Zero trust security: a safer approach to cyber security
Humans are lazy, we all are, it’s been studied, documented and evidenced time and time again.
The Principal of Least Effort (PLE) or Zipfs Law manifests itself in all our daily behaviours, if there’s a quicker, easier way to achieve a goal, that’s the one we choose.
Of course, we never consider these shortcuts as “lazy”, it’s coined being efficient, fast, productive. In most of our daily lives, the principle of least effort does not carry much risk or consequence. In IT, it can be an extinction event. The majority of successful cyber security incidents derive from exploiting human behaviours, because humans sub-consciously act to preserve energy, and seek the path of least effort. We clicked on the link because we speed-read the email, and it looked OK. We can’t remember passwords, so we use the same one. Everywhere, on everything.
The Zero trust model: A safer approach to manage cyber risk
So, how best do we control the consequences of our Darwinian instincts? Don’t trust anybody or anything! Zero Trust!
It sounds Orwellian, but Zero Trust is simply the principle of:
- Authentication – you are who you say you are,
- Authorisation – checking you have permission to see or access a resource,
- Device Health – ensuring the device being used is also authenticated and authorised.
Zero trust means don’t trust someone or something, device or service, just because of their location, in the office or on a network.
The Zero trust model means every user, every device, and every system should be untrusted until proven otherwise. We verify and we validate, continuously.
Three main elements of the Zero Trust Model
There are three main engagement points to consider with regard to users and their Access Devices.
- User to Device
- User to Service
- Device to Service
User to Device
A device should be unlocked, only after the user has successfully authenticated against it using credentials unique to that user. With desktops, notebooks, tablets, and phones, a password or pin is the primary method for unlocking a device.
Biometrics such as facial recognition or fingerprints present a more secure authentication method. Additionally, this level of authentication should only be used to access the device and not for additional services made available via the device.
Many devices have restrictions on unlocking, such as a 6 digit PIN, so secondary authentication should be implemented for services.
User to Service
When authenticating against a service, stronger controls should be in place. Stronger passwords that have a minimum of 12 characters should be used. Read our password security best practice tips for more insights on creating secure passwords.
Besides passwords, additional security measures should be used to verify that the credentials being supplied are from the actual authorised user, not someone impersonating them, for example, through a hacked or stolen password.
Multi-Factor Authentication (MFA) requires that an additional verification step is taken before access to a service is granted. With MFA a code is commonly sent to a third device that is in the requesting users possession. This is typically a phone, but can be a third email address or perhaps a hardware security key or dongle.
Device to Service
Device Health is the process that ensures the device itself is trustworthy. This process can be implicit and performed alongside user authentication. Trusted Platform Modules (TPM’s) are hardware chips commonly installed in most devices. Even with TPM, it’s important for businesses to ensure that the device being accessed has up-to-date security patches and anti-malware protection.
Managerial and system controls
Mistrust and skepticism should extend beyond user credentials and into attestation of other variables. A full knowledge of your architecture, your users, your devices, your services and data locations is essential to establish a robust Zero Trust environment.
Asset Management for work devices
Asset Management enables you to track where your devices are, whether at home, in office, at a warehouse, store cupboard, in maintenance, or gathering dust under someone’s desk, and monitor the devices health and lifecycle status.
Policies and procedures to govern data access
Policies and Procedures should be in place to control authorisation and access to services. Policies are the foundational element of zero trust. Many security solutions provide controls over accessing location, time and device. For example, if your staff all work from 9-5 in the UK, on Windows 11 machines, you can block any access that does not meet this criteria.
Continual monitoring of user behaviours, device health, service access requests helps establish “normal” behaviour patterns. Behaviors outside of this bell curve should be investigated.
The single biggest risk to your cyber security
And, most importantly, people are the single biggest risk to your organisation. They don’t mean to be, its not egregious, nefarious, or deliberate, its Zipfs Law at work, and they’re usually not aware of it until its too late. All it takes is one person being are under pressure, distracted, or simply not having enough coffee. People are your biggest cyber security risk.
Training, continuous training, on cyber security measures people can take in their daily behaviours and work habits can protect your company from those “commodity” attacks that form the basis of most successful cyber security breaches.
Train your people, have robust policies, and don’t trust any user, or device, or service, until it has been authenticated and validated.