Identity-First Strategies for Zero Trust
Listen to Husnain Bajwa, Vice President of Global Sales Engineering, discuss how identity is critical for a zero trust strategy.
Transcription
Moderator
And now it's time for the penultimate presentation in the Zero Trust Security Megacast. And our next session comes from Beyond Identity. And presenting for Beyond Identity is Husnain Bajwa, Vice President of Global Sales Engineering. Welcome, HB.
Thanks for being here today.
Husnain
Thanks, I appreciate it. It's not often that you get introduced with penultimate. So I appreciate that. So most people call me HB. And the order of our presentation tends to be a little bit weird because our topic is going to be Identity-First Strategies for Zero Trust. But five years ago, when I was working on a rather large security project involving security questionnaires for a large managed service offering, I was pulling my hair out.
And I called up one of my good friends who was doing third-party risk platforms, and told him what I was running into. And he said, like, "Look, all you need to do is focus on three things if you want to add real value to the solution on the security side, passwords, patching cadence, and completeness of MFA."
And I really heard those words and changed the way that I thought about the program that I was running and the managed services that we were offering.
And so two years ago, when he called me up and said that he was working with the guys from Michael Lewis's "New New Thing" book, who had done Silicon Graphics and Netscape, and that the team had figured out how to solve the passwords and MFA problem, I was super intrigued and ready to jump in.
But the first thing he did was show me a quick demo. And it was impressive in its kind of unimpressiveness. And so since then, I've always liked to sort of start with a really quick demo. So here, you should be able to see my screen now.
So all we need to do is basically close out my screen. I'm going to log out of my Okta instance, it's going to bring me back to a login page. I have my platform authenticator up. This is my strong device authentication solution that stores asymmetric key information in my Secure Enclave on my macOS.
And all I do is hit Next. It processes on the platform, authenticator asks me for a biometric and immediately logs me in. And my friend showed me that this was all he had to do to log in day in, day out, no second factors, no OTPs, and I was hooked.
But then he also showed me that... And right now we're logged into my production corporate account. He also showed me the ability to set up a rich set of corporate policies so that the user and device credential can essentially be sent up to the cloud serviced with a rich set of policy primitives defined by the corporation.
Enriched with additional external risk signals, and allowing precise on-demand just-in-time security assurance as people log into applications via their SSOs. And from a policy standpoint, just a really quick thing to show like sort of what the zero trust capacity and capabilities are.
When we look at an authentication transaction and are looking to address a specific platform, we can look at macOS, for example, we can add additional attributes that are specific to the Mac environment depending on which platform you choose, they quickly adjust the list of options and gives you a pretty rich set of capabilities to integrate against.
We also have a number of third-party integrations that are available out of the box. As Neuren mentioned during the CrowdStrike session, you know, choosing the right MFA and authentication solution is a pivotal part of a zero trust strategy. And so being able to take in, for example, CrowdStrike Falcon Zero Trust assessment scores, and make a decision is one of the capabilities that we offer.
And in a way, what we're doing is we're shifting what's typically a device level control to a transaction level at the application authentication time. And so really, that's all I wanted to show and also just demonstrate that, you know, we run all of our own technologies, including all of the continuous authentication and zero trust solution that we're going to talk about today.
And so now, returning back to the presentation, you should see the regular screen now, my screen sharing should be down. And a lot of people have been talking about NIST zero trust authentication recommendations. There's been a lot of talk around mandates issued to agencies' activities around updating CISA rules and guidelines around threat and risk assessments. And when you read the material, the letter of the law sometimes is misleading.
It makes very good recommendations, but not all of the recommendations are essentially equal. When a lot of the focus ends up being on passwords, this can be thought of very similarly to how original authentication standards that included directory authentication like X.509.
Back in 1987, when X.509 was released, the standard was focused on strong authentication, but also gave some guidelines around simple authentication for passwords. Many of those recommendations have essentially evolved over time to include things like, you know, showing the password as a user is setting the password, encouraging the use of password managers, securing password storage methods, and avoiding password rotation rules.
But if you look at the actual core of what the real recommendation is moving forward and not looking backward, use of Multi-Factor Authentication along with unphishable credentials is a really core component. If you look at the adversary surface and threat actors in the world, more and more of them are adapting their TTPs to address greater adoption of MFA, but they're specifically targeting phishable MFA, phishable credentials.
And this is where binding users to their devices and leveraging the capabilities of devices that have pretty much been universal since 2012, 2013, relating to Secure Enclaves and TPMs. Places where on your mobile phone, you can safely store your credit card information or your biometrics. Or on your computer the TPM and TEE allows you to do extremely high-security assurance disk encryption.
So these types of tools have been available for a long time. And when they start recommending the unphishable credentials or phishing-resistant MFA, this is really what they're talking about.
And complementing all of this type of work, this trend toward zero trust, you know, the winds of change that are pushing towards zero trust, we can see that adoption of continuous risk-based authentication is also pivotal to this. And continuous risk-based authentication has been available for a relatively long time in the tunneling-centric, encapsulation-centric, and firewall-centric world of kind of infrastructure management.
But at the endpoint, being able to bring it to a transactional level on the application is a new capability. And you're seeing a lot of excitement because of new standards like CAEP and RISC coming out of OpenID's Shared Signals work. And when we look at context-aware device trust, the demonstration that I did was extremely fast, and it didn't really reveal what was going on under the hood.
Fundamentally, we were taking a credential based on asymmetric keys. These types of credentials are now being described as passkeys in a lot of environments. And so we've been talking about them as universal passkeys in this context because the idea of migrating from passwords to asymmetric key encryption-based credentials is supercritical.
Storing those credentials in a device-bound non-exportable unclonable manner is supercritical. Once you have that credential and the assurance of where it's from complemented with a right to use the user entering biometric or PIN.
Being able to send that request up to the cloud, process it with corporate policies that can be endlessly enriched with additional risk signals, as well as the organic sensor collection and device telemetry information collected.
Taking that information and then exchanging it in a rich way with sort of the ecosystem of solutions around it is an important part of this Zero Trust authentication trend, and doing MFA the zero trust way. And this is another representation where we're showing the integration to your application or SSO.
For workforce applications, the application or SSO would be something like an Okta or Ping or OneLogin. While the CRM fraud and analytics and other tools can be a variety of ecosystem partners that we have. And looking deeper at the architectural and deployment recommendations that are recently being pre-published by NIST, the zero trust architecture is being enriched.
So traditional policy enforcement and authentication architecture, going back 20, 25 years, has taken this concept of policy enforcement points and policy decision points to heart. And primarily served these things using policy gateways interface to firewalls, VPNs, other types of infrastructure gateway products.
And only enriching these policy decisions are all of these sort of auxiliary sensing components like the identity credential and access management components, the endpoint detection and response, or security analytics or data security.
This policy information point enrichment is supercritical and a reflection of sort of the API-first nature of the cloud, and how it's enabling new types of security integrations and driving that real importance of right-sizing your security infrastructure from the ground up.
So while a lot of people may not have been thinking about authentication, access security as a critical component of their solution, bringing these prevention capabilities to the forefront and using the identity platform as the delivery mechanism for the policy decision point, and most of the policy enforcement point via the platform authenticator is super important.
And when you look at this architectural recommendation, delivering this is all based on having an unphishable multifactor design, binding that user and device, focusing on the friction-free passwordless architecture.
Minimizing the user clicks and secondary device behaviors, both from a user experience standpoint and additional bounce points and potential compromise points. Introducing granular and fine-grained risk policy controls. Ensuring the security of the device having an active posture verification solution that can be coupled with continuous authentication capabilities.
And then using the asymmetric key encryption as a mechanism for signing logs and assuring non-repudiation. So together, all of this stuff is able to provide a much higher level of assurance and access control. It really addresses the majority of the issues as people look to take implicit and transitive trust out of their environments and bring it to the zero trust environment.
You can see this as also aligning with sort of this trend towards shift left security. If you look at where a lot of the conventional tooling, EDRs, MDMs, VPNs has existed, it's been at the endpoint to cloud type of layer. And pushing it to the left using zero trust authentication is really where we think leadership comes in and it's some of the most consequential changes to an environment that a person can conduct.
Additionally, when we talk about these integrations, example here, taking that CrowdStrike Zero Trust score, being able to both use the zero trust score as an assessment criteria at the time of authentication for every granular authentication that a corporation might do.
And then also assessing posture changes and reflecting them back to the platform, that's a super important capability. So having a bidirectional API-first kind of integration is something that we're able to do because of the sort of unique simplicity and cloud and API-first orientation product.
So again, when you're looking at ideal solutions, all we ask is that people have an open mind. You have a lot of focus on react surface solutions that mitigate and intervene on events. That event surface is continuing to be difficult to manage as more and more signals are extracted, and adversaries continue to become more sophisticated.
Alert-centric kind of reactive monitoring and management is really problematic. So as we move towards zero trust and look at what it really entails, part of the program needs to be strong preventative measures. And they're constantly authenticating the users, identifying devices, assuring that only appropriately managed and appropriately patched devices are being brought into the critical application surface.
And then continuously authenticating and re-verifying and quarantining devices is really what we're looking at. And these are the things that we bring together with a frictionless user experience to be the leader in Zero Trust authentication. And, yeah, I think the next presentation is going to be with Zscaler.
And very similar to what we talked about with CrowdStrike because of our API-first architecture, we're able to...within weeks, we'll have an integration to Zscaler, as well. Because as people transition from VPNs to modern SASE architectures, modern MFA, and strong zero trust authentication is going to continue being super important.
Any questions?
Moderator
Yeah. Great presentation, HB. And we do have a few questions here. And so before I put up the poll, I'll just leave these links here for a minute. But first one I want to ask you comes from Varun, who's asking how does Beyond Identity differentiate against Okta or PingID for functionality?
Husnain
I think that Beyond Identity was born to solve a very specific problem. The identity platform needs of post password, cloud-centric, zero trust native type of environments.
And one of the core issues that exists with these types of solutions is the ability to be security first. So rather than seeing ourselves as an identity platform, we see ourselves as a security platform, so we like to complement the likes of Okta and Ping, they're some of our best partners.
And what we're trying to offer is a solution that can plug in and augment those types of large-scale enterprise systems and provide them with upgraded security and eliminate the credential compromised surface that is endemic to most central authentication systems.
So at Beyond Identity's core, what we've done is leveraged the TPMs and Secure Enclaves on the devices to generate distributed asymmetric key pairs, where the private key is always hermetically sealed in the device where it was originated. And all we do is create a simple public key directory that asks the platforms to simply sign and assure that they actually have possession of the credential in question.
So using these types of approaches, we can, you know, allow IT administrators and employees to rest easier that adversaries won't be able to compromise their devices, and their lateral movement will be contained. So again, we see ourselves as a complement to those types of solutions with a focus on sort of as security.
Moderator
Okay, all right, great. And I'm going to go ahead and put the poll up about additional information that people would like from Beyond Identity. Another question in here, HB, comes from Mark, who's asking what are the advantages of using Beyond Identity compared to other vendors and products out there?
Husnain
We focus on right sizing and adapting to existing environments. So whatever your SSO solution is using open standards and minimizing any kind of complex device or workflow login, we're able to be a self-contained solution that can be deployed for one user or all users, for whatever period of time people are interested in.
And our solution offers a universal cryptographic adaptation layer that takes away all of the complexity that's traditionally been associated with Secure Enclaves and TPMs. So we're able to provide all of those cryptographic promises without the challenges of centralized CAs and complex HSMs, and signing ceremonies, and certificate rotation and key rotation that were endemic to earlier versions of kind of PKI deployments.
Moderator
Okay, all right, great. Probably have time for, you know, one more question. Traditional strong authentication methods like MFA tend to drive users away. But is there an alternative? How can we build, like, a zero trust strategy when ramping up authentication without driving users away?
Husnain
So that's a really important point. I think eliminating the friction, bringing things to a single device wherever possible, leveraging the fact that a TPM or Secure Enclave is identical to a USB security key that a person might have externally, but is incorporated into the device.
And has traditionally been inhibited in adoption because of operating system obtuseness and complexity. So being able to create a simple way to integrate across Android, iOS, macOS, Windows, and Linux with a single consistent user experience that has this policy-driven capability, and focuses on being rich from a security perspective and lightweight enough to not incite any worries about creepiness or overbearing kind of oversight.
I think those are the things, is that like, you know, as we educate the users on the value of strong authentication, using genuinely unphishable credentials protect them, their at-risk developers, high-value finance employees, high-value HR employees. These are the targets that adversaries are going after as they look to destabilize or ransom more and more complicated environments.
So being able to offer this level of personal protection and contrasting it with the kinds of solutions that some organizations are starting to adopt, like overly kind of intrusive virtual desktop scenarios, or continuous decrypting proxies or whatnot, remote browsing isolation. These things have their time and place, but as universal tools that monitor devices or, you know, MDMs that are doing excessive background screen capture or analytics.
Those kinds of things are the trade-offs, like do you want security, or do you want better user experience, or do you want privacy? And I think that zero trust authentication and MFA done the zero trust way with passwordless is the right option to balance all of those concerns.
Moderator
Okay, no, that's great advice. And HB, it looks like we're running out of time. But if somebody wants to get started with Beyond Identity or find out more, what would you recommend as next steps?
Husnain
I'd recommend visiting our website or reaching out to me. My email is on the slides. We're happy to have further conversations. I love talking technical details so if there's any additional questions and sort of low-level stuff, I'm happy to oblige.
But on our website, you can get tons of information, and demos, and trial requests.