Crypto Market Commentary
14 November 2019
Doc's Daily Commentary
The 11/13 ReadySetLive session with Doc and Mav is listed below.
Mind Of Mav
Authentication & The Future Of Digital Identity Brokers
When networks first arrived, authentication began as a relatively straightforward process. Things were either inside or outside the perimeter. It was simple. A short time later, it was easy for adversaries to breach the common network, so firewalls became a necessity. Soon after that, virtual private networks (VPNs) were born. Today, networks are much more interactive and complicated, and require multiple levels of authentication to access resources. They require separate authentication for most resources. Some users complained about the resulting productivity challenges, and single sign-on was created to lessen the problem. But now, applications require authentication to each other to achieve more complicated operations. And finally, we have to contend with the IoT.
Sadly, that’s just the beginning.
Even the concept of access has become very complicated. For example, people are now replacing the key-based locks on their homes with digital door locks. They want to see who is coming to the door before answering it. They want to prevent packages from being stolen, so they provide a special access code to the delivery service. They want the digital lock to notify them with a message and maybe a photo or video clip when a family member leaves or returns. And they want to be able to remotely lock and unlock the door and turn the alarm on and off.
This level of access control and enablement was never possible before recent innovations in smart home technology. All of this flexibility is possible because a digital key is fundamentally different from a physical key. However, it also introduces new risks. Extending trust while addressing new risks requires pairing digital locks with additional tools, such as digital cameras, motion-activated lights, and an integrated digital alarm system. This notion of pairing controls to safely extend trust is critical for understanding authentication. Authentication now requires tools and technologies to enhance identification verification, with controls such as device identification, multifactor authentication, quarantines, monitoring, tagging, and dynamic encryption being just a few examples of these newly required elements. The fact is that simple authentication alone is no longer enough. The game has changed, and it is time to level up.
THE POWER OF PAIRING AUTHENTICATION WITH ACCESS KEYS OR TOKENS
Pairing authentication with access keys or tokens that provide different access rights allows an organization to create a perimeter with authentication, even where a traditional border may no longer exist. The network edge has become elastic and permeable, making traditional edge-based security less effective. When properly applied, however, authentication, paired with other technologies, can serve as a sort of firewall that can help secure perimeterless environments. The impact of such an approach is difficult to overestimate.
Modern or trust-based authentication enables us to build more responsive environments; extend security controls deeper into the network; and develop better, more personalized applications so that we can accomplish more. To scale to the next level of interoperability and interconnection, however, you need to build an inherent trust capability into the fabric of the network.
To accomplish this, modern authentication also requires brokerage capabilities that can assert and broker on behalf of those people and things that require authentication. This goes beyond simply granting or denying access, extending deeper into why access was granted, the degree to which access should be applied, and when access levels should be adjusted. For example, when a device is behaving well, it’s allowed to achieve new levels of trust to perform certain actions. When it’s not, it’s no longer allowed to do them. This is simple. But what if we were to pair access with keys or tokens that are asserted to enable more specific interactions, such as exchanging access on behalf of a user with better, more fine-grained intention derived by application needs and usage? In this case, authentication itself is not so much about understanding who you are and whether you should have access but extends further into the ecosystem that supports you.
In this way, the digital ecosystem originates from the combination of authentication and digital rights management that has become ubiquitous as technology becomes increasingly complex. Trust is developed based on the exchange of keys or tokens that the system grants on behalf of the end user and their intention. Having a set of keys that also extend to other devices, applications, and processes enables authentication to do more things for you. If a device or process has a key associated with your identity, as far as the network is concerned, that device is you, and you’re going to be able to scale in ways that were never possible before.
By comparison, in the traditional monolithic approach to authentication, you might have navigated to a system, entered your password, and been granted access through a set of hard-coded permissions. Today, that is not enough. You might have hundreds of authentication keys associated with your identity and a set of intentions that you want to enable on your behalf. You might have a single password or token to get access to those keys, but once you do, those keys decide whether or not you can access network resources based on a variety of factors.
And in some cases, developers are building applications that can make dynamic decisions about access, which means traditional authorization mechanisms are failing to keep up.
When you then tie these authentication keys to microservices, they can provide degrees of access to applications, workflows, or similar resources based on trust. And because you have so many more authentication keys, you also have many more on/off switches that enable you to do your job without compromising the integrity of the network, even if a particular key needs to be turned off for some reason.
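The arrangement described above (many keys tied to one identity, each scoped to a service, gated on current trust, and individually switchable) is sketched below as an added Python example. It is not part of the original commentary, and the KeyBroker class, the scope strings, and the 0-100 trust score are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time
from base64 import urlsafe_b64decode, urlsafe_b64encode


class KeyBroker:
    """Hypothetical broker (illustration only): scoped, revocable keys."""

    def __init__(self):
        self._secret = secrets.token_bytes(32)  # broker's signing secret
        self._revoked = set()                   # per-key off switches (by kid)
        self.trust = {}                         # subject -> score, 0..100

    def _sign(self, body: bytes) -> str:
        return hmac.new(self._secret, body, hashlib.sha256).hexdigest()

    def issue(self, subject, scope, min_trust, ttl=300):
        claims = {"kid": secrets.token_hex(8), "sub": subject, "scope": scope,
                  "min_trust": min_trust, "exp": time.time() + ttl}
        body = urlsafe_b64encode(json.dumps(claims).encode())
        return claims["kid"], f"{body.decode()}.{self._sign(body)}"

    def revoke(self, kid):
        self._revoked.add(kid)  # turns off one key, leaves the others alone

    def check(self, token, wanted_scope):
        try:  # verify the signature before trusting any claim
            body, sig = token.rsplit(".", 1)
            if not hmac.compare_digest(sig, self._sign(body.encode())):
                return False, "bad signature"
            claims = json.loads(urlsafe_b64decode(body))
        except (ValueError, TypeError):
            return False, "malformed"
        if claims["kid"] in self._revoked:
            return False, "revoked"
        if time.time() > claims["exp"]:
            return False, "expired"
        if claims["scope"] != wanted_scope:
            return False, "out of scope"
        if self.trust.get(claims["sub"], 0) < claims["min_trust"]:
            return False, "trust too low"
        return True, "ok"
```

Issuing a key for one scope with `min_trust=70` and then lowering that subject's score to 60 makes `check` return `(False, "trust too low")` for it, while a key issued with a lower threshold keeps working; `revoke(kid)` switches off a single key without touching the rest.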
Beyond access to resources, authentication can also extend to services and capabilities so that we can interact with our digital world outside of the confines of a specific organization.
Essentially, zero trust environments are critical to modern authentication paradigms. This requires dynamic authentication keys connected to a fluid number of grants and parameters so that we can access resources and conduct transactions across the hyperconnected digital environments we are creating today, such as smart homes, smart cars, and smart cities. Of course, this is an emerging field, and it requires building an open key fabric of some sort that can easily span different networks and systems.
AUTHENTICATION BEYOND INDIVIDUALS
In particular, authentication has to extend beyond individuals. As networked devices become smarter, they can increasingly function autonomously on behalf of an individual or even groups of people. We will also see direct relationships between applications, directed by software, to provide specific, customized services based entirely on the identity profile that these devices represent. The implication is that we are going to need zero trust identity validation that can extend trust to more than just human beings by enabling scoped permissions to be carried as part of an identity.
Establishing and adopting open standards is crucial for making this shift to a new authentication paradigm. Projects like OpenID and OAuth are taking off because identity must extend beyond a specific network or network segment. Users want smart wallets, identity verification, and the ability to dynamically create contracts that travel with them between their work and personal lives. And although it might seem awkward, technology like blockchain may even play a role in how that’s enabled. Blockchain may provide a way to deal with trust boundaries through a voting or crowdsourcing mechanism that enables different ways to establish trust. Ironically, the drive toward more personalized authentication, identity, access, and authorization is happening because, as networks grow and expand and interconnect, we will soon no longer be able to trust the network itself without modern authentication.
Once we can no longer trust the network, we need dynamic authentication keys, enumeration, and logging to protect individuals and their resources with what is, in effect, a very personal and mobile security blanket. If we no longer trust the network, that also means that we will need to fundamentally rethink things like SSL (Secure Socket Layer), TLS (Transport Layer Security), and similar network-based security functions that have enabled authentication in a somewhat lazy way.
Enabling encryption to function as a next-level authentication capability will require it to operate in a way that is tied not to the network, but instead to the data and identities that it is enabled to share.
One way to approach this is by tying authentication to something like application-level encryption (ALE), which enables the application itself to decide what’s encrypted, how it’s encrypted, and how to protect data so that when it has to transit through a hostile environment, authentication can dynamically determine the scope of its encryption. On the other end of that connection, trust is what allows you to decrypt that information using modern authentication schemes. Of course, all of this will require adding new security features to consumer products based on open standards. The driver will be consumers demanding easier ways to hold and transmit sensitive data so they can do more with their digital capabilities, such as have software operate on their behalf. What is clear is that as everything becomes interconnected, authentication plays an increasingly essential role in security.
Customer-driven security has significant challenges. Paramount to the evolution of modern authentication is that it be simple, and mostly invisible, to the end user without sacrificing security. Among other things, this means we need to get rid of our current password-based access strategy as soon as possible. For too many years we have relied on human verification to access applications, and hackers have finally caught up with that strategy. We can spend time shifting to device identity verification, but they’re going to catch up with that as well, and in a relatively short amount of time. Some signs of that are already occurring.
Consider all of the people logged into Facebook, LinkedIn, and Google who then use their profiles to log into other applications and services. This is an example of extending very fragile human-based identity in ways we never considered before. As you work your way through the identity space, it becomes apparent that trust is the only way forward.
BROKERAGES AS A SECURITY VERIFICATION ECOSYSTEM
We’re going to have to switch to a security verification ecosystem where certified third-party brokerages can assert, identify, verify, and extend trust. These brokers will become the backbone of the interconnected ecosystems that we all work and live in by arranging higher levels of trust that enable us to take advantage of applications and services that now span environments.
As this scales out, we will soon be dealing with issues related to expansive levels of trust that extend in all sorts of directions we haven’t yet conceived of. To achieve that, we must use an open consensus model to address the related challenges.
Collaboration is fast becoming a critical component of problem solving today. Science has reached a point where individual expertise is no longer enough to push the frontiers of research to the next level. Likewise, addressing business issues in a world of hyperconnectivity, smart devices, and big data requires different teams to work together. That’s why we see more and more DevOps and DevSecOps teams pushing collaboration to solve complex problems. And we are seeing a greater need to share, which is pushing the boundaries of business models and the authentication that supports them.
The minute you start pushing collaboration, however, the question becomes, “Who can you trust?” Collaboration and authentication go hand in hand. Solving a problem as part of an extended team will require individuals, devices, and applications to join a trust ring based on a variety of factors, such as identity and authorization credentials, combined with a crowd number score and even your apparent goal. Being able to authenticate through a system using a goal, and then finding other people with similar, related goals, will dynamically create rings of trust that will enable us to move even faster. Only those who are worthy of trust can participate in environments where collaboration is essential. I don’t want to have to deal with individuals with counter goals until I am ready to test my ideas.
One of the biggest hurdles moving forward is that we have made authentication pretty complicated. It’s identity. It’s authentication. It’s authorization. It’s IdM (identity management) and IAM (identity and access management) processes. And this segmented way of thinking about authentication is going to interfere with our ability to create a mesh-based system that can open and lock circles of trust based on a dynamic set of requirements. That will require an authentication mechanism different from anything we currently have in place.
I’ve been doing a study on companies that have invested in higher-end, more advanced security versus those that have opted for more basic and traditional lower-end protection. The data so far is fascinating. Companies that invest in advanced security are not only realizing higher-end revenue through increased productivity and more effective collaboration, but they are also generating a more substantial stake in the industries in which they operate. I believe the future is very bright. However, only by leveraging mechanisms like authentication brokerages and trust models are we going to realize the potential of the interconnected world we are in the process of creating. The ability to adapt to and adopt these new models will determine which organizations and systems not only thrive, but actually survive.
An Update Regarding Our Portfolio
We are pleased to share with you our Community Portfolio V3!
We intend for this portfolio to be balanced between the Three Pillars of the Token Economy & Interchain:
Crypto, STOs, and DeFi projects
We will also make a concerted effort to draw from community involvement and make this portfolio community driven.
Here are our past portfolios for reference:
RSC Managed Portfolio (V2)
RSC Unmanaged Altcoin Portfolio (V2)
RSC Managed Portfolio (V1)