Conducting business in a Zero Trust world: we need an additional, highly secure mechanism to verify identity
This is a guest post by Blair Crawford, Co-founder and Managing Director at Daltrey.
Philosophy majors would tell you that assumption is the mother of all mistakes. In business, the biggest assumption is that we take for granted one of our most valuable commodities: trust.
When we meet someone for the first time, we typically assume they are who they say they are and their intentions are honest. However, sometimes there may be instances when our ‘radar’ is triggered and our trust isn’t automatically given. Perhaps something they say doesn’t quite match their mannerisms, suggesting some sort of subterfuge is in play.
When we deal with the physical and logical security of our workplaces, we don’t have that luxury all the time. For example, when a new employee tells you their name, do you verify they are telling the whole truth? Or when someone logs into your network, do you check that the login is being used by the person it was allocated to? Do you really know who is using the key fob to unlock the office door?
Introducing Zero Trust
Security companies and practitioners have been pushing the idea of Zero Trust for the past decade. Before Forrester Research’s John Kindervag came up with the idea in 2010, there was an assumption that everything inside your network could be trusted. But Kindervag argued that the default position for any device or user that connects to a network is that they can’t be trusted. So, the entire architecture is designed with that assumption.
While it is important to take certain steps with the devices that connect to your network, such as installing security software and ensuring patches are applied, the most critical action you must take is to ensure you know who is logging into your network.
Making the user’s life more difficult
With phishing attacks that result in credential theft and login sharing so prevalent, it’s increasingly difficult to know exactly who is connecting to your network.
The security industry’s response to the challenge of identity in a Zero Trust world has been to make life harder for users. While tools like multi-factor authentication are effective, in many cases they put the onus on users to do more. It is critical that additional authentication steps do not create roadblocks, impact the user experience, or diminish productivity.
Dawn of the biometrics age
In contrast, facial recognition and fingerprint scanners have made it easier for users to log into their mobile devices. These mechanisms are harder to observe or share than a passcode, and significantly easier and faster to use. That said, they still fail to establish a robust user identity that is validated against verified identification documentation: the device matches a sample against a template enrolled by whoever set the device up, not against a proven identity. In fact, on-device biometrics often do nothing more than unlock a locally stored secret and auto-fill a passcode or password that was inherently weak in the first place.
What if we could combine the ease of use of biometrics – such as fingerprint scanning, facial recognition and retinal scans – with a properly verified identity? That would provide us with a trustworthy form of ID that couldn’t be shared, would be extremely hard to crack and would simplify life for users and enterprises. It would also render lists of stolen credentials worthless and disrupt a major tool used in security breaches.
Combining biometrics with verified ID
When we match a verified identity with a highly secure biometric token, we take an identity that starts as ‘untrusted’ and watch it earn our trust. Verifying that identity against the appropriate level of validated documentation is what earns your trust in who the person is; binding a biometric to that verified identity means you can trust that the person logging in is exactly who you expect. Instead of seeing the world only through the lens of Zero Trust – where you can’t believe anyone or anything on your network is who they claim to be – you shift to an earned-trust perspective, where you have taken steps to ensure you know who is logging in and that their credentials are verified.
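As an added illustration of the earned-trust flow described above (this is example code written for this page, not Daltrey’s product or any vendor’s API), the following Python models the three steps: an identity is enrolled at an assurance level earned through document verification, a biometric template is cryptographically bound to that record, and a login is allowed only when a live biometric match refers to the bound template. The assurance levels, field names, HMAC binding and the 0.9 match threshold are assumptions chosen for the example; network location is deliberately ignored, and a correct password alone earns nothing, which is what makes a stolen credential list worthless under this policy.

```python
"""Earned-trust access decision (added illustration, not vendor code).

An identity starts UNVERIFIED, earns an assurance level by having its
documents checked, gets a biometric template bound to it at enrolment,
and at login must present a live biometric match against that bound
template. Network location grants nothing. Assurance levels, field
names and the 0.9 threshold are assumptions chosen for this example.
"""
import hashlib
import hmac
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional, Tuple


class IdentityAssurance(IntEnum):
    UNVERIFIED = 0          # self-asserted name, nothing checked
    DOCUMENT_CHECKED = 1    # a document was sighted but not validated
    DOCUMENT_VERIFIED = 2   # documents validated with the issuing source


@dataclass(frozen=True)
class EnrolledIdentity:
    subject: str
    assurance: IdentityAssurance
    template_id: str        # reference to the enrolled biometric template
    binding_tag: bytes      # HMAC tying subject, assurance and template together


@dataclass
class LoginAttempt:
    subject: str
    password_ok: bool = False
    template_id: Optional[str] = None      # template the matcher compared against
    match_score: Optional[float] = None    # matcher similarity score, 0..1
    liveness_passed: bool = False          # presentation-attack detection result
    from_corporate_network: bool = False   # deliberately ignored: Zero Trust


class IdentityProvider:
    def __init__(self, binding_key: bytes, match_threshold: float = 0.9):
        self._key = binding_key            # held server-side, never on the device
        self._threshold = match_threshold

    def _tag(self, subject: str, assurance: IdentityAssurance, template_id: str) -> bytes:
        msg = f"{subject}|{int(assurance)}|{template_id}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def enrol(self, subject: str, assurance: IdentityAssurance,
              template_id: str) -> EnrolledIdentity:
        """Bind a biometric template to an identity at its current assurance level."""
        return EnrolledIdentity(subject, assurance, template_id,
                                self._tag(subject, assurance, template_id))

    def decide(self, identity: EnrolledIdentity, attempt: LoginAttempt) -> Tuple[bool, str]:
        """Return (allowed, reason). Every check must pass; nothing is assumed."""
        if attempt.subject != identity.subject:
            return False, "subject mismatch"
        # The binding must be intact: a record whose assurance level or
        # template reference was altered after enrolment fails here.
        expected = self._tag(identity.subject, identity.assurance, identity.template_id)
        if not hmac.compare_digest(expected, identity.binding_tag):
            return False, "identity record binding invalid"
        if identity.assurance < IdentityAssurance.DOCUMENT_VERIFIED:
            return False, "identity not verified against documentation"
        # A correct password, from inside the network or not, earns nothing on
        # its own; the biometric bound to the verified identity is required.
        if attempt.template_id is None or attempt.match_score is None:
            return False, "biometric factor missing"
        if attempt.template_id != identity.template_id:
            return False, "biometric matched a template not bound to this identity"
        if not attempt.liveness_passed:
            return False, "liveness check failed"
        if attempt.match_score < self._threshold:
            return False, f"match score {attempt.match_score:.2f} below threshold"
        return True, "verified identity presented a live, bound biometric"


if __name__ == "__main__":
    idp = IdentityProvider(binding_key=b"example-only-server-key")
    alice = idp.enrol("alice", IdentityAssurance.DOCUMENT_VERIFIED, "tmpl-alice-1")
    # Stolen password used from inside the office network: still denied.
    print(idp.decide(alice, LoginAttempt("alice", password_ok=True, from_corporate_network=True)))
    # Live biometric match against the bound template: allowed.
    print(idp.decide(alice, LoginAttempt("alice", template_id="tmpl-alice-1",
                                         match_score=0.97, liveness_passed=True)))
```

The HMAC key stays with the identity provider, so a device cannot mint its own binding between a template and a higher assurance level, and the liveness and threshold checks stand in for the matcher’s presentation-attack detection, which any real deployment would need to supply.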
About the author
Blair Crawford is a biometrics and identity management specialist with extensive experience helping global organisations solve their most pressing security, risk and compliance challenges. Leveraging this wealth of experience, he recently established Daltrey – a unique security solution that delivers biometrics as a service for workforce authentication, across all physical and logical access scenarios.
DISCLAIMER: BiometricUpdate.com blogs are submitted content. The views expressed in this blog are that of the author, and don’t necessarily reflect the views of Biometric Update.