Businesses Are Increasingly Adopting Zero-Trust Principles for Authentication in a Mobile World
Contrary to common assertion, the perimeter still exists. What has changed is the volume of access through it required from outside (a mobile workforce, contractors, third-party vendors), often from untrusted devices. The advantage is an always-on, always-connected workforce.
The disadvantage is that it is harder to know who is connecting from outside, whether their devices are healthy, what data is accessible from the internet and who and what can access that data. While the perimeter still exists, traditional perimeter defenses cannot adequately cope with this type and volume of access. The perimeter is porous.
For its 2019 Trusted Access Report (PDF), Duo Security analyzed data from nearly 24 million devices, more than 1 million applications and services, and more than half a billion authentications per month from across its customer base, spanning North America and Western Europe.
What it discovered is a marked shift towards zero trust authentication principles being used by organizations to solve the new always-on remote access problems. (It is important to note that the figures in this report refer only to existing Duo customers with access to existing Duo services.)
The zero-trust concept began in 2004 when the Jericho Forum was established to tackle the problem of ‘de-perimeterization’. John Kindervag (Forrester) is credited with coining the phrase in 2010 when he described a security model that does not assume internal traffic is any more trustworthy than traffic originating from outside the perimeter. Google brought the concept to public notice with BeyondCorp, its large-scale implementation of the same idea for the problem everyone now faces: a globally scattered workforce and infrastructure spread across many countries.
The principle is conceptually simple: protect everything and authenticate everyone before allowing access, with zero assumed trust. Applying it requires that every user is explicitly authenticated, that every device is verified as trustworthy, and that access is granted only to the specific assets the user is authorized for, regardless of which network the request arrives from.
Accurate user authentication is a cornerstone of the zero-trust approach. This requires some form of multi-factor authentication, and the most popular method among Duo customers is Duo’s own Push technology (used by 68% of all customers). It is most popular among higher education customers (72%) and least popular among federal government users (51%). These figures are reversed for the more rarely used hardware token authentication, used by 19% of government customers and just 2% of higher ed customers.
The second most popular method of user authentication is a phone call. This is used by 12% of all users, with healthcare leading the way with 20% of users.
Noticeably, the use of the SMS passcode continues to fall following NIST’s 2016 draft guidance (SP 800-63B) deprecating SMS as an out-of-band authenticator. It is now used by less than 3% of all users, although Duo echoes the view of Secureworks: even “SMS-based 2FA is better than no 2FA at all.”
Device trust is the second cornerstone of the zero-trust approach. It requires visibility into the device, and one of the key concerns is out-of-date software and operating systems. As an example, Kaspersky claimed that of the 400,000 devices affected by WannaCry in 2017, 98% were running Windows 7. At that time 65% of Duo users had Windows 7 endpoints, with just 27% running Windows 10. Today that has reversed, with 66% running Windows 10 and just 29% running Windows 7.
Browsers are also a problem area. Chrome is consolidating its number one position with an 8.1% increase over the year. Edge has increased by just 1%, while use of Internet Explorer has dropped by 11.3%.
A zero-trust policy blocks any device that fails its trust checks. The effect of that policy can be seen in the immediate aftermath of Google disclosing and patching an actively exploited Chrome zero-day vulnerability in March 2019.
“The day the Chrome vulnerability was widely announced (March 7), the number of authentications denied due to out-of-date browsers, platforms or plug-ins was more than 30 times higher than the average from the prior week due to our customers implementing the browser out of date policy.” Since an unpatched Chrome could not be trusted, Duo customers enforced zero trust by denying it access until the update was applied.
A third method for establishing trust in devices is what Duo terms ‘adaptive policies’. An example is restricting access to known or expected geographic sources by blocking authentications from IP addresses geolocated elsewhere. Between Jan 1 and May 13, 2019, Duo customers blocked 3 million attempted accesses from 178 different countries, 10% of which originated in China.
A fourth method is to install a certificate on each trusted remote device: no certificate, no access. This is easier where the organization owns the device in question, which may explain why certificates are more frequently used by larger organizations. Forty-two percent of very small businesses have one or more untrusted devices accessing their network, compared with only 16% of enterprises. Organizations that do not use certificates to distinguish managed devices from unknown ones are potentially at greater risk than those that do.
The third cornerstone of zero trust is to limit trusted access to authorized services. This can be achieved by micro-segmenting the internal network, effectively redefining a perimeter around each service or business-critical application. Once the user and device have passed authentication and posture checks, an internal firewall in front of each application can allow access from those trusted identities and deny everything else. It can be viewed as a variation on whitelisting: instead of blocking known or suspected bad traffic at the network perimeter, it blocks everything except known and proven good at the application perimeter.
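The three cornerstones above, together with the device-posture, adaptive (geo) and certificate checks described earlier, can be expressed as one deny-by-default access decision that records every reason for a denial (which is what makes a report such as "denials due to out-of-date browsers" possible). The following Python is an added illustration and is not code from Duo or from the report. The policy thresholds, minimum versions, user, device and application names, and the sample requests are all constructed for the example (the report publishes neither the vulnerable Chrome build nor any customer's policy values), and the source-IP geolocation is assumed to have been done upstream.

```python
# Added example (not Duo's code): a deny-by-default zero-trust access decision.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

Version = Tuple[int, ...]

def parse_version(text: str) -> Version:
    """'73.0.0.1' -> (73, 0, 0, 1); parsing stops at the first non-numeric component."""
    parts: List[int] = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)

def version_at_least(have: Version, need: Version) -> bool:
    """Component-wise comparison, zero-padded so that (72, 0) satisfies (72, 0, 0, 0)."""
    width = max(len(have), len(need))
    return have + (0,) * (width - len(have)) >= need + (0,) * (width - len(need))

@dataclass(frozen=True)
class Device:
    os_name: str          # e.g. "windows"; version "10.0" is Windows 10, "6.1" is Windows 7
    os_version: str
    browser: str
    browser_version: str
    has_org_cert: bool    # organization-issued device certificate present

@dataclass(frozen=True)
class AccessRequest:
    user: str
    factor: Optional[str]  # completed second factor: "push", "hardware_token", "phone", "sms" or None
    device: Device
    country: str           # ISO 3166 code geolocated from the source IP upstream (assumed)
    application: str

@dataclass(frozen=True)
class Policy:
    accepted_factors: FrozenSet[str]
    min_os: Dict[str, Version]          # os_name -> minimum version; unknown OS is untrusted
    min_browser: Dict[str, Version]     # browser -> minimum version; unknown browser is untrusted
    allowed_countries: FrozenSet[str]   # adaptive geo policy: allow-list of source countries
    require_org_cert: bool
    app_acl: Dict[str, FrozenSet[str]]  # application -> authorized users; unlisted apps deny all

def evaluate(req: AccessRequest, policy: Policy) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Every check runs so denials can be reported by cause;
    access is granted only if no check fails."""
    reasons: List[str] = []
    dev = req.device
    # Cornerstone 1: the user completed an accepted second factor.
    if req.factor is None:
        reasons.append("no second factor")
    elif req.factor not in policy.accepted_factors:
        reasons.append(f"factor '{req.factor}' not accepted")
    # Cornerstone 2: device posture (the "out of date" policy) and device certificate.
    need_os = policy.min_os.get(dev.os_name)
    if need_os is None or not version_at_least(parse_version(dev.os_version), need_os):
        reasons.append(f"platform out of date or unknown: {dev.os_name} {dev.os_version}")
    need_browser = policy.min_browser.get(dev.browser)
    if need_browser is None or not version_at_least(parse_version(dev.browser_version), need_browser):
        reasons.append(f"browser out of date or unknown: {dev.browser} {dev.browser_version}")
    if policy.require_org_cert and not dev.has_org_cert:
        reasons.append("no organization device certificate")
    # Adaptive policy: geo-blocking on the source country.
    if req.country not in policy.allowed_countries:
        reasons.append(f"source country {req.country} blocked by geo policy")
    # Cornerstone 3: per-application allow-list, the micro-perimeter around each service.
    if req.user not in policy.app_acl.get(req.application, frozenset()):
        reasons.append(f"user '{req.user}' not authorized for '{req.application}'")
    return (not reasons, reasons)

# Constructed sample policy; all thresholds are hypothetical.
SAMPLE_POLICY = Policy(
    accepted_factors=frozenset({"push", "hardware_token", "phone"}),  # SMS deliberately excluded
    min_os={"windows": (10, 0), "macos": (10, 14)},
    min_browser={"chrome": (72, 0), "firefox": (65, 0)},
    allowed_countries=frozenset({"US", "CA", "GB", "DE"}),
    require_org_cert=True,
    app_acl={"payroll": frozenset({"alice"}), "wiki": frozenset({"alice", "bob"})},
)

def demo() -> Dict[str, Tuple[bool, List[str]]]:
    """Evaluate constructed requests against SAMPLE_POLICY, keyed by scenario."""
    healthy = Device("windows", "10.0.17763", "chrome", "73.0.0.1", has_org_cert=True)
    stale = Device("windows", "10.0.17763", "chrome", "71.0.5.9", has_org_cert=True)
    win7_byod = Device("windows", "6.1.7601", "firefox", "66.0", has_org_cert=False)
    p = SAMPLE_POLICY
    return {
        "alice_payroll_ok": evaluate(AccessRequest("alice", "push", healthy, "US", "payroll"), p),
        "stale_browser": evaluate(AccessRequest("alice", "push", stale, "US", "payroll"), p),
        "sms_from_blocked_geo": evaluate(AccessRequest("bob", "sms", healthy, "CN", "wiki"), p),
        "bob_payroll_unauthorized": evaluate(AccessRequest("bob", "push", healthy, "US", "payroll"), p),
        "win7_unmanaged": evaluate(AccessRequest("bob", "hardware_token", win7_byod, "GB", "wiki"), p),
    }

if __name__ == "__main__":
    for name, (allowed, why) in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'} {why}")
```

Two design points matter here. Unknown platforms and browsers are treated as untrusted rather than skipped, so a device that cannot be assessed is denied rather than waved through; and the checks do not short-circuit, so a single request can be reported as both "out-of-date browser" and "blocked country", which is how the day-of-disclosure spike in the report could be attributed to the browser policy specifically.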
“In summary,” Duo Security concludes, “our analysis reveals that Duo customers are diving head-first into zero-trust security and are adopting the principles of zero trust to protect their workforces, the users and the devices that access their critical business applications.”