How zero-trust authentication and architecture have evolved

Zero-trust architecture has spread across the enterprise security software market, so IT pros should understand the latest advancements in zero-trust authentication.

Interest in zero trust has risen over the past few years as organizations search for better methods to secure corporate data against ever-increasing data breaches.

While the zero-trust model and zero-trust authentication aren't brand new, security vendors are finding new ways to adopt them. IT professionals should understand what zero trust is and how it supports end-user computing (EUC) security offerings.

What is zero-trust authentication?

As more organizations move to the cloud to help embrace remote workers and BYOD, IT can't assume that users accessing the network are who they say they are. Even if they are real users, IT can't be sure that their devices are secure. This is where zero-trust authentication comes in, and it is best summarized with a simple phrase: never trust, always verify.

Zero-trust architecture is often made up of more than a half dozen different services, including components such as continuous diagnostic and mitigation systems, security information and event management platforms and ID management systems. With each added service, IT can get more granular with policy enforcement. For example, IT pros can continuously monitor logged-in users to ensure endpoints remain secure.

How has zero-trust authentication advanced?

Many security software and service vendors offer tweaked and improved versions of existing zero-trust technology to strengthen authentication, isolation, and endpoint security and validation.

Contextual and continuous zero-trust authentication

Zero-trust authentication is the foundational component of zero-trust architecture. Organizations can no longer presume someone who logged into an account with a correct password alone is a legitimate user. They can't trust devices just because they're on a corporate network, either. Initially, user account security focused on multi-factor authentication, but now vendors are working on contextual and continuous authentication technology.

Contextual authentication collects additional factors such as location, device ID and time of day when an employee logs into an application or endpoint. This system then assesses the information and compares it to existing data on logins before access is approved.

Continuous authentication does what its name suggests: it constantly determines the system's confidence that users are who they say they are. This conclusion relies on factors such as behavior and what the users access or download. For example, a user viewing data within their normal workflow will draw less suspicion than a user suddenly downloading a huge amount of corporate data.
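The contextual and continuous checks described above, as an added illustration that is not code from the article or from any vendor product it names: a toy policy engine scores a login against a constructed per-user baseline (known devices, usual countries, working hours) and then re-checks an open session whose download volume far exceeds that user's norm. The baseline, the weights and the thresholds are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Baseline:
    """What the policy engine already knows about one user (constructed data)."""
    known_devices: frozenset
    usual_countries: frozenset
    working_hours: range        # hours of the day this user normally logs in
    typical_download_mb: float  # median download volume of past sessions

@dataclass(frozen=True)
class LoginContext:
    """Factors collected at login: device ID, location and time of day."""
    device_id: str
    country: str
    login_time: datetime

def contextual_score(ctx: LoginContext, base: Baseline) -> int:
    """Compare the login's factors with the baseline; higher score = riskier."""
    score = 0
    if ctx.device_id not in base.known_devices:
        score += 40  # unrecognised device: strongest single signal here (assumed weight)
    if ctx.country not in base.usual_countries:
        score += 30  # location the user has not logged in from before
    if ctx.login_time.hour not in base.working_hours:
        score += 15  # outside normal hours: weak signal on its own
    return score

def decide(score: int) -> str:
    """Assumed policy thresholds: allow, require step-up MFA, or deny."""
    if score >= 60:
        return "deny"
    return "step_up" if score >= 30 else "allow"

def continuous_check(session_download_mb: float, base: Baseline, factor: float = 10.0) -> str:
    """Re-evaluate a live session: a bulk download far above the norm forces re-authentication."""
    return "reauthenticate" if session_download_mb > base.typical_download_mb * factor else "continue"

# Constructed baseline and sample logins for a hypothetical user "alice".
UTC = timezone.utc
ALICE = Baseline(frozenset({"laptop-0a1"}), frozenset({"US"}), range(8, 19), 20.0)
NORMAL = LoginContext("laptop-0a1", "US", datetime(2024, 5, 6, 10, tzinfo=UTC))
NEW_DEVICE = LoginContext("phone-7f3", "US", datetime(2024, 5, 6, 10, tzinfo=UTC))
NEW_DEVICE_ABROAD = LoginContext("phone-7f3", "BR", datetime(2024, 5, 6, 3, tzinfo=UTC))
```

A real deployment would feed these scores from the SIEM and identity data mentioned earlier rather than from static constants, but the decision flow is the same.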

Remote browser isolation

Another aspect of zero trust that is gaining traction in the enterprise is remote browser isolation. The goal of this technology is to keep everything on the local device separate from users' internet browsing activity. With remote browser isolation, employees can browse the web without worrying that visiting a malicious site could affect the rest of the endpoint.

Zero-trust architecture decouples the device from the user, so with remote browser isolation organizations can determine permissions and not have to worry about an employee accidentally introducing a malicious program or macro to the local OS.

Validating endpoints

A third way vendors incorporate zero-trust authentication into existing security architecture is through a mixture of new and old methods of validating endpoints. IT can deploy this technology via a few different tools and platforms.

Mobile device management (MDM), mobile application management (MAM) and device attestation work well for mobile devices, while unified endpoint management (UEM) is a better option for desktops. Organizations that provide corporate devices should lean toward UEM and MDM to keep devices locked down and secure because admins can take as many precautions as they need.

For example, BlackBerry's Secure UEM and Productivity Suite features contextual and continuous authentication, and ManageEngine offers browser isolation as part of Desktop Central.

Organizations that are more lenient around device use or offer BYOD can rely on MAM and device attestation. MAM provides security for corporate apps with less worry about the device itself, and device attestation helps admins determine whether a device is secure and if it passes device health checks.

NIST offers a vendor-neutral zero-trust architecture guide that gives organizations what they need to adopt zero trust, if they haven't already.
