Verify before you trust. In a world bombarded by phishing, pharming, deep fakes and frauds, you simply cannot trust everything you see on the internet, everyone who calls you on the phone or every device you connect to. The societal impact of zero trust will see individuals not trusting anything before it is verified as a reliable, trustworthy source.
Recently, I sat down with Ascertia’s CPO Mike Hathaway to discuss the importance of trust in the digital age, how it impacts society and remote working and the future of zero trust. This blog breaks down the topics we discussed and offers tips on implementing zero trust strategies in your business.
Why is zero trust important?
For the last several years, disinformation and fraudsters have been rife on the internet. You simply cannot trust anything you see or hear digitally without personally verifying that the source is authentic. With most of the world’s population consuming their news online or through social media, this is frightening.
Even more terrifying is that this unreliable information shapes the world’s politics and economic environment. It directly impacts the world around us – even if we are of the minority who do not believe the bot bombardment of fake news.
For example, according to the National Centre for Biotechnology Information, there were over 10,000 bots contributing to the debate during the Brexit campaign. These bots ran a campaign of disinformation that unwitting voters fell for. The disinformation campaign relied on producing mass amounts of incorrect information. For voters researching on the internet and through social media, seeing this disinformation over and over led them to believe it was true.
You may see the same messages multiple times, see videos of spokespeople or organisations you trust or read an article you believe to be true. Before you place your faith in information, verify its validity by ensuring the URL is correct and that it comes from a trusted source – for example, a government website or trusted institution.
Zero trust would mean verifying any information you consume before believing its authenticity. While we have discussed an example of how easy it is to be duped online through disinformation or bot campaigns, it isn’t just about social media. It is also about understanding and validating the identity of people, businesses and devices you connect with.
How can we make the digital age a safer place for society?
While some verification comes down to the consumer, there are many things that organisations can do to ensure the people, businesses and devices they connect with are authentic. There are many ways organisations can introduce zero trust strategies.
Tangible zero trust mechanisms
You can usually see where information claims to come from, but a convincing fake can leave you unable to tell whether it is real. A zero trust mechanism, such as a digital signature on an email or document, is a tangible indicator of trust that you can check.
Businesses need to have an “everything is not trustworthy unless it has been checked” mentality. Introducing cryptography-based digital signatures and technology that verifies the identity of individuals, businesses and devices will be critical as the digital era matures and cybercrime gets smarter.
Digital identities are a big part of shaping a zero trust future. They are linked with biographical information that identifies who a person is, including first name, last name, email address, serial number, etc. They are issued by a trusted authority, such as an organisation, a government, or a Trust Service Provider (TSP) running an issuing Certificate Authority (CA).
Digital identities align with how we have verified identities in the physical world for decades. Take, for instance, applying for a driver's licence or bank account. You cannot just walk into a bank and open an account without first verifying who you are. The same goes for digital trust.
Big data and zero trust at a code level
Don’t just rely on your organisation’s server or devices to identify malicious content or behaviour. Have a zero trust concept down to the code or data level. Ask yourself:
- Who is it?
- Can I verify the information or data cryptographically?
- Has the payload been changed?
- Can I verify the digital signature to make sure it has not been tampered with or altered in any way?
These fundamental concepts will serve as the shield for our internet-based electronic systems. This is especially true when devices or systems outnumber their human users by many thousands to one.
Zero trust begins at the start of the supply chain of these devices. Manufacturers can embed a unique cryptographic credential into the device. This, along with secure software manufacturing, gives businesses out-of-the-box mechanisms to trust a device before connecting it to the corporate network.
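The four questions above, applied to a message from a device whose public key is already enrolled, shown as an added Go example that is not Ascertia's code. The `TrustStore`, the `Message` envelope and the `sensor-01` name are illustrative assumptions, and Ed25519 stands in for whichever signature scheme is actually deployed.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

var ErrUnknownSender = errors.New("sender has no enrolled key")
var ErrBadSignature = errors.New("signature does not match sender and payload")

// Message is an illustrative envelope: claimed sender, payload, signature.
type Message struct{ Sender string; Payload, Signature []byte }

// TrustStore (hypothetical) maps an identity to its enrolled public key.
type TrustStore map[string]ed25519.PublicKey

// Enrol records a new public key for name and returns the private half.
func (ts TrustStore) Enrol(name string) ed25519.PrivateKey {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	ts[name] = pub
	return priv
}

// signedBytes binds the sender's name to the payload being signed.
func signedBytes(sender string, payload []byte) []byte {
	return append([]byte(fmt.Sprintf("%d:%s:", len(sender), sender)), payload...)
}

func Sign(priv ed25519.PrivateKey, sender string, payload []byte) Message {
	return Message{sender, payload, ed25519.Sign(priv, signedBytes(sender, payload))}
}

// Verify releases the payload only for an enrolled sender and intact bytes.
func (ts TrustStore) Verify(m Message) ([]byte, error) {
	pub, ok := ts[m.Sender] // Who is it?
	if !ok {
		return nil, ErrUnknownSender
	}
	if !ed25519.Verify(pub, signedBytes(m.Sender, m.Payload), m.Signature) {
		return nil, ErrBadSignature // payload or sender name was changed
	}
	return m.Payload, nil
}

func main() {
	ts := TrustStore{} // constructed sample: one device, one reading
	_, err := ts.Verify(Sign(ts.Enrol("sensor-01"), "sensor-01", []byte(`{"temp":21}`)))
	fmt.Println("verification error:", err)
}
```

Because the sender's name is part of the signed bytes, a valid signature lifted from one device fails verification when presented under another enrolled identity.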
Zero trust’s impact on data privacy
From implementing the General Data Protection Regulation to other data privacy laws worldwide, there is a keen government focus on protecting sensitive citizen data. This is the beauty of zero trust. When something impacts us directly, for example, the leak of our personal data, we are more interested in protecting it.
The approach we take with data privacy is the same with zero trust. We ask ourselves:
- Can I authenticate the identity of the owner of the data?
- Have they agreed to share their data with me?
- Have they agreed to have their data processed?
To answer these questions, you need to be able to confidently verify the authenticity and integrity of the data. Having someone use an electronic or, preferably, a cryptographic digital signature is the ideal way to ensure the data’s integrity. It also provides you with a record of the transaction should you need to reference it later.
For a consumer, it works in the opposite direction. You need to ensure you only give your personal information to a legitimate organisation. This ensures your data does not fall into the hands of a cybercriminal.
Distributed workforces, remote working and zero trust
Since the pandemic, we have seen a drastic increase in remote working. While it has fundamental benefits of flexibility, higher productivity and better work/life balances, it does present unique digital trust challenges for organisations.
Before the influx of remote working, organisational security typically remained within the confines of its physical space. Remote working changed that. Organisations can no longer rely on on-premise security measures to protect their infrastructure and data.
Good governance means replacing or adding mechanisms that extend security beyond the confines of your physical business space, for example digital signatures in forms and transactions and two-factor user authentication for business applications. These give us tangible indicators of trust that businesses can operate safely and securely.
This type of zero trust architecture is sustainable and supports the social benefits of hybrid and remote working. It means fewer emissions from office commutes and happier, healthier employees who have a healthy work-life balance and the flexibility to spend more time with their families.
Implement a zero trust security model with Ascertia
Ascertia’s offices are in London, but we have employees based all over the globe. We understand the importance of zero trust and secure business transactions, but also embrace remote and hybrid working.
Get in touch to discuss your business’s security goals, and how implementing a zero trust approach can help your business move forward in the digital era.