What is zero-trust security?
23 June 2020

The term was first coined a decade ago by an analyst at Forrester Research. Zero-trust security models assume that no device or user can be trusted, and this assumption still holds after a user has initially gained access to the network.

Based on this assumption that a user cannot be trusted, zero-trust models continuously verify and authenticate users no matter where, when and how they access a system. This protects organizations by preventing unauthorized movement within a network’s systems. 

As such, zero-trust security is a radical framework designed to protect organizations from the reputational, legal and operational costs associated with large-scale data breaches.

At Keyless we’re helping enterprises transition to zero-trust security architectures with our breakthrough biometric authentication technology.

What we’ll cover in this article:

  • How zero-trust models work

  • The seven pillars of zero-trust security

  • The difference between trust-based and zero-trust security

  • How to implement zero-trust security

  • The Keyless solution: zero-knowledge biometrics

So, how does zero-trust security work?

This type of architecture employs several security measures, including identity and access management, multi-factor authentication, network segmentation, and continuous monitoring of user and device behaviour.

In zero-trust security, users and devices are not granted unrestricted access to network resources, but are granted access only to the resources they need to perform their tasks. This approach reduces the attack surface and limits the damage that can be caused by a breach.

One of the key components of zero-trust security is the use of micro-segmentation, which involves breaking up a network into smaller, isolated segments, each with its own security controls. This limits the ability of an attacker to move laterally across the network and access sensitive resources.

The seven pillars of zero-trust security

There are seven ‘pillars’ that uphold the framework of zero-trust security and form a comprehensive zero-trust strategy. Here’s a breakdown of the seven pillars and how each one works:

1. Identity Verification

The first pillar focuses on the need to verify the identity of every user and device trying to access network resources. It involves establishing a secure identity and access management system that includes multifactor authentication and password management.

2. Device Security

This pillar addresses the security of devices that are used to access network resources. It involves implementing measures such as patch management, endpoint security, and encryption to ensure that devices are secure and meet security standards.

3. Network Security

The third pillar focuses on securing the network itself by implementing measures such as segmentation, firewalls, and intrusion detection systems. This helps to limit the potential attack surface and prevent lateral movement within the network.

4. Application Security

Pillar four addresses the security of applications that are used to access network resources. It involves implementing measures such as access controls, encryption, and vulnerability management to ensure that applications are secure and meet security standards.

5. Data Security

The fifth pillar focuses on securing sensitive data by implementing measures such as encryption, data loss prevention, and data classification. This helps to prevent unauthorized access, exfiltration, or modification of sensitive data.

6. Visibility and Analytics

This pillar monitors and analyses user and device behaviour to detect and respond to potential threats. It involves implementing measures such as security information and event management (SIEM) systems, network traffic analysis, and user behaviour analytics.

7. Automation and Orchestration

Finally, this pillar involves automating security processes and responses to improve the speed and efficiency of security operations. It involves implementing measures such as security orchestration, automation, and response (SOAR) systems, and incident response playbooks.

Network security: Trust Models vs Zero-Trust Models

Perimeter-based network security models, like firewalls and VPNs, traditionally trust users who are inside the network.

Unfortunately, this approach leaves organizations susceptible to threats launched from within the network, while also failing to protect against incoming threats when systems are being accessed remotely.

Recent work-from-home orders are highlighting security flaws with the perimeter-based network security approach.

With the rapid rise of users accessing an organization’s systems remotely (from outside the security perimeters of corporate firewalls), the chances of a successful breach have increased sharply.

Since legacy security systems rely on trust, once a hacker gains access to a network, they’re able to move freely throughout the network until they find sensitive data.

Malicious attacks aren’t the only issue with legacy security systems. Trust-based models leave organizations susceptible to insider-orchestrated attacks and data leaks.

Thus, the assumption of trust is fundamentally flawed, leaving systems vulnerable to an ever-increasing number of sophisticated attacks. As the classic saying goes, “if it can get hacked, it will”.

With the growing threat of attacks, this is essentially true for all systems that store sensitive data and fail to adequately protect it. Zero-trust models can help organizations restore security and privacy.

How to implement zero-trust security within your organization

As the global workforce moves online, enterprises need authentication solutions that are not only secure, but dynamic and user-friendly at the same time.

We believe that modern access management is about the right people having the right level of access at the right time, with the least amount of friction possible.

The first step towards implementing a zero-trust security architecture should be to adopt secure passwordless authentication. The second would be to implement access controls at every entry point to an organization’s private systems and databases.

Access controls can be used to prevent lateral movement throughout the network, while ensuring that only privileged users have access to sensitive databases and private resources.

By re-establishing trust (via re-authentication) as the user moves through the network, zero-trust authentication prevents malicious actors from being able to launch large-scale attacks.

The zero-trust model also prevents unauthorized users or employees from accessing data that they shouldn’t have access to.
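The contrast between a perimeter check and per-request access controls at each entry point, as an added example that is not Keyless code or part of the original article. The segment names, roles, device IDs, internal address range and 300-second re-authentication window are all assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample policy: roles allowed into each micro-segment (least privilege).
SEGMENT_POLICY = {
    "hr-db": {"hr"},
    "payroll-api": {"hr", "finance"},
    "build-servers": {"engineering"},
}
REGISTERED_DEVICES = {"laptop-0012", "phone-0456"}  # constructed device inventory
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed corporate range
MAX_AUTH_AGE_S = 300                                # assumed re-authentication window


@dataclass
class Request:
    role: str
    device_id: str
    source_ip: str
    segment: str
    now: float
    # segment name -> time of the last successful authentication for that segment
    last_auth: dict = field(default_factory=dict)


def perimeter_decision(req):
    """Trust-based model: a request from inside the network is allowed."""
    return ipaddress.ip_address(req.source_ip) in INTERNAL_NET


def zero_trust_decision(req):
    """Decide each request on its own; network location grants nothing."""
    if req.device_id not in REGISTERED_DEVICES:
        return False, "device not registered"
    if req.role not in SEGMENT_POLICY.get(req.segment, set()):
        return False, "role not permitted in segment"
    last = req.last_auth.get(req.segment)
    if last is None or req.now - last > MAX_AUTH_AGE_S:
        return False, "re-authentication required"
    return True, "allow"


def evaluate(req):
    """Return both models' verdicts for the same request, for comparison."""
    return perimeter_decision(req), zero_trust_decision(req)
```

An engineering session on the internal network that reaches for `hr-db` passes the perimeter check but is denied by the per-request check, while an HR user on a registered device outside the network is allowed once recently authenticated for that segment.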

The Keyless solution: zero-knowledge biometrics

At Keyless, we combine multi-modal biometrics with privacy-enhancing cryptography and state-of-the-art anti-spoofing technology to enable a passwordless, phishing-proof way to authenticate users, leveraging a zero-trust framework.

In doing so, we are able to offer seamless, ‘onelook’, multi-factor authentication for end-users and employees, across all platforms and devices.

With cyberthreats increasing in sophistication and scale, zero-trust models can help transform security architectures and protect enterprises by offering new levels of protection, helping to ease the transition into a digital future where remote work is commonplace.

Our solution offers strong multi-factor security, by design:

  • For the first authentication factor, Keyless verifies users who are accessing from a trusted device. If a device is not registered, the user won’t be able to authenticate

  • For the second authentication factor, we use facial biometrics to verify users across every touchpoint — a universal inherence factor as an added level of security

  • Soon, Keyless will involve behavioural biometrics, which serves as another, transparent third factor — across platforms and devices

In other words, users seamlessly authenticate simply by looking into the camera of their registered device. Our network verifies users in less than 100 milliseconds, less time than it takes to type out an email address and password.

By providing a secure, frictionless way to establish access controls at multiple entry points, Keyless prevents unauthorized movement through private corporate systems.

This protects organizations from a range of threats inside the network, like malicious takeovers, insider attacks and data leaks.

To protect end-users and organizations from other kinds of malicious attacks, like fraudulent attempts to replicate a user’s biometrics, Keyless uses advanced liveness detection and anti-spoofing techniques to ensure that the user is in fact real.

Interested in trialling Keyless to enable zero-trust remote security?

If you’re interested in how Keyless™ authentication can help deliver secure and seamless digital experiences, or if you’d simply like to learn more about our technology, then please feel free to get in touch with our team.

You can email us at info@keyless.io

We’re always keen to have a chat about how we can help businesses on their journeys towards a complete zero-trust security model.
