Research Project – Identity Controls
Research work
Subject: Identity Controls
Reference:
CIS Control 4: Controlled Use of Administrative Privileges (cisecurity.org)
15 pages – APA style
PASSWORD-LESS
TECHNOLOGY 1
EC-Council University
Password-less Technology:
Microsoft Leadership in Future Secure Platforms with Password-less Protection Technology
Fernando Michel Alves Andreazi
Table of Contents
Abstract
Introduction
Problem statement
Objectives
Results
Online Resources and Passwordless Technology
Evolving Passwordless Technology
Lowered secondary costs
Why enterprises are interested in going Password-less
Benefits of password-less authentication
Stumbling Blocks To Passwordless Organizational Future: Legal Issues
Legacy authentication
Hardware Requirements
Windows 10 is a testing ground for Microsoft Password-less technology
The new FIDO2 password less technology
Microsoft Azure
Microsoft 365 Password-less technology
Biometric Password-less authentication devices
Summary
Reference
Abstract
Enterprises often struggle to balance security against ease of use. Passwordless solutions improve the user experience and, at the same time, raise the security of the system compared with knowledge-based mechanisms. When companies move to passwordless authentication they considerably reduce their exposure to credential breaches. Unlike companies that keep their customers' passwords (or password hashes) on their servers, a passwordless relying party stores only a public key or a device registration, which is useless to an attacker on its own. Because the secret never leaves the user's device and the proof of possession is bound to a one-time challenge and to the site's origin, stolen or relayed authentication traffic cannot be replayed, which makes phishing and man-in-the-middle attacks far harder than they are against passwords. Where a biometric is used, it is matched on the device to unlock the local key and is never sent to the server, so there is no central biometric dataset for criminals to steal: that dataset does not exist. As a result, the probability of online fraud and identity theft is greatly reduced. There are downsides too: if a user loses the authenticator, for instance when it is tied to a physical device, restoring access can be more cumbersome than a password reset, so account recovery must be designed with the same care as enrolment. As criminals and computers have become more effective at stealing and guessing passwords, password-hygiene rules have multiplied. Recognizing that these rules were difficult to enforce, an inflexion point was reached recently, with guidance such as NIST SP 800-63B calling for simpler password policies rather than more rules. With passwordless authentication there is no password for criminals to steal from a platform server, and nothing stored by the company that could be leveraged to infer or brute-force a password. Users are therefore better protected.
Introduction
While it is critical to build out a long-term strategy for authentication, experts concur that the next digital breakthrough will be passwordless authentication, primarily for security and identification reasons. Passwordless authentication offers four key advantages over traditional, knowledge-based authentication. First, it makes sense financially: it increases revenue and lowers costs. Second, it makes sense from a customer perspective, because it provides a better user experience. Third, from a strategic point of view, it can help redefine competition by unlocking value from interoperability. Fourth, as already mentioned, it greatly improves security.
Cybersecurity has traditionally been perceived as a cost centre, so the financial consideration is perhaps the most notable reason why companies should consider transitioning to passwordless authentication. Not only does it lower the costs associated with password management and data breaches, it also improves revenue through increased productivity and customer ratings. Employees worldwide spend an average of 11 hours each year entering or resetting their passwords. For a company of 15,000 employees this represents, on average, a direct productivity loss of $5.2 million. There will be costs associated with transitioning to a passwordless ecosystem, but they are expected to be rapidly offset by the productivity gain alone. With standards such as those developed by the FIDO Alliance, under which most of the authentication work is performed on the user's device, credential administration is significantly simplified. System administrators and call-centre operators will have a much better experience liaising with employees and customers, which indirectly improves company reputation and customer ratings.
A convenient, seamless user experience is essential to widespread acceptance and use of authentication. The experience economy will matter more than price: approximately 86% of customers say they are ready to pay a premium for a more user-friendly experience. This means that if a platform's authentication experience is subpar, some customers will prefer a platform with inferior services but a better authentication experience. Passwordless authentication is seamless. It emulates the way in which human beings have recognized each other for millennia: by looking for identifying belongings or personal traits, such as uniforms, height or body shape. In other words, passwordless authentication is becoming a competitive differentiator and a key consideration for digital transformation leaders. It is the entry door to an online service.
Users are more likely to try to circumvent security measures when they are asked to remember over 100 credentials and passwords: they naturally look for ways to reduce their burden, and re-use passwords, choose weak ones, or write them down on their phone, in their email account or under their keyboard. A better user experience means that users are more likely to use the authentication system as it is meant to be used: reducing the number of rules improves user endorsement, which in turn improves security. Finally, ubiquity: passwordless authentication is customer-centric (Tehranipoor et al., 2017). It leverages fast and convenient solutions that work everywhere, relying on devices that many people already use every day, such as smartphones.
Problem statement
The financial services industry is used here as an example because it is at the forefront of adopting next-generation passwordless authentication technology. The financial industry notes that passwordless technology will be driven by user experience improvement and security (Bolotin, Lemelev, & Singer, 2018). The industry has recognized that password authentication is a source of consumer dissatisfaction, reducing use of its digital services and driving up operating costs. With millions of consumers, even a minor improvement would have a significant impact on ROI. The new passwordless technology aims at increasing the authentication success rate, improving convenience, saving time and improving the overall user experience.
Objectives
Describe the principles behind passwordless technology;
Determine the application of passwordless technology;
Demonstrate the efficacy of passwordless technology.
Results
The various embodiments described for passwordless technology provide methods, systems and devices for alternative and more secure ways of authenticating users to both offline and online resources, instead of entry of a username and password. As used here, passwordless technology is not limited to the web: an online resource may refer to any content that is accessible via a network, such as web-based or cloud-based data, applications and services. Examples of online resources include, but are not limited to, web-based or cloud-based data storage services, social networking applications, shopping services, microblogging accounts, payment services, multimedia content delivery services and financial services. In particular, the passwordless embodiments allow customers to sign in to one or more accounts associated with online applications or services using a trusted device (such as a mobile phone, a smartphone, a tablet or other portable electronic terminal) that has previously been registered or linked to the account(s).
For example, a visible code may be displayed on a desktop computer alongside (or instead of) the password-based sign-in window that is typically used to access a customer account for a web-based service. A mobile phone that has previously been registered with the same customer account can scan the displayed code using its camera and send the scanned code to the web server that provides the service. On receiving the scanned code, the web server identifies the mobile phone as associated with the customer account on the basis of the prior registration, and thereby authenticates the desktop computer for access to the web-based service (Dorfman, & Sengpiehl, 2018). Thus the desktop computer may be signed in automatically on recognition of the mobile phone as a trusted device, without requiring the customer to enter a username and password. For this to be secure, the phone must itself be authenticated to the server when it submits the code (through its registered device credential or an existing session), and the code must be unguessable, short-lived, single-use and bound to the specific desktop session that requested it; otherwise anyone who sees or obtains the code could sign the desktop in.
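The flow described above, as an added worked example (not code from the cited patent or from any product): the server issues a one-time code for a pending desktop session, a previously registered phone redeems it with a proof of its device secret, and the desktop session is signed in. The class, the 60-second code lifetime and the HMAC device proof are assumptions made for the illustration.

```python
# Added example of the trusted-device (QR) login described above; not code from the cited
# patent or any product. The class, the 60-second code lifetime and the HMAC device proof
# are assumptions made for the illustration.
import hashlib
import hmac
import secrets
import time


class TrustedDeviceLogin:
    CODE_TTL = 60  # seconds a displayed code stays valid (assumption)

    def __init__(self):
        self.devices = {}   # device_id -> (account, device_secret) from prior registration
        self.pending = {}   # code -> {"session": desktop session id, "expires": time}
        self.sessions = {}  # desktop session id -> account once signed in, else None

    def register_device(self, account):
        """Enrolment, done once while the phone is already signed in to the account."""
        device_id, device_secret = secrets.token_hex(8), secrets.token_bytes(32)
        self.devices[device_id] = (account, device_secret)   # the phone keeps a copy
        return device_id, device_secret

    def start_login(self, now=None):
        """Step 1: the desktop asks for a code and renders it as a QR image."""
        now = time.time() if now is None else now
        session_id, code = secrets.token_hex(16), secrets.token_urlsafe(24)  # unguessable
        self.sessions[session_id] = None
        self.pending[code] = {"session": session_id, "expires": now + self.CODE_TTL}
        return session_id, code

    @staticmethod
    def device_proof(device_secret, code):
        """Step 2a: the phone proves it holds the device secret *for this code*; merely
        echoing the scanned code would let anyone who saw the screen sign the desktop in."""
        return hmac.new(device_secret, code.encode(), hashlib.sha256).hexdigest()

    def redeem(self, device_id, code, proof, now=None):
        """Step 2b: the server checks the code and the phone's proof, then binds the session."""
        now = time.time() if now is None else now
        entry = self.pending.get(code)
        if entry is None:
            return False
        if now > entry["expires"]:
            del self.pending[code]
            return False
        registered = self.devices.get(device_id)
        if registered is None:
            return False
        account, device_secret = registered
        if not hmac.compare_digest(proof, self.device_proof(device_secret, code)):
            return False
        del self.pending[code]                       # single use: a replay fails
        self.sessions[entry["session"]] = account    # step 3: the desktop session is signed in
        return True

    def whoami(self, session_id):
        """The desktop polls this until its session carries an account."""
        return self.sessions.get(session_id)


def demo():
    srv = TrustedDeviceLogin()
    dev_id, dev_secret = srv.register_device("alice")
    sess, code = srv.start_login(now=1000.0)
    stolen = srv.redeem(dev_id, code, "proof-from-someone-who-only-saw-the-qr", now=1001.0)
    ok = srv.redeem(dev_id, code, srv.device_proof(dev_secret, code), now=1002.0)
    replay = srv.redeem(dev_id, code, srv.device_proof(dev_secret, code), now=1003.0)
    sess2, code2 = srv.start_login(now=2000.0)
    late = srv.redeem(dev_id, code2, srv.device_proof(dev_secret, code2), now=2100.0)
    return {"stolen": stolen, "ok": ok, "replay": replay, "late": late,
            "desktop_user": srv.whoami(sess), "desktop2_user": srv.whoami(sess2)}
```

One risk this binding does not remove is a code generated by an attacker's own desktop session and shown to the victim (QR phishing): the phone would sign the attacker's session in. The phone therefore has to display what it is approving (requesting location, browser, time) and require an explicit confirmation before it sends the proof.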
Online Resources and Passwordless Technology
Online resources benefit most from this technology. In the described embodiments they can be accessed with a web browser running on a computer as well as with native applications running on non-traditional computing devices, such as televisions or external set-top boxes connected to a television. New and developing passwordless embodiments can therefore be integrated to allow an unregistered device to access a customer account in response to authenticating information received from a trusted device that has previously been registered with the customer account (Kim, 2016). Accordingly, the passwordless embodiments in use today reduce the burden on the customer of remembering usernames and passwords, and obviate many of the security risks of traditional password-based authentication.
Overall Architecture for Using a Trusted Device to Authenticate Another Device
Passwordless technology provides the opportunity to use a trusted device to authenticate another device. Fig 1 is a block diagram of systems, devices, methods and computer program products for authenticating a customer for access to account-based online resources using a trusted device, according to available passwordless technology. When describing the functionality of passwordless technology, "account-based online resource" designates network-accessible data, applications, services, or combinations of these, that require a customer account or subscription to access the provided content or services. As shown in Fig 1, a communications environment or system 100 may include a mobile electronic device 110 and another electronic device 120 that are accessible to a user 101 and are configured for communication via a network 140. The mobile device 110 (also referred to as the "primary device" associated with the user 101) may be a wireless communication terminal, such as a cellular telephone, smartphone, electronic book reader, tablet or other portable electronic terminal that is configured to access the network 140 over a wireless connection, for example via a base station transceiver 108. The electronic device 120 (also referred to as a "secondary device" accessible to the user 101) may be a wired or wireless communication terminal, such as a desktop computer, laptop computer, smartphone, tablet, network-ready television, set-top box and the like, and may be configured to access the network 140 via a wired or wireless connection. The secondary device 120 may access the network using a web browser or a native application. In some embodiments, the mobile device 110 has a physical size or form factor that enables it to be easily carried by the user 101, while the electronic device 120 may have a larger physical size or form factor than the mobile device 110.
The devices 110 and 120 are configured to access online resources, including web-based or cloud-based data, applications and services, via the network 140. The network 140 may represent one or more of a local area network (LAN), a wide area network (WAN), an intranet or other private network that is not accessible to the general public, or a global network such as the Internet or another publicly accessible network. The network 140 provides communication between the devices 110 and 120 and one or more online resource providers 150 (such as web servers) configured to provide the aforementioned online data, applications or services. The online resource provider 150 may include a network transceiver, processor, memory and/or other circuitry configured to coordinate and manage operations for delivering online resources to the devices 110 and 120 via the network 140. While illustrated as a single entity in Fig 1, it will be understood that in some passwordless technology configurations the online resource provider 150 may represent one or more physical or virtual servers that are configured to deliver online resources to the devices 110 and 120. Examples of the online resources provided by the online resource provider 150 include, but are not limited to, web-based or cloud-based data storage services, social networking applications, shopping services, microblogging accounts, payment services, multimedia content delivery services such as online magazines, music and video, and financial services such as credit and banking services.
The online resource provider 150 may require a subscription or customer account in order to access each of the different online resources it provides. As such, the system 100 also includes a customer account store 135 that contains customer account information for one or more customers, such as the user 101. The customer account store 135 may be embodied in non-volatile memory, such as flash, magnetic or optical rewritable non-volatile memory. The customer account information stored in the customer account store 135 may include a listing of customer accounts and the online resources to which the accounts correspond. The customer accounts may include information identifying each user or customer who has registered for each online resource, such as the customer's name, mailing address, e-mail address, phone number and payment information. The customer account information may also include information used to verify or authenticate the customer for access to the account. For example, for each customer account, the customer account information may include a username and a password selected by the customer to access the account. However, as noted above, such password-based authentication is cumbersome for the customer and is also vulnerable from a security standpoint: a stolen store of password hashes can be cracked offline, whereas a stored device registration or public key gives an attacker nothing to reuse.
Evolving Passwordless Technology
Security technologies tend to be short-lived and evolve rapidly. Whether a control has been operational for one year or for ten, cyber criminals are generally adept at finding ways to circumvent it. Authentication technologies are no exception. It is consequently critical to build out a long-term security strategy. Transitioning away from knowledge-based authentication is long overdue, and passwordless authentication is the way forward for more secure platforms. The following six principles are to be considered when building an authentication programme capable of passing the test of time: security, privacy, sustainability, inclusiveness, scalability and user experience. Security logically comes first when building a strategy for an authentication system. The security of an authentication system rests on multiple considerations: its relative strength compared with other solutions; its expected lifespan against known threats and the new threats to which it exposes the system; the hardware and software vulnerabilities it removes and those it introduces; its effectiveness in reducing fraud and risk; and the accountability it allows through the logs it records (Pikrammenos, Toils & Petrakis, 2019).
Passwords have been the source of numerous data breaches that have negatively impacted privacy globally (Shin & Kim, 2018). Acknowledging the various regulations and cultural aspects that bear on privacy, future-oriented authentication technologies should be mindful of these and, for global acceptance, ensure compatibility with the most stringent of them. Some authentication solutions fall within the category of privacy-enhancing technologies; others will not. Sustainability is another key element in confirming that technological choices fit a long-term strategy. Transitioning to passwordless authentication cuts costs and potentially increases revenue. The actual costs will depend on the size of the company. For some companies, the sheer scale of their IT systems may call for a phased approach, which in turn requires new and legacy authentication solutions to coexist. Along the same line, authentication technologies are closely linked to identity and access management: ensuring that the authentication and identification systems are compatible is also key to a sustained advantage (Papadamou et al., 2019). The externalities of the authentication system, for example utility costs and human resources costs, must be considered as part of its sustainability.
Inclusiveness matters because authentication systems are the entry points to digital services, so making sure that they are inclusive rather than discriminatory will be essential for platform businesses. Such systems should strive to avoid discrimination of any kind, whether due to age, culture, disability, language, name, nationality, medical condition, origin, religious belief, sexual orientation or skin colour, among other factors. For example, authentication technologies increasingly use AI, so machine-learning bias (a face-recognition model that performs worse for some skin tones, for instance) must be addressed when developing new authentication technologies.
Scalability: the economics of new passwordless technology must scale. The platform economy calls for solutions that scale. Employees and end users are increasingly going to authenticate across different platforms, so it is critical to consider authentication solutions from the perspective of scale: when a platform reaches critical mass and starts experiencing network effects, growth can be exponential. The performance targets of the authentication system, notably around reliability and availability, need to be planned long in advance. Similarly, the growth potential of the solution will be important in subsequent phases: off-the-shelf solutions, for instance, may not allow the level of customization needed by a large company operating multiple IT environments. Finally, user experience is no longer a nice-to-have; it has become a key differentiator, because the quality of the user experience determines user choice, preference and behaviour. Future authentication should therefore strive to offer a seamless user experience to ensure adoption.
Lowered secondary costs
The average global cost of a data breach in 2019 was $3.92 million, a 1.5% increase from the year before. When there are no passwords to infer or to steal, the ability of criminals to access and exfiltrate data is seriously hindered. Even password hashes are useful to criminals: once a hash database is stolen, it can be brute-forced offline, at the attacker's own pace and without any lockout or rate limit imposed by the authentication server. From a risk-management perspective, this implies that transitioning to passwordless authentication allows companies to cut the budget associated with their breach-risk exposure by four fifths. This translates into lower cyber-insurance premiums and password-reset overhead savings. Companies spend, on average, the equivalent of 2.5 months of IT department and call-centre time resetting internal passwords. Approximately 20% to 50% of all calls to the IT helpdesk concern password resets, and the estimated cost of a single reset ranges from $30 to $70. LastPass, a well-known password-manager company, estimates that companies spend on average $1 million per year on helpdesk staffing alone to deal with password resets. A Fortune 500 US health insurance company transitioned to passwordless authentication in 2018. In this sector, users log into key services intermittently, so password resets and helpdesk congestion are common around the time of customer re-enrolment. This type of business model and usage pattern causes spikes in cost and lowers the overall authentication frequency for the customer.
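An added example (not from the cited sources) of why a stolen hash is still valuable to an attacker: the same wordlist is run against a server that locks the account after five failures, and then against the leaked record offline, where nothing throttles the guesses. The account, the wordlist and the deliberately low PBKDF2 iteration count are constructed for the illustration.

```python
# Added illustration of online lockout versus offline cracking of a leaked password hash.
# The account, wordlist and low PBKDF2 iteration count are constructed for the example.
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 1000  # real deployments use far more; kept low so the demo runs quickly


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


class OnlineLogin:
    """A server that enforces a lockout after a few failed attempts."""
    MAX_FAILURES = 5

    def __init__(self, username: str, password: str):
        self.username = username
        self.salt = os.urandom(16)
        self.digest = hash_password(password, self.salt)
        self.failures = 0

    def login(self, password: str) -> bool:
        if self.failures >= self.MAX_FAILURES:
            return False  # locked: the attacker gets at most MAX_FAILURES online guesses
        if hmac.compare_digest(self.digest, hash_password(password, self.salt)):
            self.failures = 0
            return True
        self.failures += 1
        return False

    def leaked_record(self) -> dict:
        """What a database breach hands to the attacker."""
        return {"user": self.username, "salt": self.salt, "hash": self.digest,
                "iterations": ITERATIONS}


def offline_crack(record: dict, wordlist) -> Optional[str]:
    """Dictionary attack on the leaked record: no lockout, no rate limit, no log entry."""
    for candidate in wordlist:
        if hash_password(candidate, record["salt"], record["iterations"]) == record["hash"]:
            return candidate
    return None


WORDLIST = ["123456", "password", "qwerty", "letmein", "Summer2019", "Welcome1",
            "Winter2019!", "dragon", "iloveyou", "admin123"]  # constructed sample


def demo() -> dict:
    server = OnlineLogin("alice", "Winter2019!")
    online_hits = sum(server.login(w) for w in WORDLIST)  # lockout stops the run early
    cracked = offline_crack(server.leaked_record(), WORDLIST)
    return {"online_successes": online_hits,
            "locked_out": server.failures >= server.MAX_FAILURES,
            "offline_cracked": cracked}
```

The correct password sits seventh in the list: the online attempt is locked out after five failures and never reaches it, while the offline run recovers it on the seventh hash computation. A slow hash and a high iteration count raise the attacker's cost per guess but do not change the picture; only removing the stored secret does.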
Organizations that cannot yet block passwords can still improve their security environment with the measures discussed above. Confirming identity through voice calls or text messages is also commonly recommended as an interim step; it is better than a password alone, but both channels remain phishable and exposed to SIM swapping, so they should be treated as a temporary fallback rather than the target state.
Why enterprises are interested in going Password-less
Although passwords have played a critical role throughout history in deciding who could enter a specific area, they also bring a lot of insecurity. Most people have experienced the frustration of forgetting the password to a vital account and being forced through a tedious process of recovering it or creating a new one. Lengthy procedures and guidelines on how to create a secure password result in complicated strings of characters that are easily forgotten the next time the person wants to log into the system.
Organizations whose accounts are used for online transactions, including banking and donations, also need authentication systems that do not cause problems every time a customer wants to make a repeat purchase. That is why enterprises want to move to passwordless authentication. With a passwordless system, users verify themselves with a method that does not require remembering a string of characters: for example by scanning a fingerprint, entering a one-time passcode delivered to their phone, or authorizing the sign-in through their email account (Atick et al., 1997).
Benefits of password-less authentication
1. Password-less authentication is a lot more secure
In the past few years there have been countless cases of stolen or cracked passwords. Passwords therefore pose more problems than they solve in keeping user information secure. Many websites require users to create an account, so users have to juggle multiple passwords and remember which one belongs to which account. To cope, users choose memorable passwords, such as a birthday, and reuse them, and these similarities make accounts easy for attackers to guess. These setbacks can be avoided by the use of passwordless authentication: an attacker will have far more difficulty obtaining an individual's or a company's users' fingerprints, phones or email accounts than guessing a password. User accounts therefore remain more secure than with traditional password protection. Notably, passwordless authentication creates another verification step that proves users are who they say they are, and these methods carry a lower likelihood of compromise by fraudsters (Morijj, et al., 2017).
2. Password-less authentication is cost-effective and easy to implement
There is a misconception that passwordless authentication is expensive and not a viable option. That is far from the truth: companies have a good chance of finding passwordless options that fit. Companies that want to go passwordless should locate providers that fit their budget and offer high quality, and should work with providers that make the implementation process smoother, for example by attending workshops on how to use the passwordless tool. Organizations can go passwordless with inexpensive tools that are easy to implement and start using.
3. Password-less authentication protects companies along with their users
Since companies store information about users' accounts, such as payment details and much more, the user database is an attractive target for a data breach. Once a breach has happened, no amount of password protection can keep the company protected (Morijj, et al., 2017). Cybercriminals who reach the database crack the stored password hashes offline just as they would guess a password, or pivot by compromising internal accounts that hold high-level permissions.
Furthermore, many accounts do not use strong credentials, which makes the attacker's job easier than one might think. That is why companies should also ensure that their employees adopt passwordless authentication. A company can implement passwordless login for its internal accounts so that employees do not need to create and memorize complex passwords. By protecting accounts on both fronts, externally for customers and internally for employees, a more robust infrastructure results.
In a nutshell, passwordless authentication protects not only a company but also its users. By implementing more security internally, a company's vital information is better protected from unauthorized or malicious users.
Stumbling Blocks To Passwordless Organizational Future: Legal Issues
Presently, over 80 percent of users can sign in to networks without having to enter passwords (Pikrammenos, Toils & Petrakis, 2019). According to Julisch (2008), Microsoft is making it easy for organizations to eliminate passwords. However, one of the key stumbling blocks to a passwordless future is legal compliance requirements in various industry segments that still assume a password. Until those regulations are updated to recognize passwordless authenticators, the affected user segment will continue to use passwords. To contain the issue in the meantime, organizations are advised to create two user groups: one for users subject to the compliance restriction, and one for everyone else using the systems, so that the restriction does not hold the whole organization back.
Legacy authentication
Users who still need usernames and passwords may be held there by "legacy authentication" protocols that depend on them, referred to by Microsoft as basic authentication. This is a massive obstacle to eliminating passwords. Many organizations encounter problems when attempting to disable basic authentication, because some attached applications, such as older Microsoft Office apps, use mail protocols such as POP, IMAP and SMTP that are inherently tied to it. These apps and services break if basic authentication is disabled (Tehranipoor et al., 2017).
Notably, only organizations that use cloud services exclusively, with no legacy clients, are unaffected by blocking basic authentication (Tehranipoor et al., 2017). For everyone else, the process of blocking or disabling legacy authentication is tedious, time-consuming and complicated, especially when it breaks services; the practical first step is to inventory which users and applications still sign in over legacy protocols before turning them off. If a company is already cloud-native, it does not have to support any legacy authentication, and password elimination is more natural. Another reason for disabling basic authentication is that it cannot support multifactor authentication (MFA), which is a crucial component of Microsoft's passwordless future, and MFA is a significant security enhancement.
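An added triage script (not Microsoft's code) for the inventory step above: it reads Azure AD sign-in records, which carry the fields userPrincipalName, appDisplayName, clientAppUsed and status.errorCode as exposed through Microsoft Graph, and reports who still signs in successfully over legacy protocols (they break when basic authentication is blocked) and where legacy sign-ins are failing (a common password-spraying signature). The sample records are constructed; the set of clientAppUsed values treated as legacy is an assumption to be adjusted against a tenant's own logs.

```python
# Added triage script for the legacy-authentication inventory; not Microsoft's code. Sample
# sign-in records are constructed; LEGACY_CLIENTS is an assumption to check against your logs.
import json
from collections import defaultdict
from typing import Dict, Iterable, List

LEGACY_CLIENTS = {  # clientAppUsed values that mean basic/legacy authentication (assumption)
    "Exchange ActiveSync", "Authenticated SMTP", "Autodiscover", "Exchange Online PowerShell",
    "Exchange Web Services", "IMAP4", "MAPI Over HTTP", "Offline Address Book",
    "Outlook Anywhere (RPC over HTTP)", "Outlook Service for Exchange", "POP3",
    "Reporting Web Services", "Other clients",
}

# constructed sample: one JSON sign-in record per line, shaped like the Graph signIn resource
SAMPLE_SIGNINS = """\
{"createdDateTime":"2019-11-04T08:01:12Z","userPrincipalName":"bob@contoso.example","appDisplayName":"Office 365 Exchange Online","clientAppUsed":"IMAP4","ipAddress":"203.0.113.7","status":{"errorCode":0}}
{"createdDateTime":"2019-11-04T08:03:40Z","userPrincipalName":"bob@contoso.example","appDisplayName":"Office 365 Exchange Online","clientAppUsed":"IMAP4","ipAddress":"203.0.113.7","status":{"errorCode":0}}
{"createdDateTime":"2019-11-04T09:15:02Z","userPrincipalName":"carol@contoso.example","appDisplayName":"Office 365 Exchange Online","clientAppUsed":"Authenticated SMTP","ipAddress":"198.51.100.20","status":{"errorCode":0}}
{"createdDateTime":"2019-11-04T09:20:55Z","userPrincipalName":"dave@contoso.example","appDisplayName":"Office 365 Exchange Online","clientAppUsed":"POP3","ipAddress":"192.0.2.99","status":{"errorCode":50126}}
{"createdDateTime":"2019-11-04T10:02:11Z","userPrincipalName":"alice@contoso.example","appDisplayName":"Office 365 SharePoint Online","clientAppUsed":"Browser","ipAddress":"203.0.113.7","status":{"errorCode":0}}
{"createdDateTime":"2019-11-04T10:05:33Z","userPrincipalName":"alice@contoso.example","appDisplayName":"Microsoft Teams","clientAppUsed":"Mobile Apps and Desktop clients","ipAddress":"203.0.113.7","status":{"errorCode":0}}
"""


def parse_signins(text: str) -> List[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def legacy_inventory(events: Iterable[dict]) -> Dict[str, dict]:
    """Per legacy protocol: who signs in successfully, through which app, and how often
    attempts fail (errorCode 50126 is 'invalid username or password')."""
    inv = defaultdict(lambda: {"users": set(), "apps": set(), "successes": 0, "failures": 0})
    for ev in events:
        client = ev.get("clientAppUsed", "")
        if client not in LEGACY_CLIENTS:
            continue  # modern authentication: unaffected by blocking basic auth
        entry = inv[client]
        entry["apps"].add(ev.get("appDisplayName", ""))
        if ev.get("status", {}).get("errorCode", 0) == 0:
            entry["successes"] += 1
            entry["users"].add(ev["userPrincipalName"])  # will break when basic auth is off
        else:
            entry["failures"] += 1  # failed legacy attempts: check for spraying before blocking
    return dict(inv)


def users_impacted(inv: Dict[str, dict]) -> set:
    """Accounts that must be migrated (or exempted) before legacy auth is blocked."""
    return set().union(*(e["users"] for e in inv.values()))


if __name__ == "__main__":
    inventory = legacy_inventory(parse_signins(SAMPLE_SIGNINS))
    for proto, e in sorted(inventory.items()):
        print(f"{proto}: {e['successes']} ok / {e['failures']} failed; "
              f"users={sorted(e['users'])}; apps={sorted(e['apps'])}")
    print("migrate before blocking:", sorted(users_impacted(inventory)))
```

Run against an export of the tenant's sign-in log instead of SAMPLE_SIGNINS; the users listed under "migrate before blocking" are the ones whose older clients need to be moved to modern authentication first.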
Hardware Requirements
Microsoft prescribes various requirements that organizations must meet before implementing passwordless sign-in. All hardware devices should be upgraded so that the system can support biometric authentication, for example face recognition via a camera and a fingerprint reader. Devices should also support Trusted Platform Module (TPM) 2.0 or FIDO2, or newer versions.
Microsoft recommends that organizations going passwordless use the FIDO2 support in Azure AD to test USB security keys, which let users sign in to Azure AD accounts without a password. FIDO2 (Fast IDentity Online 2.0) is an open standard for passwordless web authentication, combining the W3C WebAuthn browser API with the CTAP protocol between client and authenticator. Organizations that cannot eliminate passwords are asked to use Azure AD Password Protection, which blocks weak, easily guessed passwords such as 12345 and their common variants, and lets administrators add a custom banned-password list (Microsoft to secure Windows 10 with FIDO two-factor authentication including biometrics).
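An added, simplified model (not Microsoft's code) of how Azure AD Password Protection scores a candidate password as Microsoft documents it: common character substitutions are normalized away, the result is matched against the global and custom banned lists plus the user's name and tenant name, and a password needs at least five points (one per banned term found, one per remaining character). The edit-distance-one fuzzy matching the real service performs is omitted; the banned list, the user and tenant names are constructed for the illustration.

```python
# Added, simplified model of Azure AD Password Protection scoring; not Microsoft's code.
# Fuzzy (edit-distance-one) matching is omitted; banned list and names are constructed.
from typing import Dict, List, Tuple

SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})
GLOBAL_BANNED = ["password", "summer", "welcome", "contoso", "blank"]  # constructed sample


def normalize(password: str) -> str:
    """Lower-case and undo the usual look-alike substitutions before matching."""
    return password.lower().translate(SUBSTITUTIONS)


def banned_terms(first: str, last: str, tenant: str, custom: List[str]) -> List[str]:
    terms = set(GLOBAL_BANNED) | {t.lower() for t in custom}
    terms |= {t.lower() for t in (first, last, tenant) if len(t) >= 4}  # name/tenant substrings
    return sorted(terms, key=len, reverse=True)  # longest first, so "contoso" wins over shorter terms


def score(password: str, terms: List[str]) -> Tuple[int, List[str]]:
    """One point per banned term found, one point per character left over."""
    norm, i, points, found = normalize(password), 0, 0, []
    while i < len(norm):
        for t in terms:
            if norm.startswith(t, i):
                points, i = points + 1, i + len(t)
                found.append(t)
                break
        else:
            points, i = points + 1, i + 1
    return points, found


def evaluate(password: str, first="Alice", last="Blank", tenant="Contoso", custom=()) -> Dict:
    """Accepts the password only if it scores at least five points."""
    pts, found = score(password, banned_terms(first, last, tenant, list(custom)))
    return {"points": pts, "banned_terms": found, "accepted": pts >= 5}
```

"C0ntos0Blank12" normalizes to "contosoblank12": the tenant name and the user's surname each count one point and the two trailing digits add two, for four points, so it is rejected even though it satisfies classic complexity rules. Adding one more character that is not part of a banned term ("ContoS0Blank123") reaches five points and passes.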
Windows 10 is a testing ground for Microsoft Password-less technology
Microsoft regularly releases Windows 10 test builds with new and improved features. Recently the company released Windows 10 build 18936 to feature testers in the Fast ring (Microsoft to secure Windows 10 with FIDO two-factor authentication including biometrics). With the latest builds, a device can be made passwordless through the sign-in options in Settings: users go to Settings, then Accounts, select Sign-in options and turn on the passwordless option. Microsoft accounts on Windows 10 devices can then switch to Windows Hello face, fingerprint or PIN. The newly launched test build is being rolled out in small portions, with more to follow.
Microsoft also announced a public preview of FIDO2 support in Azure Active Directory, in which users can try FIDO2 security keys to authenticate to Windows 10 Azure AD-joined devices. The build's in-box apps add an option to read upcoming events from the taskbar by simply clicking on the date, and Microsoft is expanding the apps that can be used from the phone screen. The feature is available on Surface Laptop, Surface Pro 4, 5 and 6, and Surface Book, starting with build 18936 (Atick, 1997).
Although many companies have been working hard to disable password options for Windows 10 and its Microsoft accounts, Microsoft has now taken the next major step in updating Windows 10. Soon users will be able to enable passwordless sign-in for Microsoft accounts on Windows. Those PCs will use Windows Hello face recognition, fingerprint or PIN, and the password option will be removed from the login screen for anyone using the new passwordless device feature.
The new FIDO2 password less technology
FIDO2 (Fast IDentity Online 2) is a new open authentication standard from the FIDO Alliance, an industry alliance of more than 250 member companies that include Google, Facebook, Intel, PayPal, Amazon, Mastercard, Visa and Samsung. Its main objective is open authentication standards that reduce the world's reliance on passwords as the means of online identity authentication. Its key agenda is to allow users to log in without passwords, by creating passwordless flows or strong MFA for signing in to websites. The FIDO standard is not limited to web applications: support is coming to Azure Active Directory and to native apps. The technology works by creating a public and private key pair, so that authentication happens without a shared secret between the user and the platform. It brings an array of benefits: a convenient and safe way to log in, while at the same time making phishing attempts extremely difficult (Bole, et al., n.d).
FIDO protocol authentication work by use of public-key cryptography techniques to
provide a safer and more robust authentication. The user client registers with an online
service by creating a pair of new keys. The system work by retaining the private key and
registering the public key with the online service. The authentication process is done through
the client devices, which process the private key to the service by signing a challenge.
Notably, the client’s private keys can be used only after the user device locks it out. The
local unlock done by the user-friendly and secure action like entering a Pin, swiping a finger,
of speaking on a microphone. Other attempts include inserting a second-factor device SFD,
or by pressing any button.
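The registration and challenge-response exchange described above, written out as an added example in Go; it is not code from this paper, from Microsoft or from the FIDO Alliance. The relying-party name "login.example.com", the user name "alice" and the way the relying-party hash is concatenated with the challenge before signing are assumptions of this example (real WebAuthn signs authenticatorData together with a hash of the client data), chosen to show the three properties the text relies on: the service stores only a public key, the private key signs only after a local unlock, and a credential refuses to sign for any origin other than the one it was registered with.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// RelyingParty is the online service. It keeps public keys only: a dump of this map
// gives an attacker nothing that can be replayed against the service.
type RelyingParty struct {
	ID      string                      // rpId, e.g. "login.example.com" (assumed name)
	pubKeys map[string]*ecdsa.PublicKey // user -> registered public key
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubKeys: map[string]*ecdsa.PublicKey{}}
}

// Authenticator models the user's device (platform authenticator or security key).
// The private key never leaves it, and it signs only after a local unlock gesture.
type Authenticator struct {
	rpID     string
	priv     *ecdsa.PrivateKey
	unlocked bool
}

// Register creates a fresh key pair scoped to this relying party and hands the
// service only the public half.
func Register(rp *RelyingParty, user string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.pubKeys[user] = &priv.PublicKey
	return &Authenticator{rpID: rp.ID, priv: priv}, nil
}

// Unlock stands in for the local user-verification gesture (PIN, fingerprint, face, button).
func (a *Authenticator) Unlock() { a.unlocked = true }

// NewChallenge issues the fresh random nonce the service wants signed.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// signedData binds the signature to the relying party identity as well as the challenge
// (a simplification, assumed here, of WebAuthn's authenticatorData || SHA-256(clientDataJSON)).
func signedData(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	h := sha256.New()
	h.Write(rpHash[:])
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign is what the browser asks the authenticator to do. origin is the site the browser
// is really talking to; a mismatch with the registered rpID is refused before any signing.
func (a *Authenticator) Sign(origin string, challenge []byte) ([]byte, error) {
	if origin != a.rpID {
		return nil, fmt.Errorf("credential is scoped to %q, refusing to sign for %q", a.rpID, origin)
	}
	if !a.unlocked {
		return nil, errors.New("user verification required before the private key can be used")
	}
	a.unlocked = false // one gesture authorizes one signature
	return ecdsa.SignASN1(rand.Reader, a.priv, signedData(a.rpID, challenge))
}

// Verify checks a signature over the challenge the service issued, using the stored public key.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) error {
	pub, ok := rp.pubKeys[user]
	if !ok {
		return errors.New("unknown user")
	}
	if !ecdsa.VerifyASN1(pub, signedData(rp.ID, challenge), sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Login runs one complete challenge-response authentication from the service's side;
// origin is what the user's browser reports, and for a phishing page it differs from rp.ID.
func Login(rp *RelyingParty, auth *Authenticator, user, origin string) error {
	challenge, err := NewChallenge()
	if err != nil {
		return err
	}
	sig, err := auth.Sign(origin, challenge)
	if err != nil {
		return err
	}
	return rp.Verify(user, challenge, sig)
}
```

Calling Login with the genuine origin after Unlock succeeds; calling it with a look-alike origin such as "login-example.com" fails inside Sign before the key is touched, and calling it again without a new Unlock fails on user verification, which is the behaviour a phishing page or a stolen device runs into.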
Microsoft Azure MFA
Microsoft Azure Multi-Factor Authentication helps organizations minimize risk by adding a further layer of verification on top of the user's existing account credentials.
Organizations must still meet growing data-protection and breach-prevention obligations, addressing threats to security while embracing digital transformation. Presently, many organizations do so by shifting to cloud security service providers. IT-dependent businesses need a trusted partner to build and operate cloud services that increase business agility while securing enterprise data and other assets.
Microsoft Azure provides an array of integrated mitigations and services that let clients protect business assets while minimizing cost, management overhead and complexity. Azure builds security in as a principle, providing a managed-service approach that covers the significant areas of data protection, workload threat protection and detection, identity protection, and infrastructure security management. Clients may choose various levels of security from the provider, which administers their operations and helps them improve security across cloud and hybrid assets.
Microsoft Azure works like any other cloud computing service provider. It is operated by Microsoft and is used to build, test, deploy and manage applications through a global network of data centres. The Azure infrastructure consists of servers operating in those data centres. It relies on virtualization: users gain remote access to and control of virtual machines, which are created and run by hypervisor software. The virtual machines support multiple operating systems, such as Windows and Linux. Azure also offers Software as a Service (SaaS), Infrastructure as a Service (IaaS) and Platform as a Service (PaaS), supporting both Microsoft-specific and third-party tools and frameworks (Bolle et al., n.d.).
Microsoft Azure presently operates in 54 regions and serves 140 countries worldwide ("Microsoft to secure Windows 10," 2015). Each Azure data centre comprises many racks of servers, and each rack is managed by software called the Fabric Controller. The Azure Fabric Controller is the component of the platform that monitors and manages services and coordinates resources for software applications.
Microsoft 365 Password-less technology
Citizens place their trust in government institutions. They trust that the agencies representing their needs act in good faith to protect their interests, which include food, medication, information, infrastructure, national security and the sustainability of the social contract. Governments, in turn, need to retain that public trust. For government functions to run smoothly, data must flow on a massive scale, including sensitive information about public safety, critical infrastructure and security ("Microsoft to secure Windows 10," 2015). The more attractive the information, the more sensitive it is and the more protection it requires. Government systems are therefore subject to constant attack for financial and political gain. Initially, the prevailing security paradigm was to guard the perimeter, protecting the network's entry and exit points with firewalls and virtual private networks (VPNs). This traditional approach has become obsolete in the wake of changes such as the expansion of mobile networks, the rapid growth of digital data, the rise in cyber-attacks and the proliferation of shadow IT. Presently more and more enterprises are shifting to zero trust models for the security of their devices and users: every user, device, application and data store is untrusted by default.
Microsoft 365 bundles reliable and secure authentication services that assist government institutions and private enterprises on their zero trust journey. With Microsoft 365, governments and private bodies can take the first steps towards zero trust as a security model, beginning with a secure environment built on explicit verification of identity. Most cyber attackers use phishing to reach data they are not authorized to see. Phishing can compromise users who hold sensitive information and open doors for attackers to steal valuable data. Cybercriminals want sensitive data, but before they can reach it they need to breach an identity, which is a common first step in gaining access to data ("Microsoft to secure Windows 10," 2015).
For governments and private bodies, adopting password-less sign-in through Microsoft 365 is therefore the crucial first step in a cybersecurity strategy of protecting identity and denying access to unauthorized users. Because the password is replaced by a device-bound credential, an attacker can no longer take over an account simply by stealing or guessing a password. The model adds further security layers, including Microsoft Secure Score, the successor of Office 365 Secure Score. The service gives enterprises a report card on their security posture and alerts them to where they need to make changes quickly, such as turning on multi-factor authentication or restricting email forwarding.
Microsoft is building these protections into a new solution for Microsoft 365 subscribers. The strategy combines a range of services that cater to both online and remote work. Threat protection extends beyond email accounts to users' PCs, documents and other infrastructure, where attacks can be detected and mitigated. Cybersecurity remains a central issue in the digital age. Most organizations spend precious time and resources every day defending their assets against attackers. They operate with dozens of complex tools, yet the threat remains, and their security teams struggle to stay current with skilled expertise.
Biometric Password-less authentication devices
Biometric password-less authentication devices are adopted for security even more than for convenience. They let businesses and their partners quickly take advantage of the core technology and verify identity with unique capabilities, using liveness detection across online channels, traditional voice channels, mobile devices and physical access devices. ID R&D, for example, has designed an approach to biometric authentication that does not need to store any raw biometric data, and builds its products on these biometric technologies (Sathiya & Palanisamy, 2018).
Core capabilities include voice biometrics, facial biometrics, behavioural biometrics and liveness detection. Voice biometrics compares the characteristics of the user's voice with a stored voiceprint to determine whether they match. Facial biometrics compares patterns of the user's facial structure, independent of eye and skin colour, with a stored template to determine a match. Behavioural biometrics uses uniquely identifiable patterns in the user's activity, such as keystroke dynamics or how they type, to verify identity. Lastly, liveness detection identifies presentation attacks, such as recorded voice, replayed video, photographs, computer-generated voice and masks, that attempt to impersonate authorized users.
Biometric authentication devices are not a guaranteed replacement for other factors. Although they do not carry the security certifications many enterprises require for their users, the advantages outweigh the drawbacks, which is why countless users already rely on them for existing accounts (Williamson, 2006). Biometric authentication can address many issues:
Merits
▪ Fingerprint scanning is cheap, fast and relatively secure.
▪ Voice recognition is easy for users, although attackers may still attempt to imitate a voice.
▪ Features such as the iris are very secure and potentially more convenient than fingerprints.
▪ The approach addresses users' convenience concerns while maintaining security.
Drawbacks
▪ The software does not apply to all applications.
▪ Deployment is expensive.
▪ Biometric support is limited on some platforms.
▪ Some biometric applications are disabled.
▪ The technology is not a silver bullet; it retains some weaknesses and can be compromised.
Summary
This research paper analyzed password-less technology approaches and their primary purpose in enterprise IT security. Password-less technology and its access policies depend on correctly identifying the users requesting access, and on giving identity management priority in the defence of the enterprise. Traditional password authentication is mostly considered high-friction and time-consuming, and hence challenging for users. Organizations are presently considering a password-less strategy that can improve user productivity while assuring security. Password-less authentication draws on several factors: voiceprints, fingerprints and other biometrics, unique behavioural characteristics, and cryptographic tokens.
It is imperative to recognize, however, that no single authentication method is optimally secure and user-friendly in all cases. Most organizations opt for multiple approaches and accept the related costs. Although awareness of the value of low-friction authentication is increasing, there are vital inhibitors to adoption, including concerns about the complexity and cost of deploying authentication solutions. Many organizations also hesitate to embrace password-less authentication because they believe it might disrupt business operations. Password-less technology providers should therefore offer viable solutions that support the "Four Is" of password-less authentication: intuitive, informative, intelligent and integrated.
PASSWORD-LESS TECHNOLOGY 27
Reference
Atick, J. J., Griffin, P. M., & Redlich, A. N. (1997). . Human Detection and Positive
Identification: Methods and Technologies. https://doi.org/10.1117/12.265388
Banerjee, S. P., & Woodard, D. (2012). Biometric Authentication and Identification Using
Keystroke Dynamics: A Survey. Journal of Pattern Recognition Research, 7(1), 116-139.
https://doi.org/10.13176/11.427
Bolle, R., Pankanti, S., & Ratha, N. (n.d.). Evaluation techniques for biometrics-based
authentication systems (FRR). Proceedings 15th International Conference on Pattern
Recognition. ICPR-2000. https://doi.org/10.1109/icpr.2000.906204
Bolotin, L. M., Lemelev, A., & Singer, M. (2018). U.S. Patent Application No. 16/103,983.
Dorfman, S., & Sengpiehl, D. P. (2018). U.S. Patent No. 9,923,885. Washington, DC: U.S. Patent
and Trademark Office.
Gong, G., Xinxin, F. A. N., & Zhu, B. (2018). U.S. Patent No. 10,136,315. Washington, DC: U.S.
Patent and Trademark Office.
Julisch, K. (2008). Security compliance. Proceedings of the 2008 workshop on New security
paradigms – NSPW ’08. https://doi.org/10.1145/1595676.1595687
Kelley, P. G., Komanduri, J. L., Maass, M., Mazurek, M. L., Passaro, T., Shay, R., Vidas, T.,
Bauer, N., & Cranor, L. F. (2012). How Does Your Password Measure Up? The Effect of
Strength Meters on Password Creation. 2012. USENIX Security,.
Kim, J. R. (2016). U.S. Patent No. 9,519,767. Washington, DC: U.S. Patent and Trademark Office.
Microsoft to secure Windows 10 with FIDO two-factor authentication including biometrics.
(2015). Biometric Technology Today, 2015(3), 1-2. https://doi.org/10.1016/s0969-
4765(15)30024-2
https://doi.org10.1117/12.265388
https://doi.org10.13176/11.427
https://doi.org10.1109/icpr.2000.906204
https://doi.org10.1145/1595676.1595687
https://doi.org10.1016/s0969-4765(15)30024-2
https://doi.org10.1016/s0969-4765(15)30024-2
PASSWORD-LESS TECHNOLOGY 28
Morii, M., Tanioka, H., Ohira, K., Sano, M., Seki, Y., Matsuura, K., & Ueta, T. (2017). Research
on Integrated Authentication Using Passwordless Authentication Method. 2017 IEEE
41st Annual Computer Software and Applications Conference (COMPSAC).
https://doi.org/10.1109/compsac.2017.198
Papadamou, K., Zannettou, S., Chifor, B., Teican, S., Gugulea, G., Caponi, A., … & Xenakis, C.
(2019). Killing the Password and Preserving Privacy with Device-Centric and Attribute-
based Authentication. IEEE Transactions on Information Forensics and Security.
Pikrammenos, I. A., Tolis, P., & Perakis, P. (2019). Authentication Mechanism Enhancement
Utilising Secure Repository for Password Less Handshake. International Journal of
Network Security & Its Applications (IJNSA) Vol, 11.
Sathiya, L., & Palanisamy, V. (2018). A Survey on Finger Knuckle Print based Biometric
Authentication. International Journal of Computer Sciences and Engineering, 6(8), 236-
240. https://doi.org/10.26438/ijcse/v6i8.236240
Shin, S. M., & Kim, M. (2018). PC User Authentication using Hand Gesture Recognition and
Challenge-Response. JOURNAL OF ADVANCED INFORMATION TECHNOLOGY AND
CONVERGENCE, 8(2), 79-87.
Tehranipoor, F., Karimian, N., Wortman, P. A., Haque, A., Fahrny, J., & Chandy, J. A. (2017).
Exploring methods of authentication for the internet of things. In Internet of Things (pp.
71-90). Chapman and Hall/CRC.
Williamson, G. D. (2006). Enhanced authentication in online banking. J. of Econ. Crime
Management, 4(2).
https://doi.org10.1109/compsac.2017.198
https://doi.org10.26438/ijcse/v6i8.236240
Running head: ZERO TRUST NETWORK 1
Zero Trust Network: More Security Features
Fernando Andreazi
EC-Council University
Table of Contents
Zero Trust Network ………………………………………………………………………………………………….. 3
Abstract ……………………………………………………………………………………………………………………. 3
Introduction ……………………………………………………………………………………………………………… 5
Background ……………………………………………………………………………………………………………… 6
Problem Statement……………………………………………………………………………………………………. 8
Objectives of the project ………………………………………………………………………………………….. 8
Literature review ……………………………………………………………………………………………………… 9
Zero Trust Security…………………………………………………………………………………………………… 9
The Principles of Zero Trust ………………………………………………………………………………… 11
The History of Zero Trust Security ………………………………………………………………………. 12
How is the Zero Security model different from a traditional model? ……………………………. 13
How Zero trust security supports security in a cloud environment? ………………………. 13
Zero trusts security micro-segmentation ………………………………………………………………. 14
Why modern organizations need to adopt Zero trust security technique ……………………….. 14
Zero Trust Architecture ………………………………………………………………………………………….. 15
Zero Trust Microsoft ………………………………………………………………………………………………. 17
How do Zero Trust capabilities work in Microsoft? ………………………………………………. 18
Zero Trust Networks ………………………………………………………………………………………………. 19
Methodology adopted ……………………………………………………………………………………………… 20
Results-Project findings ……………………………………………………………………………………….. 20
Recommendations …………………………………………………………………………………………………… 25
Conclusion ……………………………………………………………………………………………………………… 25
References ………………………………………………………………………………………………………………. 26
Zero Trust Network
Abstract
Conventional network security relies on the principle of creating a safe environment inside the network. It follows a philosophy that everything inside the network is secure while everything outside it is unsafe. The new cyber security approaches being built across the industry aim at zero intrusion and complete safety, and security engineers are not relenting, because a threat can come from inside the network as well as from outside. The Zero Trust network therefore aims to improve security by treating every interaction as a risk to data safety. With the now inevitable use of cloud computing, the cyber world is becoming high risk, but efforts such as Zero Trust networks address the problem of cyber safety.
Zero Trust network security is a modern alternative in IT security that will replace perimeter-centred VPN mechanisms and the legacy approaches and technologies that rely on implicit trust. The principle behind a Zero Trust network replaces 'trust but verify' with 'never trust, always verify'. Zero Trust network security is set to become mandatory for organizations that believe in secure computing. This analysis of the Zero Trust network draws on existing literature, developers' opinions and descriptions of the network, together with a comparison with VPN systems. The Zero Trust environment assumes that every user is working in an open environment with unlimited vulnerabilities and threats, and secures them on that assumption.
Introduction
Zero trust (ZT) is the term used for a continually evolving set of cybersecurity paradigms. They shift network defences away from static, perimeter-based networks and focus instead on the users, assets and resources themselves. A zero trust architecture, for instance, applies zero trust principles to the planning of enterprise workflows and infrastructure (Mazzagatte, Bajo, & Rathod, 2017). Zero trust postulates that no implicit trust is granted to user accounts or assets based solely on their network or physical location, for instance the internet versus the local area network. Authentication and authorization of both the device and the user are discrete functions that take place before a session to an enterprise resource is established. Zero trust responds to trends in networks, including cloud-based assets and remote users, that are not situated within a network boundary owned by the enterprise (Uttarwar, & Kalia, 2019). Additionally, zero trust puts more effort into safeguarding resources than network segments, because network location is no longer perceived as the major constituent of resource security. This document conveys a brief elaboration of the approach and provides general deployment models and use scenarios in which zero trust could enhance an enterprise's overall security posture.
There are numerous advantages in replacing the old system with a Zero Trust network. Within a zero-trust network structure, it is postulated that operations take place in an open environment characterized by a wide variety of constant vulnerabilities and threats (Scott, 2018). It therefore makes sure that every bit of data, whether incoming or outgoing, is encrypted to prevent any malicious activity. The process causes some inconvenience to users, since cookies that keep them logged in indefinitely are not provided. Moreover, administrators' privileges are restricted: administrators are prevented from exercising their power except when it is actually needed. Furthermore, systems are divided into separate segments so that they can work under the zero trust approach, preventing any outsider from gaining access to sensitive information.
Background
IT infrastructure has grown increasingly complex, and security with it. Large enterprises operate both internal and external networks. They have remote offices with local infrastructure and must connect through the cloud using mobile or cloud services. Such complexity has outgrown traditional perimeter-based network security, because there is no longer a single, easily identified perimeter to defend (Uttarwar, & Kalia, 2019). Perimeter-based network security systems offer insufficient protection from attackers and security breaches. Consequently, traditional security hinders access to embedded and important services for fear of compromise. Complex enterprises have therefore needed a new model of cyber security principles that offers safety while providing access from all locations. Zero trust (ZT) promises a cyber security model that provides safety while allowing wider access to resources from open locations.
A ZT approach primarily focuses on protecting data and information, with the opportunity to expand to other enterprise assets, giving devices and infrastructure wide access opportunities even from previously untrusted locations. ZT security models assume that an attacker is already present on the network, so every access, including access to remote services, must be verified (Uttarwar, & Kalia, 2019). Organizations currently rely solely on enterprise-owned network infrastructure, with no access from outside the privately owned network. ZT is different because it treats enterprise-owned networks the same as non-enterprise-owned networks. The principle behind such treatment is that it enhances safety in both environments. The new paradigm in cybersecurity is the continuous evaluation of the risks of both the internal and external assets of business functions (Uttarwar, & Kalia, 2019). Therefore, ZT allows maximized asset access for all users without compromising the safety of the data being accessed.
A zero trust architecture (ZTA) comprises an enterprise cybersecurity strategy designed around ZT principles. A ZTA is designed to prevent data breaches while limiting lateral movement within the internal environment (Stafford, n.d). The description of a ZTA covers its logical components, its possible deployment scenarios and how it handles threats (Stafford, n.d). It also presents a general roadmap of design that can be adopted by any organization, and discusses the significant policy controls and regulations from relevant authorities that govern its use (Uttarwar, & Kalia, 2019). The future influence of ZTA can be deduced from its architecture, as shown in Figure 1. A ZTA is not a single network architecture but a set of guiding principles that shape network infrastructure, systems and operational design for enhanced security.
An organization's transition to a ZTA is best seen as a journey, because ZT cannot simply be bolted onto an existing platform; it is not a wholesale replacement technology, and so far it has largely been the preserve of large organizations (Stafford, n.d). Large organizations have an advantage in deploying ZT because of their need to increase security and data safety while remaining functional as a business. Organizations should seek out future technologies, hence the need for increased investment in ZT security technologies; protecting organizational data is itself an investment. Today, most enterprises use hybrid infrastructure to enhance security, but perimeter-based systems will become ever more burdensome, while investors will favour organizations with resilient cyber security practices that protect against common and advanced threats (Uttarwar, & Kalia, 2019). Improving an organization's security posture is not a matter for discussion; it is mandatory.
Problem Statement
Increasing reliance on IT is driving cyber threats that are beyond control. The Zero Trust network is designed to work in the opposite way to the VPN model. The VPN model secures the internal enterprise network by locking out access from outside, and it also limits access from inside the network. The problem is that access denied for security reasons reduces opportunities that may otherwise be essential within the network. Organizations are therefore seeking a solution that offers strong security without depending on perimeters. The Zero Trust network rests on the fundamental principle of providing access to all network locations over the internet without compromising safety within or outside the enterprise network. A Zero Trust network may be costly to organizations, but there is a need to understand its working mechanisms and its future capability. ZT appears to be the solution for internet safety that is awaiting deployment for public use. The concern for the public is whether the technology can deliver the enhanced safety that would make it better than, and preferable to, current systems.
Objectives of the project
• The main objective of the current project is to establish the current status and use of Zero Trust network security systems.
• The project will assess the superiority of the Zero Trust security network compared with VPN networks.
Literature review
Zero Trust Security
The Zero Trust security model is a new approach built on network micro-segmentation, creating secure zones in data centres and cloud deployments. It isolates network workloads from one another and thereby protects them. It differs from conventional security models in that it extends no default trust. Presently most companies are shifting their focus to implementing micro-segmentation, which provides the foundation for a zero trust security model.
Micro-segmentation involves creating secure zones in the data centre and cloud and designing isolation between workloads so as to protect them. It gives organizations finer control over individual servers than perimeter security gear alone provides. In the event of a breach by hackers, micro-segmentation limits their capacity to move laterally across the network.
Zero Trust is a security design concept, or policy, under which a company no longer automatically trusts anything inside or outside its infrastructure perimeter. Organizations should verify every incoming connection before granting access. Each connection is followed until the organization is sure who the other party is and whether they are authorized.
Organizations can become more secure by adopting the concepts and architectural components of Zero Trust while easing compliance burdens and reducing costs. In zero trust, all network traffic is assumed to be untrusted. That means security personnel and other professionals must at all times instil the discipline that all infrastructure and resources are accessed in a secure manner regardless of location. They should also adopt the least-privilege approach, adhere to strict access control, and inspect and log all traffic. Twenty-first-century organizations require a new and more effective security model that adapts to the complexity of the modern environment, integrates with the mobile workforce, and protects people, infrastructure, apps, devices and data wherever they are located.
Kindervag (2010) defines Zero Trust Security as an information security model that works on the strict principle that every person or device accessing a resource is verified. Strict identity authentication must be adhered to regardless of whether the user is outside or inside the network perimeter. The model is not tied to any one technology; instead, it takes a holistic approach to network security that integrates diverse ideas and technologies. Conventional IT network security employs a concept known as castle and moat: it makes connections from outside the network difficult, but every user or device already inside is trusted by default (Kindervag, 2010). Although this approach stops many external attacks, it has a serious drawback: once a breach of the network occurs, the attacker can roam and create havoc across the entire system. The castle-and-moat vulnerability is exacerbated by the fact that data is no longer kept in one place and organizations have lost control over where it resides. In the present age of the internet, data is scattered across cloud vendors, which makes it difficult for analysts to design a single security control that guards the entire network from attackers. Hence the zero trust security approach assumes that no user, whether internal or external, is trusted by default, and none is granted access to the organization's resources without verification. This extra layer of security has been shown to inhibit data breaches.
The Principles of Zero Trust
The concept works by assuming that nothing behind the corporate firewall is safe. The Zero Trust model assumes breach and verifies every request as though it originated from an open network. Furthermore, zero trust teaches that regardless of where a request originates or what resource it accesses, one should "never trust, always verify." Every request is fully authenticated, authorized and encrypted before access is granted. Micro-segmentation and least-privilege access principles are applied to reduce lateral movement. Rich intelligence and analytics are also employed to detect and respond to anomalies in real time, before any break-in succeeds (Scott, 2018).
The philosophy of the Zero Trust Network presumes that the network is liable to attack from every side. With this in mind, no user, machine, or other resource should be trusted automatically. The second principle behind Zero Trust Security is least-privilege access: users are given only the access they need and no more, much as an army general gives soldiers information on a need-to-know basis. With this strategy, each user's exposure to critical network components is minimized (Lefler, 2013). Furthermore, zero trust networks employ micro-segmentation, which divides the security perimeter into small components and keeps access to each part of the network separate. For instance, a network with a single data center that uses micro-segmentation may comprise dozens of separate secure zones. Any user, program, or device with access to one of these small zones will not be permitted to access any of the others without distinct authorization. Multi-Factor Authentication (MFA) is also an essential part of Zero Trust Security. MFA means adding a further piece of evidence, since a password alone is not strong enough to grant access. The most frequently used form of MFA is two-factor authentication (2FA), which is offered on most online platforms such as Google and Facebook. Besides entering a password, users of these services must supply a second factor: a code is sent to another device, such as a mobile phone, or to an email address, which completes the two pieces of evidence required to prove who they are. Access control in Zero Trust also entails strict control over access by devices (Lefler, 2013). Zero trust systems require administrators to keep track of how many different devices are attempting to gain access to the network and to confirm that every device is approved. In this way the attack surface is reduced.
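The principles listed above (deny by default, verify user and device on every request, require a second factor, confine each subject to its own segment, and grant only the role a resource needs) can be expressed as a single policy decision routine. The following is an added illustration written for this paper's discussion; it is not code from any vendor or from the cited sources, and the device identifiers, user names, segments, and roles are constructed for the example.

```python
"""Per-request access decision embodying the Zero Trust principles above: deny by
default, verify user and device on every request, require a second factor, keep each
subject inside its own micro-segment, and grant only the role the resource needs.
Illustrative code only; the inventory values are constructed for this example."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List


@dataclass(frozen=True)
class Subject:
    user: str
    device_id: str
    mfa_verified: bool                      # second factor presented for this session
    roles: FrozenSet[str] = field(default_factory=frozenset)


@dataclass(frozen=True)
class Resource:
    name: str
    segment: str                            # micro-segment the resource lives in
    required_role: str                      # least-privilege role needed to use it


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class PolicyDecisionPoint:
    """Evaluates every request on its own merits; network location never grants trust."""

    def __init__(self, approved_devices: Iterable[str],
                 segment_grants: Dict[str, Iterable[str]]) -> None:
        self.approved_devices = set(approved_devices)                         # admin-approved devices
        self.segment_grants = {u: set(s) for u, s in segment_grants.items()}  # user -> segments

    def evaluate(self, subject: Subject, resource: Resource, internal_origin: bool) -> Decision:
        # The same checks run for internal and external requests:
        # being "inside the perimeter" buys nothing (assume breach).
        if subject.device_id not in self.approved_devices:
            return Decision(False, "device not approved")
        if not subject.mfa_verified:
            return Decision(False, "second factor missing")
        if resource.segment not in self.segment_grants.get(subject.user, set()):
            return Decision(False, "segment not granted to user")
        if resource.required_role not in subject.roles:
            return Decision(False, "least privilege: required role not held")
        origin = "internal" if internal_origin else "external"
        return Decision(True, f"verified for this request ({origin} origin, not relied on)")


def demo_decisions() -> List[Decision]:
    """Constructed scenario: alice may enter the finance segment from laptop-01 only."""
    pdp = PolicyDecisionPoint(approved_devices=["laptop-01"],
                              segment_grants={"alice": ["finance"]})
    ledger = Resource("ledger-db", "finance", "finance-reader")
    payroll = Resource("payroll-db", "hr", "hr-reader")
    finance_roles = frozenset({"finance-reader"})
    return [
        pdp.evaluate(Subject("alice", "laptop-01", True, finance_roles), ledger, internal_origin=False),
        pdp.evaluate(Subject("alice", "laptop-01", False, finance_roles), ledger, internal_origin=True),
        pdp.evaluate(Subject("alice", "tablet-99", True, finance_roles), ledger, internal_origin=True),
        pdp.evaluate(Subject("alice", "laptop-01", True, finance_roles), payroll, internal_origin=True),
    ]


if __name__ == "__main__":
    for d in demo_decisions():
        print("ALLOW " if d.allowed else "DENY  ", d.reason)
```

Note that the external, fully verified request is the only one allowed, while the three internal requests are each refused for a different reason; the order of checks is fixed so that an unapproved device is rejected before any identity claim is considered.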
The History of Zero Trust Security
VPNs, despite using encryption, have historically been the preferred option for remote access. However, the technology was not developed for security, and it eventually led to a frustrating user experience, especially on mobile devices. Organizations allow employees to take work home or wherever they go, and expect them to log in freely from whatever device is at hand. If VPN connections are slow or disconnect frequently, cloud-centric infrastructure lets users bypass the VPN and connect directly to the required resource. If the VPN fails to deliver the expected service, it becomes effectively redundant. Having said that, just because users can access corporate resources through a VPN does not mean they are authentically who they claim to be. The corporate network has become increasingly porous and vulnerable because of outsourcing and flexible working. Proper governance is needed to provide sophisticated access control in place of the free rein presently granted under VPNs (Kindervag et al., 2012).
As the 21st-century corporation evolves, cloud infrastructures are giving way to BYOD programs, which are increasingly being adopted. Companies now need to fully understand what the endpoints accessing their corporate resources are. Present-day companies cannot implicitly rely on trust indicators. That is why the Zero Trust mentality is necessary to improve corporate resilience, however misanthropic it sounds.
The Zero Trust concept was first discovered and presented by the analyst firm Forrester Research Inc. in 2012. Later, Google announced the implementation of zero trust security on its networks, which aroused the interest of many companies and individual users in the tech community in adopting it (Kindervag et al., 2012).
How is the Zero Trust security model different from a traditional model?
The conventional security model assumes that the company's internal network can be relied upon. In effect, the traditional model shields the threats that get inside the network: they are invisible, uninspected, and free to move anywhere to extract sensitive enterprise data. Conversely, Zero Trust models are rooted in the presupposition of "never trust, always verify" and are designed to cope with lateral threat movement in the network by leveraging micro-segmentation and granular perimeters, enforced on the basis of user, data, and location attributes (Scott, 2018).
How does Zero Trust security support security in a cloud environment?
The Zero Trust approach employs various existing technologies, along with governance tactics, to carry out its mission of securing the enterprise and its IT environments. It recommends that enterprises apply micro-segmentation and granular perimeters across all users, devices, and locations. It uses multifactor authentication, IAM, file-system permissions, encryption, analytics, and scoring to control access to information. The technique forces every connected element (users, software, and devices on the remote web) to authenticate itself on a regular basis. The model can be enabled in software by a software-defined perimeter (SDP), where access rights are controlled by policies that are updated seamlessly across on-premises and cloud environments. SDP architectures can be combined with other devices that provide authentication factors, such as the location of the device making the request (Scott, 2018). Zero trust security is intrinsically more flexible and less rigid than factor-to-factor architectures. Among its other benefits, it limits the lateral movement on which attackers routinely rely to explore an infiltrated network.
Zero Trust security micro-segmentation
When we consider Zero Trust security, we think of the micro-segmentation technique. Micro-segmentation is a technique in zero-trust security whereby organizations enhance protection by carving networks into tiny granular zones, down to a single application or machine (Uttarwar & Kalia, 2019). The technology entails an intricate problem, a control problem to be precise: in a micro-segmented world, protection policies explode in number, as several policies turn into several more, multiplying the number of conceivable controls.
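The two sides of micro-segmentation described above, the containment it buys and the control problem it creates, can both be measured on a small model. The code below is an added illustration for this section, not code from the cited sources or from any product; the zone names, ports, and the three-tier application it models are constructed for the example. It counts the rules a policy needs and computes how far traffic starting in one zone can travel, first for a flat castle-and-moat network and then for a segmented one.

```python
"""Micro-segmentation as an explicit allow-list between small zones, with two
measurements: how many rules a policy needs, and how far an intruder in one zone
could move laterally. Segment names and ports are constructed for this example."""
from collections import deque
from typing import Dict, Iterable, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    src_segment: str
    dst_segment: str
    port: int


class SegmentPolicy:
    """Policy enforcement point for one gateway: a flow passes only if a rule names it."""

    def __init__(self) -> None:
        self._rules: Dict[Tuple[str, str], Set[int]] = {}

    def allow(self, src: str, dst: str, port: int) -> None:
        self._rules.setdefault((src, dst), set()).add(port)

    def is_allowed(self, flow: Flow) -> bool:
        # Default deny: without a matching (src, dst, port) rule the flow is dropped,
        # even between hosts that sit in the same segment.
        return flow.port in self._rules.get((flow.src_segment, flow.dst_segment), set())

    def rule_count(self) -> int:
        return sum(len(ports) for ports in self._rules.values())

    def reachable_from(self, start: str) -> Set[str]:
        """Segments that traffic starting in `start` can reach over allowed rules
        (the blast radius if that segment is compromised)."""
        seen, queue = {start}, deque([start])
        while queue:
            cur = queue.popleft()
            for (src, dst), ports in self._rules.items():
                if src == cur and ports and dst not in seen:
                    seen.add(dst)
                    queue.append(dst)
        return seen


def flat_network(segments: Iterable[str], ports: Iterable[int]) -> SegmentPolicy:
    """Castle-and-moat baseline: inside the perimeter every zone talks to every other."""
    segments, ports = list(segments), list(ports)
    policy = SegmentPolicy()
    for src in segments:
        for dst in segments:
            if src != dst:
                for port in ports:
                    policy.allow(src, dst, port)
    return policy


def full_mesh_rule_count(n_segments: int, ports_per_pair: int) -> int:
    """Rules needed to state 'everything may talk to everything' for n zones: growth is
    quadratic in the number of segments, which is the control problem the text names."""
    return n_segments * (n_segments - 1) * ports_per_pair


def build_segmented_policy() -> SegmentPolicy:
    """Constructed three-tier application plus an unrelated HR zone: only the two
    flows the application actually needs are listed."""
    policy = SegmentPolicy()
    policy.allow("web", "app", 8443)
    policy.allow("app", "db", 5432)
    return policy


if __name__ == "__main__":
    zones, ports = ["web", "app", "db", "hr"], [22, 5432, 8443]
    flat, segmented = flat_network(zones, ports), build_segmented_policy()
    print("flat rules:", flat.rule_count(), "reach from hr:", sorted(flat.reachable_from("hr")))
    print("segmented rules:", segmented.rule_count(), "reach from hr:", sorted(segmented.reachable_from("hr")))
    print("40 zones, full mesh:", full_mesh_rule_count(40, 3), "rules")
```

With four zones and three ports the flat network needs 36 rules and a compromise of the HR zone reaches every other zone, whereas the segmented policy needs two rules and confines HR to itself; the same full-mesh formula at 40 zones already yields 4680 rules, which is why the policy set, not the filtering itself, becomes the hard part.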
Why modern organizations need to adopt the Zero Trust security technique
Below are the reasons why enterprises display real interest in incorporating platform approaches as they look to strengthen their security infrastructure.
1. It provides a total breadth of products and services
Enterprises across network, endpoints, and cloud need to guard their businesses against the advanced threats that arise every day. As soon as threats are identified, orchestration capabilities allow the enterprise to respond to the attacks across all linked devices, including mobile. This nature of the platform is advantageous because it can prevent a breach before it happens, minimizing the impact and enabling proper mitigation steps to be taken.
2. It raises awareness that enterprise information may be in many places
Enterprise information does not exist only in traditional corporate data centers; it may be in cloud SaaS apps, Azure and AWS workloads, mobile devices, IoT devices (both company-owned and personal), and thumb drives.
3. It supports increasingly strict compliance approaches
With the introduction of GDPR, particularly in Europe, most platforms offer tremendous help when it comes to securing records, enforcing identity, and controlling admission and access on devices, the corporate network, segmented networks, and other workloads.
Zero Trust Architecture
BlackRidge (2012) defines Zero Trust Architecture as an emerging set of network security models that shift defenses from a broad network perimeter to protections tailored to small groups of resources. The Zero Trust Architecture (ZTA) strategy holds that no implicit trust is granted to systems irrespective of their remote or network location, i.e., local network or internet. Access to data is granted only when the resource is needed and authentication succeeds, and authentication of users, devices, and other resources is performed before any connection is established. In addition, ZTA is a strategic reaction to trends in the organization's network; these trends include remote internet users, assets, and cloud-based services in and around the organization's network (Lefler, 2013). ZTA's primary focus is to provide full protection to enterprise resources rather than to network segments, since network location is no longer regarded as the prime component of the security state of a resource (Scott, 2018).
DeCusatis et al. (2017) assert that Zero Trust Architecture can be defined as a strategic end-to-end approach to the network, access management, data security, endpoints, credentials, operations, hosting locations, and their interconnecting infrastructure. This strategic approach places its focus on data protection. Its primary aim is to restrict resource access to only those who are authorized and need to know. Conventional enterprises have focused on perimeter defense, leaving users with the autonomy to access resources freely. As a result, unauthorized access and lateral movement within the network have been the root cause of immense challenges faced by enterprises and federal agencies. Although Trusted Internet Connections (TIC) and conventional enterprise perimeter firewalls provide strong protection at the internet boundary, helping to block attackers from meddling with the network, they are not suited to detecting and obstructing attacks that come from within the network.
Zero Trust Architecture (ZTA) is thus a combination of concepts, ideas, architecture components, and relationships tailored to reduce the uncertainty in making access decisions for information systems and services (Moubayed et al., 2019). The bottom line is to block unauthorized access to data, infrastructure, and services while making access control enforcement as granular as possible. ZTA is about resource access, including computing resources, printers, and IoT actuators, and not merely data access. Privileges are reduced to the least required. The system ensures that the user is trustworthy and that the request is valid. Zero trust infrastructure capabilities allow enforcement closer to the resources, and the idea of authentication and authorization flows through the network from application to data.
Figure: Zero Trust Access
The figure above shows user or machine access to an enterprise resource, and how access is granted through a component called the Policy Decision Point (PDP). The system must confirm that the user is "trustworthy" and that the request is valid.
Zero Trust at Microsoft
Implementing Zero Trust Security with Microsoft 365 can be daunting work for engineering analysts. They have to design a built-in, robust, and mutually supportive framework of tools to ensure that all endpoints, data, and resources align with the zero trust methodology. Azure Active Directory (AD) is the foundation for implementing Zero Trust security on Microsoft Windows. The software works through a strategy known as restricted-access mode, in which Azure AD Identity Protection (ADIP) makes dynamic access control decisions. The restriction strategy works on a case-by-case analysis of each user, device, resource location, and session; notably, the assessment is performed per request for each resource (Lefler, 2013). The whole process combines verified runtime signals on the security state of every Windows device with an assessment of user authenticity and session, and responds with the maximum security configuration.
Furthermore, conditional access establishes a set of rules tailored to monitor and regulate every runtime session in which a user attempts to access enterprise resources. This level of control lies at the heart of the zero-trust security principle. Azure AD is one component of Microsoft 365 that plays a critical role in establishing a zero-trust network. Microsoft 365 also includes Windows Defender Advanced Threat Protection, in which endpoint protection (EPP), acting as an additional protective layer, and Endpoint Detection and Response (EDR) are combined to form the powerful technology called Windows Defender Advanced Threat Protection (ATP).
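The conditional-access idea described above, in which runtime signals about the device, the sign-in, and the session are combined per request and answered with the most restrictive applicable control, can be sketched as a small decision ladder. The code below is an added illustration for this paper; it is not Azure AD's or Azure AD Identity Protection's policy engine, and the signal names, the risk scale, the sensitivity scale, and the rules themselves are constructed for the example.

```python
"""Conditional-access style decision: runtime signals about the device, the
sign-in and the session are folded into one required assurance level, and the
most restrictive applicable rule wins. Signal names, scales and rules are
constructed for this illustration; this is not any vendor's policy engine."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


class Action(Enum):
    ALLOW = "allow"
    REQUIRE_MFA = "require second factor"
    BLOCK = "block"


@dataclass(frozen=True)
class Signals:
    session_id: str
    device_compliant: bool        # device meets the configured security baseline
    device_health_attested: bool  # runtime health signal reported by the device
    sign_in_risk: str             # constructed scale: "low" | "medium" | "high"
    known_location: bool
    mfa_completed: bool           # second factor already completed in this session
    resource_sensitivity: str     # constructed scale: "standard" | "high"


def required_assurance(s: Signals) -> Action:
    """Map the combined signals to the strictest control any of them triggers."""
    if s.sign_in_risk == "high":
        return Action.BLOCK
    if not (s.device_compliant and s.device_health_attested):
        # An unhealthy device never reaches sensitive data; for standard data the
        # user must at least prove identity with a second factor.
        return Action.BLOCK if s.resource_sensitivity == "high" else Action.REQUIRE_MFA
    if s.sign_in_risk == "medium" or not s.known_location or s.resource_sensitivity == "high":
        return Action.REQUIRE_MFA
    return Action.ALLOW


def decide(s: Signals) -> Action:
    """Evaluated afresh for every request: a completed second factor satisfies a
    REQUIRE_MFA outcome but never downgrades a BLOCK."""
    need = required_assurance(s)
    if need is Action.REQUIRE_MFA and s.mfa_completed:
        return Action.ALLOW
    return need


def evaluate_sessions(sessions: List[Signals]) -> Dict[str, Action]:
    """Decide every session in a batch; returns session id -> action."""
    return {s.session_id: decide(s) for s in sessions}


# Constructed sample sessions (not real telemetry).
SAMPLE_SESSIONS = [
    Signals("s1", True, True, "low", True, False, "standard"),   # healthy, familiar, plain allow
    Signals("s2", True, True, "low", False, False, "standard"),  # new location, no MFA yet
    Signals("s3", True, True, "low", False, True, "standard"),   # new location, MFA done
    Signals("s4", False, True, "low", True, True, "high"),       # non-compliant device, sensitive data
    Signals("s5", True, True, "high", True, True, "standard"),   # high sign-in risk beats MFA
    Signals("s6", True, False, "low", True, True, "standard"),   # unattested device, MFA done
]

if __name__ == "__main__":
    for sid, action in evaluate_sessions(SAMPLE_SESSIONS).items():
        print(sid, action.value)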
How do Zero Trust capabilities work at Microsoft?
ATP is an intelligence-driven protection component that detects breaches, investigates them, and provides endpoint response capabilities. It works by combining built-in behavioral sensors with machine learning. Security analysts continuously monitor device state and take precautionary action where needed. Windows Defender ATP mitigates breaches by separating compromised machines and users from further access to cloud resources. One way attackers carry out a breach is by obtaining hashed user credentials from a device through Pass-the-Hash (PtH) and, for Kerberos, Pass-the-Ticket.
The cybercriminals then use these credentials to roam across the entire system. In the case of such breaches, Microsoft tools such as Windows Defender Credential Guard and System Guard help block these attacks. ATP acts on these attacks through endpoint protection and detection and response, establishing a mitigation level for all compromised devices involved. After ATP sheds light on the risk to a machine, that assessment can be used to decide whether to issue a token or to allow the use of other resources (Shaurette & Schleppenbach, 2012).
Zero Trust Networks
A Zero Trust Network works by scrutinizing and verifying everything that attempts to connect to its systems, whether internal or external. It inhibits any access until the requester is verified and authorized. This does not mean the network refuses access to all machines; rather, each request to connect is first vetted and approved. The network uses short-term, temporary credentials.
Furthermore, credentials are strictly monitored and limited to a particular user's device attempting to connect to a specific part of the network at a particular time. Cyber-attacks have become sophisticated, so access to the network is carefully controlled, monitored, and authorized on a case-by-case basis. Zero Trust Networks have proved to be a more realistic technology, and the approaches that have evolved make network trust more effective (Uttarwar & Kalia, 2019).
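The short-term credential described above, limited to one user's device, one part of the network, and one window of time, can be implemented as a signed token whose claims carry exactly those bindings. The following is an added example for this paper, not code from the cited authors; the signing key, user, device, resource names, and timestamps are constructed, and the HMAC-based token format is one simple choice among several.

```python
"""Short-lived credential bound to one user, one device, one resource and a
validity window, as the short-term, temporary credentials described above.
Constructed example: the secret, names and times below are illustrative."""
import base64
import hashlib
import hmac
import json
from typing import Tuple

DEMO_SECRET = b"constructed-demo-signing-key"   # in practice a per-deployment secret


def issue_credential(secret: bytes, user: str, device_id: str, resource: str,
                     now: int, ttl_seconds: int = 300) -> str:
    """Create a signed token good only for this user/device/resource until now + ttl."""
    claims = {"sub": user, "dev": device_id, "res": resource,
              "iat": now, "exp": now + ttl_seconds}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_credential(secret: bytes, token: str, user: str, device_id: str,
                      resource: str, now: int) -> Tuple[bool, str]:
    """Accept the token only if it is intact, unexpired, and presented by the same
    user, from the same device, for the same resource it was issued for."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return False, "malformed"
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):      # constant-time comparison
        return False, "bad signature"
    claims = json.loads(base64.urlsafe_b64decode(body))
    if now >= claims["exp"]:
        return False, "expired"
    if (claims["sub"], claims["dev"], claims["res"]) != (user, device_id, resource):
        return False, "bound to a different user, device or resource"
    return True, "ok"


if __name__ == "__main__":
    # Constructed timeline: issued at t=1000 with a 300 s lifetime.
    token = issue_credential(DEMO_SECRET, "alice", "laptop-01", "ledger-db", now=1000)
    print(verify_credential(DEMO_SECRET, token, "alice", "laptop-01", "ledger-db", now=1100))
    print(verify_credential(DEMO_SECRET, token, "alice", "tablet-99", "ledger-db", now=1100))
    print(verify_credential(DEMO_SECRET, token, "alice", "laptop-01", "ledger-db", now=1300))
```

The verifier checks the signature before reading any claim, so a token forged under a different key or altered in transit is rejected before its contents are trusted; only then are the expiry and the user, device, and resource bindings compared against the request actually being made.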
A zero trust network is more secure because it employs the philosophy of "never trust, always verify." All connections are tested, unlike the conventional model, where the network allows actors to connect to an application before testing and evaluating the connection. The Zero Trust Network methodology introduces a protocol test and validation process before any packet is allowed to engage its systems. It does this by vetting every connection attempt, from both internal and external sources. This makes it difficult for bad actors to get in through the front door, the back door, or a window. It manages lateral movement and threats within the network using micro-segmentation, which enforces granular perimeters and analyzes users, location, and other data throughout the process. The modern enterprise should consider the transition to the Zero Trust philosophy. At present it is more an ideal than a reality. Despite the urgent need, Zero Trust should be adopted in planned, cautious stages; enterprises should not rush into the system without rethinking their strategy.
Methodology adopted
The methodology adopted for this study consists of a literature review. The review focuses on assessing the available information regarding Zero Trust Network security, and considers notes from ZT developers and from the computer security agencies that will approve the technology for use. The U.S. federal government has already started using ZT networks and provides an adequate source of information on its adoption.
Results: Project findings
Analysis of the ZT network security system has established the logical components that make up the entire ZTA. These components include those deployed and used within enterprises with open network structures. The components operate either within or outside the network premises and can be used for cloud-based services (Kindervag, 2010). The conceptual framework model for ZTA and its infrastructure is presented in Figure 1. The figure shows the basic relationships between the components and how they interact. It is considered an ideal model representing the logical components that interact with the network policy engine and the policy decision-making process.
Figure 1: Zero Trust Components
The variations that exist within Zero Trust Architecture can be found in the several enterprise components that form the main sources of an organization's IT policy management. Approaches to implementing the tenets of ZT can rely on two primary policy drivers (Kindervag, 2010): governance-driven networks, which include a logical micro-architecture, and next-generation firewalls that are integrated into the organizational network. Organizations look to existing policy approaches that transform networks from complex entities into simple networks following the ZT philosophy (Uttarwar & Kalia, 2019). An organization looking to develop a ZTA for its enterprise will find that the ZT network already has an existing policy management point (Stafford, n.d.). The approach to implementing the new architecture may seem more difficult, but the solution is viable for the current and future security needs of the organization. Organizations should also understand that deploying new ZT networks does not mean that other networks are no longer viable; they can be integrated, even though ZT will dominate over the existing networks (Uttarwar & Kalia, 2019). Enterprises need to examine their flows of business, and using ZT now is considered essential for future business flows.
Within ZT, the enhanced identity governance approach focuses on developing a system that relies on the identity of its actors. The key component of policy creation for ZTA is access to open networks (Stafford, n.d.). The subjects requesting access drive the need to create enterprise resources that carry access policies for those subjects. The primary requirement for any network security resource is that access to the platform is granted only on the basis of the access privileges given to the user. Other factors considered include the type of device used, the status of the asset, and the environmental factors that may alter or support access (Uttarwar & Kalia, 2019). An organization using ZT should tailor its outcomes so as to grant full or partial access to a network location. Individual resources, and the components that protect them, use policy engines that authenticate requests before granting access to the network, using governance-based approaches with a model for enterprise visitors and a foundation of access policies (Uttarwar & Kalia, 2019). Non-enterprise approaches focus on creating a network that is enhanced with identity-driven access at the appropriate portals or devices. Identity status is critical not only in current networks but also in future ZT networks.
Going forward, identity requests are handled at the policy engine level, while authentication occurs at the level where access is granted. The ZT network model is also visitor-friendly, in that enterprises can initiate activities with identified access privileges for potential resources (Uttarwar & Kalia, 2019). Other network models under consideration include segmented protected gateways that provide access to a group of resources. The gateway devices require clients to establish access to components that provide dynamic pathways while forming an approach to the security components (Uttarwar & Kalia, 2019). Networks are asset-based; therefore, even ZT must allow appropriate access to individuals with privileges, as distinct from individuals subject to the other gateway security components of the enterprise approach.
In a ZT network system, data access is provided with secondary supporting elements. Micro-segmentation allows enterprises to implement their segmented networks with a protected segment gateway component. An enterprise has the option of choosing which network resource to implement ZT for (Uttarwar & Kalia, 2019). In the ZT approach, the enterprise uses NGFWs as gateway devices that act as policy enforcement points (PEPs) for each deployed group of resources. The gateway devices remain dynamic while granting access to clients' requests for assets. Depending on the network model, the ZT-embedded gateway occurs as a sole component or as a multiparty projection of gateway-assisted clients, addressing a variety of deployment cases with models that offer cyber security (Modderkolk, 2018). The ZT approach has been found to offer a variety of use cases and access cases, while the deployment activity models aim at protecting the devices that house the next-generation firewalls. The management devices offer functionality that relies on components providing governance programs, which shield the gateway components from unauthorized access and discovery.
The embedded network approach requires an identity governance program that can function fully without relying on the gateway components that act as the PEP, shielding resources from unauthorized access and/or discovery. The primary necessity of the PEP approach is that its components use management effects that react to threats, reconfigure resources in response, and change the workflow of the network protocol (Modderkolk, 2018). It remains possible to implement the features of micro-segmented enterprises through less advanced gateway devices with stateless firewalls. It follows that the administration cost of PEP resources hinders small organizations from taking advantage of ZT networks.
The ZTA network infrastructure protocol is straightforward. The ZT implementation uses an overlay on the already existing network. Such an approach increasingly refers to software that defines the approach parameters, with frequent concern for network actions focused on the network decision-making process. In this approach, the PA acts as the network controller that sets and reconfigures the network-based architecture for decision-making, with a client that continues to address the decision requests of the managed networks (Modderkolk, 2018). One approach to component implementation occurs with an application-layer network that deploys common model agents on top of the layer infrastructure. Another approach to network implementation occurs through resource agents that establish common channel gateways to communicate with client resources. An established resource arises from logical components that provide the necessary system access on a single asset platform, with logical components consisting of multiple hardware layers and an enterprise resource PKI responsible for issuing device certificates for authentication purposes (Modderkolk, 2018). For example, an enterprise-managed PKI issues device certificates through a process anchored in the enterprise's root certificate authority, which provides the available components of the combined architectural layers.
Selected components of the architecture focus on enterprise components that outline the enterprise network with a set-up of multiple deployment models for business and enterprise processes (Modderkolk, 2018). Device gateway options work by deploying models that divide components into different enterprise processes. Deployment of resources directly affects installed devices that offer essential proxy services, allowing administration of the component device communications that the proxies serve (Modderkolk, 2018). The gateway connections provide a communication gateway that focuses on configured policy, with path administrators and resource enterprises for connection devices and resource access engines.
Recommendations
The Zero Trust Network Model will replace the traditional network. Enterprises need to identify appropriate network resources on which to deploy ZT networks, which will become mandatory in the near future. The ZT network implementation process functions as an encryption offering for distant and sensitive work areas, providing protocols for activities that give access to important high-speed networks while focusing on network security requirements. There is a need to outline and estimate the cost of a ZT network so that enterprises can allocate resources to create the secure network. The return on investment for a ZT security network needs to be quantified to give investors a reason to invest in this revolutionary technology.
Conclusion
In a ZT environment, there is a revolutionary cyber networking infrastructure that separates logical cyber security needs from common access to network-controlling devices. The application process occurs on network control platforms that focus on data safety with an inclined process protocol. The components of ZT offer adequate security and communication flows while controlling and configuring network processes and applying communication protocols and network performance within an organization. The control plane for ZT network control communication is often broken down into parts, while data-plane application occurs with controlled communication flows using various infrastructural components. The control plane applies various infrastructure components that can be owned by the enterprise or by a third-party vendor. A ZT installation includes components that judge and then grant or deny access to assigned resources. ZT has shown improved protocols for cyber security while serving as a communication network that can replace VPNs and offer the advantage of open but secure access to cloud services.
References
BlackRidge. (2012, August). Dynamic network segmentation. http://www.blackridge.us/images/site/page-content/BlackRidge_Dynamic_Network_Segmentation (last accessed April 27, 2016).
DeCusatis, C., Liengtiraphan, P., & Sager, A. (2017). Zero Trust Cloud Networks using Transport Access Control and High Availability Optical Bypass Switching. Advances in Science, Technology and Engineering Systems Journal, 2(3), 30-35. https://doi.org/10.25046/aj020305
Kindervag, J., Balaouras, S., & Mak, K. (2012, November/December). Build Security Into Your Network's DNA: The Zero Trust Network Architecture. For Security & Risk Professionals.
Kindervag, J. (2010). No more chewy centers: Introducing the zero trust model of information security. Forrester Research.
Lefler, R. (2013). Aligning Security Services with Business Objectives. Aligning Security Services with Business Objectives, 1. https://doi.org/10.1016/b978-0-12-417008-7.00001-5
Mazzagatte, C., Bajo, A., & Rathod, H. (2017). U.S. Patent Application No. 15/603,980.
Modderkolk, M. G. (2018). Zero Trust Maturity Matters: Modeling Cyber Security Focus Areas and Maturity Levels in the Zero Trust Principle (Master's thesis).
Moubayed, A., Refaey, A., & Shami, A. (2019). Software-Defined Perimeter (SDP): State of the Art Secure Solution for Modern Networks. IEEE Network, 33(5), 226-233. https://doi.org/10.1109/mnet.2019.1800324
Scott, B. (2018). How a zero-trust approach can help to secure your AWS environment. Network Security, 2018(3), 5-8.
Shaurette, K., & Schleppenbach, T. (2012). A "Zero Trust" Model for Security. Information Security Management Handbook, Sixth Edition, Volume 6, 175-190. https://doi.org/10.1201/b11802-21
Stafford, V. A. (n.d.). Zero Trust Architecture. Retrieved March 26, 2020, from https://pdfs.semanticscholar.org/fb8e/26de6d6eb7bd700f441a8f9839e48480e8cf
Uttarwar, V. U., & Kalia, A. A. (2019). Latest Trend in Network Security as Zero Trust Security Model. National Journal of Computer and Applied Science.