Trust is Good – But is Zero-Trust Better?
December 14, 2023
Zero-Trust, which has long been promoted as an alternative to classic network security concepts, sounds quite harsh. Yet it is by no means about abolishing a trust-based corporate culture; rather, it is a tangible cyber security concept. So, what is Zero Trust and how can it be achieved?
For network security, a traditional trusted network approach is common. Essentially, that entails making a distinction between a secure internal network and the insecure Internet. Firewalls and VPNs ensure a clear division. In practice, this means that users are more or less free to navigate around computers within an organization. This becomes an issue not only when an inside attacker gains unauthorized access to resources within the network. An additional significant risk is that once an attacker has gained access to the network from the outside, they can often move around it unnoticed.
Who Can Access What Data?
The Zero-Trust approach does away with the notion of a trusted network inside a defined corporate perimeter and instead uses the data itself as its starting point. By constantly monitoring who is accessing what data, this data-centric approach ensures its security.
Common Zero-Trust concepts include determining the sensitivity of data, assessing risk, establishing access rules and enforcing them. Software Defined Perimeters are one of the methods for doing this. Network access and connections are established according to a need-to-know principle. Anyone who wants to access a network app or resource must first be authenticated for that specific use; only then may they access and use it, and they see nothing else of the network. In other words, access management is moved from the network perimeter to the resources or apps.
Undoubtedly, such a security architecture requires some effort. First, what needs to be protected must be defined. This includes sensitive and confidential data as well as applications and IoT devices and services. To decide how transactions are to be protected, data flows must first be evaluated and then any questions about network design and maintenance must be addressed. This makes IAM (Identity and Access Management) increasingly essential, and all users must authenticate themselves to each system individually based on a set of authorization requirements. Once an IT environment has been established where security is achieved through the highest level of mistrust, a secure authentication solution must also be implemented.
A single password is not enough! There are many issues with passwords. They are susceptible to phishing and social engineering attacks, and if they lack complexity, they can even be guessed or tried out systematically. So, multiple factors should always be considered for authentication. In addition to a secret element, i.e., the password, there should be at least a second factor such as a biometric characteristic or a forgery-proof object. For the latter, there are now very practical solutions that offer additional cryptographic features, such as Swissbit’s iShield FIDO2 Security Key. The most important part of the product name here is FIDO, which is short for Fast IDentity Online.
The FIDO Alliance was established in 2013 by a group of international companies with the goal of developing open and license-free industry standards for authentication. The alliance has been successful in achieving this with the WebAuthn standard, formerly U2F (Universal Second Factor), which specifies hardware and software for two-factor authentication. The associated communication protocol for passwordless authentication is defined by the Client to Authenticator Protocol (CTAP) standard. The current FIDO2 standard is used to certify products like Windows 10 and Android, for example. The authentication solution is built on public-key cryptography.
The FIDO Alliance’s initial goal was to replace passwords in consumer cloud applications, but applications for two-factor authentication within the context of the zero-trust approach are considerably more significant. For example, access to enterprise software in the areas of material management, human resources, finance and business administration, sales management, production planning and control, or supply chain management can be secured using a hardware-based security token. These are all major systems with short names like ERP, PPS, CRM, CMS, and so on.
How Does it Work?
In essence, a FIDO Security Key consists of a security chip, a cryptography module, and NFC and USB interfaces. Using it is very simple. To register the key, the user is required to unlock the FIDO stick with a fingerprint reader, a securely entered PIN, or another predetermined method. The device then generates a new public and private key pair. The key pair binds the device to an application and the user's account. The online service receives the public key and associates it with the user's account. The private key and other details of the local authentication process (such as biometric information) never leave the local device. When the user logs in, the FIDO server sends a challenge to the device, which returns it signed with the private key; the server checks the signature against the stored public key.
The whole process uses the FIDO standard: the Client to Authenticator Protocol (CTAP) for communication between the authentication device and the application, and WebAuthn, the standard programming interface through which web browsers perform public-key authentication directly. Many platforms such as Windows 10/11 already support WebAuthn natively, and it is available for web browsers including Firefox, Chrome/Chromium, Safari, and Microsoft Edge.
There are numerous separate authentication procedures involved in the implementation of a data-centric Zero-Trust security strategy. Working with software that is secured in this way is considerably easier and quicker with a solution based on the FIDO standard. Whilst methods utilizing one-time passwords, for instance, can be compromised, the use of a hardware security element in two-factor authentication complies with the highest security standards.
Alexander Summerer has been Swissbit's Head of Authentication since October 2023. Before joining Swissbit, he spent over 15 years at Giesecke+Devrient, holding key positions such as Director of Product Management. His expertise in ID, authentication, and IoT solutions underlines his position as a cybersecurity expert.