Understanding Zero Trust
The US government has recently announced that it will be implementing an expansive and comprehensive initiative to integrate a “zero trust” strategy into all agencies. But what exactly does this mean? It’s a goal to introduce better, more secure multifactor and cryptography-based authentication into existing government agencies, which means more security identity checks but fewer obstacles.
Nothing Is Taken For Granted
As the name implies, the “zero trust” strategy works under the assumption that no one should be taken at face value without verification. In this case, however, verification may occur multiple times through different mechanisms and security features, which is a foundation concept of multifactor authentication combined with cryptographic key pairs.
In a traditional “trusted” security system, one verification is enough. The conventional single-password system is a good example of this. A manager, for example, may have complete access to employee records, employee data like bank account numbers and social security numbers, and even credit numbers and mailing addresses of customers via purchasing database. Complete access and control to all this data are granted through inputting the correct password, which could be as complex as a random string of alphanumeric characters or as simple as the manager using the word “password.” Should that single password ever be stolen or guessed by a criminal, all that access and control, the manager has is now transferred to someone else. In some cases, a password isn’t even required. As long as a person logs into a manager’s desktop computer in the office, complete system, network and data access is granted.
The zero trust strategy makes none of these assumptions, and cryptographic multifactor authentication is a cornerstone of this philosophy. Depending on how extensive the zero trust implementation is, it’s not enough to verify a person’s identity logging in. Even the type of connection and device used for the log-in may also need to be confirmed. The person’s identity is then continually checked for high-value events like accessing sensitive data or conducting a payment transaction.
This is especially important in an age where cloud storage and cloud computing-based applications make it possible for a legitimate user to access software and data anywhere. Multi-factor authentication allows someone accessing confidential data from within their own office at corporate headquarters to quickly do the same thing in Japan from their company-issued smartphone. The key difference is that now, even if someone’s password or smartphone is stolen, the cryptographic-based multifactor authentication philosophy of zero trust now has safeguards to prevent one, two, or even three pieces of stolen verification from being enough.
Multiple verification systems can be fast and easy without being cumbersome through biometrics, digital keys, and other design innovations. Learn more here about how Nok Nok’s modern identity and passwordless authentication technology protects today’s multifactor security measures.
