When It Comes to Cybersecurity, Trust No One

September 13, 2018 Business Insurance and Risk Management, The Beacon Blog

In a post last March 6 I mentioned the concept of “zero trust” in cybersecurity. A recent online article (https://internalaudit360.com/what-internal-auditors-must-know-about-zero-trust-networking/) explains it in detail. Although it is directed at internal auditors, it should be read by anyone concerned with cybersecurity.

For many years security operated on a “trust but verify” basis: once traffic passed through a firewall or other security control, it was allowed anywhere in the network. As networks became more complicated, this approach became inadequate. Today organizations can have dozens or even hundreds of networks on premises, in the cloud or in virtual environments. Even small companies have officers or employees with personal devices such as smartphones connected to their network, or devices in the Internet of Things that bypass security controls. Modern businesses run on applications and services whose traffic may never leave the network, so controls aimed only at external threats do nothing to inspect it. Finally, threat actors steal valid credentials through various forms of social engineering fraud, so a perimeter control sees what looks like a legitimate user.

The “zero trust” concept was introduced nearly a decade ago by Forrester Research. Its premise is that modern networks are too complex for firewalls and perimeter controls based on trust. All traffic is considered hostile and must be verified by strict authentication on every request, regardless of where it originates. Each component has a unique cryptographic identity, which lets systems determine whether a component is legitimate or malicious. Authorization is configured on a “least privilege access” basis, so only users who need a particular resource can use it.
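As an added illustration, not code from the post or from the article it cites, the following toy policy enforcement point in Python applies the three rules just described: every request must carry a verifiable per-component identity, a request arriving from an “inside” address with no credentials is treated exactly like one from anywhere else, and authorization follows a least-privilege table. Component names, keys and resource names are constructed, and the HMAC stands in for the certificate-based identity a real deployment would use.

```python
import hmac
import hashlib
import time

# Constructed per-component signing keys. Each workload has its own key,
# standing in for the unique cryptographic identity the post describes.
# Real deployments use certificates/mTLS; symmetric keys keep this runnable.
COMPONENT_KEYS = {
    "payroll-app": b"payroll-key-constructed",
    "web-frontend": b"frontend-key-constructed",
}

# Least-privilege policy: each identity may reach only what it needs.
POLICY = {
    "payroll-app": {"hr-database"},
    "web-frontend": {"product-catalog"},
}

MAX_SKEW_SECONDS = 60  # requests older than this are rejected as replays


def sign_request(component, resource, timestamp):
    """Tag a component attaches to a request, binding identity to the request."""
    msg = f"{component}|{resource}|{timestamp}".encode()
    return hmac.new(COMPONENT_KEYS[component], msg, hashlib.sha256).hexdigest()


def authorize(request, now=None):
    """Zero-trust decision for one request.

    Identity is verified on every call and then checked against the
    least-privilege policy. The source address (request['src_ip']) is
    deliberately never consulted: being 'inside' the network earns no trust.
    """
    now = time.time() if now is None else now
    component = request.get("component")
    key = COMPONENT_KEYS.get(component)
    if key is None:
        return "deny: unknown identity"
    ts = request.get("timestamp", 0)
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return "deny: stale request"
    expected = sign_request(component, request["resource"], ts)
    if not hmac.compare_digest(expected, request.get("signature", "")):
        return "deny: identity not verified"
    if request["resource"] not in POLICY.get(component, set()):
        return "deny: not permitted by least-privilege policy"
    return "allow"
```

Under the old “trust but verify” model the credential-less request from 10.0.0.5 would have been waved through because of its address; here it is denied like any other unauthenticated request.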

Because compliance with regulations such as GDPR or PCI-DSS is part of normal operations, zero trust is also a means of ensuring compliance.

Implementing zero trust does not require infrastructure changes. Commercial tools are available. It’s up to administrators or service providers to use them.

About the Author

Harry Cylinder

Harry Cylinder, CPCU, ARM has spent nearly fifty years in the insurance industry, the majority of the time as a consultant. He has been employed by The Beacon Group of Companies since 2008, specializing in the review and analysis of property and casualty coverage forms. Mr. Cylinder has been reviewing policy forms as they have evolved over the past decades. In 2008 he published an article in the CPCU Journal which was the first description of cyber insurance coverage for a general insurance audience. Since that time he has regularly written on cyber and other topics for The Beacon Companies’ blog.