As part of Solutions Review’s Premium Content Series—a collection of contributed columns written by industry experts in maturing software categories—Kevin Orr of RSA Federal waxes zero trust philosophy, and the role MFA plays in bolstering your digital transformation.
In enterprise and cybersecurity, two realities remain intrinsically linked: the pressing need to accelerate the digital transformation of business operations and the accompanying increased cyber risk an enterprise assumes through that expanded digitalization.
To maximize the operational and financial benefits of digital transformation efforts, organizations must ensure that technological implementation occurs in lockstep with the supervision, guidance, and best practices identified by the organization’s information security team. But transformation need not be implemented in conflict with the maintenance of security. In fact, when considering the adoption of new technologies, organizations can simultaneously improve business functionality if they bolster their transformation with the principles and tools of a zero-trust identity management architecture.
Zero trust is, simply, a philosophy of continuously verifying the access and identity of all devices, applications, and users in an enterprise. At its core: “never trust, always verify.”
Implementation of a zero-trust philosophy will boost any enterprise’s digital transformation because those discussions are inherently introspective, causing organizations to reckon with real, on-the-ground data representing the usage of its platforms. Important questions foundational to zero-trust implementation can reshape digital transformation plans. Who truly needs access? Who no longer needs access? What level of access do they truly need? When and where must they have that access? For how long? Zero-trust implementation effectively doubles as a user and system audit, presenting technology executives with the realities of their workforces’ true needs and operations.
A Tool Vital to Zero Trust: Multi-Factor Authentication (MFA)
As the cloud, remote work, and other developments continue to challenge the perimeters that have traditionally protected resources, compromised credentials present an increased risk. Unfortunately, MFA remains vastly underutilized. Single-sign-on passwords remain a dominant user authentication method, and more complex passwords do little to combat identity theft, which has become the number one attack vector. Verizon’s 2022 Data Breach Investigations Report highlights the importance of proper password protection, noting that over 80 percent of breaches in Basic Web Application Attacks were caused by stolen credentials. Statistics such as this exemplify why assets like MFA are so critical to securing the digital environment today. Existing at an intersection of digital tools and human practice, MFA is an often underestimated but all-too-important aspect of security practice.
As organizations move services to the cloud, continue to enable mobile devices, expand remote work, and more, however, it is vital that the tools supporting the zero-trust philosophy, like MFA, offer flexibility. In authentication, most access or transaction requests are binary: users are either in, or they’re out; they have access, or they do not. But modern business practices involve a diverse range of users connecting from many distinct locations, and MFA needs to meet this range of needs and preferences. One size does not fit all, presenting a range of authentication hurdles. Even responsibly sharing assets with trustworthy parties can lead to unintentional exposure of more vulnerable information, requiring active, human-based threat detection augmented by automatic, AI-empowered detection systems.
All of this can seem daunting, which is why user assets, like the ability to administrate on-premises capabilities easily and seamlessly via the cloud, are key in creating a sense of attainability for enterprises to employ these practices. From the user perspective, providers and organizations must offer approachable interfaces, like a common MFA login experience across web, cloud, mobile and on-premises applications. It is also incumbent on hardware manufacturers to establish verifiable ID methods so that application and service providers can extend levels of trust to a device and its associated applications.
Zero-Trust Adoption: Unify The Authentication Standards
Ultimately, an effective zero-trust philosophy should undergird virtually every single one of an organization’s digital platforms and reinvigorate the organizational view on user authentication. The authentication landscape has evolved dramatically in recent years, especially with the unprecedented growth in enterprise cloud-based applications and increasing reliance on mobile devices. With further growth expected and the migration to secure cloud services accelerating, organizations must remain vigilant as they witness increasingly sophisticated malware, phishing attempts, and even social engineering plays—all complicated by complex federal data protection regulations.
There is a clear duality of responsibility: enterprises and their technology leaders must responsibly chart a path forward towards zero-trust adoption, looking deeply into how their digital systems are used so that they can be better protected. The other half of the responsibility rests with security vendors, who must ensure their solutions offer the needed flexibility and organizational individuation to meet customer needs—or else risk forestalling the shift to zero trust even further.
- Bolster Your Digital Transformation with a Zero Trust Philosophy - September 29, 2022