The Zero Trust Model

The Zero Trust Model is the next step in the evolution of our security systems. The original Zero Trust Model of cybersecurity was developed in 2010 by Forrester. Its intended outcome is that access to a system or a network is given only to trusted individuals. Who and what you trust is key to your security, privacy, and anonymity: the less you trust, the lower the risk. You have to minimize the number of things that you trust, including yourself. This should be applied to everything: trust nothing, trust no one. Evaluate, and distribute the trust.


TO PROTECT OUR ASSETS

  • We have to make choices about trust.
  • We have to select:
    • Software
    • Operating systems
    • Storage devices
    • Password managers
    • Internet service provider
    • What to download
    • Even the people that we trust to protect our assets.
  • Everything will present a level of risk.
  • Evaluate instead of TRUSTING.

IT CAN BE MITIGATED BY DISTRIBUTING THE TRUST

EXAMPLE

So here is the scenario: suppose you want to store files online. Therefore, you need to choose a service provider like Google, Dropbox, OneDrive, etc. They are popular and therefore may be safe, but you should not trust them.

  • You should not trust that they won't view your files.
  • You should not trust that they will not lose or change your files, so you have to make a risk-based choice based on zero trust. A while ago there was a bug in Google Photos which delivered one user's photos to another user.

So ask yourself how important it is that the files remain private, unchanged, and always available. If it is important and you choose to back them up, encrypt the files or use a service that encrypts them. Make sure the encryption is client-side with a decryption key that only you have. This way you have distributed the trust between the backup provider and yourself via encryption. Look for services that have a zero-knowledge policy.

Zero-knowledge is when the provider literally has zero knowledge about what it is hosting for its clients. Therefore, it goes some way towards providing a system that you don't need to trust too much in terms of confidentiality and privacy. If your files are extremely sensitive, then trusting a claim of a zero-knowledge system is still questionable, because the provider could always change something: they could recode the application, since they control it.
IF IT IS IMPORTANT, ALWAYS ADD AN EXTRA LAYER OF ENCRYPTION

Also, the application you run could contain a secret backdoor or malware. So you may choose to run the application in an isolated virtual machine to stop it from being able to communicate with the outside.

Instead of trusting it, you are evaluating or mitigating the risk, or you might adopt a different application entirely and go with a free and open-source one.

We hope this helps. If you have any suggestions or doubts, you can add a comment and we will reply as soon as possible.
