Monday, March 5, 2018

Trust is blind and dangerous

When trust is on the table, the world divides in two. One side will say that, as human beings, we are trusting by nature: it is in our genes as social animals and in the needs of our society. The other side will say that human beings are distrustful by nature.

This division will probably persist, but, as the news keeps showing, the cybersecurity world cannot afford to be trusting. At CIGTR we want to focus on an interview that TechRepublic and ZDNet conducted with Bill Mann, product director at Centrify. In it, Mann explains why companies should operate on a zero trust basis if they want to be protected against cyberattacks.

Given how important trust is in any kind of relationship, personal or professional, it sounds strange that a cybersecurity professional like Bill Mann should come to talk to us about a zero trust model. Mann argues that this tendency to trust too much has led us to security models that no longer help us: “We used to trust that the firewall was going to keep the bad guys out, but the reality is that the bad guys are already in our environment. Also, the reality is that we've got a lot of mobile workers and outsourced IT and we're using SaaS and infrastructure as a service, so a danger is also not residing within the walls that the firewalls were previously protecting.”

Mann’s reading of today’s model is not about abandoning trust but about ceasing to trust implicitly and starting to trust explicitly. He explains it with an example: “When you're at home and you're sleeping in bed, you inherently trust your environment because the front door's locked, the windows are locked, and so forth. But just imagine now that the windows were open and the doors were open. How would you think about security at home? And I'd like to think that we'd probably put a lock on our bedroom door, right? And that's kind of the mindset that the IT professional has to think about now as well.”

Although the model Mann presents is easy to understand, it is hard to imagine large companies changing the security policies they have worked with for years. To show how approachable this change is, Mann lays out the key components of the zero trust model and how it works: “The first component of zero trust is knowing the user, really understanding who the user is in your environment. And as you know, we typically understand users today by their username and password, which is a really primitive way of understanding who a user is.”

Once the user is known, the second element is to know the device that user is using to connect to the network: “Let's make sure it hasn't got any kind of vulnerabilities on it. If you're using a Windows machine, let's make sure it hasn't got a virus on it. So fundamentally it's about making sure that the endpoint that's used to connect into your environment has got a certain amount of security posture, and it's worthy within the environment.”

Once we know who the user is and which device they are using, a third element is needed: limiting the access and privileges that users have over resources. “So if Bill's a salesperson and he's just a salesperson, that he's not a regional manager, he should not be able to see everything within Salesforce. Similarly, if Jane is an IT developer and she only has scope to do management for Oracle, she should only be able to do management for Oracle. She should not be able to log into a root account and make other changes and so forth.”
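As an added illustration (not code from the interview, from Centrify, or from CIGTR), here is a small policy check that applies Mann’s three components in order: verify the user beyond a password, check the device’s posture, then allow only what the role is scoped to. The roles, resources and the POLICY table are hypothetical, constructed to mirror the Bill and Jane examples above.

```python
from dataclasses import dataclass

# Constructed example of Mann's three zero-trust checks. Every request
# must pass all three; nothing is trusted because of its network location.

@dataclass(frozen=True)
class User:
    name: str
    role: str
    mfa_verified: bool  # password alone is "primitive"; require a second factor

@dataclass(frozen=True)
class Device:
    patched: bool          # no known unpatched vulnerabilities on the endpoint
    antivirus_clean: bool  # endpoint scan shows no infection

# Hypothetical role -> resource -> permitted actions table (not Centrify's).
POLICY = {
    "salesperson": {"salesforce": {"read_own_accounts"}},
    "regional_manager": {"salesforce": {"read_own_accounts", "read_region"}},
    "oracle_admin": {"oracle": {"manage"}},
}

def evaluate(user: User, device: Device, resource: str, action: str):
    """Return (allowed, reason) for one access request."""
    # 1. Know the user: identity must be strongly verified.
    if not user.mfa_verified:
        return False, "user identity not strongly verified"
    # 2. Know the device: the endpoint must meet the posture bar.
    if not (device.patched and device.antivirus_clean):
        return False, "device posture insufficient"
    # 3. Limit privilege: only actions granted to this role on this resource.
    allowed = POLICY.get(user.role, {}).get(resource, set())
    if action not in allowed:
        return False, f"role '{user.role}' may not '{action}' on '{resource}'"
    return True, "allowed"

if __name__ == "__main__":
    bill = User("Bill", "salesperson", mfa_verified=True)
    jane = User("Jane", "oracle_admin", mfa_verified=True)
    clean, infected = Device(True, True), Device(True, False)
    requests = [(bill, clean, "salesforce", "read_own_accounts"),
                (bill, clean, "salesforce", "read_region"),
                (jane, clean, "oracle", "manage"),
                (jane, clean, "linux_host", "root_login"),
                (jane, infected, "oracle", "manage")]
    for req in requests:
        print(req[0].name, req[2], req[3], "->", evaluate(*req))
```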

Mann’s model involves constant learning and a great deal of adaptation. If the environment is changing, why shouldn’t our security strategies change with it? The zero trust model reaches its goal when you can feel completely safe in your own environment because every element in your network has been analyzed and can therefore be trusted.
