Implementing Multi-Factor Authentication via Zero Trust Models
Dr. Alexander Tuzhilin, Dean, Computer Science
Updated: February 1, 2024
Published: January 31, 2024
Cybersecurity professionals have a difficult job. In all major corporations, it falls on the cybersecurity team to defend against both external and internal threats to protect their networks. Threats are coming faster than ever and can be extremely costly, with a recent University of Maryland study reporting that a cybersecurity attack occurs every 39 seconds and Cybercrime Magazine estimating that the annual cost of cybercrime will reach $10.5 trillion by 2025.
External threats are an ever-present danger. Cyberattacks, from sophisticated ransomware attacks to data breaches that can compromise sensitive information, can cause significant financial ramifications, including the cost of remediation, legal representation, and damage to reputation. The proliferation of Internet of Things devices introduces new vulnerabilities, while credential stuffing, the use of stolen username and password pairs to log in elsewhere, becomes a real problem when one of those pairs grants access to the organization’s network.
The rise of insider threats, whether intentional or unintentional, poses another substantial concern. Phishing tricks individuals into revealing sensitive information through deceptive messages, while another malicious practice involves employees misusing their own credentials to access and share sensitive information.
Even employees with no ill intent can accidentally compromise a network system. Unauthorized device usage, such as connecting personal devices to the corporate network, introduces potential security risks, and inadequate password management can also create vulnerabilities.
Corporations need to safeguard against network weaknesses and ensure that employees are well-educated on cybersecurity best practices to prevent inadvertent security breaches. However, a problem as complex as cybersecurity requires a sophisticated solution that doesn’t rely solely on the ability of your staff to follow data security protocols.
The Harvard Business Journal addresses this topic in their May 2023 article “The Digital World is Changing Rapidly. Your Cybersecurity Needs to Keep Up.” They recommend implementing zero-trust architectures, which “are premised on the assumption that all systems can or will be compromised by adversaries.” Let’s take a closer look at zero-trust systems and how they can protect network infrastructure.
What is a Zero-Trust Model?
The zero trust model in cybersecurity assumes that no entity, whether inside or outside the network, should be inherently trusted. This model challenges the traditional notion of a secure perimeter and adopts a more granular, continuous verification approach to ensure security.
At its core, the zero-trust model operates on the principle of “never trust, always verify.” This means that all users, devices, applications, and networks are treated as potential threats, requiring continuous verification of their identity and security posture.
The zero trust model rests on several key principles. First, strict access controls must be implemented, following the principle of least privilege: users and devices are granted only the minimum permissions required for their specific tasks, lowering the risk of unauthorized access or actions. This reduces the attack surface and restricts lateral movement within the network.
Second, continuous monitoring of the entire network is necessary. Rather than relying on static, periodic security checks, continuous monitoring involves real-time assessment of user and device behavior. Any deviations from established baselines should trigger an alert that allows your system and staff to respond promptly to threats.
Third, multi-factor authentication gives far stronger assurance that users are who they claim to be, adding a layer of security beyond traditional username and password combinations. Fourth, encryption is integral to the zero trust model, particularly for data in transit. By encrypting communication channels, organizations can safeguard sensitive information even if the traffic is intercepted.
Finally, micro-segmentation divides the network into small, isolated segments. This limits the lateral movement of attackers, containing potential breaches and preventing intruders from moving freely within the network even if they do gain unauthorized access to one segment.
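As an added example (not code from the article), the following Python shows how the MFA, device-posture, and least-privilege checks described above combine into a single per-request decision: an RFC 6238 TOTP verifier (HMAC-SHA1, 30-second steps, one step of clock-skew tolerance, constant-time comparison, rejection of reused codes) placed in front of a role-to-segment policy. The role table, the seed store, and the `device_compliant` flag are constructed for illustration.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

# Constructed least-privilege policy: each role reaches only the segments its job needs.
POLICY = {"analyst": {"reports"}, "dba": {"reports", "db-admin"}}

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, now: float, step: int = 30, window: int = 1):
    """RFC 6238 TOTP check: return the matching time-step counter or None.
    Tolerates +/- `window` steps of clock skew; comparison is constant-time."""
    base = int(now // step)
    for counter in range(base - window, base + window + 1):
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None

@dataclass
class AccessRequest:
    user: str
    role: str
    device_compliant: bool  # posture reported by the endpoint agent (constructed input)
    mfa_code: str
    resource: str

@dataclass
class PolicyEngine:
    secrets: dict  # user -> TOTP seed; a hypothetical secret store
    last_counter: dict = field(default_factory=dict)  # user -> last accepted step

    def authorize(self, req: AccessRequest, now: float) -> str:
        """Every request is re-verified; being 'inside the network' grants nothing."""
        if not req.device_compliant:
            return "deny: device posture"
        counter = verify_totp(self.secrets[req.user], req.mfa_code, now)
        if counter is None:
            return "deny: mfa"
        if counter <= self.last_counter.get(req.user, -1):
            return "deny: mfa code replayed"  # a consumed code is never accepted twice
        if req.resource not in POLICY.get(req.role, set()):
            return "deny: least privilege"
        self.last_counter[req.user] = counter
        return "allow"
```

The seed `b"12345678901234567890"` from the RFC 4226 test vectors yields code 287082 for time step 1, which is how the verifier can be checked against the published values.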
Do the Benefits of Zero Trust Outweigh the Risks?
There is a lot of confusion about what zero trust is because the process fundamentally reshapes traditional security paradigms. Cybersecurity professionals understandably want to analyze the pros and cons of this new system before embarking on an implementation plan.
According to Jeffrey Gottschalk, the assistant head of the Massachusetts Institute of Technology’s Lincoln Laboratory’s Cyber Security and Information Sciences Division and a co-lead on a cybersecurity study, zero trust “is a paradigm shift in terms of how to think about security, but holistically it takes a lot of things that we already know how to do — such as multi-factor authentication, encryption, and software-defined networking — and combines them in different ways.”
In other words, implementing a zero-trust system doesn’t have to involve starting from scratch. Instead, you can begin with an existing protocol, like multi-factor authentication, and grow a more proactive security operation from there. By operating with the zero-trust tenet that no entity is inherently trustworthy, it will become clearer what areas of your existing system may need to be reinforced.
Advantages of the zero trust model include the continuous verification and monitoring of users, devices, and networks. This proactive stance enhances your organization’s ability to detect and respond to potential threats in real time, reducing the window of vulnerability and providing the organization with heightened situational awareness. Additionally, by limiting user and device access to the minimum necessary permissions, the potential impact of a breach is mitigated by restricting the lateral movement of attackers within the network.
The zero-trust model is particularly well-suited to remote work environments because it involves shifting from a network-centric approach to a user-centric approach. In traditional models, the focus is often on securing the corporate network perimeter. However, in remote work scenarios, where employees access resources from various locations and devices, the zero trust model centers on verifying the identity and security posture of individual users and devices.
However, the zero-trust model has its challenges. One notable drawback is the potential for increased complexity. Implementing and managing the various components of a zero-trust architecture can be resource-intensive and require specialized expertise. This complexity may pose challenges for organizations with limited resources, as do the high implementation costs.
Furthermore, user experience can be impacted by the stringent access controls and authentication measures inherent in the zero-trust model. The need for continuous verification and multi-factor authentication may introduce friction for users, potentially affecting productivity. Striking a balance between robust security measures and user convenience is a constant challenge in zero-trust implementations.
As with most things in the business world, there is no one-size-fits-all model for zero-trust architectures; instead, each company must determine the combination of safeguards that best protects its network while still maximizing productivity and profit. Some organizations may choose to focus on multi-factor authentication and controlling access to server segments, while others may invest in stronger encryption.
As a relatively new practice in the cybersecurity world, the guidance on zero trust systems will inevitably change as new research is conducted. In this April 2023 article on the topic, Carnegie Mellon University outlines eight areas where additional research could help the field to advance. Cybersecurity professionals should strive to stay up to date on this topic, whether through reading, certifications, or a higher-level degree in information technology. Only by being aware of the latest threats and proactively protecting your network can you defend against sophisticated cyberattacks.