Authentication used to be binary: I give you access or I don’t give you access. But with the rise of remote/hybrid work and the growing number of cloud applications in use, organizations need an even more precise approach to authentication, says Ash Devata, vice-president and general manager of Cisco Zero Trust and Duo Security.
“Every time you’re giving access, you have to inspect the user [and] inspect the device,” Devata says. “End users just want to get their work done. They don’t want to go through all the security checks.“
The security landscape has increased in complexity, with the rise of remote and hybrid work and the accelerated pace of cloud adoption. “The key thing is around, how do we make sure only the right people have access to the applications?” Devata says in his Fast Chat with Dark Reading’s Terry Sweeney.
Devata also expands on the concept of post-login security. “You log into [xbox.com]. You just have the login cookie for six months,” Devata says, in reference to session cookies. So long as the cookies don’t expire, the session is valid and users don’t have to log back in again. However, the session cookie presupposes that nothing has changed to affect the security of the session. It could be the device needing new security updates, or the geographic location.
This is more than risk-based authentication, though. The idea behind continuous password access is to continuously measure all the signals – such as whether device encryption is turned on, if there are pending patches, if the firewall is enabled, and the network location — completely in the backend, without adding friction to the user experience. Once a signal changes, details about what has changed is then communicated back to the application. Depending on the change, the user may be prompted to re-authenticate, even if the session hasn’t expired.
“Once we give trust, how long can the trust last?” Devata asks.