ACSM
The seven authentication best practices that support zero trust By Geoff Schomburgk, Vice President for Australia and New Zealand at Yubico
I
n 2020, Zero Trust was introduced as a mainstream approach to improve security environments and has continued to be a priority in 2021. Almost all security vendors have been espousing their own alignment with this simple idea, which can at times be complex to implement. Simply put, Zero Trust means no one from inside or outside the network is trusted. The Zero Trust approach demands every person and device provide strict identity verification to access network resources, whether or not they are inside the network perimeters. That said, the first step is to establish a user trust framework and the following seven best practices, if applied, will ensure the protection of a user’s access as a foundational element of building a Zero Trust architecture. 1. Deploy strong phishing resistant authentication Since March 2020, the Australian Cyber Security Centre (ACSC) has seen an increase in a range of different COVID-19 themed scams, online frauds and phishing campaigns. As Australians continue working remotely, organisations recognise the need to bolster security for user authentication with multi-factor authentication (MFA), but need to consider the following: Security: Is it a purpose-built security-focused device or one built primarily for communication (a smartphone) and does it provide 100% protection against phishing? Standardised access: Is the authenticator based on open standards, meaning it will automatically authenticate in a secure fashion across a range of platforms and services?
52 | Australian Cyber Security Magazine
Deployability: Can the authenticator provide security across multiple devices and work offline across mobile in remote locations, or across shared workstations? 2. Adopt Attestation With Zero Trust, there is no implicit trust in the authenticator. Strong authentication is important but the hardware device itself still needs to be validated to ensure it is not compromised. Endpoint management is an important component of Zero Trust as phones and computers are susceptible to malware. Attestation enables validation that the authenticator hardware is from a trusted manufacturer and that credentials generated on devices are not cloned. There are platform authenticators built into devices such as laptops and mobiles, and portable authenticators that are external and carried by users. The best practice is to ensure that the attestation is built-in and certified to the FIDO standard. 3. Integrate authentication policies anywhere a user has to enter their credentials. Most organisations are using Identity and Access Management (IAM) platforms as core components of Zero Trust, which if done right, can deliver a frictionless and secure authentication experience for every user, asset and data interaction providing a foundation for a Zero Trust strategy. These solutions can grant access rights, provide single sign-on from any device, enhance security with MFA, enable
