Why Adaptive Authentication Should Be a Core Component of Zero Trust Networks

Read more to understand why adaptive authentication is a critical component of a Zero Trust Network (ZTN) and how it creates users’ risk profiles to protect an organization’s resources.

May 24, 2021

Zero-trust networks (ZTNs) have emerged as the best approach for managing both threats attempting to get in and those already present on an organization’s network. In addition to microsegmentation to restrict what users and devices can “see,” subjects attempting to access resources must be continually assessed for associated risk. Here’s a look at how adaptive authentication solutions enable organizations to manage subject authentication on ZTNs.

What is a ZTN?

According to NIST SP 800-207, Zero Trust Architecture, a zero-trust architecture (ZTA) is “…designed to prevent data breaches and limit internal lateral movement.” Preventing lateral movement applies to all subjects. A subject is any entity (human or non-human) attempting to access information resources.

Designing a ZTN begins with microsegmentation. Microsegmentation in a ZTN pulls in the security perimeter to surround each critical resource or set of resources. In a ZTN, the traffic from a subject is assessed every time it tries crossing a perimeter to access a resource or a set of resources. Business rules placed on the perimeters enable traffic control based on the subject’s risk profile and the resource accessed.

ZTA depends on always knowing, with a high level of certainty, that the subject’s identity is correct. Because attackers can compromise subjects, organizations must not rely only on simple point-in-time authentication. Once a user or application is authenticated, a malicious actor who has compromised it can use that authenticated subject to reach whatever servers and data the subject is allowed to access.

As I wrote in a previous article, this ability to always know the risk profile of an authenticated subject is known as continuous authentication. Point-in-time authentication is no longer good enough to ensure the entity using an authenticated identity is still the person or application that initially proved who they were.


Implicit Trust Zones

Microsegmentation creates implicit trust zones (ITZ). According to SP 800-207, an ITZ “…represents an area where all the entities are trusted to at least the level of the last PDP/PEP [Policy Decision Point/Policy Enforcement Point] gateway.” ITZs are essentially trust boundaries where trust levels change. In an ITZ, identity verification and risk reassessment are needed before a subject passes from an ITZ of lower trust to an ITZ where a higher level of trust is necessary. No subject is inherently trusted.

Figure 1 is a detailed look at what a PDP/PEP might look like and what it might consider. As a subject enters a network or attempts to enter a higher-trust ITZ, it is assessed again to ensure its risk profile is adequate. One of the ways this is done is via adaptive authentication.

Figure 1: PDP/PEP (from NIST SP 800-207)

Adaptive Authentication

Adaptive authentication uses multiple characteristics of a subject to determine its risk profile. Each subject’s risk profile changes based on several factors, as detailed below.

Role of users: A common factor is the user’s role in the organization. Role-based access controls (RBAC) enforce least privilege, need-to-know, and separation of duties. This approach was considered sufficient in the past, but today’s threats require augmenting RBAC with additional factors.

Before looking at the various factors, it is crucial to understand that each subject has a pattern of access behavior. Adaptive authentication solutions look at a subject over a defined period to learn its behavior as a baseline.

The subject’s location and time of access: Adaptive authentication solutions detect the subject’s geographic location. Understanding whether the user is on the internal network, at home, or in another country is important for assessing risk. For example, a user visiting Russia or China is at significant risk of compromise. The time of the access attempt matters as well. Most users connect to and use information resources during business hours. When a subject attempts to connect at 2 AM or over the weekend, the attempt might be an attacker using a compromised identity.

Resources accessed: Another important factor is the resource the subject seeks to access. Whether access is granted depends on this factor combined with the others. For example, a user might access the financial system from the office or home during business hours. Adaptive authentication might deny access if the user requests it after business hours or from an unknown location.

Related to what resource is accessed, adaptive authentication also checks what the subject wants to do with the resource. If this violates policy, access is either denied or the action prevented, based on the subject’s risk profile.

User behavior: On a ZTN, it is also essential to identify subject behavior that deviates meaningfully from the baseline. If this happens, the adaptive authentication solution should block access to further resources until the subject re-authenticates. Not all adaptive authentication solutions offer this, but it is a capability worth asking for.

Figure 2: Risk Profile-based Access (from Microsoft)


Types of Adaptive Authentication Policy

All of these factors contributing to a subject’s risk profile are controlled by business policies implemented at each PDP/PEP. The policies can be of two types: static or dynamic. 

Static policies determine a subject’s risk profile and access based on all factors above except behavior. Dynamic policies make risk profile adjustments based on behavior. Both policy types usually affect a subject’s risk profile.

Policies include whether or not a subject has to use multifactor authentication (MFA) to access one or more resources. For example, a user attempting to access an ITZ from the internal network might only need a strong password. However, if accessing the same ITZ from an unknown location, the organization would require the user to use MFA.
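As an added example (not from the article, NIST SP 800-207, or any vendor’s product), here is a small policy decision point in Python that combines the factors above into the static and dynamic policy types just described. The trusted locations, role permissions, working hours and deviation thresholds are assumed values chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
# Decisions a PDP hands to the PEP when a subject tries to cross into a higher-trust ITZ.
ALLOW, REQUIRE_MFA, REAUTHENTICATE, DENY = "allow", "require_mfa", "reauthenticate", "deny"

# Assumed policy data for this example (not taken from the article or any product).
TRUSTED_LOCATIONS = {"corp-lan", "home-vpn"}                        # locations that count as "known"
SENSITIVE_RESOURCES = {"finance"}                                    # known location + business hours only
ALLOWED_ACTIONS = {"staff": {"read"}, "admin": {"read", "write"}}   # what each role may do with a resource
@dataclass
class AccessRequest:
    user: str
    role: str                  # "staff" or "admin"
    location: str              # e.g. "corp-lan", "home-vpn", "unknown"
    when: datetime             # local time of the attempt
    resource: str
    action: str                # what the subject wants to do with the resource
    behavior_deviation: float  # 0.0 = matches learned baseline, 1.0 = entirely anomalous

def business_hours(ts: datetime) -> bool:
    """Monday to Friday, 08:00 to 18:00; an assumed working window."""
    return ts.weekday() < 5 and 8 <= ts.hour < 18

def static_policy(req: AccessRequest) -> str:
    """Static rules: role, location, time, resource and action. Behaviour is not consulted."""
    if req.action not in ALLOWED_ACTIONS.get(req.role, set()):
        return DENY                   # the requested action violates policy: prevent it outright
    if req.resource in SENSITIVE_RESOURCES and (
            not business_hours(req.when) or req.location not in TRUSTED_LOCATIONS):
        return DENY                   # financial system: office or home during business hours only
    if req.role == "admin":
        return REQUIRE_MFA            # administrators always carry an elevated risk profile
    if req.location not in TRUSTED_LOCATIONS:
        return REQUIRE_MFA            # known location: strong password; unknown location: step up to MFA
    return ALLOW

def dynamic_policy(req: AccessRequest, static_decision: str) -> str:
    """Dynamic rules adjust the static result from the subject's deviation against its baseline."""
    if static_decision == DENY:
        return DENY                   # behaviour can raise a risk profile, never lower it
    if req.behavior_deviation >= 0.8:
        return REAUTHENTICATE         # meaningful deviation: block further access until re-authentication
    if req.behavior_deviation >= 0.5 and static_decision == ALLOW:
        return REQUIRE_MFA            # moderate deviation: raise the profile one step
    return static_decision

def decide(req: AccessRequest) -> str:
    """Full PDP evaluation at a trust boundary: static policy first, then dynamic adjustment."""
    return dynamic_policy(req, static_policy(req))
```

The same request from a known location during business hours passes with a password, from an unknown location it steps up to MFA, and a large deviation from the learned baseline forces re-authentication regardless of the static result.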

Example: Microsoft’s Azure Solution

Microsoft’s adaptive authentication solution, known as Conditional Access (CA), can be implemented by organizations through Azure AD Premium P2 licenses. CA uses both static and dynamic policies to control subject access. One of the most straightforward risk profile management measures is elevating the risk profile for administrators by requiring MFA for all administrators. Figure 3 shows some of the policies administrators can apply. Note that organizations can also create and apply custom access controls.

Figure 3: Azure Conditional Access Controls

Final Thoughts

We have known for years that the traditional network perimeter is not impenetrable. Requiring the same point-in-time authentication to cross that perimeter, regardless of the subject’s risk profile, is no longer good enough. Many organizations have already implemented or are moving towards a ZTA approach. A ZTA must be supported by adaptive authentication that assesses a subject’s risk profile over time. In addition, a security framework should reassess risk profiles whenever a subject attempts to cross into a higher-trust ITZ. Moving to ZTA supported by adaptive authentication does not have to be done all at once, though. The move can be graduated, addressing higher-risk assets first.

Do you think adaptive authentication is robust enough to keep your organization’s network secure from unauthorized access? Comment below or let us know on LinkedIn, Twitter, or Facebook. We would love to hear from you!

Tom Olzak

Cybersecurity Researcher, Author & Educator

Independent security researcher and an IT professional since 1983, with experience in programming, network engineering, and security. I have an MBA as well as CISSP certification. I am also an online instructor for the University of Phoenix. I've held positions as an IS director, director of infrastructure engineering, director of information security, and programming manager at a variety of manufacturing, healthcare, and distribution companies. Before joining the private sector, I served 10 years in the United States Army Military Police with four years as a military police investigator. I've written four books, Just Enough Security, Microsoft Virtualization, Enterprise Security: A Practitioner's Guide, and Incident Management and Response Guide. I am also the author of various papers and articles on security management.