Question: How is zero trust evolving to be more continuous in nature in verifying trust?
Ash Devata, general manager, Cisco Zero Trust and Duo Security: Zero trust is all about assuming zero trust by default when a user is trying to access a work application and building trust by conducting a set of checks from a baseline of no trust. The three main checks are around user identity, device posture and identity, and overall behavior. To be successful, organizations need to be able to perform these inspections in real time without adding friction for the end user.
Two initial questions emerge when we think about this model. Can trust get transferred between entities in a meaningful way? For example, you proved that you are really you when you logged into your laptop. Now, why do you need to prove your identity again when you are logging into the email client on your laptop? The second question is about post-login. How can we evaluate changes in trust after the session was granted? Some applications grant a session for months and the trust levels change in that time period. For example, a user might turn off disk level encryption on their PC or just move from the hospital building to a coffee shop.
We are working on technologies that solve both questions. Organizations want to continuously evaluate trust even after the user’s session is granted. They want to transfer trust from the device to the application when possible. We want to do this without adding friction or delays.
To address the post-login use case, development of a new open standard called Continuous Access Evaluation Protocol (CAEP) is underway. The OpenID Foundation is leading this effort to create more interoperable communication mechanisms for security signals alongside vendors including Cisco, Google, and Microsoft. Progress on the other challenges will continue to evolve as well, to make zero trust a model all organizations can easily adopt.
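The post-login re-evaluation described above, as an added illustration that is not code from the interview, from Cisco/Duo, or from the OpenID Foundation: a relying party holds long-lived sessions and revokes only the ones affected when a CAEP-style device-compliance signal arrives (here, a laptop that turned off disk encryption). The event layout follows the OpenID CAEP/Shared Signals draft as I understand it, the `ContinuousEvaluator` class, session ids and device ids are constructed, and the Security Event Token is assumed to have been signature-verified before it reaches this code.

```python
# Event type URI for CAEP device-compliance-change (from the OpenID CAEP draft).
DEVICE_COMPLIANCE = "https://schemas.openid.net/secevent/caep/event-type/device-compliance-change"

class ContinuousEvaluator:
    """Holds granted sessions and re-evaluates them on each incoming signal."""
    def __init__(self):
        self.sessions = {}   # sid -> {"user", "device", "granted_at", "active"}
        self.seen_jti = set()

    def grant(self, sid, user, device, granted_at):
        self.sessions[sid] = {"user": user, "device": device,
                              "granted_at": granted_at, "active": True}

    def apply_signal(self, claims):
        """Consume one decoded (already verified) Security Event Token; return revoked ids."""
        jti = claims.get("jti")
        if not jti or jti in self.seen_jti:     # missing id or replayed event: ignore
            return []
        self.seen_jti.add(jti)
        event = claims.get("events", {}).get(DEVICE_COMPLIANCE)
        if not event or event.get("current_status") != "not-compliant":
            return []
        device = event["subject"]["device"]["id"]
        at = event.get("event_timestamp", claims.get("iat", 0))
        revoked = []
        for sid, s in self.sessions.items():
            # Only sessions granted before the posture change are affected; a
            # later grant already saw the device's new posture at login time.
            if s["active"] and s["device"] == device and s["granted_at"] <= at:
                s["active"] = False
                revoked.append(sid)
        return revoked

# Constructed sample: a decoded CAEP event for a laptop that disabled disk encryption.
SAMPLE_EVENT = {
    "iss": "https://posture.example.com", "jti": "evt-0001", "iat": 2000,
    "events": {DEVICE_COMPLIANCE: {
        "subject": {"device": {"format": "opaque", "id": "laptop-42"}},
        "event_timestamp": 2000, "previous_status": "compliant",
        "current_status": "not-compliant"}},
}

def demo():
    ev = ContinuousEvaluator()
    ev.grant("s1", "alice", "laptop-42", 1000)   # long-lived session, pre-change
    ev.grant("s2", "alice", "phone-7", 1000)     # different device, untouched
    ev.grant("s3", "alice", "laptop-42", 3000)   # granted after the change
    first = ev.apply_signal(SAMPLE_EVENT)        # -> ["s1"]
    replay = ev.apply_signal(SAMPLE_EVENT)       # -> [] (same jti, ignored)
    return first, replay
```

A real deployment would also handle the other CAEP event types and push the revocation to the application holding the session; the timestamp check keeps an out-of-order signal from tearing down a session whose login already checked the new posture.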