Giving users access to the tools they need is key to digital transformation. With traditional technologies such as VPN and token-based MFA, IT and security managers have often found themselves walking a tightrope between productivity and security. Making access easy for end users typically means failing to provide adequate protection against bad actors, whereas strict security requirements create a poor user experience, encourage shadow IT, and inundate the service desk with credential reset requests.

For digital transformation projects to be successful, authentication practices need to be reviewed. The efficacy of authentication can be evaluated by:

  • What you ask
  • When you ask
  • Who you allow

What you ask

Using effective methods to verify a user's identity, and whether they should have access at all, is critical to ensuring that only sanctioned parties can use corporate applications. Complex Identity and Access Management (IAM) tools can struggle here because hardware or software tokens are time consuming for users and far from seamless. Multi-step, token-based approaches also have security weaknesses: phishing kits that relay one-time codes to the real service in real time, and so bypass token-based MFA, are becoming increasingly common.

The Payment Card Industry Security Standards Council (PCI SSC) defines multi-factor authentication (MFA) as requiring at least two independent factors from the following categories:

  • Something you are (like a biometric identifier that is unique to you)
  • Something you have (like a trusted device which can’t be replicated)
  • Something you know (like a password that is difficult to guess)

Biometric readers are built into most modern laptops and mobile phones and are typically the default method of unlocking them. Adaptive access technology can silently verify that a device is sanctioned and in a secure state before a password is ever requested. This is not only a much smoother user experience, it is also more secure, because credentials are never entered on a device or session that has not passed the check. Only after the device-level requirements are met does the user enter their password to prove who they are.

When you ask

The point at which a user is asked to authenticate is an often overlooked part of security, and a pitfall for many traditional services. Popular applications such as Salesforce and OneDrive have login pages available on the public internet. If a user can navigate to a service in a browser, or open an app, the presence of a login page reveals that the service exists, and anyone holding valid credentials can use it, including a bad actor who has phished or bought them. Equally, a VPN gateway accepts connections from anyone on the internet and only then authenticates them, so the gateway itself is an exposed target. A way of preventing this is to use a Software Defined Perimeter (SDP) built on the principles of Zero Trust, the best practice for secure user access.

An SDP acts as the connective fabric between users and services, requiring users to verify themselves before any service is made visible to them. The Cloud Security Alliance recommends this approach because the application infrastructure cannot be discovered by port scanning: unauthenticated probes receive no response at all. The Department of Defense calls this going "black". It mitigates the most common network-based attacks from unauthorized parties, including server scanning, denial of service, SQL injection, password cracking, cross-site scripting and many more, because an attacker who cannot reach the application cannot attack it. Note that this protection applies to parties who are not authorized; an application-layer flaw such as SQL injection still needs fixing in the application itself, since an authorized but compromised user or device can still reach it.

Requiring authentication before allowing a connection is especially important for businesses with contractors, partners, and short-term staff. The fact that an individual is on the corporate network does not mean they can be trusted with visibility of, or the ability to connect to, corporate resources. A key part of modern Zero Trust Network Access architectures is eliminating unnecessary and ineffective forms of verification such as network location.

Who you allow

Should your sales team or engineers have access to HR records? Managing what users can access is as important as granting access itself. Unlike VPN solutions, which typically give a connected user network-level reachability to every system in the environment, an SDP allows administrators to tune access rights based on the user's identity, device health and the specific application.

This control is based on the principles of microsegmentation: only defined and approved applications are visible to the end user. All other applications are "black", invisible and impossible to target even if the user's access is compromised. Microsegmentation lets permissions be managed at an individual or team level, granting access according to business role.

Integration with identity providers such as Azure Active Directory can be used to enhance microsegmentation, enabling administrators to grant and revoke access privileges quickly from a single source of truth, such as group membership. This means that users can be empowered with the tools they need and kept away from those they don't need, which may otherwise pose a security risk.
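The following Python sketch is an added example, not Wandera's product code and not code from the page. It models the ideas of the "When you ask" and "Who you allow" sections together: a gateway that answers nothing until a signed request has been verified, and a policy that opens only the applications a user's identity provider group is entitled to, and only from a device that reports as healthy (the device check runs before the identity check, matching the adaptive access flow described under "What you ask"). The per-device key, the group membership, the three service names and the 30-second freshness window are all assumed for illustration; a real controller would use device certificates and a live query to the identity provider.

```python
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field

# Constructed example data, not taken from the page: a per-device key issued at
# enrolment (stands in for the device certificate an SDP controller would hold),
# IdP group membership, and the groups entitled to each application.
DEVICE_KEYS = {
    "laptop-ana": b"enrolment-key-ana",
    "laptop-bo": b"enrolment-key-bo",
}
IDP_GROUPS = {"ana": {"sales"}, "bo": {"engineering"}, "cy": {"hr"}}
POLICY = {  # service -> groups that may see it; a healthy device is always required
    "crm.internal": {"sales"},
    "git.internal": {"engineering"},
    "hr.internal": {"hr"},
}


def canonical(payload: dict) -> bytes:
    """Deterministic encoding so client and gateway MAC the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_request(device_id: str, key: bytes, user: str, healthy: bool,
                 nonce: str, now: float) -> dict:
    """Client side: a signed, timestamped access request. The device-health claim
    is covered by the MAC, so it cannot be flipped to True in transit."""
    payload = {"device": device_id, "user": user, "healthy": healthy,
               "nonce": nonce, "ts": int(now)}
    mac = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {**payload, "mac": mac}


@dataclass
class Gateway:
    max_skew: int = 30                               # seconds a request stays valid
    allowed: set = field(default_factory=set)        # (device, service) pairs opened
    seen: set = field(default_factory=set)           # nonces already accepted
    audit: list = field(default_factory=list)        # reasons, for the SOC not the client

    def authorize(self, req: dict, now: float) -> list:
        """Controller side: verify before anything is exposed. Every failure returns
        an empty list and is logged; the requester learns nothing about why."""
        key = DEVICE_KEYS.get(req.get("device"))
        if key is None:
            self.audit.append("reject: unenrolled device")
            return []
        payload = {k: v for k, v in req.items() if k != "mac"}
        expected = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(req.get("mac", ""))):
            self.audit.append("reject: bad signature")
            return []
        if abs(int(now) - payload.get("ts", 0)) > self.max_skew:
            self.audit.append("reject: stale request")
            return []
        if payload.get("nonce") in self.seen:
            self.audit.append("reject: replay")
            return []
        self.seen.add(payload["nonce"])
        # Device posture is checked before identity, as in the adaptive access flow.
        if not payload.get("healthy"):
            self.audit.append("reject: unhealthy device")
            return []
        groups = IDP_GROUPS.get(payload.get("user"), set())
        visible = sorted(svc for svc, grp in POLICY.items() if groups & grp)
        for svc in visible:
            self.allowed.add((payload["device"], svc))
        self.audit.append(f"allow: {payload['user']}@{payload['device']} -> {visible}")
        return visible

    def connect(self, device_id: str, service: str):
        """Data path: a pair that was never opened gets no reply at all, which is
        what makes the service 'black' to a port scan or a stolen password alone."""
        if (device_id, service) not in self.allowed:
            return None
        return f"connected:{service}"


if __name__ == "__main__":
    gw, now = Gateway(), time.time()
    print(gw.connect("laptop-ana", "crm.internal"))   # None: nothing is visible yet
    req = sign_request("laptop-ana", DEVICE_KEYS["laptop-ana"], "ana", True, "n1", now)
    print(gw.authorize(req, now), gw.connect("laptop-ana", "crm.internal"))
    print(gw.authorize(req, now), gw.audit[-1])        # replayed request is refused
```

Two design points carry the section's argument. Every rejection path returns the same empty answer, so a scanner, a stolen password or a forged "healthy" flag all get silence rather than a distinguishable error, with the reason recorded only for the defenders. And the entitlement is computed from group membership at authorization time, so removing a contractor from the group in the identity provider is enough to make every application black to them on the next request.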

Finding the balance

Wandera’s Zero Trust Network Access solution redefines enterprise access and establishes a new benchmark for authentication. The cloud-first approach also provides users with a consistent experience regardless of how or where they work, which is needed to support the expanding range of access use cases. The reinvented security practices, incorporating adaptive access and zero trust principles, mean that, despite users being more easily connected, your business is better protected. Security truly becomes efficacious for your business.

To learn more about Zero Trust Network Access or the Wandera Security Cloud and how they can help your business, please get in touch with one of our experts.