To achieve Zero Trust security, “never trust, always verify” must extend beyond users to their devices as well. In a previous post, I described the importance of the first step in Zero Trust — the verifying of every user who logs in.
Once you have verified that people are who they say they are, you must also consider the device from which they connect. Is it a known device that’s associated with the user? And, more importantly, is it in a good security posture?
To ensure real safety, every device must be validated before granting access. To do that, we must first assess how users gain access through their devices today.
“What’s The Password?”
Today, nearly everyone locks their devices with some kind of password. That’s unequivocally a great thing, but it’s still important to keep in mind two universal truths about passwords: 1) they’re not all created equal, and 2) they’re just one piece of the cybersecurity puzzle.
In looking at the first, there’s tons of evidence supporting the idea that passwords are only as good as the user. I’ve said this before many times, but 81% of breaches involve weak and stolen passwords. So how does that happen?
A recent study found that millions of people are using easy-to-guess passwords on sensitive accounts. From popular sports teams to musicians — and classics like “123456” and “qwerty” and the all-time great “password” — users do a terrible job of choosing secure passwords.
Now, this doesn’t paint the full picture, and it’s not entirely their fault. When you add the context that the average business user today manages upwards of 200 passwords, it’s not so hard to believe that some corners get cut somewhere.
So, if not all passwords are created equal, then what are the other pieces of the cybersecurity puzzle needed to keep users safe?
The first step to more secure access is ensuring that users are logging into their device with more than simply a password. Devices need to also have some kind of adaptive multi-factor authentication (MFA) to go along with that password.
An additional layer of security can be applied when these MFA-supported passwords are coupled with some level of device and app management to confirm the right policies and lock them in place. It’s even possible for Next-Gen Access technology to score the “riskiness” of that device under certain conditions — such as where it’s used, what browser it has, etc. — to make a safe (and more informed) access decision.
It’s the combination of these things that allows us to know that the device is associated with an end-user and that it’s in a trustworthy state. However, we’re not done there. For all of the pieces of a Zero Trust model to come together, we must intelligently limit their access. Our next blog will tackle how to make sure users only have access to what they need.
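To make the combination concrete, here is an added example (written for this post, not code from any Next-Gen Access product) of a policy check that treats user MFA and device association as hard gates and then scores device posture and usage context to decide between allow, step-up and deny. The device inventory, usual-country table, browser list, score weights and thresholds are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample data standing in for a device inventory and an MDM posture feed.
KNOWN_DEVICES = {"lt-0042": "alice", "lt-0077": "bob"}   # device id -> enrolled owner
USUAL_COUNTRY = {"alice": "US", "bob": "DE"}            # where each user normally signs in
APPROVED_BROWSERS = {"chrome", "firefox", "edge", "safari"}

@dataclass
class DeviceContext:
    device_id: str
    user: str
    mfa_verified: bool      # the user already passed MFA at login
    managed: bool           # device is under management, with policies locked in place
    disk_encrypted: bool
    os_patched: bool
    country: str
    browser: str

def risk_score(ctx: DeviceContext) -> Tuple[int, List[str]]:
    """Score the device's 'riskiness' from posture and usage context; higher is riskier."""
    score, reasons = 0, []
    if not ctx.managed:
        score += 40; reasons.append("unmanaged device")
    if not ctx.disk_encrypted:
        score += 20; reasons.append("disk not encrypted")
    if not ctx.os_patched:
        score += 20; reasons.append("OS missing patches")
    if ctx.country != USUAL_COUNTRY.get(ctx.user):
        score += 15; reasons.append(f"unusual country {ctx.country}")
    if ctx.browser.lower() not in APPROVED_BROWSERS:
        score += 10; reasons.append(f"unapproved browser {ctx.browser}")
    return score, reasons

def access_decision(ctx: DeviceContext) -> Tuple[str, List[str]]:
    """Return ('allow' | 'step_up' | 'deny', reasons). A verified user and a device
    associated with that user are required; posture and context set the risk tier."""
    if not ctx.mfa_verified:
        return "deny", ["user not MFA-verified"]
    if KNOWN_DEVICES.get(ctx.device_id) != ctx.user:
        return "deny", [f"device {ctx.device_id} not associated with {ctx.user}"]
    score, reasons = risk_score(ctx)
    if score >= 40:
        return "deny", reasons
    if score >= 15:
        return "step_up", reasons   # e.g. require a fresh MFA prompt before granting access
    return "allow", reasons
```

The reasons list is returned alongside the decision so that every step-up or denial can be logged with the signal that triggered it.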
Read the Zero Trust series here:
Zero Trust Series – 1 What Is Zero Trust and Why Is it So Important?
Zero Trust Series – 3 Imposter Syndrome: Why You Can’t Separate the “Good Guys” from the “Bad Guys”
Zero Trust Series – 4 Passwords are Just one Piece of the Cybersecurity Puzzle
Zero Trust Series – 6 Protect, Detect, Deter, Respond is Not a Security Strategy.
Zero Trust Series – 7 Upping the Security Ante: How to Get Teams’ Buy-in for Zero Trust
Zero Trust Series – 8 Next-Gen Access and Zero Trust are the PB&J of Security
Zero Trust Series – 9 Passwords Need Fixing. Zero Trust is the Solution.
Zero Trust Series – 10 The One-Two Punch of Zero Trust. Verify Every User, Validate Every Device.
Zero Trust Series – 12 Grow Up! Plotting Your Path Along the Zero Trust Maturity Model