Evolving Our Strategic Vision to Continuous Trusted Access
The way we work and do business is changing. The information technology trends we have been seeing over the last ten years have accelerated dramatically in the last two years because of the global pandemic. Organizations condensed projects that normally would take years into months, or even weeks. Adopting cloud solutions, redefining remote access controls, and enabling work from any device and any location, all became top priorities as the world transitioned to working from home.
As the dust settles from this transition, IT environments are more complex than ever. There are far more variables to consider when assessing the context of a worker looking to securely access corporate resources. Assigning trust to a user based on their presence on a corporate network or use of a managed device is too simplistic and no longer viable.
How are we to move forward? The principles of Zero Trust provide a nice place to start. To summarize simply: “Trust is neither binary, nor permanent.” Given the explosion of complexity, one way to address the fleeting nature of trust would be to ask users to re-authenticate and re-authorize more frequently. Worried about trust? Boot workers out and have them re-establish that trust!
Obviously, shortening session lengths and forcing more friction will cause headaches for users, help desks, and administrators alike. Moreover, the trend towards the consumerization of IT means that users expect, and deserve, seamless access experiences.
To provide secure access while maintaining a smooth user experience for the workforce, we are proud to announce our vision for Continuous Trusted Access.
To relieve the burden on end users, Continuous Trusted Access will consistently evaluate both user and device trustworthiness behind the scenes, applying the appropriate access experience based on current levels of risk. The goal is that by continuously assessing user risk both before and after login, we can respond more dynamically – expediting access in trusted scenarios and stepping up security requirements in risky ones.
The Continuous Trusted Access vision will be enacted by investing in features that evaluate context and risk both at the point of login and throughout an established session. To realize this vision, our first step will be to deliver a modernized take on Risk-Based Authentication – incorporating functionality that reflects the realities of corporate IT today. Our Risk-Based Authentication feature set will be available to all customers for preview later this summer. We will then continue to build risk assessment across the full session. It is not a simple problem to solve, but we have guiding tenets as we build our functionality:
1. Maintain User Privacy
Many companies feel justified collecting intrusive data in the name of security. However, we are taking the strong stance that privacy is a digital right. In cases where we collect contextual signals to inform risk decisions, the goal will be to preserve the highest levels of personal privacy. For example, instead of relying on GPS signals for location, our tools will focus on data that is more readily anonymized.
2. Foster an Open Ecosystem
We believe that to best evaluate risk and context continuously, we’re going to need to work together as an industry. Therefore, we are investing in open standards like the Shared Signals and Events framework which provides easier mechanisms to share relevant signals between tools and vendors. We are proud that Cisco built the first reference architecture for Shared Signals and Events while simultaneously partnering with important companies like Box to encourage industry collaboration.
3. Innovate on Signals and Controls
In our pursuit of Continuous Trusted Access, we will be innovating on both the risk signal and control components of secure access. For signals, the plan is to develop new ways to detect and assess user context outside of traditional mechanisms like IP address. One way is to use a user's Wi-Fi Fingerprint to intuit their working location and detect changes to that location when the Wi-Fi Fingerprint varies. This signal is a brand-new way to proxy location and is patent-pending for Cisco Security. For controls, we are adding new access experiences like Verified Push to provide strong security in cases where higher risk is detected.
In an increasingly complicated world, Cisco Security is building towards a future where organizations can realize the security ideals of zero trust without placing unnecessary friction on their users. We started this journey by delivering Passwordless authentication and we will continue by building more dynamic and continuous reactions to risk into our solutions. In the end, our goal is to help security teams be resilient and ready for anything.