
Our View on Zero Trust with a Passwordless Approach

February 20, 2026 | 2 min read | By Balamurali Santhakumar

The shift in working models and in how applications are accessed, together with the new perspective the pandemic brought, has increased the need for security that is maintained irrespective of the user's perimeter. Zero Trust solutions started to surface in response. Zero Trust is a security model based on the principle of maintaining strict access controls and not trusting anyone by default, even those already inside the network perimeter. It moves away from perimeter-based security and encourages a model of trusted access no matter where users are coming from.

Zero Trust pushes for the following:

Verify/Authenticate always

Always authenticate and authorize based on all data points, including user identity, location, device health, service or workload, data classification, and anomalies.

Use least-privilege access

Provide least privilege and limit user access with just-in-time and just-enough-access (JIT/JEA) and risk-based adaptive policies to help secure applications and data.

Assume breach

Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses.

So where do password-based solutions fit in Zero Trust implementations?

What does a Zero Trust solution with passwords look like?

  • Passwords provide a moderate level of assurance
  • The weak factor in an MFA solution
  • An easier factor to attack, for example with credential reuse attacks
  • A password management solution has to be factored in

Zero Trust enforces trusting no one by default. Passwords offer only a moderate level of assurance and deserve little trust because of how easily they are shared, stolen, reused, and replayed. Trusting someone on the strength of a password sharply reduces the benefits of the Zero Trust model. Implementing a robust Zero Trust solution becomes more painful with passwords in the system. Removing passwords from the implementation equation gives the implementer time to focus on everything else.

What does a passwordless Zero Trust solution look like?

  • A solution with a higher level of assurance
  • Reduced weakness in the MFA solution
  • Avoids credential reuse attacks
  • Lower cost, because no password management solution or support system is needed
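
The three principles and the password versus passwordless comparison above can be made concrete with a small per-request policy check. This is an added example, not code from the original article; the authenticator names, assurance scores, thresholds, and the 15-minute grant lifetime are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed ranking for this sketch: higher means stronger assurance.
ASSURANCE = {"password": 1, "password+otp": 2, "passkey": 3}
# Assumed minimum assurance per data classification.
REQUIRED = {"public": 1, "internal": 2, "restricted": 3}
GRANT_LIFETIME = timedelta(minutes=15)  # assumed just-in-time window


@dataclass
class Request:
    user: str
    authenticator: str    # key of ASSURANCE
    device_healthy: bool  # e.g. patched and disk-encrypted
    known_location: bool
    anomaly: bool         # flagged by analytics
    classification: str   # key of REQUIRED


def decide(req: Request, now: datetime) -> dict:
    """Evaluate one request; being 'inside the network' is never an input."""
    if req.authenticator not in ASSURANCE or req.classification not in REQUIRED:
        return {"decision": "deny", "reason": "unknown authenticator or classification"}
    if not req.device_healthy:
        return {"decision": "deny", "reason": "device health check failed"}
    have = ASSURANCE[req.authenticator]
    # Risk signals raise the bar rather than being ignored.
    risky = req.anomaly or not req.known_location
    need = REQUIRED[req.classification] + (1 if risky else 0)
    if need > max(ASSURANCE.values()):
        return {"decision": "deny", "reason": "risk too high for this data"}
    if have < need:
        return {"decision": "step_up", "reason": f"assurance {have} below required {need}"}
    # Least privilege: a short-lived grant scoped to one classification.
    return {"decision": "allow", "scope": req.classification,
            "expires": now + GRANT_LIFETIME}
```

With these assumed values, a password-only login is stepped up for anything above public data, while a passkey login on a healthy device from a known location is allowed directly with a short-lived grant.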

About the Author

Balamurali Santhakumar

VP Service Delivery
