Trust But Verify
“Trust but verify” is an old Russian proverb. We’re told the phrase rhymes in the native language… Old proverbs survive to grow old because their meaning is profound and “trust but verify” remains very relevant today for those of us trying to protect our clients’ digital infrastructure.
Ransomware has raised the stakes to the point where “trust” can feel like a game of chicken. Even non-malicious actors who touch our networks might do harm to the company by letting in malware unintentionally.
At the highest level, the tech engineers who get deep into the code underlying everything that drives a client’s business forward wish that their client would let them build a “zero trust” network. That is not always an easy sell because, on a human level, we trust our own employees and the guests who need to log on to the Internet when they visit our office.
So yeah, we trust everybody. But today we need to build a network that verifies everything.
Every client we work with has what we call “trusted users” and “guest users”. The idea isn’t limited to Wi-Fi networks, where you are probably accustomed to seeing these terms, but the trusted/guest split is now ubiquitous in almost every office, so it’s the best example I can think of for explaining the much broader concept of zero-trust networks.
Ideally, the set-up has “trusted” Wi-Fi for employees that lets them reach servers, printers, the Internet, monitors, security cameras, and so on. Separately, you’ve got “guest” Wi-Fi for visitors in your office. They need access to the Internet, but they should get it through a distinct Wi-Fi network (its own SSID, on its own VLAN) that is 100% compartmentalized away from the employee network. If a guest is giving a presentation on a big screen, they can use Bluetooth or an HDMI cable.
The reason for this separation is that if a guest’s computer can reach your servers, it can spread malware to them even if the guest has no idea that their computer is compromised. The solution is to put guests on a network that, in zero-trust terms, grants exactly what they need: the Internet, and nothing internal.
This goes double for ethernet ports (a.k.a., those things that look like extra-large telephone jacks around your office). If you are going to let a guest plug into an ethernet port, each port has to be assigned on the switch to the right network; color-coding the jacks helps people, but the switch configuration is what actually enforces it. If a guest computer accidentally plugs into an employee port, absolutely nothing should happen, which in practice means the port checks who is plugging in (802.1X or similar network access control) and drops or quarantines any device it doesn’t recognize.
From there, it can get complicated, because often many “guests” are 3rd party vendors who need access to some subset of your software and the files stored on your servers in order to do their job. A company might have a 3rd party monitoring its video security cameras, or it might have an outside accountant who prepares the taxes using a lot of financial data each year.
“Zero trust” networks need to give vendors access to exactly what they need, in a manner that is isolated from everything else. If an outside vendor accidentally lets malware into your systems, you want that malware to get stuck inside the only places the 3rd party was allowed to access.
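What that separation looks like on the firewall that routes between the Wi-Fi and port VLANs, as an added example (not configuration from the original post or from any particular client): an nftables ruleset where the forward chain defaults to drop and each network gets only its explicit allows. The interface names, subnets, the camera VLAN, and the assumption that a camera-monitoring vendor needs only RTSP and HTTPS to the cameras are all illustrative; NAT for the uplink is left out.

```nftables
# /etc/nftables.conf (assumed path) -- added example, not the post's own config.
# Assumes the switch and access points tag each SSID / wall port into these VLANs.
flush ruleset

define WAN        = "wan0"
define TRUSTED    = "vlan10"    # employees:          10.0.10.0/24
define GUEST      = "vlan20"    # visitors:           10.0.20.0/24
define VENDOR     = "vlan30"    # camera contractor:  10.0.30.0/24
define CAMERAS    = "vlan50"    # security cameras:   10.0.50.0/24
define CAMERA_NET = 10.0.50.0/24
define RFC1918    = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

table inet filter {
    chain forward {
        # Default deny: anything not listed below is dropped.
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were allowed to start are fine;
        # this is what lets cameras answer the vendor without being
        # allowed to initiate anything themselves.
        ct state established,related accept
        ct state invalid drop

        # Employees: internal networks plus the Internet.
        iifname $TRUSTED accept

        # Guests: Internet only. Private ranges are dropped explicitly so a
        # guest can never reach servers, printers or cameras, even by IP.
        iifname $GUEST ip daddr $RFC1918 drop
        iifname $GUEST oifname $WAN accept

        # Vendor: RTSP and HTTPS to the camera VLAN, nothing else internal.
        iifname $VENDOR oifname $CAMERAS ip daddr $CAMERA_NET tcp dport { 554, 443 } accept
        iifname $VENDOR ip daddr $RFC1918 drop
        iifname $VENDOR oifname $WAN accept

        # Everything else, including a camera trying to reach out on its own,
        # is logged and dropped.
        log prefix "fwd-drop: " drop
    }
}
```

The point of the two explicit `ip daddr $RFC1918 drop` lines is that a guest or vendor device plugged into the wrong port still lands on its own VLAN, and even a device that guesses an internal address gets nothing back. Test it by plugging a laptop into the guest VLAN and confirming that the file server and printers are unreachable while the Internet works; the `fwd-drop:` log entries show you exactly what a misbehaving device tried to reach.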
To use a more basic analogy, it would obviously be much simpler to just leave all doors in the building unlocked, rather than getting different locks for various doors based on who needs access to what room, but in the end, we know that’s not a great idea because when a bad-actor shows up they can rob you blind… The same is true here.
While this can be a lot of work for the IT folks, the better trained the IT team is, and the more experience they have with malware and ransomware attacks, the more likely they are to push the boss in the C-suite to invest in “zero trust” networks.
The next level of a “zero trust” strategy requires access-control rules that isolate each employee’s access to the servers so that they can only reach what they need to be effective in their job. For example, the dental assistant who needs access to all patient files probably does not need access to the accounts receivable data stored on the server, while, on the other hand, the financial controller probably does not need access to patients’ health information. IT engineers can’t build compartmentalization into office systems without a solid understanding of each job description. There is a lot of human effort and configuration effort required.
Then, the next layer of complexity is devices and mobility. Imagine overlaying all of the “zero trust” protocols with all of the different ways that employees need to access information in hybrid working environments.
The overall and “ideal” goal is that when malware gets onto any device that touches the company’s IT systems, that malware can never travel any further than where that specific device is allowed to go itself, thus protecting the overall organization.
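That goal can be checked rather than hoped for. The following is an added example (not code from the original post): it models the allow rules between network zones as a graph and computes the “blast radius” of a device in each zone, i.e. every zone malware on that device could reach if it kept hopping through whatever each zone it lands in is allowed to initiate. The zone names and both policies (a flat network where everything reaches everything, and a segmented one) are constructed for illustration.

```python
"""Blast-radius check for a zone-to-zone allow policy.

Added example, not from the original post. Zone names and rules are
assumptions that mirror a small office: trusted employees, guests, a
camera vendor, the camera VLAN, servers, printers and the Internet.
"""
from collections import deque

# Each rule is (source zone, destination zone) allowed to *initiate* a
# connection. Return traffic for an established flow is not a rule: a
# compromised camera can answer the vendor, but cannot open a session to it.
SEGMENTED_POLICY = [
    ("trusted", "servers"),
    ("trusted", "printers"),
    ("trusted", "cameras"),
    ("trusted", "internet"),
    ("guest", "internet"),
    ("vendor", "cameras"),
    ("vendor", "internet"),
]

# The "we bought a firewall and called it done" network: one broadcast
# domain, so every zone can initiate to every other zone.
ZONES = ["trusted", "guest", "vendor", "cameras", "servers", "printers", "internet"]
FLAT_POLICY = [(a, b) for a in ZONES for b in ZONES if a != b]


def blast_radius(policy, start):
    """Zones that malware on a device in `start` could reach, transitively.

    Transitive matters: a foothold in zone B lets the attacker initiate
    from B under B's own allow rules, so the question is not "what can the
    guest zone reach" but "what can anything the guest zone reaches, reach".
    """
    allowed = {}
    for src, dst in policy:
        allowed.setdefault(src, set()).add(dst)
    seen = {start}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in allowed.get(zone, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def contained(policy, start, allowed_zones):
    """True if a compromise in `start` stays inside `allowed_zones`."""
    return blast_radius(policy, start) <= set(allowed_zones) | {start}


if __name__ == "__main__":
    for zone in ("guest", "vendor", "trusted"):
        print(f"{zone:8s} flat:      {sorted(blast_radius(FLAT_POLICY, zone))}")
        print(f"{zone:8s} segmented: {sorted(blast_radius(SEGMENTED_POLICY, zone))}")
```

Run against the segmented policy, a compromised guest laptop reaches only the Internet, and the camera vendor reaches the cameras and the Internet; against the flat policy, any device reaches everything. The uncomfortable result is the trusted zone, which reaches every internal network in both policies, which is exactly why the next layer has to narrow what each employee device and account is allowed to initiate rather than trusting the whole employee network as one blob.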
Most organizations are a long way from implementing true “zero trust” systems because, let’s be honest here, it is a real pain-in-the-ass to perfect the system. But way too many organizations are not even trying. They purchased a firewall, they did some employee training, they back up data to the cloud, and they feel like they are good to go.
So, what’s the answer? Start trying today. Corporate management needs to start building these systems into their thinking, because data accessibility isn’t going away, and we are continuously putting more sensitive information into these networks and allowing employees to access it in more complex and remote ways. Listen carefully to your IT partner, if you have one, and in turn, the IT partner has to be pragmatic about how to right-size the goal of “zero trust” for each client’s situation.
Together, we work as a team in the pursuit of excellence but we don’t let “perfect” become the enemy of always improving and doing better.
The old proverb really does contain a lot of wisdom. Office operations are inherently a very complex and human endeavor. The company succeeds because a whole lot of good people trust each other. But, in a world where malware and ransomware loom over the company’s ability to function, we need to verify every human activity that touches our IT systems.