"Zero trust is a different model and a different approach, it is going to take time for all the practitioners out there to become ultimately familiar with what this looks like from an operations standpoint."
The news that Jeff Bezos had his phone hacked through a video sent to him by the crown prince off Saudi Arabia tells me one thing: it’s time that developers of IoT systems create and enable zero-trust features in their products.
Zero-trust means users assume that all data flowing into their system are coming from questionable sources. Right now, users can create zero-trust practices by blocking texts and phone calls from unknown sources. They can set hard and fast filters sending any emails not currently in their address book to junk mail. But sometimes, those communications are coming from legitimate sources and filtering each piece of data manually is a time-intensive and inefficient process.
Bezos, who received no small amount of calumny because he accepted and ran the video, is a good example. He knows the prince and assumed that whatever was sent to him is benign because of that relationship. Even with the known misdeeds of the royal, relationships engender trust. Most people, even the most wealthy and powerful people trust other wealthy and powerful people, especially if they don’t operate in the same business circle. Even Jared Kushner was told to replace his phone after the Bezos hack because of his relationship with Saudi royalty.
I have a fairly strict zero-trust policy. Whenever a friend shares an attachment in an email or text message, I always ask if they know where the attachment originated. If not, the communique is trashed and deleted. But I also need to be available to potential sources of news, so my email and social media are kept fairly open to allow people to contact me. It’s a pain in the posterior to vet everything but I do. My devices should make that easier.
Hardware-based authentication, as I wrote about in a previous column, is one step forward. The technology exists to authenticate who is sending what. Intrinsic ID puts that right into the hardware but they haven’t achieved a critical mass in the market because security is either a mystery or an afterthought in most system development.
In a February 4 report, Cybersecurity Insiders said that 75 percent of enterprises are planning on implementing a zero-trust access model by the end of 2020, but almost half of cybersecurity professionals have no idea how to do it. This lack of knowledge is more problematic when one realizes that there are approximately 1 million job openings in cybersecurity going unfilled.
So on the corporate level, the decade-old concept of a zero-trust architecture is a given, but the corporate leadership hasn’t realized their knowledge base doesn’t include competent engineers, according to Jeff Pollard, vice president and principal analyst with Forrester Research
“Zero trust is one of those initiatives that is being driven from the top-down perspective,” he said. “Previous models, security architectures — were very practitioner-driven. They were very organic and grew over time. … But because zero-trust is a different model and a different approach, it is going to take time for all the practitioners out there to become ultimately familiar with what this looks like from an operations standpoint.”
Previous models assigned trust if the user was anyone working behind the firewall, but over the past few years, users have moved to the edge of the computing environment through mobile and other IoT devices used remotely. That has destroyed location-based trust.
“The only way to be secure on the internet today is to assume that you cannot trust anything,” said Axel Kloth, CTO of Axiado. “Even if you encrypt all your communications and use accepted authentication methods, you cannot trust that the person or device is who you think it is. You must assume that your internet or your VPN was breached. You assume that who you are talking to is not who you think you are talking to. That makes security difficult.”
Much of the focus on edge security is looking at the individual device. In a few weeks, I will attend the TechnoSecurity conference in San Diego and ask participants and speakers about the growing vulnerability in IoT. Comments and questions are always welcome and check out the full interviews these columns are based on at Crucial Tech.