ZeroTrust – 1st principle
May 7th, 2019 by Jesper Kråkhede
The first principle of ZeroTrust is to verify everything. It sounds simple, but in reality it affects how you build software, how you authenticate, how you share documents and so on. If we start with the development process, the baseline is that you can never trust any data. You need to verify it: that it conforms to the format you expect, that it comes from a verified source, and that it comes from an account that has the rights to it in the first place. It shouldn't arrive out of context, and it should conform to the flow of data that you expect. In the end, all principles of the Secure Development Lifecycle must be adhered to.
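As an added illustration of the four checks just listed (format, verified source, account rights, expected flow), here is a small request verifier written for this post; it is example code, not anything from the original article. The source names, secrets, accounts, rights table and the `INV-` invoice-id format are all constructed, and the source is verified with an HMAC tag rather than any particular product's mechanism.

```python
import hmac
import hashlib
import json
import re
from typing import Optional, Tuple

# Constructed example data: per-source shared secrets, an account rights table,
# and the permitted order of actions. All names and values are hypothetical.
SOURCE_KEYS = {
    "billing-service": b"constructed-secret-for-billing-service",
}
ACCOUNT_RIGHTS = {
    "alice": {"view_invoice"},
    "bob": {"view_invoice", "void_invoice"},
}
# Expected flow: an action is only valid if it may follow the caller's current state.
ALLOWED_NEXT = {
    None: {"open_session"},
    "open_session": {"view_invoice"},
    "view_invoice": {"view_invoice", "void_invoice"},
}
REQUIRED_FIELDS = {"source": str, "account": str, "action": str, "invoice_id": str}
INVOICE_ID = re.compile(r"INV-[0-9]{6}")


def to_wire(payload: dict) -> str:
    """What the sender actually transmits (plain JSON text)."""
    return json.dumps(payload)


def canonical(payload: dict) -> bytes:
    """Stable byte encoding so sender and verifier sign exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(payload: dict, key: bytes) -> str:
    """HMAC-SHA256 over the canonical payload; the sender attaches this tag."""
    return hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()


def verify_request(raw: str, signature: str, session_state: Optional[str]) -> Tuple[bool, str]:
    """Apply the four checks in order and return (accepted, reason)."""
    # 1. Format: parse, then require exactly the expected fields, types and shape.
    try:
        payload = json.loads(raw)
    except json.JSONDecodeError:
        return False, "malformed json"
    if not isinstance(payload, dict) or set(payload) != set(REQUIRED_FIELDS):
        return False, "unexpected field set"
    for name, typ in REQUIRED_FIELDS.items():
        if not isinstance(payload[name], typ):
            return False, f"bad type for {name}"
    if not INVOICE_ID.fullmatch(payload["invoice_id"]):
        return False, "bad invoice_id format"
    # 2. Source: only a holder of the named source's key can produce a matching tag,
    #    and the tag covers the account field, so the source vouches for it too.
    key = SOURCE_KEYS.get(payload["source"])
    if key is None:
        return False, "unknown source"
    if not hmac.compare_digest(sign(payload, key), signature):
        return False, "bad signature"
    # 3. Rights: the named account must hold the right for this action.
    if payload["action"] not in ACCOUNT_RIGHTS.get(payload["account"], set()):
        return False, "account lacks right"
    # 4. Context: the action must fit the expected flow from the current state.
    if payload["action"] not in ALLOWED_NEXT.get(session_state, set()):
        return False, "out of expected flow"
    return True, "ok"


if __name__ == "__main__":
    request = {"source": "billing-service", "account": "bob",
               "action": "void_invoice", "invoice_id": "INV-000123"}
    tag = sign(request, SOURCE_KEYS["billing-service"])
    print(verify_request(to_wire(request), tag, "view_invoice"))
```

The order matters: format and source are checked before the rights table or the flow state is consulted, so unauthenticated input never reaches the later, more expensive decisions, and the rejection reason tells the caller which of the four checks failed without revealing anything about other accounts.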
When it comes to document sharing, or data sharing in general, there are no safe repositories anymore. Every object needs to be protected on an individual basis. I generally refer to this as the fourth-level firewall, mostly as a joke. The first-level firewall was the physical wall: you needed physical access to the computer to access the information. The second-level firewall was the network firewall, so you needed access to the network to access the information. The third-level firewall was the device firewall, where you needed access to the application to be able to access the information on the device. The fourth-level firewall is encryption: you need to have the right credentials to access the information.
The third part of the principle is the authentication system. ZeroTrust implements an identity boundary, hence the identity system becomes key to a ZeroTrust implementation. The identity system needs to be trusted and must have the capability to verify the identity. The identity needs to consist of as many verifiable components as your security policy requires.