Don’t Trust; Verify

September 4, 2022

A Historical Analogy and Context for Why Relies on A Zero Trust Approach to Cybersecurity

The internet has been a boon for the average person. Unlimited access to information, the ability to communicate and share instantaneously across the globe, and a literal world of opportunities for work. It has also been a golden age of opportunities for business. The same open access the public now relies on allows business to reach more people than ever.

The problem starts when we examine the nefarious side of human nature. No matter how beneficial or secure of a system you put in place, there’s a group out there that will inevitably exploit it for all it’s worth. The most valuable commodity in a connected world is data. Data is the life blood of organizations. Decisions are driven by data, sales are made with data, secrets are contained in data.

The Heist; Sans Money Bag

In the past when we heard about a heist we could conjure up images of masked individuals tunneling into a vault and emerging with sacks filled with sweet sweet money and gold. There was an arms race for a time. The heist would get more complex and the establishment would build a better vault. From the times of kings and castles there has been a cat and mouse game between those seeking to “liberate” wealth and those seeking to protect it.

When you analyze a modern physical security system you see a trend of constant identity and authorization checks. You need passcodes, id badges, biometrics, timed locks, etc. Well, at least if movies have taught us anything. Whether or not this rings true, we’re at least discouraged from robbing fort knox at this point.

When it comes to cyber security, organizations have traditionally looked to the medieval castle for inspiration. The firewall traditionally separates the “secure” from the “not-secure”. Much like a castle wall, the traditional assumption is everything within the wall is trusted and safe and everything over the wall just sailed over the channel and is waiting to attack. When business was conducted from an office with IT having control of the entire environment this was fine, but now we’re increasingly working from home, outside the highly controlled inner perimeter.

Walling In The World

In the past IT professionals have created VPN tunnels to allow safe passage over the wall for external users. This makes several assumptions about security. For one, the devices using the VPN must be assumed to be secured, traditionally this is a work provided device highly locked down. Secondly, the device must be following policy to the letter. Third, the user of the device must be the expected user.

So we’ve made a walled-in world where we assume everyone inside the wall is friendly and who they say they are. But can we afford the assumptions we’re making? 37 billion records containing sensitive user data were leaked in 2020. This is an absolutely astonishing volume of sensitive information being lifted in a single year causing extreme financial ramifications for the people and organizations finding themselves to be victims of these data breaches.

This highlights the problems with security based on assumption. The old adage proves true, assumptions make us look foolish. Paraphrasing aside, it’s true – security needs to rely less on implicit trust.

You Are The Wall

So we’ve covered why the us and them of the firewall is muddled and increasingly foolish, but what’s the alternative? It has been established that the growing prevalence of computing on the cloud and working remotely introduces a multitude of problems, but it also presents us with solutions. Seemingly counter-intuitively, constant exposure to the world wide web allows us to verify your identity at every stage of access.

Instead of your device being implicitly trusted for being on the corporate network, we now have methods of having devices or device profiles be wholly managed through cloud device management. Should the device not be recognized by the device management suite, it shall not be granted access to any sensitive resources. The device can also be restricted to certain assets based upon group or individual device privileges.

In addition to device level security, we also have increased user-level authentication. Users are prompted to sign in via SSO, single-sign-on, that manages their password authentication as well as secondary (two factor) authentication methods. The beauty of SSO is it allows users to be easily tied to group authentication. Assets and information can then be tied to groups so users will only ever see what is relevant to them and never be given blanket access to sensitive information.

Finally, everything is tied together with access proxies. Placing all sensitive information and applications behind an access proxy ensures that no matter what network your users are accessing the application from, all policies are enforced. This allows your users to be checked for device privileges, user privileges, even network privileges. At no point is anything implicitly trusted.

So Why Is The Meeting AI Assistant Talking About Zero Trust?

So you might be asking yourself, “why the cyber security lesson bluecap?” Besides being firm believers in user privacy and data security, we implement all of these best practices into our cloud environments. Your data is never handled with implicit trust, we never make assumptions in our security practices in order to keep our applications secure. With all the challenges you face day to day, worrying about the contents of your meetings should not be one of them! Bluecap™ takes the extra steps to meet HIPAA and PHI compliance, uses breakthrough confidential computing technologies to encrypt data while processing so your teams can collaborate on the cloud without compromise.