The Zero Trust model is the evolution of our security systems. The original
Zero Trust Model of Cybersecurity was developed in 2010 by Forrester. Its
intended outcome is to give access to a system or a network only to trusted
individuals. Who and what you trust is key to your security, privacy and
anonymity: the less you trust, the lower the risk. You have to minimize the
number of things that you trust, including yourself. The principle applies to
everything: trust nothing and no one. Instead, evaluate trust and distribute
it.
TO PROTECT OUR ASSETS
- We have to make choices about trust.
- We have to select:
  - Software
  - Operating systems
  - Storage devices
  - Password managers
  - Internet service providers
  - What to download
  - Even the people we trust to protect our assets.
- Everything will present some level of risk.
- Evaluate instead of TRUSTING.
IT CAN BE MITIGATED BY DISTRIBUTING THE TRUST
EXAMPLE
Here is the scenario: suppose you want to store files online. You therefore
need to choose a service provider such as Google, Dropbox or OneDrive. They
are popular, and may therefore be safe, but you should not trust them:
- You should not trust that they won't view your files.
- You should not trust that they will not lose or change your files.
So you have to make a risk-based choice grounded in zero trust. A while ago
there was a bug in Google Photos which sent some users' photos to other users.
Ask yourself how important it is that the files remain private, unchanged and
always available. If it is important and you still choose to back them up
online, take the following steps.
Encrypt the files yourself, or use a service that encrypts them. Make sure the
encryption is client-side, with a decryption key that only you hold. This way
you have distributed the trust between the backup provider and yourself, via
the encryption. Look for services that have a zero-knowledge policy.
Zero-knowledge means the provider literally has zero knowledge of what it is
hosting for its clients. It therefore goes some way towards providing a system
that you do not need to trust very much for confidentiality and privacy. If
your files are extremely sensitive, trusting a claim of zero knowledge is still
questionable, because the provider controls the application and could change
or recode it at any time.
IF IT IS IMPORTANT, ALWAYS ADD AN EXTRA LAYER OF ENCRYPTION
The application you run could also contain a hidden backdoor or malware, so
you may choose to run it in an isolated virtual machine that stops it from
communicating. Instead of trusting it, you evaluate and mitigate the risk, or
you might adopt a different application entirely and go with a free and
open-source one.
We hope this helps. If you have any suggestions or doubts, add a comment and
we will reply as soon as possible.