Membership
Membership Benefits
Our Member Community
Get Involved
Become a Member
Member-Exclusive Programs
STAR Enabled Solutions
Trusted Cloud Consultant
Trusted Cloud Provider
Certified STAR Auditors
Member Portal
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Education Platforms
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Chapters
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Membership Benefits
Our Member Community
Get Involved
Become a Member
Member-Exclusive Programs
STAR Enabled Solutions
Trusted Cloud Consultant
Trusted Cloud Provider
Certified STAR Auditors
Member Portal
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Education Platforms
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Chapters
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Submit a Peer Review for the AI Controls Matrix—a groundbreaking framework to address AI risks and strengthen security.

Authenticating the Authenticators: A Zero Trust Thought Experiment

Published 07/26/2023

Home
Industry Insights
Authenticating the Authenticators: A Zero Trust Thought Experiment
Written by Jason Garbis, Founder and Principal at Numberline Security.

Quis custodiet ipsos custodes?

This first-century Latin phrase translates as “Who watches the watchmen?”, and has made its way through classical philosophy and into popular culture. (Fellow Watchmen fans, I’m thinking of you). Fast-forwarding 2,000 years into our familiar domain of information security, this question remains relevant to our modern authentication best practices and Zero Trust.

To put this in perspective, let’s look at the recent (and unfortunately successful) attack at Microsoft. Now, I’m not here to pick on Microsoft–as a major identity provider and cloud platform, they are clearly under constant and sophisticated attack, and I give them a lot of credit for their transparency and responsiveness around this incident.

This attack is an example of a malicious actor compromising one of the foundational elements of security–the authentication system. In this case, the malicious actor obtained a signing key, and used that key to generate valid access tokens. Because the remainder of the system had cryptographic (i.e., mathematical) proof that the tokens were valid, the malicious actor was able to access private data.

This brings us to our thought experiment, and the relevance of taking a context-based approach. Centralizing identity management and authentication is recommended as best practices–see, for example, the CISA Zero Trust Maturity Model. There are many benefits of doing so, but it does increase the impact of an identity system compromise.

Think about your enterprise systems and the different types of identities–both human and non-person–which are authenticated and granted access. What would happen if all your credentials were stolen or compromised? What other types of controls, processes, monitoring and response systems would apply? What additional context does your security ecosystem rely on beyond credential-based authentication, or possession of a valid cryptographic token?

Zero Trust is centered on taking a contextual approach toward making access decisions, and today’s capable Zero Trust platforms and architectures support the use of MFA, and the creation of adaptive access policies. Such systems provide us with the backstops we need to authenticate our authenticators.

When an identity attempts to access a resource, even if it has valid credentials or a valid token, our Zero Trust system needs to look at all available contextual information to make a just-in-time access decision, and ideally include aspects across all Zero Trust pillars – Identity, Device, Network, Applications, and Data.

I posit that a well-rounded Zero Trust system will be resilient to a compromised authenticator, through effective and thoughtful use of contextual information, processes, monitoring, and other mechanisms. The good news is that current Zero Trust platforms are capable of this. Enterprise security teams can have confidence that they will be able to deploy and operate these systems, add security and business value quickly.

Not every enterprise is targeted with the same attack frequency or sophistication that Microsoft faces. But every enterprise is a target to some degree, and every enterprise should begin adopting Zero Trust in order to build up their resilience to a compromise of their security infrastructure.


Develop and demonstrate an in-depth understanding of Zero Trust with CSA’s Certificate of Competence in Zero Trust (CCZT). Learn more here.

Identity and Access ManagementZero Trust

Share this content on your favorite social network today!

Future Cloud
Related Resources
Certificate of Competence in Zero Trust (CCZT)
The industry's first Zero Trust certificate program.
AI Organizational Responsibilities
A blueprint for enterprises to secure AI development and deployment.
AI Safety Initiative
Addressing present and future challenges of AI safety and security.
Latest from CSA
Participate in the State of SaaS Security 2025 Survey
Key Management for Public Cloud Migration
Cloud Security for Startups 2024
Secure your cloud data with Zero Trust Training
Related Articles:
Secrets & Non-Human Identity Security in Hybrid Cloud Infrastructure: Strategies for Success

Published: 01/14/2025

How to Secure Cloud Environments and Minimize Data Breach Risks

Published: 01/10/2025

Adapting Strong IAM Strategies to Combat AI-Driven Cyber Threats

Published: 01/08/2025

Enhancing Salesforce Security: Beyond Built-in Features

Published: 01/03/2025