Why Zero-Trust Companies Should Consider 100% Biometric Authentication

To truly adopt a zero-trust security approach, the best solution is to integrate biometrics into your access workflows for full confidence in identity validation.

Sam Bocetta

August 16, 2019


Companies across the globe share the same struggle when it comes to hardware, software, and network security. How do you keep all of your internal resources and assets safe while not interfering with daily operations within your organization? New solutions and strategies have emerged in recent years to make corporate security a more efficient process.

One concept that has gained traction in recent years is the zero-trust model that leverages biometrics in the workplace. Instead of trusting that a password is enough to verify someone's identity, biometrics goes one step further and uses a physical element to authenticate users. This can include fingerprint scanning, retina scanning, or some other biological feature.

But what does the zero-trust model actually mean in the modern workplace, and how can biometrics play a key role?

The old model

Decades ago, enterprise IT architecture followed relatively simple models. Companies usually had a set of back-end servers that handled database, web hosting, and application processing duties. To protect them, a firewall was placed around the perimeter of the assets to filter network traffic and block potential attacks.

In order to connect to one of the back-end servers in this traditional model, a user or administrator would simply authenticate with their network credentials. If they happened to be located remotely, they could use a virtual private network (VPN) tool to tunnel their web traffic through the corporate IP address range.

But no matter how strict your firewall policy was configured, there was a great deal of risk in trusting password-based authentication. The security perimeter was only as strong as your weakest link, meaning that if one user's password was exposed or lost, it could mean disaster for the entire organization.

The need for zero-trust

Nowadays, enterprise networks and system architectures are constantly expanding and evolving to meet the changing needs of a business. It's no longer possible to maintain a single firewall perimeter around the various pieces of infrastructure and digital systems being hosted and used.

To address the current predicament facing many organizations, the term zero-trust security has emerged. At a basic level, zero-trust refers to an approach to requiring valid authentication before any access or permission is given to a user, even if they are physically located within the private network. The zero-trust model is designed to safeguard against the risks that come with an increased reliance on the more complex model of cloud computing, especially when it comes to data storage and the hosting that goes along with it.

Even the most oft-recommended cloud hosting companies encounter technical or security issues from time to time, as evidenced by the recent outage of Google’s Public Cloud, a competitor to Microsoft Azure and Amazon AWS. According to Gary Stevens of community research group HostingCanada.org, many of the ostensibly ‘best’ web hosts have uptimes of only 98 percent annually. That may sound like a great deal of uptime, but 2 percent of a year equates to more than seven days of being offline. Ultimately, this means that some of your core resources and data will inevitably live outside your company's immediate control. This is where zero-trust can help.

One of the core pillars of zero-trust network security is the principle of least privilege (POLP). It stipulates that each individual user in an organization should be granted only the minimum access required to fulfill their job duties, a concept that has not been universally embraced by employees, and that administrative accounts are not used simply to gain elevated privileges.

To accompany the POLP principle, organizations need to move past the single perimeter model and adopt a strategy called microsegmentation. This involves analyzing your entire IT infrastructure, including cloud resources, and breaking it up into the smallest pieces possible. From there, access should be controlled at the smallest segment.

Best practices with biometrics

Many data breaches that you hear about in the news are a result of poor password management practices. To help combat this, more companies are beginning to require multi-factor authentication (MFA) for their critical applications and data repositories.

With MFA, each user has to log in with their normal account and password and will then be prompted to verify their identity a second way, typically through a text message code to their cell phone. But of course, if a hacker has managed to compromise a person's account, there is a good chance their phone messages could be vulnerable as well.

To truly adopt a zero-trust security approach, the best solution is to integrate biometrics into your access workflows. It represents the only way to have full confidence in identity validation, given the strength of fingerprint or retina scanning, as well as vocal and facial recognition.
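To make the combination of default deny, per-segment least privilege, and second-factor strength concrete, here is an added Python sketch of a zero-trust access decision. It is not code from the article; the segment names, roles and factor ranking are constructed assumptions.

```python
"""Constructed illustration of a zero-trust access decision (not from the article).

The evaluator denies by default so that (a) network location never grants
access on its own, (b) each microsegment carries its own least-privilege role
requirement, and (c) an SMS code is not accepted as the second factor for
sensitive segments, while a device-bound biometric assertion is.
"""
from dataclasses import dataclass

# Least-privilege policy per microsegment: the roles allowed in, and whether
# the segment demands a strong (biometric) second factor. Names are assumed.
SEGMENT_POLICY = {
    "hr-database": {"roles": {"hr-admin"}, "strong_factor": True},
    "public-web": {"roles": {"developer", "ops"}, "strong_factor": False},
    "payroll-api": {"roles": {"payroll"}, "strong_factor": True},
}

# Ranking of second-factor strength used by the policy (assumed ordering).
FACTOR_STRENGTH = {"none": 0, "sms": 1, "totp": 2, "biometric": 3}


@dataclass
class AccessRequest:
    user: str
    roles: set
    segment: str
    second_factor: str  # "none", "sms", "totp" or "biometric"
    on_corporate_network: bool = False


def evaluate(req: AccessRequest) -> tuple:
    """Return (allowed, reason). Anything not explicitly allowed is denied."""
    policy = SEGMENT_POLICY.get(req.segment)
    if policy is None:
        return False, "unknown segment: default deny"
    # Location is deliberately ignored: being inside the network grants nothing.
    if not (req.roles & policy["roles"]):
        return False, "role not permitted for segment (least privilege)"
    required = FACTOR_STRENGTH["biometric"] if policy["strong_factor"] else FACTOR_STRENGTH["sms"]
    if FACTOR_STRENGTH.get(req.second_factor, 0) < required:
        return False, f"second factor '{req.second_factor}' too weak for segment"
    return True, "allowed"


if __name__ == "__main__":
    # An HR admin on the office LAN with only an SMS code is still refused.
    print(evaluate(AccessRequest("alice", {"hr-admin"}, "hr-database", "sms", True)))
    print(evaluate(AccessRequest("alice", {"hr-admin"}, "hr-database", "biometric")))
```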

Looking ahead

Investing in biometric scanning technology may be daunting for some organizations, especially smaller companies working within a tight IT budget. Nevertheless, network security should be treated as a top priority and fortunately there are tools on the market today to make that more feasible.

The concept of bring your own device (BYOD) to work is usually seen as a security risk. However, companies that have already taken a preventative approach built around traditional tools like security software, VPN-encrypted internet connections, and firewall protection may find that the technology in smartphones can actually be leveraged in a zero-trust model. Instead of acquiring separate biometric hardware, the second level of verification can occur through a phone's fingerprint scanner, microphone, or camera.

At some point in the future, there's a high likelihood that the password model will become antiquated. Companies will have no choice but to adopt the zero-trust network strategy in order to safeguard their internal data and systems. It will be the new normal to authenticate yourself using biometrics for every action you make with a piece of technology.

Final thoughts

Modern companies face increasing challenges when it comes to protecting their IT systems. With the advancement of cloud computing, enterprise technology is becoming more spread out and harder to control. Putting excessive security on top of systems can slow down the operations of a business and create more problems than it solves.

With the zero-trust network model, an organization forces each user to authenticate themselves before they can perform an action on a server or other piece of infrastructure. Password authentication comes with a huge list of vulnerabilities, which means other solutions should be strongly considered.

Investing in biometrics can greatly reduce a company's risk profile because of the accuracy involved in fingerprint, retina, voice, and face scanning. Whether a cyberattack starts from internal or external threats, having a zero-trust policy in place fortified by biometrics can help stop the damage.

About the Author(s)

Sam Bocetta

Sam Bocetta is a freelance journalist specializing in U.S. diplomacy and national security, with emphases on technology trends in cyberwarfare, cyberdefense, and cryptography.
