In Zero, We Trust
Zero Trust. Used to be how you described your feelings about that ex who cheated on you a few years back, now it's a name for a security model that does what it says on the tin. Zero Trust means we have zero trust in anyone trying to access our organisation's data and systems without them first proving who they are, even for people already inside our network perimeter.
Here I will be attempting to explain the Zero Trust model with a tenuous analogy to nightclub bouncers.
More than MFA
Identity attacks are consistently on the rise, via phishing scams, vishing scams, absolutely bizarre emails like this one I received the other day...
So it's no wonder that our infosec teams are having to tighten security controls around identity and access management. Identity should be a key element of any good security strategy, and I know I mention MFA enough that I should rebrand myself to Emma Faye, but realistically, with attackers becoming increasingly sophisticated in their methods, we're moving to a point where multi-factor needs to mean more than a code sent to your mobile...
With vulnerabilities being exploited on mobile devices, like the Simjacker hacks, users authenticating with their mobile numbers (as a lot of us do) could be open to exploits, with cybercriminals being able to read your text messages, including the MFA codes, and therefore gain access to corporate systems and data.
Your Name's Not Down, You're Not Coming In
So how do we combat the problem? Well, I promised you an analogy...
Let's imagine our security environment is a top nightclub in London, and our security controls are the bouncer, Big Dave. Currently, when a little Scallywag is trying to get into the members-only club to sip champagne with the celebs, the only thing Big Dave asks is the guy's name. Scallywag says the wrong one, Dave comes back with a "your name's not down, you're not coming in".
But if Scallywag says the right name, he's straight in there at the bar, twerking and sipping on a candyfloss mojito.
So we need to help Big Dave get some better control of his guest list, i.e. we need to validate the people coming into our environment with a bit more than a credential that, frankly, can be guessed, hacked, or extracted out of people if you're the right kind of scallywag.
Back to the technology. MFA still has a big part to play in this story, but we need to start pushing ourselves to use biometric authentication over simple text codes or phone calls. Biometrics are much more secure (unless you've got a screen protector on your Galaxy S10, in which case anyone can get into your device) and with the biometric keys now being stored on your device only, it's difficult to hack, i.e. there's no server in the cloud with all of your fingerprints and irises on there, just waiting to be stolen.
For Windows devices, tools like Windows Hello for Business take the headache out of remembering passwords altogether, with Microsoft itself being on the way to being a fully password-less organisation. How great would that be!
You Don't Normally Drive a Dacia, Do You?
So Big Dave is now checking our name is on the door, and asking for a bit of ID. But with this nightclub being for the social elite (sorry, Gemma & Arg, no D-listers here please), he might also want to check what car they've arrived in. If Prince Harry usually turns up to the club in his Bentley, but today he's arrived in a Dacia, Big Dave should probably be asking some questions.
And that's exactly what our Zero Trust model does. I mean it won't actually question you on your car (thankfully, as I drive a Yaris) but it will assess the device you're attempting to authenticate with. If you're usually logging in via Safari from an iPhone XR that's enrolled in Intune but you then try to log in via Firefox from an unenrolled OnePlus, then Azure AD is going to look at this and think hmmm... what's going on here?
To assess whether there's something dodgy going on, or whether it is you and you've just run out of power and borrowed your mate's phone, AAD will also look at additional factors to decide on the risk of the situation. As well as looking at your device and browser, it will also check your location and what it is that you're accessing.
Get Your Coat, Love
So you're in the queue for the club, you've come in a different car to usual, but you're only in the queue because you've left your coat there from the previous time you went. You only need to go to the cloakroom and get it out and then you're off to get a kebab and a milkshake.
Translated... You want to access a resource within your corporate network, but the resource is essentially your data - a file you've created, for example. Big Dave can now make the decision as to the risk associated with letting you in. You've arrived in the wrong car, but you can tell him who you are and your name is definitely on the list, and you only really want to run in and out anyway to get something that's yours. Big Dave can tick off most of his requirements for letting you in the building, BINGO.
So Azure AD runs through Dave's checklist, assigns risk levels to the sign-in session and then makes decisions as to whether you are you. It doesn't trust that just because your name is on the list, you'll be let in. But tick all the boxes, and bingo, you're through. Which should be easy enough if you are you and not some scallywag. Miss some of the requirements, then Dave might ask you to go back and get the car you usually come in (sign in from a compliant device), escort you into the building (require app protection policies) or he might tell you "not tonight, lads" and send you on your way (block access and require you to talk to your IT team).
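To make Dave's checklist concrete, here is a toy model of the risk-based sign-in decision described in the last few sections. It is an added example, not Azure AD's actual scoring or anything from Microsoft: the factors, weights and thresholds are assumptions, and the four outcomes mirror the ones the post lists (allow, get the usual car, escort in, not tonight).

```python
# Toy model of the sign-in risk checklist described above. Constructed for
# illustration: the factors, weights and thresholds are assumptions, not
# Azure AD's real scoring, and the actions mirror the post's examples.
from dataclasses import dataclass


@dataclass
class SignIn:
    user: str
    strong_auth: bool          # passed MFA / biometric ("a bit of ID")
    device_compliant: bool     # enrolled and compliant (the usual car)
    known_browser: bool        # matches the user's usual browser and device
    familiar_location: bool    # location previously seen for this user
    resource: str              # "own_data" or "corporate"


def risk_score(s: SignIn) -> int:
    """Assumed weights: a sign-in from somewhere new counts for more than an
    unusual browser, and fetching your own data (your coat) lowers the stakes."""
    score = 0
    score += 0 if s.device_compliant else 1
    score += 0 if s.known_browser else 1
    score += 0 if s.familiar_location else 2
    score += 1 if s.resource == "corporate" else -1
    return max(score, 0)


def risk_level(score: int) -> str:
    if score <= 1:
        return "low"
    return "medium" if score <= 3 else "high"


def decide(s: SignIn) -> str:
    """Big Dave's decision: identity is checked first, then risk decides the rest."""
    if not s.strong_auth:
        return "require_mfa"                   # prove who you are before anything else
    level = risk_level(risk_score(s))
    if level == "high":
        return "block"                         # "not tonight, lads": talk to IT
    if level == "medium":
        if not s.device_compliant:
            return "require_compliant_device"  # go back and get your usual car
        return "require_app_protection"        # escorted into the building
    return "allow"


if __name__ == "__main__":
    coat = SignIn("harry", True, False, False, True, "own_data")        # mate's phone, own file
    scally = SignIn("harry", True, False, False, False, "corporate")    # new device, place, data
    print(decide(coat), decide(scally))                                 # allow block
```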
If you want to discuss Zero Trust more, or have some recommendations for nice places to drink in London where I won't be accosted by Big Dave on the door, then get in touch!