Beyond Zero Trust: The Future of Continuous and Granular Access

by Asad Ali, Senior Technologist, CTO Office, Thales

The concept of Zero Trust security is not new. The term itself was coined more than a decade ago at Forrester, with a general premise that all network traffic should be considered untrusted. Over the years we have seen refinements to this idea by Google in their BeyondCorp publication, Gartner in their definition of the CARTA framework, and to complete the circle by Forrester again in the Zero Trust eXtended report that explained Zero Trust in light of current cybersecurity challenges. One of these challenges is fine grained and continuous access to resources and data.

The authentication landscape

Validating the identity of an individual is a basic tenet of security – whether an individual is accessing a physical space or a logical service or application. Identity validation has become even more important for modern businesses, where the traditional network security perimeter has vanished because of cloud-first and remote work initiatives.

Although authentication technology has evolved a great deal since Bill Gates announced in 2004 the “death of the password”, passwords are still the foundation of most access decisions. Even though identity federation and modern authentication protocols have established new, effective authentication mechanisms across multiple service providers, frequently access decisions are quite static, relying on factors like knowledge, possession and inheritance.

In modern business environments where data is being accessed from literally anywhere using a multitude of access points, access management should not be defined only by what, when and where a user can access a resource – system, data, application. A crucial factor to consider is the risk environment, which dictates a different approach to authentication, one that evolves with the changing risks.

To make an access decision, organizations are compelled to consider supplementary authentication factors, such as location, surrounding environment, behavior, and past interactions. Therefore, once an access decision is made, we need to be able to re-evaluate it based on user activity and context.

The need for continuous authentication

It is, hence, required to rethink how we approach federated identities. “Increasingly however, whether or not to authorize a user session needs to be based on dynamic data such as the device’s location, IP location, device and app health, and user privileges,” Atul Tulshibagwale, a Google Software Engineer at the time, and currently Chair of CAEP working group in OpenID Foundation, wrote back in 2019. They continued, “Unfortunately, providing this kind of dynamic access authorization can be difficult. Today’s technology determines access authorization only at the time of authentication, typically with the help of a federated identity provider—or in the case of TLS client-auth, by the server-side app itself. Even with enterprise infrastructure such as WiFi routers or VPN servers, it’s hard for cloud-based identity providers to signal a change in session authorization.”

Continuous authentication is the approach to access authorization that enables businesses to control user session properties. There are several reasons justifying the move towards continuous authentication:

·????????Enterprises are increasingly adopting a perimeter-free Zero Trust architecture that requires strong authentication in dynamic environments

·????????The focus of attack is shifting from network penetration to endpoint compromise

·????????Every access needs to be evaluated “in context”. This applies to all things tied to user identity, including access device, 2FA device, client app, location, user behavior

·????????There are multiple sources of truth about user activities; identity providers, device management services, endpoint protection services, service providers, etc.

CAEP: A standards-based approach to continuous authentication

Coined by Google, Continuous Access Evaluation Profile?(CAEP) is a nascent but promising technology that can fundamentally change how we define and implement Zero Trust in web applications. CAEP is based on a publish-and-subscribe (“pub-sub”) approach.

In a typical cloud environment, a service can function either as a publisher or subscriber for various events. For example, an identity provider service is the publisher for authorization decisions or user attributes, but a SaaS app may also be a publisher for client IP address within a session. On the other hand, a SaaS app will typically subscribe to the identity provider’s authorization decisions or user attributes, and the identity provider may subscribe to information about a client IP from a SaaS app.

In other words, with CAEP, a typical cloud session may have multiple publishers such as identity providers, device management services, and security services, etc. It may also have multiple subscribers, e.g., multiple cloud apps, enterprise apps, and VPN and WiFi routers, etc.

CAEP allows publishers and subscribers to communicate a wide range of information about their active user sessions, as per the diagram below.

Those interactions are:

1. ?Service Request, user requests service from a relying party, through device or app.
2. Context Update, the relying party publishes unusual activity and asks other nodes if they have any such information about the user.
3. Policy Update, the policy service collects this information and publishes it to all subscribers
4. Service Response, the relying party either allows or denies the service request

There are many use cases and scenarios where CAEP can continuously assure access security while reducing the burden on individual web applications like identity providers or service providers.?If you would like more on the future of continuous and granular access going beyond Zero Trust, please watch this on demand webinar presented as part of the Thales Trusted Access Summit 2021.