Blog   |   February 18, 2020

Zero Trust Is All You Can Trust

by Axel Kloth

The only way to be secure on the internet today is to assume that you cannot trust anything, even if you encrypt all your communications. Even if you use accepted authentication methods to verify that the person on the other end of your communication is who you think it is, you cannot trust that the person or device is who you think it is.

With a zero-trust environment you assume that your internet or your VPN was breached. You assume that who you are talking to is not who you think you are talking to. That makes security difficult.

Take, for example, the recent episode between the Crown Prince of Saudi Arabia and Jeff Bezos, CEO of Amazon. The prince sent a video to Bezos through WhatsApp and embedded in the video was a piece of malware that infected Bezos’ phone and started transmitting gigabytes of data for months to a server in Saudi Arabia. Is it possible that the prince did not know this about the video? Possibly, but not likely. Even with a reasonably secure device and the knowledge of where the content came from, Bezos was not secure, and his phone was breached.

Even if you have set up a VPN between your branch office and your headquarters, if somebody unknowingly drags in malware on a USB stick, the malware will make itself at home where it first penetrated the LAN and the computers, and then migrate through the secure tunnel to your headquarters. So just having encryption between two entities and two sites doesn't mean that there isn’t potential for malware coming in.

Ultimately, a zero-trust approach will have you challenge the person sending you content, explaining that you are unsure of the provenance of the sender’s device or content and possibly whether the person on the other side really is whom they say they are. That enables a better model of security than inherent trust.

As I pointed out in my previous post, there are companies with good technology for authentication, but there are still many ways to get around the defenses. Let's say your computer creates a unique ID for you that always represents you and nobody else. If that computer gets stolen and somebody cracks the password, now you have somebody else who is in possession of your unique ID.

A unique ID created by a device that you own is always going to be more vulnerable against theft, misappropriation, spying, and breaches than anything that makes up who you are. Even DNA these days isn't quite secure anymore, because if you get a bone marrow transplant you will have the DNA of the donor.

But if you have a unique ID that is created through means that are not predicated on you schlepping something around with you that can be stolen, then that is always better than something that is created in software on a device that you own that may be subject to theft.

The fact that there are providers of authentication services is better than not having authentication at all, but it isn’t bulletproof.