Bryan Rosensteel is a cybersecurity architect, public sector, at Cisco’s Duo Security. He has more than a decade of enterprise IT and security experience, specializing in zero-trust and data-centric approaches to cybersecurity, including dynamic authentication practices.
For government agencies, the massive shift to telework presented a significant security challenge. Authentication tools for users and devices weren’t built to handle the shift from mostly on-premises devices to users’ devices accessing resources remotely.
One of the biggest hurdles for enterprise leaders during this transition was their perceptions about what constitutes reliable authentication of a user’s identity. That isn’t entirely surprising. Federal guidance on authentication technologies hasn’t been updated to reflect the access requirements that agencies face.
The administration’s guidance on “Managing Information as a Strategic Resource,” for example, is more than four years old, and still directs agencies to use PIV or derived PIV to access resources on the network. This perspective on authentication makes general assumptions that an employee will only use a managed device. Though that policy worked five to 10 years ago, in-person identity proofing is extremely difficult today, and the additional challenges remote and cloud environments present demand more than strong proof of possession that authentication has been traditionally built around.
Consequently, it’s important that both policy and tools reflect modern technology needs, and core to that is understanding how digital identity changes authentication requirements. Our view is that a user’s digital identity goes beyond identifying the person behind the keyboard and encompasses a more holistic view of both the user and devices involved in the authentication request.
This expanded view of identity has been happening for some time, but the events of 2020 accelerated that understanding, and the National Institute of Standards and Technology (NIST) guidance is certainly helping agencies move in the right direction in adopting dynamic authentication as part of broader recommendations to achieve a zero-trust operating environment.
Authentication and device health are central to zero trust
Zero trust always starts from an assumption that a machine or a user’s credentials have been compromised, or in some way they are not trustworthy and should never be allowed to access agency resources without ongoing authentication.
When agencies sent their workforces home during the pandemic, IT leaders became acutely aware of the inherent weaknesses of the existing PIV and derived PIV authentication workflows — and a wider concern that strong authenticators don’t necessarily equate to reliable authentication.
Cryptographic smart cards serve as an incredibly strong authenticator, but, like all authenticators, only provide proof of possession of that authenticator. This asserts proof of an individual’s identity and, traditionally, this was enough to provide secure authentication.
But in the early part of March 2020, agencies reached out to us with a new security problem. GFE equipment shortages and supply chain issues forced some agencies to adopt the use of personal devices. The challenge they faced was how to secure authentication requests from these devices. But even with derived credentials — or virtual smart cards — IT leaders said they couldn’t trust the authentication because it was coming from personal devices and there was no way for agencies to verify their health and trustworthiness. These agencies had strong authenticators, but that was not enough to establish the necessary trust to authenticate these devices. Dynamic authentication was needed.
Though organizations have tools that conduct health checks, most work retroactively rather than as a part of a real-time authentication process. In addition, known vulnerabilities in software and applications can often go unchecked, posing a significant threat to agency networks. One of the most glaring concerns for agencies, for example, is the number of Windows 7 workstations still operating on their networks. Apart from physically uninstalling or disabling vulnerable software, many agencies aren’t equipped to fully secure these devices.
How dynamic authentication improves the security posture
That’s one reason why agency leaders need to deepen their understanding of dynamic authentication and how it helps them achieve a zero-trust operating environment.
Currently, agencies already use identity binding — biometrics or a PIV credential to claim the identity of the person — as the standard for identity authentication. Many have also adopted two-factor or multifactor authentication tools to ascertain the user is who they say they are.
However, under current remote work conditions, agencies also need the ability to pair information about the user and their device at the point of authentication.
Dynamic authentication combines cryptography and policies to create a per-session authenticator, which changes with each authentication session. The organization creates the policies for authentication to require confirmation of the correct authenticator tool, the correct account and a healthy device to allow authentication to proceed.
Duo Security customers put this capability to full effect during the 2019 code execution exploit discovered in Chrome. Dynamic authentication tools allowed customers to implement a policy saying, “no Chrome browsers allowed for authentication.” It didn’t require IT teams to physically uninstall or disable Chrome. Rather, the system detected the Chrome version during authentication and did not allow the authentication to proceed. After Chrome released a patch, customers adjusted the policy to allow only the latest version of Chrome.
As a result, Duo saw a 79 percent increase in the number of customers who blocked access to data and applications from out-of-date browsers, thereby protecting themselves from the vulnerability until Chrome released a patch.
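As an added illustration (not Duo’s code or product logic), the following shows how a per-authentication policy of the kind described above can be evaluated: the authenticator, the account and the device posture must all pass before a session proceeds, and the same policy object is simply swapped once a fix ships. The Chrome minimum version, the sample users and the device details are constructed placeholders.

```python
from dataclasses import dataclass

def parse_version(version: str) -> tuple:
    # "80.0.2" -> (80, 0, 2) so versions compare numerically, not lexically
    return tuple(int(part) for part in version.split("."))

@dataclass(frozen=True)
class AuthRequest:
    user: str
    authenticator_ok: bool   # proof of possession verified (PIV, derived PIV, push, ...)
    account_ok: bool         # account exists and is permitted for this application
    os_name: str             # device posture gathered at authentication time
    browser: str
    browser_version: str

@dataclass
class Policy:
    blocked_os: frozenset
    browser_minimums: dict   # browser -> minimum version; None blocks the browser outright

def evaluate(req: AuthRequest, policy: Policy) -> tuple:
    # Returns (allowed, reason); authenticator, account and device health must all pass.
    if not req.authenticator_ok:
        return False, "authenticator not verified"
    if not req.account_ok:
        return False, "account not permitted"
    if req.os_name in policy.blocked_os:
        return False, f"blocked operating system: {req.os_name}"
    if req.browser in policy.browser_minimums:
        minimum = policy.browser_minimums[req.browser]
        if minimum is None:
            return False, f"{req.browser} blocked by policy"
        if parse_version(req.browser_version) < parse_version(minimum):
            return False, f"out-of-date {req.browser} {req.browser_version} (minimum {minimum})"
    return True, "allowed"

# While the browser flaw is unpatched: no Chrome at all, and no Windows 7 endpoints.
POLICY_UNPATCHED = Policy(frozenset({"Windows 7"}), {"Chrome": None})
# After the fix ships: Chrome allowed only at or above the fixed build.
# "80.0.0" is a constructed placeholder, not the real patched release number.
POLICY_PATCHED = Policy(frozenset({"Windows 7"}), {"Chrome": "80.0.0"})

if __name__ == "__main__":
    # Constructed sample requests: same user and authenticator, different device posture.
    for req in (AuthRequest("alice", True, True, "Windows 10", "Chrome", "79.0.1"),
                AuthRequest("alice", True, True, "Windows 10", "Chrome", "80.0.2"),
                AuthRequest("alice", True, True, "Windows 7", "Firefox", "70.0")):
        for name, policy in (("unpatched", POLICY_UNPATCHED), ("patched", POLICY_PATCHED)):
            print(name, req.os_name, req.browser, req.browser_version, evaluate(req, policy))
```

Nothing is uninstalled on the endpoint; the decision is made at authentication time from posture the device reports, which is why the policy can be tightened and relaxed in near-real time.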
These changes could be implemented in near-real time, allowing for a speed to security only offered through zero-trust best practices and principles.
And these same zero-trust principles allowed Cisco and Duo Security to quickly move to a near 100% remote workforce in early 2020, without significant loss of productivity or security.
Moving into 2021, the lessons from the past year are more important than ever. The strength of the authenticator does not equate to the strength of an organization’s ability to authenticate their user population. Organizations will need enhanced authentication policies that meet today’s authentication workflow requirements.
Learn more about how Cisco’s Duo Security can help your organization with two-factor authentication controls.