How Zero Trust Strengthens Password Security

How Zero Trust Strengthens Password Security

Password security is crucial to preventing cyberattacks. It is important to find a password manager that enables the zero-trust security model to mitigate the risks of data breaches from compromised user accounts.

The U.S. government released a memorandum earlier this year, detailing the requirement for federal agencies to achieve zero trust by the end of Fiscal Year 2024 in an effort to strengthen their cyberdefenses.

Here is a breakdown of what this security framework is and how Keeper helps with zero-trust compliance requirements.

What is the Zero-Trust Security Model?

Zero trust is a cybersecurity framework that asserts that no user or application should be trusted by default. Zero trust assumes every user and device could be compromised, instead of automatically trusting users and devices within the organization’s network. Anyone and anything, human or machine, is required to be verified before they gain access to the network.

Why is Zero Trust Important?

The zero-trust framework enhances compliance and prevents cyberattacks caused by compromised users and stolen devices. Organizations are able to prevent cyberattacks by taking the necessary steps to verify every user and device before allowing them access to the network.

According to the Zero-Trust Adoption Report from Microsoft, 96% of security decision-makers state that zero trust is crucial to their organization’s success. The model has been heavily adopted in recent years and continues to grow. Reasons that organizations choose zero trust include:

  • Increased security and compliance agility.
  • Speed of cyberthreat detection and remediation.
  • Simplicity and availability of security analytics.

Global Zero-Trust Security Market Size and Future Growth

Grandview Research - Zero-Trust Security Market Size Chart

Due to the COVID-19 pandemic, many businesses had to close their offices and have their employees work remotely, prompting employers to figure out how to secure their networks and combat potential cyberthreats due to personnel working in environments that their employers had no control over. Because of this, the pandemic triggered organizations in every industry to implement measures to strengthen their cybersecurity posture.

These digital workplace trends contribute to the increased adoption of zero-trust policies. The global value of the zero-trust security market was $19.8 billion in 2020 and continues to grow. It is expected to register a compound annual growth rate (CAGR) of 15.2% from 2021 to 2028, according to Grandview Research.

What Are the Main Zero-Trust Principles?

A zero-trust solution must include several functions to ensure that it is effective. Examples include constant monitoring, protecting privileged access and multi-factor authentication (MFA).

1. Monitoring and Validation

“Never Trust, Always Verify” is a common phrase used to describe zero-trust security. The zero-trust model assumes that a breach already exists and treats everything and everyone as untrusted, resulting in continuous monitoring and verification. It is crucial to regularly log activity and record anything suspicious or malicious in order for the model to work.

By continuously monitoring systems and implementing the proper tools, IT and security administrators can more easily recognize the difference between a legitimate employee login and a compromised account.

2. Principle of Least Privilege (PoLP)

The principle of least privilege (PoLP) is a cybersecurity best practice, especially when configuring privileged access to confidential information and assets. Under this principle, admins restrict users to the minimum levels of access and permissions required to perform their job functions.

For example, a company may only give access to specific drives and information to the appropriate teams. Under the principle of least privilege, only the:

  • Accounting team would have access to company financial statements.
  • Marketing team would have login details to company social media accounts.
  • Human resources team would have access to employee files and details.

Instead of giving every employee complete access to the organization’s network, each employee only has access to what is necessary to them. If an individual employee’s account becomes compromised, the cyberattacker will only have access to what that specific user has access to. Additionally, it limits the attacker’s ability to move laterally through the network.

3. Multi-Factor Authentication (MFA)

Multi-factor authentication is an authentication practice in which a user is granted access to websites, applications and services only after providing multiple verification factors that validate who they are. MFA is typically set up after a user has made an account with a site or application. In addition to logging into the account, the account holder may be required to:

Use an authenticator app on a registered mobile device to confirm the login.
Submit a 6-digit code that was delivered to the user’s email address.
Answer personal security questions specific to the user.

How Does the Zero-Trust Approach Affect Password Security?

Password security is fundamental to zero trust.

According to the 2021 ForgeRock Consumer Identity Breach Report, cyberattacks involving usernames and passwords increased 450% in 2020, leading to more than one billion compromised records in the United States alone. Unauthorized access was the most common attack method, making up 43% of breaches.

Securing employee logins through the use of a password manager is a step toward implementing a zero-trust model that can prevent and mitigate cyberattacks. Zero trust addresses the top cause of cyberattacks—weak and stolen credentials. In the United States, the average cost of a breach increased 5.5% to $8.64 million, making the U.S. the most expensive country in the world to recover from a data breach, per the ForgeRock report. Businesses can protect their sensitive data and save money in the long run by implementing zero trust.

Our blog post on zero trust challenges and how to overcome them contains more information that can help teams face some of the most common zero trust problems.

How Keeper Supports Security with a Zero-Trust Framework and Zero-Knowledge Encryption

Keeper is a zero-knowledge and zero-trust password manager, secrets manager and remote desktop gateway. All information stored in Keeper is only accessible by the end-user. Its password management platform provides organizations total control over employee password practices. IT administrators can control password use across an organization and implement role-based access controls.

For company secrets, there is Keeper Secrets Manager — a cloud-based, zero-trust and zero-knowledge solution for securing company secrets such as:

  • API keys
  • Database passwords
  • Access keys
  • Certificates
  • Any other type of confidential data

Keeper Connection Manager provides DevOps and IT teams with instant zero-trust access to infrastructure. This agentless remote desktop gateway can be installed in any on-premise or cloud environment. Organizations are choosing Keeper Connection Manager because of its:

  • User-friendly and intuitive interface
  • Responsive customer support
  • Quick and seamless installation

To read more about how Keeper is supporting password security with its zero-trust framework and zero-knowledge encryption, check out our blog post, Why a successful zero-trust architecture begins with password security.

What Are the Key Pillars of Zero Trust and How Does Keeper Address Each One?

The five pillars of zero trust consist of identity, device, network/environment, application workload and data. Here’s how Keeper covers each one of them:

1. Identity Pillar

Keeper’s solution supports the identity pillar with a zero-knowledge authentication and authorization model. Identities can be entirely managed within Keeper. Our platform is capable of full integration into any existing zero-trust identity provider. Keeper’s security model supports several advanced authentication methods, including continuous validation at the vault, device and record level and real-time machine learning analysis.

2. Device Pillar

Keeper’s solution supports the device pillar with constant device security monitoring, device-based access controls and validation and data access depending on real-time risk analytics. Keeper works with existing device management tools such as Azure’s conditional access policies. Information stored within our platform is encrypted and decrypted locally at the device level. Elliptic Curve (EC) encryption technology is utilized at the device level to protect data and support the zero-trust model.

3. Network/Environment Pillar

Keeper’s solution supports the network/environment pillar with fully distributed ingress/egress micro-perimeters, machine-learning-based threat protection, zero-knowledge encryption and record-level access controls. Information is encrypted at rest using 256-bit AES record-level encryption and device-level EC encryption. Network communication between the Keeper vault on the device to the Keeper cloud is protected with TLS 1.3, plus additional layers of transmission-level encryption to protect against several attack vectors such as MITM, brute force and enumeration.

4. Application Workload Pillar

Keeper’s solution optimizes the application workload pillar where access is continuously authorized and there is strong integration into the application workflow. By default, Keeper can be accessed over the internet without any VPN connection. Administrators can manage user role accessibility through access control policies.

Through Keeper’s automatic deployment capabilities, our software applications and services can be deployed through publicly accessible app stores such as Apple App Store, Google Play or Google Chrome Store, or through private device management or SCCM solutions. Our platform is also hosted in the AWS GovCloud environment, which supports FedRAMP applications.

Keeper’s advanced reporting and alerts module (ARAM) capabilities provide agencies with telemetry data covering hundreds of event types that can trigger real-time alerts or other threat-based actions.

5. Data Pillar

Keeper’s solution supports the data pillar with zero-knowledge encryption. Zero knowledge is a framework that ensures the highest levels of privacy and security. Encryption and decryption take place on each user’s device. Combining 256-bit AES and elliptic curve cryptography, Keeper ensures that our users’ information is safe and secure at every level. Visit our documentation portal to read more about our full encryption model.

Protect Your Company with Keeper

Get started on implementing a zero-trust security solution for your organization and secure every endpoint. For more information on how Keeper can help protect your company with our zero-trust and zero-knowledge solutions, request a demo from our team.

Frequently Asked Questions

What is the difference between zero trust and zero knowledge?

Zero trust and zero knowledge sound similar, but they’re actually quite different. That said, zero knowledge enhances zero trust by helping prevent data from being compromised in the event of a breach. Let’s take a look at how.

Zero knowledge is a security model that utilizes a unique encryption and data segregation framework that prevents IT service providers from having any knowledge as to what is stored on their servers. It ensures that critical encryption and decryption operations, including the encryption keys, are maintained by the customer on their client devices – not by the vendor or any other third party.

In Keeper’s case, all encryption and decryption is done on the client device level; we have “zero knowledge” of our users’ master passwords, encryption keys, and unencrypted vault data. This means that, in the unlikely event Keeper is ever breached, threat actors would be unable to access our customers’ passwords or any other data stored in their vaults. Even our own employees can’t access that information!

What is the Federal Zero-Trust Strategy? Why does it matter to SMBs?

In 2021, the Office of Management and Budget (OMB) released a memorandum detailing the U.S government’s mandatory move towards zero-trust cybersecurity principles. Federal agencies will be required to meet specific cybersecurity standards by the end of Fiscal Year 2024.

This move to implement a mandatory zero-trust strategy for all federal agencies sets the benchmark when it comes to digital security and asset protection. If the zero-trust architecture is being used at a federal level, small and medium-sized businesses (SMBs) should follow suit to strengthen their systems, users and data, too. This is particularly important for federal contractors, many of whom are SMBs.

What is Zero-Trust Network Access (ZTNA)?

Zero-trust network access (ZTNA) is the strategy behind achieving an effective zero-trust model. ZTNA is an IT security framework that provides secure remote access to an organization’s applications, data and services based on clearly defined access control policies. Unlike a virtual private network (VPN), which gives all users access to the entire network, ZTNA grants access only to specific services or applications.

Is zero trust necessary for password security?

Yes, zero trust is necessary for a robust approach to password security. Zero trust is designed to protect environments and networks through the use of strong authentication methods and the principle of least privilege. Zero trust takes all steps necessary to protect your organization’s data by constantly monitoring and verifying all users, devices, and applications that access your network resources.