Authenticate everything: Why your device security is no longer enough

Zero Trust means checking user devices for vulnerabilities they may not even know about

Securing an increasingly complex landscape of user devices requires enterprises to re-examine their benchmark for trust, according to a Cisco Duo executive who noted that many companies are sticking to long-discredited trust models built around easily compromised user credentials.

Those security models have long been a universal baseline capability but do nothing to protect against the increasingly common exploitation of legitimate but stolen credentials – or access by compromised employee devices – John Skubel, regional vice president, global with Cisco Duo, told the audience at this week’s Cisco Live! Cybersecurity Innovation Day.

Noting that 81 percent of data breaches involve stolen or weak credentials and 70 percent involve compromised devices, Skubel argued that a more appropriate mechanism for authentication is to require participation in a rules-based access management regime underscored by the notion of Zero Trust.

“I’m not here saying the firewall is going away,” he said, “but it is no longer an end-to-end complete solution for the IT world that we live in. You can no longer trust something just because it’s on the inside of your firewall.”

That IT world had become far more complicated in the era of ubiquitous bring-your-own-device (BYOD) usage, where security practitioners were having to deal with users running an unknown range of devices with unknown security and authentication capabilities.

Users could easily be bringing compromised devices into the corporate network, giving free access to a wealth of sensitive corporate data to malicious hackers who were proving highly capable of tricking users into installing their malicious code.

Trusting devices that access the network required much better insight into the characteristics of those devices – which in turn required an authentication mechanism that leverages a policy-enforcement engine installed on those devices.

Skubel pointed to the example of Fortescue Metals Group (FMG), a recent customer that had identified a business risk around uncontrolled access to Office 365, remote access, and other SaaS applications.

The company deployed Cisco Duo to over 7000 employees and contractors over a 4-week period, providing self-service options and a lower total cost of ownership, in what head of cyber security Mark Wallace said was a “seamless process, delivering immediate value through ease of deployment and intuitive user-centric experience.”

That user-centric experience was critical for ensuring broad buy-in amongst users, who had proven consistently willing to bypass security controls they found inconvenient or burdensome.

But it was exactly those controls that were now critical to protecting the organisation from the many unknowns that employees could easily bring into the organisation without knowing it.

“We should be doing the same checks and balances on every authentication within the organisation,” Skubel said. “Security is all about being able to trust every authentication that happens in your enterprise.”

“This means getting visibility into the devices that are being used to access your business applications, and enforcing policies about who can access what – and under what conditions. At every step, you should have the same checks and balances.”