Why Zero Trust is Needed in the Real World Too
Zero Trust is one of the hot trends in cyber security these days. Just a few years ago it was perceived as a somewhat academic approach focused on “microsegmentation” and then on multi-factor authentication. Now, it’s seen more generally as a set of guiding principles that require explicit permission for all access to and usage of digital resources. In short, it’s simply the right way to do cybersecurity.
But the need for Zero Trust doesn’t stop at the cyber edge. With so many processes in our daily lives becoming digitized, how that information is controlled has direct, real-world impact.
A real-world example of why Zero Trust matters
I was driving to the pharmacy to pick up a prescription that a doctor had just sent in. Within minutes, I got a text message from the pharmacy telling me it was “too soon” and they wouldn’t be filling the prescription for another two months. So, I called the pharmacist to check. She looked up my records and said, “Your insurance company says the prescription was filled on December 25th at [a different chain of pharmacies], so you’ll have to wait.” Umm, nope. “I just got the prescription; before this I hadn’t seen a doctor in two years; and I certainly didn’t go on Christmas Day to any pharmacy, let alone a different chain.”
Fortunately, an hour on the phone with the insurance company got things straightened out. But how it happened illustrated the very issues that Zero Trust is intended to counter.
A month before (on Christmas Day), somebody with the same birthday as me needed to fill or refill a prescription for the same relatively common medicine. So, he went to a pharmacy that coincidentally was about 30 miles from my house. It turns out that he had the same health insurance carrier as me and had a name that was similar to mine (it’s a common set of sounds).
In the US, most pharmacies now use your date of birth as the primary identifier when looking you up. They then ask your name and use that to select from the list of people with that birthday. Sometimes, they’ll ask if you still have whatever insurance carrier is listed in their records. But in this case, it was Christmas, the person was probably in a rush, and the clerk didn’t listen closely to the name or take note that there were multiple people with similar names. Oops.
Looking at the situation from a security perspective
From a security perspective, several things went wrong. The primary identifier (date of birth) the pharmacy used is not unique. They didn’t do an exact match on the secondary identifier (given and family names), which also is not unique. Nor is the name of the insurance carrier. They don’t usually check the one thing that is unique: your insurance ID number. This is probably because it would slow down processing—something that would be an extra annoyance for customers. But skipping that step also means anybody who has been authenticated using the non-unique attributes is implicitly ‘trusted’ to have access to resources (medicine in this case) they shouldn’t have.
That’s what Zero Trust helps fix: making sure that people have explicit permission at every step in the process. People used to think the convenience (to the user and to the security teams) outweighed the potential risk. But, as we’re all so keenly aware, we live in a different world now, and old assumptions no longer apply. Neither do old security approaches. Fortunately, new ways of doing security, such as Secure Access Service Edge (SASE), are rapidly gaining traction and provide a way to deliver Zero Trust as a service (ZTaaS). But that’s a topic for another day.
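To make the lookup failure concrete, here is an added example (not code from any pharmacy system) that contrasts the implicit-trust lookup described above with one that requires the unique insurance ID. The record layout, names, IDs and the 0.8 similarity threshold are all assumptions made for illustration.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher

@dataclass(frozen=True)
class Patient:
    name: str
    dob: str        # ISO date; shared by many people
    carrier: str    # shared by many people
    member_id: str  # the only unique attribute

# Constructed sample records (all names and IDs are made up).
RECORDS = [
    Patient("Jon Andersen", "1975-03-14", "Acme Health", "AH-1001"),
    Patient("John Anderson", "1975-03-14", "Acme Health", "AH-2002"),
    Patient("Maria Lopez", "1975-03-14", "Other Mutual", "OM-3003"),
]

def similar(a, b):
    """Rough stand-in for a clerk hearing a name: 0.0 (different) to 1.0 (same)."""
    return SequenceMatcher(None, a.casefold(), b.casefold()).ratio()

def candidates(dob, spoken_name, threshold=0.8):
    """Every record the weak flow would accept for this birthday and name."""
    return [p for p in RECORDS
            if p.dob == dob and similar(p.name, spoken_name) >= threshold]

def lookup_implicit(dob, spoken_name):
    """Weak flow: birthday plus a close-enough name; first hit wins."""
    found = candidates(dob, spoken_name)
    return found[0] if found else None

def lookup_explicit(dob, spoken_name, member_id):
    """Explicit flow: the unique ID selects the record; the rest must agree exactly."""
    matches = [p for p in RECORDS if p.member_id == member_id]
    if len(matches) != 1:
        return None
    p = matches[0]
    if p.dob != dob or p.name.casefold() != spoken_name.casefold():
        return None
    return p

if __name__ == "__main__":
    print(lookup_implicit("1975-03-14", "John Anderson"))             # wrong person
    print(lookup_explicit("1975-03-14", "John Anderson", "AH-2002"))  # right person
```

With two similar names on the same birthday, the weak flow returns whichever record happens to be listed first, while the explicit flow either returns the single record that matches the ID or refuses.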
For those who want to dig a bit deeper, here's a video where Petko Stoyanov, our CTO, Global Governments, Forcepoint, explains how identity controls fit into an adaptive Zero Trust architecture.