It is a much simpler task to expound the precepts of Zero Trust Architecture than to actually implement them. Consider a couple of the proposed seven tenets from NIST (Draft (2nd) NIST Special Publication 800-207):
“Access to resources is determined by dynamic policy—including the observable state of client identity, application, and the requesting asset—and may include other behavioural attributes.”
“All resource authentication and authorisation are dynamic and strictly enforced before access is allowed.”
These seem eminently sensible but hide awkward conundrums.
The pandemic has accelerated flexible and remote working, with a worker's times, locations and types of client platform changing from day to day. Behavioural patterns therefore need a wider tolerance. More importantly, it does not suit the “agile” Organisation to have the Executive Sales Manager phone the Administration Support team, explain that he is visiting a new location tomorrow, and convince them he should be allowed access. One result is increased administration overhead; another is the inevitable easing of profiles for the most privileged Users, who then become the obvious target for hackers.
As the latest mobiles become powerful workhorses and the focus of investment, Users will want to use them as clients. Combined with the “new normal” of flexible, remote working, the way to ensure trust will be to “use multi-factor authentication (MFA)”. But what MFA to use?
It is ridiculous to have the same mobile as the means of authentication, and it is ludicrous to have to send passcodes to another, separate mobile.
The ultimate dichotomy in Zero Trust Architectures is that you have to trust that the access to the Policy Enforcer Administration is legitimate.
The need for a high grade MFA solution for mobiles will become an increasing requirement. The painful fact is that all current MFA methods have a common, inherent vulnerability: they rely on keeping fixed secrets, so discovery by hackers or disclosure by complicit Insiders allows defences to be breached with impunity.
In an Edwardian mill building in Lancashire, UK, a team of four, with Colonel (Retd) John Doody as advisor, have over a decade developed CASQUE, a patented approach to Identity Assurance that does not have this fundamental infirmity. CASQUE is certified as suitable for Secret under the UK CAPS scheme and easily meets the highest assurance specification (Level 3) of the US NIST Digital Identity Guidelines.
CASQUE changes keys dynamically and is transparent to the User, so there are no fixed secrets to discover or disclose; by removing the reasons to deny access, it provides a powerful deterrent. CASQUE is, in this respect, unbreakable. The “Don’t be a Target” Presentation summarises our solution and contains additional links to source documents, including a link to a Competitive Positioning Whitepaper. The CASQUE proposition relies on these principles:
[1] The need for high grade Multi-factor Authentication available on any Client (especially mobiles) with any operating system including “locked-down” clients will increase.
[2] The Customer (not Cloud Providers) should own and control access to their data resources so the capability for independent, federated, Identity Provision will become increasingly valued.
[3] The need to police the most privileged Users requires Identity differentiation of the highest Assurance level.
Notes:
[1] CASQUE needed 4 inventions; one is partly described in the US and EU granted patent “A Scalable Authentication System”, and the 3 others are kept as private know-how. There is no dependence on any third-party IP.
[2] CASQUE has been certified at source code level under the UK CAPS scheme as suitable for working at Secret and has successful installations in the UK Ministry of Defence.
[3] CASQUE has mutually tested integration with leading Network Gateway manufacturers such as CISCO, Fortinet, Pulse Secure and WSO2.