Thanks to our new “life with COVID,” most of our transactions have shifted to the digital space. As a result, bad actors have set their sights on a new playing field, launching malicious fraud campaigns geared towards critical services (e.g., e-commerce, online banking). For example, fraudulent activity in financial services increased exponentially as bad actors employed business email compromise (BEC) and invoice scams in their campaigns, with both seeing a 200% increase.
With COVID-19 rendering the workforce remote, it is easy to see how fraudsters are now using the backdoor to infiltrate the organization’s network via employees’ personal devices or routers, which are rarely patched and lack stringent BYOD (Bring Your Own Device) policies. As a result of the attack surface’s exponential growth, many organizations have had no other choice than to adopt a zero trust framework.
As the name suggests, zero trust requires authentication of each touchpoint connecting to an organization’s network, with the goal of transforming it into an impenetrable fortress. Despite its benefits, even zero trust has its limitations and can create unnecessary friction, hindering employee productivity and taxing security resources. So, what are the alternatives? Is there a solution that can provide the same level of security as zero trust without the rub? The answer: Zero Trust 2.0.
Zero trust and its flaws
Thanks to our workforce’s mass migration, zero trust has become the solution of choice with nearly 40% of cybersecurity professionals confirming accelerated adoption in the last year:
Over 35% citing the remote workforce and insider threats
Nearly 25% citing potential supply chain risks
About 21% citing cloud risk management
However, a Fort-Knox-like approach causes other problems to emerge, such as sustainability. Firstly, zero trust requires significant funding and time to be correctly implemented and maintained. Large corporations, such as Amazon or Apple, have unlimited resources, but zero trust might be unattainable for smaller organizations due to limited funding and talent.
Other obstacles often lie in the authentication process, which can cause friction and hamper employee productivity. For example, approximately 61% of employees found themselves struggling with access to corporate networks and systems during the first half of 2020. The new normal has employees working around the clock, which means instant access to the corporate network is crucial. If zero trust debilitates this workflow (especially if the employee’s device is not properly classified within the network), both productivity and morale are impacted.
Introducing Zero Trust 2.0
Organizations must consider a solution that possesses robust cybersecurity measures while simultaneously ensuring employees’ convenience and productivity. Enter Zero Trust 2.0. With Zero Trust 2.0, the same “Fort Knox” level of security is maintained, but through intelligent passive indicators rather than the layered authentication approach of its predecessor.
Intelligent passive authenticators operate on behavioral analytics, which is essentially information generated from one’s digital transactions or online activity. This entails an employee’s interactions on the organization’s network from their company laptop, smartphone, or tablet. Given the reliance on an employee’s interactions, these authenticators include the following: intelligent swipe authentication, behavior PIN authentication and keystroke dynamics. They determine “how” an employee accesses information within a network, use that aspect to confirm the user’s identity, and eliminate the need for passwords and CAPTCHA notifications (selecting corresponding images that contain the same object).
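To make keystroke dynamics concrete, here is an added example that is not from the original article or from any vendor SDK. It enrolls a typing-rhythm profile for a PIN and scores later entries with a scaled Manhattan distance, a simple detector chosen for this illustration; all function names, the sample timings and the threshold are assumptions.

```python
from statistics import mean

def features(events):
    """events: [(key, press_ms, release_ms), ...] for one typed PIN or phrase."""
    dwell = [rel - prs for _, prs, rel in events]            # how long each key is held
    flight = [events[i + 1][1] - events[i][2]                # gap: release -> next press
              for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples):
    """Profile = per-feature mean and mean absolute deviation over enrolment samples."""
    cols = list(zip(*(features(s) for s in samples)))
    means = [mean(c) for c in cols]
    # Floor of 1 ms keeps a perfectly consistent feature from dividing by zero.
    mads = [max(mean(abs(v - m) for v in c), 1.0) for c, m in zip(cols, means)]
    return means, mads

def score(profile, events):
    """Scaled Manhattan distance averaged per feature; lower means closer to profile."""
    means, mads = profile
    vec = features(events)
    if len(vec) != len(means):
        return float("inf")                                  # not the enrolled phrase
    return mean(abs(v - m) / d for v, m, d in zip(vec, means, mads))

def verify(profile, events, threshold=3.0):
    """threshold is an assumed value; a deployment tunes it on real error rates."""
    return score(profile, events) <= threshold

def make_events(keys, dwells, flights):
    """Build constructed sample events from dwell and flight times (ms)."""
    t, out = 0, []
    for i, key in enumerate(keys):
        out.append((key, t, t + dwells[i]))
        t += dwells[i] + (flights[i] if i < len(flights) else 0)
    return out

# Constructed sample data: three enrolment entries of the same 4-digit PIN.
ENROLMENT = [make_events("2580", d, f) for d, f in [
    ([90, 85, 100, 95], [120, 130, 110]),
    ([95, 80, 105, 90], [125, 135, 105]),
    ([85, 90, 95, 100], [115, 125, 115]),
]]
PROFILE = enroll(ENROLMENT)
GENUINE = make_events("2580", [92, 83, 98, 97], [122, 128, 113])
IMPOSTOR = make_events("2580", [60, 140, 70, 150], [300, 60, 250])  # right PIN, wrong rhythm

if __name__ == "__main__":
    for name, attempt in [("genuine", GENUINE), ("impostor", IMPOSTOR)]:
        print(name, round(score(PROFILE, attempt), 2), verify(PROFILE, attempt))
```

The impostor attempt enters the correct PIN and is still rejected, because only the timing differs from the enrolled profile.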
The next generation of anti-fraud and cyber defense
Recall the 2019 incident in which fraudsters used sophisticated AI-based software to deceive the CEO of a UK-based energy company into transferring $243,000 into their account. For context, the CEO genuinely believed he was speaking with his supervisor, a C-suite executive of the energy company’s German parent company, who requested an immediate money transfer to a Hungarian supplier’s account. Unfortunately, this was the ruse of fraudsters leveraging AI-based software to impersonate the supervisor’s voice.
Given their access to advanced technology, fraudsters have rendered their activities more obscure and sophisticated. However, with Zero Trust 2.0’s intelligent passive authenticators, an organization’s employees can simply rely on personal habits, which are impossible to replicate, to ensure absolute security. Even with AI, it would be incredibly difficult for a fraudster to perfectly mimic personal habits (e.g., the way you hold a phone, the manner of your keystrokes, the speed at which you type). Those same unique mannerisms are the key to protecting your data as well as the organization’s data from unauthorized access.
Zero Trust 2.0 is essentially the next generation of anti-fraud and cyber defense, rendering passphrases obsolete. Organizations can better counteract fraudulent activity by leveraging unique employee behavioral profiles catalogued in the network. Zero Trust 2.0 also offers an enhanced user experience as employees no longer have to enter passwords to access files. In fact, Gartner expects 60% of large organizations as well as 90% of medium-sized organizations to adopt password-less methods in multiple circumstances by 2022. This just leaves one question: how can organizations implement this framework on a manageable scale?
Ensuring Zero Trust 2.0 compatibility
For the moment, various industries see zero trust as the solution to the expanding threat landscape. A CISO will likely have this mindset: “If zero trust can elevate our infrastructure to withstand malicious fraud campaigns and the expanding threat landscape, then a little friction is worth it.” This rationale is understandable, but employees may not have the same mindset and will want a solution that adds convenience to their daily routine – this is where Zero Trust 2.0 comes into play.
Laptops, smartphones and tablets already leverage intelligent passive indicators for security measures. Zero Trust 2.0 is attainable on personal devices, but what about implementing it on a larger scale? What would it take for organizations to properly implement and maintain this framework for hundreds, thousands or even hundreds of thousands of employees nationwide or even globally?
To be successful, a CISO must adopt a solution that does two key things:
Leverage the power of machine learning. Unfortunately, not all authentication events are created equal. A user authenticating via a fingerprint reader on a high-end device will likely be more secure than a user authenticating via a PIN on a low-end device. CISOs must consider all factors when adopting any solution. The perfect solution would be able to gather data from a vast array of inputs and learn which events are more secure and which require more scrutiny.
Employ an orchestration layer to manage identity and access policy. Before orchestration layers, managing the huge and ever-changing ecosystem of users, devices and applications was almost impossible. Now, CISOs and IT managers can create and modify access control policies across different business units and geographies with a few clicks of a mouse, removing their reliance on the scarce resource of dev time and making the dream of a dynamic zero trust architecture a reality.
There’s safety in Zero Trust 2.0
Even when workplaces fully reopen, the attack surface will remain vast as many employees will opt to work remotely on a regular basis. With business continuity hanging in the balance, CISOs will have to consider technologies that not only insulate their entire infrastructure, but also meet employees’ preferences for consistent access and speed – namely, convenience.
One distinct advantage: Zero Trust 2.0 is not standalone and has a simple approach. The framework can also be installed with a single software development kit (SDK), meaning organizations can adopt Zero Trust 2.0 via one integration and acquire multiple layers of passive authentication in the process.
With Zero Trust 2.0, organizations can gain the security posture of Fort Knox and a more sustainable solution capable of adapting to each employee’s respective need or preference. Zero Trust 2.0 can help tip the scales in favor of good and halt evil’s advancement across the landscape, while narrowing the attack surface in the process.