How Is Zero Trust Architecture Related to ID Authentication
There has been a boom in the use of the buzzword “zero trust” in cybersecurity. The key to understanding Zero Trust is knowing what it is and isn’t.
When implementing Fintech services, identity authentication technology plays a crucial role, especially when it comes to cyber security. As part of a Zero Trust strategy, all digital interactions are continuously validated through the elimination of implicit trust. Zero Trust is based on the principle, “Never trust. Always verify.” By using strong authentication methods, Zero Trust protects modern enterprise infrastructures and facilitates secure digital transformation.
What exactly is a zero trust architecture (ZTA)? And how is it related to ID authentication? In the following article, we tackle these questions and highlight the key points, so that readers understand what is meant by ZTA and how a company can benefit from it.
Zero Trust Architecture (ZTA) and NIST
In August 2020, NIST (National Institute of Standards and Technology) published a report on zero trust architecture, NIST Special Publication 800-207. The report contains an abstract definition of zero trust architecture (ZTA) and gives general deployment models and use cases where zero trust could improve an enterprise’s overall information technology security posture. This article is based on the NIST publication, highlighting the key elements and benefits of ZTA.
The concept of zero trust has become quite popular in recent years, but many people misunderstand what it truly means. First, zero trust is neither a specification nor a technology for creating products and services. It is a set of guiding principles for designing a cybersecurity architecture. Transitioning to ZTA is a journey: workflows, system designs and operations must be continually examined, and process changes and technology solutions must be implemented to improve the security posture. The benefits of zero trust are realized by evaluating trust on a per-transaction basis, covering users, devices, services and data.
As a starting point, let’s examine the concept of zero trust architecture.
1. The network is hostile
Whether it is a public or even a private network, we should always assume it is untrusted and therefore hostile. In zero trust, access to data or services is restricted to those with a need, and only minimum privileges are granted. Each request to access data or a service is authenticated and authorized against access rules that are designed to be as granular as possible.
2. Gain confidence dynamically
If you remove trust from the network, you must instead gain confidence in the key actors in the architecture: your users, devices, and services.
So how is that confidence gained? For users accessing services, you must build trust in the user’s identity and behaviour, and in the health of the device, before they can access the service. For services interacting with each other, such as exchanging data through an API, this is achieved by ensuring that the correct services are communicating with each other and by gaining trust in the health of the services being hosted.
How much confidence is enough? That depends on the value of the data being accessed or the impact of the action being requested. Thus, the risk impact and the required level of authentication strength have to be specified in the access policy.
Because a Zero Trust Architecture assumes the network is hostile, it requires authentication and authorization for all connections accessing data and services:
1. MFA (Multi-Factor Authentication)
On top of username and password, multi-factor authentication (MFA) offers an additional layer of security. Adding this extra layer of protection does not mean compromising on the user experience: on modern devices and platforms, strong MFA can be combined with a good user experience.
As an example, some authentication solutions require MFA only when the user and registered device are trusted. Push notifications are sent to the trusted device as a seamless authentication method, so users do not need to remember complicated passwords or carry a hardware token.
It’s important to note that not every authentication factor is visible to the user. MFA can therefore be a cryptographically backed passwordless login using a built-in FIDO2 platform authenticator.
Strong authentication must not hinder the usability of a service.
As an example, additional authentication factors should only be requested when access requests have a high impact, such as requests for sensitive data or privileged actions, including the creation of new users. In addition, single sign-on (SSO) should be considered to reduce the friction of MFA.
To mitigate the friction caused by additional authentication factors, a risk-based approach should be considered: additional factors can be skipped when there is already sufficient confidence in the user.
Passwordless authentication (e.g., FIDO2) is an ideal solution, as it is highly secure and delivers a strong, consistent, and positive user experience.
3. Service to Service
To build a true zero trust architecture, requests between services need to be authenticated as well. This is normally achieved using API tokens and frameworks such as OAuth 2.0 or a Public Key Infrastructure (PKI).
To make sure that both ends of a service-to-service connection are genuine, mutual authentication must be used. This is key when building an allow list that authorizes connections between services based on their identities.
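As an added illustration of the per-transaction, risk-based decisions described above (both the user step-up policy and the identity-based service allow list), here is a small policy decision function in Python. This is example code, not code from the article, from NIST SP 800-207, or from TOPPAN IDGATE; the confidence scores, impact levels and SPIFFE-style service identities are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Assumed strength of each satisfied factor (constructed for this example).
AUTH_STRENGTH = {"password": 1, "push_mfa": 2, "fido2": 3}

# Confidence the policy requires per impact level of the requested action/data.
REQUIRED_CONFIDENCE = {"low": 1, "medium": 2, "high": 3}

# Service-to-service allow list: (caller identity, callee identity) pairs.
# Identities are constructed SPIFFE-style placeholders, not real services.
SERVICE_ALLOW_LIST = {
    ("spiffe://example.test/payments-api", "spiffe://example.test/ledger-db"),
}


@dataclass
class Request:
    subject: str                 # user id or service identity
    subject_kind: str            # "user" or "service"
    target: str                  # service or data being accessed
    impact: str                  # "low", "medium" or "high"
    auth_methods: tuple = ()     # factors already satisfied in this session
    device_registered: bool = False
    device_healthy: bool = False
    mutual_auth: bool = False    # both ends presented verified credentials


def confidence(req: Request) -> int:
    """Per-transaction confidence: strongest factor plus device health signal."""
    score = max((AUTH_STRENGTH.get(m, 0) for m in req.auth_methods), default=0)
    if req.device_registered and req.device_healthy:
        score += 1  # a trusted, healthy device raises confidence without a prompt
    return score


def decide(req: Request) -> str:
    """Return 'allow', 'step_up' (ask for another factor) or 'deny'."""
    if req.subject_kind == "service":
        # Services never get implicit trust: mutual auth plus an explicit pairing.
        if not req.mutual_auth:
            return "deny"
        return "allow" if (req.subject, req.target) in SERVICE_ALLOW_LIST else "deny"
    needed = REQUIRED_CONFIDENCE[req.impact]
    # Sufficient confidence avoids an extra prompt; otherwise request a step-up.
    return "allow" if confidence(req) >= needed else "step_up"
```

With this policy a password-only login from an unknown device can read low-impact data but is stepped up for a medium-impact transfer, while the same login from a registered, healthy device proceeds without a prompt.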
Especially in the post-pandemic era, enterprises commonly rely on cloud services and remote work, with many people working from home (WFH). Along with WFH, “bring your own device” (BYOD) is becoming a major trend, as employees use personal devices to connect to their organizational networks. Identity authentication has therefore become crucial, and depending on the level of risk, enterprises can set up multiple ways to ensure genuine authentication.
Based on the NIST report, the following scenarios have been identified:
1. Enterprise with Satellite Facilities
2. Multi-cloud/Cloud-to-Cloud Enterprise
3. Enterprise with Contracted Services and/or Nonemployee Access
4. Collaboration Across Enterprise Boundaries
5. Enterprise with Public- or Customer-Facing Services
In a world moving ever faster toward digital solutions, authentication and trust are essential, and ZTA should be a foundational pillar of any effective security strategy. For accessed data to be safeguarded, a risk-based authentication strategy must be designed. This is where TOPPAN IDGATE comes in. With its iDenKey Mobile Device Binding Technology and iDenFace AI Face Recognition Solution, TOPPAN IDGATE can support enterprises and governments in implementing the deployment steps needed to apply this security architecture in their organization.
About TOPPAN Gravity
As a global solutions provider primarily focused on the payment and Identity industries, Toppan Gravity aims at developing the next generation of virtual and physical security documents.
With the vision of becoming the forerunner in the secure ID and payment industry, the company focuses on driving synergies within the Toppan Group through strategic acquisitions. Toppan Gravity empowers promising companies having state-of-the-art technology or businesses in emerging markets, including Asia, Africa, and Latin America, to enhance their overall performance. Furthermore, the company enables its acquisitions to take advantage of the opportunities presented by its large, diversified group with numerous resources and extensive know-how.
About TOPPAN IDGATE
TOPPAN IDGATE, acquired by Toppan in 2020, was co-founded by a group of tech entrepreneurs with a vision for improving what they saw as a sore spot in the market for identity verification solutions. In a world where security is often set against user friendliness, TOPPAN IDGATE strives to offer highly secure but also highly convenient authentication solutions for digital transformation and online banking services. With our combined years of experience developing data security for the finance industry and a proven track record of raising successful businesses, the company understands the fine balance between what banks need and what their customers want.