoing device risk checks during authentication and while accessing critical resources.
In the “old days,” an HR representative would look at the new employee during onboarding, glance at their passport and confirm that IT could create a new account for the user. That has to be replaced with a new system that verifies the user digitally during remote onboarding. During the account creation process, the user takes a selfie and scans their passport or another appropriate document; the system then compares the two images and verifies the address and date of birth attributes on the document. Building this into the onboarding flow eases the process while allowing for even greater security.
Similarly, when a user is accessing resources in a Zero Trust environment, you can’t just grant access because the user knows a username and password; that is very last century! You wouldn’t go to the same level of scrutiny as during onboarding, but a device reputation check, confirming that the device is owned by the user in question and hasn’t been used in fraudulent activities, is a frictionless way to verify that this is indeed the correct user.
Manage Zero Trust Verification with an Attribute Exchange
All of that verifying seems like a good idea but it has to be easy for an organization to manage. To make Zero Trust work for you, you have to make it frictionless for the user but flexible and powerful for the administrators. The most important aspect is to have powerful verification workflows that can be customized for the appropriate need. ID Dataweb has built identity verification templates that are easy to configure for each use case, decreasing the time to security for your organization.
To truly take advantage of these powerful workflows, an organization needs to tailor the data sources to its specific needs. A credit bureau provides triangulation on address data, DMV data verifies the current information, a fraud consortium determines whether the device has been up to no good, a mobile carrier verifies that the phone is owned by the user – each of these scenarios is woven into the correct template. Managing those backend relationships is not your business: ID Dataweb has an easy-to-use identity attribute exchange to pick primary and backup providers without having to manage the 100+ relationships on your own.
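To make the policy-tree idea from the two sections above concrete, here is an added toy evaluator (example code, not ID Dataweb’s product or API). It models the two verification modes the article describes, a detailed document-plus-selfie check at onboarding and a lightweight device reputation check at login and on critical-resource access, with the attribute exchange falling back from a primary provider to a backup. Provider names, responses, the selfie threshold and the event labels are all constructed for illustration.

```python
# Constructed provider responses behind the attribute exchange.
# None models an outage at that tier, so the exchange falls back to the backup.
PROVIDERS = {
    "document": {"primary": {"selfie_match": 0.97, "address_ok": True, "dob_ok": True},
                 "backup": None},
    "device":   {"primary": None,
                 "backup": {"owned_by_user": True, "fraud_hits": 0}},
}

SELFIE_THRESHOLD = 0.90  # constructed threshold, not a vendor value


def query_exchange(source, providers=PROVIDERS):
    """Attribute exchange: return (result, tier) from the first provider that answers."""
    for tier in ("primary", "backup"):
        result = providers.get(source, {}).get(tier)
        if result is not None:
            return result, tier
    return None, None  # nobody answered; callers treat this as a failed check


def evaluate(event, providers=PROVIDERS):
    """Policy tree: the event type selects the verification branch.

    Returns 'allow', 'step_up' (require a stronger factor) or 'deny'.
    """
    if event == "onboarding":
        # One-time detailed verification: document scan, selfie match, attributes.
        doc, _ = query_exchange("document", providers)
        if doc is None:
            return "deny"  # document could not be verified: no account is created
        ok = doc["selfie_match"] >= SELFIE_THRESHOLD and doc["address_ok"] and doc["dob_ok"]
        return "allow" if ok else "deny"

    # Ongoing, frictionless check: device reputation at login and critical access.
    dev, _ = query_exchange("device", providers)
    if dev is None or dev["fraud_hits"] > 0:
        return "deny"  # unknown or fraud-linked device never gets silent access
    if not dev["owned_by_user"]:
        # Unrecognised device: tolerable with step-up for routine login,
        # not for critical resources.
        return "step_up" if event == "login" else "deny"
    return "allow"
```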
Zero Trust stands zero chance if you don’t start with the building blocks. Before you start building out policies with your ZTNA provider, be certain that the user is who they claim to be: verify their identity. Verify once thoroughly during onboarding and every time tactically with adaptive authentication. Zero Trust is achievable, but you have to always verify!