Musings on Zero Trust

"Tom pressed his forehead against the gritted brick. The cold, like little knife-tipped fingers, cut into the back of his neck. He peered down into the void created by his jacket and turned the ID card over. It looked so real. There was even a hologram, a little eagle perched on one of those leather gloves, the kind you see in Game Of Thrones or something. It made sense. An eagle. Eagle eyed. That’s what they were, right? Finance types, supposed to know everything. Smart types. Bachelor degrees and master’s degrees and all that.

Well, we’ll see how smart they are.

He pushed away from the wall, took a breath, and rounded the corner. The guard barely looked.

It did look real.

And then he was inside. The busyness. The city establishment. Folk in suits huddled around the sofas. Lifts filling, emptying. Bored looking guards behind the front barrier desk.

He went up to the first floor. Walked the corridor. Found an interesting looking briefcase leant against a desk. Picked it up. Another room, an iPhone, latest model. Click, in the briefcase it went. In another office there was a cabinet; In the top draw a few suspended files marked Confidential. In they went. Another room, a laptop. Another, a hard drive labelled ‘backup’. Another…. You get the point."

So what just happened here?

A perimeter happened.

Offices used to be like this. A network, computers and servers inside, protected by a firewall. The aim: keep the baddies outside, the goodies (the trusted folk) inside.

But what happens when a pandemic comes along and your perimeter gets broken into hundreds of little pieces and each staff member takes a piece home?

What happens when you’ve scrambled to make all your protected resources, that were previously only accessible from your place of trust, accessible from anywhere in the world?

You need a new approach. One where you don’t inherently trust any connection to your resources. When you don’t check an ID on entry and then go for a coffee break. One that is always checking, are you who you say you are?

• Is your device one that the company gave you? The one that has been secured?
• Is your anti-virus running?
• Are you logging in from the right country?
• Does your fingerprint match?

You pass that? Great, Mr Zero Trust says. But there’s one more thing I have up my sleeve… You can’t have access to the whole office. Just this one room. If you want to go into another, where our confidential files are, you need to pass this again, plus more. Plus your entire network traffic needs to be inspected and your digital pockets searched on the way out.

This is Zero Trust: your stuff diced up into micro segments, protected by context aware rules that get the whole picture. A place that you don’t protect from breaches, but where you assume a breach has already happened.

And all this needs to happen whilst being transparent to the right user and device. Your staff should not be tied down, but freed to work how and where they want, whilst still keeping their company safe.

At first, zero trust is a culture and mindset shift. That’s why we always start with a consultation period, passing designs back and forth, to get the alchemy, the bespoke collection and exact configuration of the services right. Then we can begin.