Cloudflare Blog·March 4, 2026

Identity-Verified Zero Trust for Mitigating Insider Threats

This article covers Cloudflare's partnership with Nametag, which adds human identity verification to zero trust architectures to close the "identity assurance gap" exploited by insider threats such as remote IT worker fraud. It describes an OpenID Connect (OIDC) based integration in which Nametag verifies the person behind an account, using a government ID, a selfie and AI-based deepfake detection, at onboarding and again on demand when a session's risk rises, complementing existing Zero Trust Network Access (ZTNA) policies.


The Evolving Threat Landscape: Beyond Device and Credential Trust

Traditional zero trust models verify the device and the credential, and treat a valid login from a managed corporate device as proof of a legitimate user. That leaves an "identity assurance gap": the controls confirm that the right account and the right laptop are present, not that the right person is. Sophisticated actors, including state-sponsored groups, exploit this gap with stolen or fabricated identities, generative AI to get through interviews, and deepfake tools to pass background checks and identity provider (IdP) enrollment. They then run "laptop farms" that make a corporate device appear to sit with a legitimate remote worker, and reach sensitive internal resources with credentials and devices that every conventional check accepts.

Identity-Verified Zero Trust Architecture with Cloudflare and Nametag

Cloudflare closes this gap by integrating with Nametag, a workforce identity verification service. The partnership adds human identity verification as a layer of Cloudflare One's SASE (Secure Access Service Edge) platform. The aim is to move from knowing *what account* is logging in to knowing *who* is behind the keyboard, at onboarding and at other high-risk access points.

Technical Integration via OpenID Connect (OIDC)

Nametag integrates with Cloudflare Access over OpenID Connect (OIDC). Organizations can configure it as an additional IdP, or as an external evaluation factor alongside the primary IdP (e.g., Okta, Microsoft Entra ID). Once Nametag has completed its biometric and document checks, the OIDC flow returns a signed ID token carrying the result, which Cloudflare Access validates before it evaluates policy.

  1. Trigger: The user attempts to reach a protected onboarding portal.
  2. Challenge: Cloudflare Access redirects the user to Nametag for authentication over OIDC.
  3. Verification: The user enters a work email, takes a selfie and scans a government ID with their phone. Nametag's Deepfake Defense™ engine uses AI, biometrics and cryptographic checks on the document to confirm the person is real and matches the ID.
  4. Attestation: On success, Nametag returns a signed ID token to Cloudflare Access, which validates it as in any OIDC flow (signature, issuer, audience, nonce and expiry) before trusting its claims.
  5. Enforcement: Cloudflare Access evaluates its Access policies against the verified identity and allows or denies the request.
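The relying-party side of steps 4 and 5, as an added example that is not Cloudflare's or Nametag's code. It plays both parties: `mint_id_token()` stands in for the verification IdP and `verify_id_token()` plus `access_decision()` for the access proxy. Two assumptions are hypothetical: the token is signed with HS256 using the shared client secret (which OIDC Core permits; production deployments normally use RS256 against the IdP's published JWKS), and a custom claim named `identity_verified` carries the document-and-selfie result. The issuer, client ID, secret, nonce and claim names are constructed for the demo and are not taken from the page.

```python
"""OIDC relying-party validation of an identity-verification IdP's ID token.
Added example (not Cloudflare's or Nametag's code). HS256 and the
'identity_verified' claim are hypothetical choices for the demo."""
import base64
import hashlib
import hmac
import json

ISSUER = "https://idp.example.test"          # hypothetical issuer
CLIENT_ID = "cloudflare-access-demo"         # hypothetical client_id
CLIENT_SECRET = b"constructed-demo-secret"   # constructed; never hard-code for real
NOW = 1_800_000_000                          # fixed clock so the demo is deterministic
NONCE = "n-8f3a"                             # nonce the proxy stored in the login state


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes) -> str:
    """IdP side: serialise claims and sign with HS256 (JWS compact form)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


class TokenError(Exception):
    """Raised when an ID token fails any OIDC Core validation step."""


def verify_id_token(token: str, secret: bytes, issuer: str, client_id: str,
                    expected_nonce: str, now: int, max_age: int = 300) -> dict:
    """Relying-party side: the checks OIDC Core 3.1.3.7 requires, plus max_age."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    head, body, sig = parts
    # Pin the algorithm: trusting the header's alg is the classic 'alg: none' bug.
    if json.loads(_b64url_decode(head)).get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != issuer:
        raise TokenError("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in ([aud] if isinstance(aud, str) else aud or []):
        raise TokenError("audience mismatch")
    if claims.get("nonce") != expected_nonce:
        raise TokenError("nonce mismatch")        # replayed or cross-session token
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise TokenError("expired")
    if not isinstance(claims.get("auth_time"), int) or now - claims["auth_time"] > max_age:
        raise TokenError("stale verification")    # the selfie/ID check must be recent
    return claims


def access_decision(claims: dict, allowed_domains: set) -> str:
    """Access policy: verified human with a verified work address in an allowed domain."""
    if claims.get("identity_verified") is not True:
        return "deny"
    if claims.get("email_verified") is not True:
        return "deny"
    domain = claims.get("email", "").rpartition("@")[2].lower()
    return "allow" if domain in allowed_domains else "deny"


def _decide(claims: dict, secret: bytes = CLIENT_SECRET) -> str:
    token = mint_id_token(claims, secret)
    try:
        verified = verify_id_token(token, CLIENT_SECRET, ISSUER, CLIENT_ID, NONCE, NOW)
    except TokenError as err:
        return f"rejected: {err}"
    return access_decision(verified, {"example.com"})


def run_demo() -> dict:
    """Constructed cases: one good token and five ways the flow should fail."""
    good = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "idp|alice", "nonce": NONCE,
            "email": "alice@example.com", "email_verified": True,
            "identity_verified": True, "iat": NOW - 10, "auth_time": NOW - 20,
            "exp": NOW + 290}
    return {
        "good": _decide(good),
        "forged_secret": _decide(good, secret=b"attacker-guess"),
        "wrong_audience": _decide({**good, "aud": "some-other-app"}),
        "replayed_nonce": _decide({**good, "nonce": "n-old"}),
        "stale_auth_time": _decide({**good, "auth_time": NOW - 3600}),
        "unverified_human": _decide({**good, "identity_verified": False}),
    }


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case:17} -> {outcome}")
```

The `auth_time` check is the part specific to identity verification: an ID token is only useful as proof of a live selfie-and-document check if that check happened moments ago, so the proxy enforces a `max_age` rather than accepting any unexpired token. The nonce check ties the token to the browser session that started the redirect, which is what stops a token captured elsewhere from being replayed against the onboarding portal.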

Key System Design Principle: Layered Security

The solution is layered security: identity verification becomes a new control beside the existing DLP, RBI and CASB layers rather than a replacement for them. Because the check happens at the first point of access, it moves the posture from detecting a fraudulent hire after the fact to preventing the account from being provisioned at all, which removes the insider's foothold before any downstream control has to catch it.

Beyond Onboarding: Continuous Identity Assurance

The system extends beyond initial onboarding to continuous verification. Cloudflare Access incorporates user risk scores, so security teams can write context-aware policies instead of one-time gates. When a user's risk score rises, policy can demand step-up verification (a fresh Nametag challenge) or revoke the session outright, while a user whose score stays low is never interrupted. This matters for the two cases onboarding alone does not cover: an account compromised after hire, and a legitimate employee who later turns malicious.

Tags: Zero Trust, Identity Management, SASE, OIDC, Biometrics, Insider Threat, Cloudflare, Security Architecture
