From “Zero Trust” to “Total Trust”


The cybersecurity arms race

Modern work takes place on mobile devices connected to cloud networks, taking it outside the control of traditional security measures and multiplying the number of access points for attackers. As a result, the modern working environment can no longer be governed by the traditional perimeters and boundaries of yesterday. At the same time, new technologies such as artificial intelligence (AI) and machine learning are making bad actors smarter.

There is a cybersecurity arms race and it is becoming increasingly difficult for CISOs to keep up. This is where the concept of zero trust comes in.

The Zero Trust concept

Zero trust is the mindset that an organisation should not automatically trust anything, whether inside or outside its perimeter. It assumes the worst - that everything is compromised - and thus requires anyone and everyone attempting to connect to an organisation's network to be verified. It is a reflection of the unmanaged, post-perimeter computing environment we find ourselves in today.

The challenge for IT and CISOs is to actually establish trust in this “zero trust” world. Previous methods of identifying insider threats must now be supplemented with well thought-out trust models, which in turn must be supported by a dynamic policy framework including multiple security signals to continuously assess who can access corporate data.

From ‘Zero Trust’ to ‘Total Trust’ in three steps

Cybersecurity vendors are cynics by nature. They love to spread fear and tell stories of how enterprises are destined for a “datapocalypse” as data explodes and smart hackers exploit it. But the main reason the “sky is falling” is that companies are forgetting the basics of security hygiene. Changing your mindset on security can go a long way in ensuring corporate data is not compromised. The key is to start by understanding how your employees like to work and then using this as a foundation to build the rest of your security strategy.

Here are three steps towards building trust in a zero-trust working environment:

Step 1: Understand your people

Forget the technology - it’s of paramount importance that before you begin to tinker with tech, you understand the environment in which your employees want to do their work, not the environment in which you want them to work. If not, you will merely be developing trust in an environment no one is actually working in.

For instance, an agent-based insurance company will need to establish trust in an entirely different working environment than a manufacturing company looking to automate its factory processes. In order to fully understand your employees' desired working environment, you must conduct research and engage with employees directly to gauge how they like to work and what environment they require to work efficiently and effectively.

Step 2: Enroll your devices

In the era of modern work, mobile devices are quickly becoming the most prominent devices on which employees choose to consume their business data. This marks a significant switch in the way data is accessed, from browsers to applications. Ultimately, this means that critical business data is now resident on the device.

This means a new perimeter must be defined for the device, one that protects data from seeping between apps, while also protecting the user’s private data. Encryption is essential and you will have to set and enforce the appropriate authentication and security policies. IT departments must have the power to install and delete apps over-the-air, and of course, it is essential that any untrusted devices and apps cannot gain access to business services. What’s the answer? Enrolling devices in a unified endpoint management (UEM) solution, so that IT can both protect the business data resident on the device and enforce context-driven access policies.

Step 3: Get dynamic

The term “zero trust” refers to an assumed reality where there is zero visibility. IT has no insight into the level of trust that truly exists, thus it is safer to assume there should be “zero trust”. But the reality is that trust can be established, though the constantly changing context of mobile and cloud computing means that the level of trust will also constantly change. It’s not really a “zero-trust” world, but rather a “dynamic-trust” world.

Mobile devices will switch between networks, new apps will be downloaded, and configurations will change all the time. IT departments must maintain a level of dynamism to keep up. The key is to establish an automated tiered compliance model that monitors for contextual changes and then automatically takes appropriate actions, such as notifying the user, expanding or blocking access, and provisioning or retiring apps. The appropriate solution is to first define your trust model and the signals that should drive action, and then configure automated tiered compliance in your UEM solution.

Who to trust?

Even after all these steps are complete, the question still remains of who should be trusted, and at what level. There is no one-size-fits-all answer for this, but a helpful analogy for solving this problem is to think of trust as a ladder. As you climb higher up the ladder, the level of trust in the user increases, and along with it the confidence you have in granting them access to data.

In an ideal world, you will have established full trust at the endpoint (OS, device, app, location), full trust in the user, and full trust in the network used to transfer the data. This scenario would mean that users could be granted full access to all confidential company data with a fantastic user experience.

As you move down the trust ladder, additional security measures may be required to ensure the user trying to access data can be trusted. This decision is dynamic. Business needs will change, the apps and modes of accessing data will change, and the level of trust afforded to each individual employee will change. But as long as your trust model is “adaptable by design”, then there is no reason why you can’t establish total trust in what was before a zero-trust environment.
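To make the "dynamic trust" idea from Step 3 and the trust ladder above concrete, here is an added illustration (not MobileIron's code or any UEM product's policy engine) of a tiered compliance evaluator: a set of assumed endpoint, user and network signals is mapped to a rung on the ladder, and every context change is re-evaluated so that access is expanded or reduced automatically. The signal names, rung names and actions are illustrative assumptions.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Context:
    """Security signals a UEM solution might report for one access attempt (assumed names)."""
    device_enrolled: bool   # device is under management
    os_current: bool        # OS is at a patch level the policy accepts
    untrusted_app: bool     # an app outside the allow-list is installed
    user_mfa: bool          # user completed strong authentication
    network_trusted: bool   # corporate Wi-Fi or VPN rather than an open hotspot

# Rungs of the trust ladder, lowest trust first.
LADDER = ["untrusted", "quarantine", "restricted", "standard", "full"]

def trust_tier(ctx: Context) -> Tuple[str, List[str]]:
    """Map the current signals to a rung on the ladder and the automated actions for it."""
    if not ctx.device_enrolled:
        return "untrusted", ["block_access", "prompt_enrollment"]
    if ctx.untrusted_app:
        return "quarantine", ["retire_business_apps", "notify_user", "block_access"]
    if not ctx.os_current:
        return "restricted", ["notify_user", "limit_to_email"]
    if not ctx.user_mfa:
        return "restricted", ["require_mfa"]
    if not ctx.network_trusted:
        return "standard", ["require_vpn", "allow_app_access"]
    return "full", ["allow_app_access", "allow_confidential_data"]

def on_context_change(prev: Context, new: Context) -> Dict[str, object]:
    """Re-evaluate after a contextual change; act only when the rung actually moves."""
    before, _ = trust_tier(prev)
    after, actions = trust_tier(new)
    if before == after:
        direction = "unchanged"
    else:
        direction = "expanded" if LADDER.index(after) > LADDER.index(before) else "reduced"
    return {"from": before, "to": after, "direction": direction,
            "actions": actions if direction != "unchanged" else []}

# Constructed walk-through: a fully trusted device leaves the office network,
# then picks up an app outside the allow-list, then returns to a clean state.
OFFICE = Context(device_enrolled=True, os_current=True, untrusted_app=False,
                 user_mfa=True, network_trusted=True)
HOTSPOT = replace(OFFICE, network_trusted=False)
SIDELOAD = replace(HOTSPOT, untrusted_app=True)

if __name__ == "__main__":
    for a, b in ((OFFICE, HOTSPOT), (HOTSPOT, SIDELOAD), (SIDELOAD, OFFICE)):
        print(on_context_change(a, b))
```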

Ojas Rege, Chief Strategy Officer, MobileIron


Ojas Rege

Ojas Rege is Chief Strategy Officer at MobileIron. He coined the term “Mobile First” on TechCrunch in 2007, one week after the launch of the first iPhone, to represent a new model of personal and business computing. He has over 16 years of working experience.