Zero Trust Continuous Authentication: Getting It Right
Three Experts Discuss Challenges and Key Strategies for Security, User Acceptance
An important aspect of the zero trust strategy is continuous adaptive authentication, in which a user is authenticated continuously throughout the session, but implementing the continuous authentication process poses many practical challenges. Three experts - David Fairman, CSO and CIO at Netskope; Naresh Sharma, head of cybersecurity and IT risk at Cathay Pacific Airways; and Chirag Joshi, director at NSW Department of Customer Service and director of the ISACA Sydney Chapter - share their thoughts on why continuous authentication is tough to achieve.
"Continuous adaptive access to me really comes back to how we are monitoring the session through the entire course of that session because: What if something changes?" Fairman says. "What if we identify a threat on that endpoint that we did not identify at the start of that session?"
Fairman says that a risk engine must evaluate many different data points, and then a policy enforcement solution needs to act to secure the session. "And so how do we engineer and craft these ecosystem players to be able to do that?" he says. "I think some of the technologies and vendor platforms out there are lacking in areas for some of these integrations and even the ones doing a good job are doing limited-use cases."
Joshi points out that multifactor authentication, which many organizations now rely on, only provides a one-step challenge. "It does not go through the entire life cycle," he says. "So the question is: How do you adapt to that level of challenge? And to me, it comes down to maturing how we currently contextualize trusted devices. Most applications and vendors currently look at your endpoint identity and they also look at your network identity and geolocation - and these are still rudimentary."
Sharma says that multifactor authentication itself creates friction for users. "The challenge for me is: If you have given access, how do we take away that access?" Sharma says. "When I implemented multifactor authentication in our organization, there was a huge pushback as people are not aware of what we are trying to protect. So we need to create that kind of culture and that kind of awareness in the staff to actually start using those technologies."
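The architecture the panelists describe (a risk engine that scores signals arriving during the session, and a policy enforcement point that allows, steps up or revokes on every request rather than only at login) can be sketched in a few dozen lines. The following is an added example written for this page; it is not code from the panel, Netskope, Cathay Pacific or any vendor. The signal names, risk weights, thresholds, timestamps and the idea of re-anchoring the trusted country after a successful step-up are all assumptions chosen to make the behaviour visible, and a real engine would tune them from its own telemetry.

```python
"""Toy continuous adaptive access: re-evaluate a session on every request
and on every new signal, not only at login. Added example; all weights,
signal names and thresholds are hypothetical."""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # demand fresh MFA before the request proceeds
    REVOKE = "revoke"     # terminate the session and its tokens


@dataclass
class Session:
    user: str
    device_id: str
    login_country: str
    mfa_at: int                                  # epoch seconds of last MFA success
    signals: set = field(default_factory=set)    # facts learned after login (e.g. EDR alerts)
    decision: Decision = Decision.ALLOW
    reasons: list = field(default_factory=list)


@dataclass
class Request:
    now: int            # epoch seconds
    country: str        # assumed to be derived from the source IP
    privileged: bool    # touches an admin-only function


# Hypothetical weights; a real risk engine tunes these from telemetry.
WEIGHTS = {
    "endpoint_threat": 80,    # EDR reports active malware on the device
    "geo_change": 30,         # country differs from the one trusted at login/step-up
    "privileged_action": 20,  # sensitive function deserves a fresher proof
    "stale_mfa": 25,          # last MFA older than MFA_MAX_AGE
}
MFA_MAX_AGE = 15 * 60         # seconds
STEP_UP_AT = 40
REVOKE_AT = 80


def ingest_signal(session: Session, signal: str) -> None:
    """Risk engine input: a telemetry source reports a new fact about the
    endpoint after the session was already established."""
    if signal not in WEIGHTS:
        raise ValueError(f"unknown signal {signal!r}")
    session.signals.add(signal)


def evaluate(session: Session, request: Request) -> Decision:
    """Policy enforcement point: score the session against the current
    request and decide what happens to it. Revocation is sticky."""
    if session.decision is Decision.REVOKE:
        return Decision.REVOKE

    reasons = sorted(session.signals)
    if request.country != session.login_country:
        reasons.append("geo_change")
    if request.privileged:
        reasons.append("privileged_action")
    if request.now - session.mfa_at > MFA_MAX_AGE:
        reasons.append("stale_mfa")

    score = sum(WEIGHTS[r] for r in reasons)
    if score >= REVOKE_AT:
        decision = Decision.REVOKE
    elif score >= STEP_UP_AT:
        decision = Decision.STEP_UP
    else:
        decision = Decision.ALLOW

    session.decision, session.reasons = decision, reasons
    return decision


def complete_mfa(session: Session, request: Request) -> None:
    """Step-up satisfied: refresh the MFA timestamp and re-anchor the trusted
    country to where the user just proved presence. Endpoint signals are
    facts about the device, so they are deliberately NOT cleared here."""
    if session.decision is Decision.REVOKE:
        raise PermissionError("a revoked session cannot be re-authenticated")
    session.mfa_at = request.now
    session.login_country = request.country
    session.decision = Decision.ALLOW


def demo() -> list:
    """Walk one session through login, step-up and mid-session revocation.
    Timestamps and identities are constructed for the example."""
    t0 = 1_700_000_000
    s = Session(user="alice", device_id="laptop-42", login_country="HK", mfa_at=t0)
    trace = []
    trace.append(evaluate(s, Request(t0 + 60, "HK", privileged=False)).value)   # allow: score 0
    r = Request(t0 + 120, "SG", privileged=True)
    trace.append(evaluate(s, r).value)                                          # step_up: 30 + 20
    complete_mfa(s, r)                                                          # user passes MFA from SG
    trace.append(evaluate(s, Request(t0 + 140, "SG", privileged=True)).value)   # allow: 20
    ingest_signal(s, "endpoint_threat")                                         # EDR alert lands mid-session
    trace.append(evaluate(s, Request(t0 + 150, "SG", privileged=False)).value)  # revoke: 80, valid token or not
    trace.append(evaluate(s, Request(t0 + 160, "HK", privileged=False)).value)  # revoke is sticky
    return trace


if __name__ == "__main__":
    print(demo())
```

The point the panel makes is the fourth step: the user's credentials and MFA are still valid when the endpoint alert arrives, and the only reason the session ends is that something is re-evaluating it per request. In production the same logic sits behind short-lived access tokens or a session-revocation list consulted by the gateway, so that "taking access away" has a concrete enforcement path rather than relying on the next login.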
In this video panel discussion with Information Security Media Group, the three discuss:
- Current practices for continuous adaptive access;
- The practical challenges of implementing continuous access;
- The way ahead for zero trust adoption.
Sharma, who leads IT risk and security at Cathay Pacific Airways, has successfully led strategies and programs to elevate the corporate IT and cybersecurity posture. His focus is on cybersecurity, automation, services and problem management, technology risks, cloud transformation and data center upgrades.
Joshi, who leads the Sydney Chapter of the Information Systems Audit and Control Association, authored the worldwide best-selling book, "7 Rules to Influence Behaviour and Win at Cyber Security Awareness." He previously served as group head of cybersecurity at AMP, a financial services company in Australia.
Fairman, who leads security and IT at Netskope's APAC business, has extensive experience in the global financial services sector. Fairman is also a partner at SixThirty, a venture fund that invests in early-stage enterprise technology companies worldwide.