THE IMPORTANCE OF ZERO TRUST
Why you need dynamic user and device authentication

Ancient tactic, modern threat. Assume the arrow is already over the wall.

By Scott Nursten, CEO, ITHQ

Centuries ago, armies might fire letters attached to arrows over the wall into a besieged city, promising a reward to anyone who opened the gates. In 2020, a Tesla employee was contacted by a Russian cybercriminal who promised to pay $1 million if they helped infect the company’s system with malware. (Luckily for Tesla, this employee blew the whistle.) The point is, an ancient tactic was used in a modern setting, highlighting the vulnerability still posed by insiders.

Combatting this threat means applying the tenets of Zero Trust, based around the presumption that you’ve already been breached. If the enemy is already inside your defences, your firewall is useless. If they are disguised as someone with all-areas access, how will you catch them out?

THE OLD TRUST ZONES ARE GONE
Zero Trust is a new form of security architecture which has replaced the old ‘trust zones’ network design. In that design, as a rule, the more exclusive the access to a zone, the higher the trust. A general low-trust zone carried few access requirements. A private zone with more stringent access requirements carried higher trust, while your financial zone, for example, would be accessible to only a few people and would therefore be your highest trust zone. Trust implications might mean data wasn’t encrypted inside the highest trust zone, or that location alone would act as proof that only the right users were in there. With more attacks exploiting the trusted user, their laptop or phone, you can no longer trust the authenticity of an identity based on access level alone.
The answer now is to create policy decisions and enforcement points across your networks. In other words, replace trust zones with Zero Trust: controlled, conditional, dynamic access in multiple places.

YOUR STAFF ARE TRUSTWORTHY. HACKERS PRETENDING TO BE YOUR STAFF ARE NOT

Zero Trust has garnered negative reactions because people infer a lack of trust in their staff. Let’s be clear: this is not about mistrusting individuals in your building. This is about verifying that every user and device on your network is the person and device you expect it to be. Just because a person is logged in as ‘Sam’ doesn't mean it is really them. Without multifactor authentication, biometrics and additional checks, we can't determine authenticity of user or device. Standard access to your cloud-based environments and SaaS platforms is usually via a username and password, maybe an MFA token: all of which are possible to hack. IP addresses too are no longer suitable as trusted identifiers. The only way to authenticate reliably is at user and device level every time access is requested. Hence, the rise of Zero Trust.
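
The contrast between a location-based trust zone and a per-request user and device check, as an added example that is not part of the original article. The zone address range, the device inventory and the request fields are all constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical values, constructed for this example.
FINANCE_ZONE = ip_network("10.20.0.0/24")      # the old "highest trust" zone
ENROLLED_DEVICES = {"laptop-0042": "sam"}      # device id -> registered owner


@dataclass(frozen=True)
class AccessRequest:
    user: str
    password_ok: bool
    mfa_ok: bool
    device_id: str
    device_compliant: bool   # result of a posture check (patched, encrypted, ...)
    source_ip: str


def zone_decision(req: AccessRequest) -> bool:
    """Trust-zone model: being inside the zone is taken as proof of identity."""
    return ip_address(req.source_ip) in FINANCE_ZONE


def zero_trust_decision(req: AccessRequest) -> tuple[bool, list[str]]:
    """Per-request decision: verify user and device; location grants nothing."""
    reasons = []
    if not req.password_ok:
        reasons.append("password check failed")
    if not req.mfa_ok:
        reasons.append("second factor missing")
    if ENROLLED_DEVICES.get(req.device_id) != req.user:
        reasons.append("device not enrolled to this user")
    if not req.device_compliant:
        reasons.append("device failed posture check")
    return (not reasons, reasons)


# Constructed requests: Sam's password used from an unknown device inside the
# zone, and the real Sam working remotely on an enrolled, compliant laptop.
IMPOSTOR = AccessRequest("sam", True, False, "unknown-7f", False, "10.20.0.15")
REAL_SAM = AccessRequest("sam", True, True, "laptop-0042", True, "203.0.113.9")

if __name__ == "__main__":
    for label, req in (("impostor", IMPOSTOR), ("real Sam", REAL_SAM)):
        allowed, why = zero_trust_decision(req)
        print(f"{label}: zone={zone_decision(req)} zero_trust={allowed} {why}")
```

The zone model admits the impostor and rejects the real user, while the per-request check does the opposite and records why each denial happened.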