When we refer to “zero trust” in the context of network access (ZTNA) one of the safest, and most impractical approaches to adopt, is not being connected to the network at all. While valid, this approach is as useful as Jack Traven’s idea to “shoot the hostage[s]”, in the movie Speed. It does not work well unless the implementation is well thought through.
When we are talking about ZTNA, we are talking about at least two vectors “who” and “what” is getting access (connecting) to the network being protected. For the purpose of this discussion, let’s pretend that Skynet is not yet self-aware, and that connecting a human or another networked asset to your network, is an action that must be performed by an authenticated and trusted entity. That makes authentication the weak link in the process.
ZTNA policy success depends not only in the process implemented, but also on its quality and reliability. With this in mind, let’s build a list of authentication processes that are error free?
NONE.
Short list, I know, but to keep the conversation practical then, let’s reframe ZTNA as a limit function. The closest we are to using a process whose quality and reliability is infinitely difficult to compromise, the closest we are to a ZTNA implementation and protection. (If you saw the mathematical limit of 1 divided by infinity in your mind, congratulations – you are a geek and I’m here with you!)
Friction and Frictionless as it relates to ZTNA.
The ultimate friction (being disconnected from the network) is impractical, and 100 frictionless is useless as well. That makes ZTNA sort of a limit function of how much friction you need to achieve the stated goals of your ZTNA policy.
Physical biometrics do a great job in removing friction from the MFA process. They are convenient, practical, and fast. They are also repeatable, finite, and pilferable. “Google it”, and you will find article upon article of physical biometrics being stolen, and with them the digital identities of the users. Once the file of your fingerprint or facial scan is stolen; it’s gone. Here the frictionless factors defeat the purpose of ZTNA.
If ZTNA is the goal, then a certain level of friction between zero and infinity must be attained, and it must be commensurate with the network, and assets that need to be protected. Behavioral biometrics can be as frictionless as physical biometrics, but for the purposes of security, they can be as close to infinite friction as it is practical to implement, and needed to achieve ZTNA.
Not only are behavioral biometrics PII free (we’ll discuss this in another blog), they are also nearly impossible to repeat, infinite in variation, and untransferable. They are so effective they can be used to tell identical twins apart – let that sink in.
I’ll grant you that some behavioral biometrics-based MFA technologies are more challenging to use; but that is exactly the point; a healthy level of friction is required for achieve ZTNA. And by healthy I don’t mean impractical.
Your written signature as a way to achieve ZTNA
Here is an example – your password could be your signature. Now there is a password that you don’t have to struggle to recall.
When was the last time you thought about HOW you pen and ink your signature? Probably a second ago as you were wondering “self…, how do I write my signature”? How many motions, speeds, angles, direction of your hand (I see you lefties) does it take to make it look like it does? You just do it. What could be more frictionless than that to your brain?
Here is the best part, what your signature looks like is irrelevant; what matters is HOW it comes to be. That is the secret sauce of these behavioral biometrics. Comparing two images is easy. Comparing two reels of film, the order of the frames and a million other attributes in the blink of an eye, is nearly impossible even for AI. That is certainly not frictionless; and with odds that can be in the trillion to 1 for replication, there haven’t lived enough humans (or aliens visited – we hope) that could replicate your signature, and that is at the core of ZTNA – no one can impersonate you.
Easy to use on one side, and (nearly) impossible to steal or duplicate on the other side. That is why behavioral biometrics are ideal for ZTNA implementation.
PS - For everyone’s sanity, and to avoid a million Google searches, Jack Traven was Keanu Reeve’s character in the movie Speed...