Never Trust, Always Verify
In polite society, we grant our friends and work associates an implicit level of trust simply because we recognize them.
Similarly, digital security used to treat a person inside the office building or using a device that the company owns as implicitly safe.
IT security engineers have grown concerned about implicit trust, but rolling out solutions requires the support of the whole organization. Installing higher security protocols can generate pushback from employees who feel that extra security steps are redundant or even impolite. Busy and important workers with a “don’t you know who I am” mindset can be a challenge for the IT team.
That is changing quickly. Cybercrime has reached a scale that is changing the way we feel about taking extra steps to access our digital resources in both our professional and personal lives.
Not so long ago, MFA (multi-factor authentication) seemed like a pain in the neck. Now, MFA is a reassuring experience reminding us that the bad guys can’t hack into our bank account (or anything else important) so easily anymore.
The security strategy that spawned MFA is expanding. Increasingly aggressive cyberattacks are taking advantage of work environments that no longer have any boundaries. Today, the company’s networks need to support remote users, bring your own device (BYOD), multiple data centers, applications in the cloud, and real-time integration with third-party associates.
To improve and maintain security in these environments, cybersecurity managers are adopting a sophisticated set of technologies and protocols called “Zero Trust Architecture.” This is a shift in strategy from defending the network towards monitoring users, assets and resources continuously. From a tech perspective, powerful new technologies are being deployed. From a user’s perspective, we are being asked to participate more actively and frequently in the process of protecting ourselves – that’s called “never trust, always verify.”
“Never trust, always verify” is built on four strategic security pillars:
- Continuous Verification: All users seeking access to company applications, systems or data must be validated every time a link to the network is opened. Even if they are on premises or using a known device, the user’s right to access is never implicit.
- No Network Edge Assumption: Historically, security could be maintained by creating strong firewalls and passwords for a network that was confined to employees using computers in the office. Today, cybersecurity is expected to protect an organization that is more like a jellyfish in the ocean than an office in a building. There is no border (no outer “edge”) to the enterprise that can be clearly defined.
- Minimize Impact: The framework aims to isolate any security breach quickly. In the same way that steel walls can reduce the blast radius of a bomb, the new protocols seek to isolate and compartmentalize a breach within the smallest possible area of the network.
- Automated Context Collection: Building on the power of Endpoint Detection and Response tools, the behavior of every single computer, from mainframes to smartphones, is monitored with AI-powered resources so that unusual activity is brought to the attention of security engineers quickly.
The need for “never trust, always verify” systems is critical because the benefits of today’s dynamic work environment come with the cost of higher security risks. Social engineering is a vulnerability that cannot be perfectly defended. Modern business practices significantly increase the opportunities for malicious social engineering tactics to let a bad actor work their way into the network.
This level of security requires tools that can precisely map how data moves into, through and out of the network with an extreme level of granularity. Artificial intelligence is making this level of management possible. Solutions that can be right-sized for specific businesses are now viable, so it is time for companies of all sizes to discuss “never trust, always verify” projects with their managed IT partner.