Many organizations are moving away from using the network perimeter as a trust indicator when building and enforcing access policies for apps and other IT resources. An increasing number of enterprises have started implementing authentication solutions that perform user identity verification and device security checks for every access attempt regardless of user location, and data shows they are increasingly favoring biometrics-type authentication.
The move from on-site IT infrastructure to cloud-hosted applications and services coupled with bring-your-own-device (BYOD) policies and an increasing number of roaming employees has generated major challenges for enterprise IT security teams over the past decade.
Early attempts to address those challenges involved the use of VPN, network access control (NAC) and mobile device management (MDM) solutions to ensure that devices used by remote employees are secure before being allowed onto the internal enterprise networks. However, threat actors have also evolved their techniques, and malicious lateral movement inside corporate networks is now a common component of many security breaches.
This means it's no longer enough to perform device security checks at the network perimeter and then allow those connecting systems unrestricted access to all assets. Devices can be compromised while they're already inside networks and credentials can be stolen in a variety of ways.
Verify users and devices
"Fundamentally we've all figured out that you can't trust everything just because it's on the inside of your firewall; just because it's on your network," says Wendy Nather, director of Advisory CISOs at Duo Security, a multi-factor authentication (MFA) solutions provider that is now part of Cisco Systems. "So, if you agree with that, the question becomes: What are we trusting today that we really shouldn't be trusting and what should we be verifying even more than we have been? The answer is really that you have to verify users more carefully than you have before, you have to verify their devices and you need to do it based on the sensitivity of what they're getting access to, and you also need to do it frequently, not just once when you let them inside your firewall."
"You should be checking early and often, and if you're checking at every access request, you're more likely to catch things that you didn't know before," Nather says.
Duo refers to this as the zero-trust network security principle and it's inspired by previous de-perimeterization efforts like those of the Jericho Forum dating back to 2004, Google's BeyondCorp enterprise network security approach published in 2014, and Gartner's Continuous Adaptive Risk and Trust Assessment (CARTA) model.
Of course, the enterprise network perimeters will not disappear anytime soon, and they don't need to. What changes is that security policies and access controls are being refocused on user and device identity, regardless of where those users and the assets they access are located: in the cloud or on-premise, remote or local. And this also influences how authentication is performed and what verification methods and devices are preferred by organizations.
Biometric authentication on the rise
The 2019 Duo Trusted Access Report released today shows that 77% of mobile devices used to access business applications have biometrics configured and that over two-thirds of users authenticate using mobile push-based applications over more traditional methods like phone calls and SMS. The use of authentication codes sent via SMS -- still a widely used two-factor authentication method for many online services -- has dropped to only 2.8% among Duo's customers, the company's data shows.
Duo's report is based on an analysis of a half-billion monthly user access requests from 24 million business devices to over 1 million corporate applications and resources both on-premise and in the cloud. The anonymized data covers 15,000 organizations from all industry segments.
The company has also observed a 7% increase in the number of iOS devices used by corporate employees year-over-year and a 2% increase in the use of Android devices. Windows remains the most common operating system seen on corporate devices with 47%, but its overall usage has actually decreased by 8% from last year. The good news is that Windows 10 adoption continues to rise and now accounts for two-thirds of all Windows endpoint devices observed by Duo.
What iOS, Android and Windows 10 have in common is that they all support some form of biometrics-based authentication: Apple devices have Touch ID and Face ID, Android has fingerprint sensors and Windows 10 has Windows Hello.
Verified authentication requests speed zero-day response
Verifying device identity and security for every authentication request also allows IT security teams to respond to publicly known vulnerabilities and force users to apply security updates faster. An example of that was a zero-day vulnerability in Google Chrome that was announced at the end of March and was being exploited in the wild.
The day the vulnerability was publicized, Duo observed a 79% spike in the use of the out-of-date browser policy setting in its product, which resulted in 30 times more declined authentication attempts than normal. This means IT security teams made use of this policy setting to respond to a security threat faster than they would have otherwise been able to through network access controls.
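The per-request verification described above (every access attempt re-evaluated against user, device posture and resource sensitivity, with an out-of-date browser or OS policy that declines authentication) can be illustrated with a small policy evaluator. This is an added example written for this page, not Duo's product code or any real vendor API; the users, resources, browser and OS version numbers and the minimum-version thresholds are all constructed for illustration.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

# --- Request and policy model (constructed for this example) ---------------


@dataclass(frozen=True)
class DevicePosture:
    os_name: str
    os_version: str
    browser: str
    browser_version: str
    biometrics_enabled: bool


@dataclass(frozen=True)
class AccessRequest:
    user: str
    device: DevicePosture
    resource: str
    second_factor: str  # "push", "sms", "phone" or "none"


@dataclass(frozen=True)
class Policy:
    min_browser_version: Dict[str, str]
    min_os_version: Dict[str, str]
    sensitive_resources: frozenset
    factors_allowed_for_sensitive: frozenset


def version_tuple(v: str) -> Tuple[int, ...]:
    """Turn '72.0.3626' into (72, 0, 3626); non-numeric parts count as 0."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(current: str, minimum: str) -> bool:
    """True if current < minimum, padding the shorter tuple with zeros so
    '73' and '73.0.3683' compare as equal-or-greater rather than as a prefix."""
    a, b = version_tuple(current), version_tuple(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def evaluate(req: AccessRequest, policy: Policy) -> Tuple[str, List[str]]:
    """Evaluate ONE access request from scratch: no trust is carried over
    from earlier requests, so a policy change takes effect on the next attempt."""
    reasons: List[str] = []
    dev = req.device

    min_b = policy.min_browser_version.get(dev.browser)
    if min_b and version_lt(dev.browser_version, min_b):
        reasons.append(f"browser out of date: {dev.browser} {dev.browser_version} < {min_b}")

    min_os = policy.min_os_version.get(dev.os_name)
    if min_os and version_lt(dev.os_version, min_os):
        reasons.append(f"OS out of date: {dev.os_name} {dev.os_version} < {min_os}")

    # Stronger second factor required in proportion to what is being accessed.
    if req.resource in policy.sensitive_resources:
        if req.second_factor not in policy.factors_allowed_for_sensitive:
            reasons.append(f"factor '{req.second_factor}' not accepted for {req.resource}")

    return ("deny" if reasons else "allow"), reasons


def decision_counts(requests: List[AccessRequest], policy: Policy) -> Dict[str, int]:
    counts = {"allow": 0, "deny": 0}
    for req in requests:
        counts[evaluate(req, policy)[0]] += 1
    return counts


def tighten_browser_minimum(policy: Policy, browser: str, new_min: str) -> Policy:
    """Operator response to a disclosed browser flaw: raise the floor, which is
    enforced on every subsequent request without touching the network."""
    return replace(policy, min_browser_version={**policy.min_browser_version, browser: new_min})


# --- Constructed sample data ------------------------------------------------

BASELINE_POLICY = Policy(
    min_browser_version={"Chrome": "72", "Firefox": "65", "Edge": "18", "Safari": "12"},
    min_os_version={"Android": "8", "iOS": "12", "Windows": "10"},
    sensitive_resources=frozenset({"payroll"}),
    factors_allowed_for_sensitive=frozenset({"push"}),
)

SAMPLE_REQUESTS = [
    AccessRequest("alice", DevicePosture("Android", "9", "Chrome", "72.0.3626", True), "wiki", "push"),
    AccessRequest("bob", DevicePosture("Windows", "10.0.17763", "Chrome", "73.0.3683", True), "payroll", "push"),
    AccessRequest("carol", DevicePosture("Windows", "10.0.17134", "Edge", "17.17134", False), "payroll", "sms"),
    AccessRequest("dave", DevicePosture("Windows", "10.0.17763", "Firefox", "66.0", False), "wiki", "push"),
    AccessRequest("erin", DevicePosture("iOS", "11.4", "Safari", "12.1", True), "wiki", "sms"),
]

if __name__ == "__main__":
    print("baseline:", decision_counts(SAMPLE_REQUESTS, BASELINE_POLICY))
    tightened = tighten_browser_minimum(BASELINE_POLICY, "Chrome", "73")
    print("after raising Chrome floor:", decision_counts(SAMPLE_REQUESTS, tightened))
    for req in SAMPLE_REQUESTS:
        print(req.user, evaluate(req, tightened))
```

Running the block shows the effect the report describes: raising the Chrome floor by one major version flips alice's next request from allow to deny immediately, while bob's and dave's requests are unaffected. Keeping the reasons list per decision is what lets a security team see a spike in "browser out of date" declines and distinguish it from failed second-factor checks.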
Based on Duo's data, the browser that's most often out of date on users' devices is Microsoft Edge with a rate of 73%, followed by Mozilla Firefox with 35%, Safari with 23% and Chrome with 15%. As far as operating systems go, devices running Android are the most frequently out-of-date ones with a rate of 58% compared to iOS devices at 38%.
The use of biometrics as a form of two-factor authentication and user identity verification is not only being adopted in the enterprise space but is also being pushed by regulators in certain industries. New security and authentication requirements for online payments will come into effect in Europe in September as part of the revised Payment Services Directive (PSD2), which mandates that financial institutions challenge online card transactions with two-factor authentication, for example through a mobile phone app that supports biometric verification.