Trust and Verify – 3 Reasons Why You Shouldn’t


We all read the headlines about the latest breaches, vulnerabilities, regulations, etc.  The reason for the newsworthiness is that this impacts everyone.  No one is immune in this digital world, as was evident in the Equifax breach that affected 143 million Americans.

In the enterprise world where technology lives within an organization there are crown jewels that must be protected.  Examples of this could be intellectual property like trade secrets, strategic plans, employee salary information, customer/consumer data, etc.

So what does this have to do with Trust and Verify?  If we go back to when networks were first built, the goal was to have one computer talk to another (peer to peer).  We still do this today; for example, when you print or share a drive.  This relies on inherent trust: two devices on the same network / collision domain are allowed to talk to one another.  Verify, for example, is when you password protect that drive you shared.

If you extrapolate this to a network-based access model, where access to a network is based on a private IP address, then an inherent trust chain is established.  This was one reason why network segmentation was engineered.  So, the finance team runs on its own segmented network, while HR runs on another, and so on.  At this point it’s worth noting 2 things: 1.) segmentation, whether physical or virtual, can be hopped, and 2.) just because you are on a network doesn’t mean you should have access to all the systems on said network.

So here are 3 reasons why you should never trust and always verify:

  1. Lateral movement – Malware comes in a lot of forms (worms / zombies / ransomware), and from code deconstruction, playbacks, and forensic analysis, one of the first things malware likes to do is move laterally.  Inherent trust is exploited by malware to move from one system to the next.
  2. Least privilege – The basic concept of least privilege is that you only get access to what is needed to do your job.  Just because you work in finance doesn’t mean you have access to the CFO’s data.
  3. There’s a better way – The zero trust model allows organizations to move away from network-based access.  This is accomplished by using access point technology.  The access point works as a proxy between the endpoint device and the networks where the applications run.  By moving away from network-based to application-based access you break the inherent trust.  This allows for a never trust, always verify approach.
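To make the difference between points 1 and 3 concrete, here is an added example (not code from the original post) contrasting the two access decisions an access point could make. The legacy check trusts the source subnet; the zero trust check ignores the network entirely and verifies a signed session token, device posture and a per-application entitlement on every request. The signing key, subnet, users, device IDs and application names are all constructed for the example.

```python
import hmac
import hashlib
import ipaddress

# Constructed values; a real deployment would take these from an IdP, MDM and KMS.
SIGNING_KEY = b"example-signing-key-not-for-production"
FINANCE_NET = ipaddress.ip_network("10.20.0.0/16")
MANAGED_DEVICES = {"laptop-0042"}
# Per-application entitlements (constructed): who may reach which application.
ENTITLEMENTS = {
    "ledger": {"alice"},     # finance analyst
    "hr-portal": {"bob"},    # HR staff
}


def network_based_allow(src_ip: str, app: str) -> bool:
    """Legacy model: anything arriving from the finance subnet is trusted,
    regardless of who is behind the packet or which application is requested."""
    return ipaddress.ip_address(src_ip) in FINANCE_NET


def mint_token(user: str, device_id: str, expires_at: int) -> str:
    """Issue a session token bound to an identity, a device and an expiry."""
    payload = f"{user}|{device_id}|{expires_at}"
    sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def verify_token(token: str, now: int):
    """Return (user, device_id) if the token is intact and unexpired, else None."""
    try:
        user, device_id, expires_at, sig = token.split("|")
    except ValueError:
        return None
    payload = f"{user}|{device_id}|{expires_at}"
    expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected) or int(expires_at) <= now:
        return None
    return user, device_id


def zero_trust_allow(token: str, app: str, now: int) -> bool:
    """Access point decision: verify identity, device and entitlement per request.
    The source network is deliberately not an input."""
    ident = verify_token(token, now)
    if ident is None:
        return False
    user, device_id = ident
    if device_id not in MANAGED_DEVICES:
        return False
    return user in ENTITLEMENTS.get(app, set())
```

Run against the legacy check, a worm on any finance host reaches every application on that segment; run against the zero trust check, the same host gets nothing without a valid token, and a valid user on an unknown device or asking for an application outside their entitlement is still refused.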

Zero trust can be implemented using physical devices such as the HP Zero Client device or via software such as Google BeyondCorp.  When going with a device approach there are many items to consider, such as device cost, deployment and management of devices, network latency, cloud, mobility and overall user experience.

Software approaches will limit up-front cost, as you only need a browser or thin client software.  Software models also add flexibility, such as easy integration into cloud environments and mobility.  From a user experience standpoint, software approaches can also reduce network latency by not requiring round trips to centralized aggregation points.

When considering which approach is best for your organization there are several items to consider, such as ease of deployment (Big Bang vs Phased Deployment), DLP, BYOD (managed vs unmanaged) endpoints, and more.