When zero trust really means variable trust
- By Anoushka Deshmukh
- Aug 19, 2019
Talk of the “zero trust” model is increasingly common in security discussions, but many misconceptions exist.
The relatively new practice emphasizes securing the application layer by never trusting users or devices and verifying everything. A common misunderstanding is that zero trust will inconvenience organizations because users will have the least possible amount access to applications and devices, which will slow down processes and reduce efficiency all around.
Beau Houser, chief information security officer for the Small Business Administration, defended the model at FCW’s Aug. 6 Cybersecurity Summit, saying that “the name is a bit misleading; it should be called variable trust.”
The SBA uses zero-trust for its email platforms. Employees is trying to access their email gain increasing levels of trust based on the circumstance. An employee using a recognized device with strong authentication will be able to use email as normal, while a staff member logging in from an unrecognized device will have limited email functionality. Another benefit to this model, is that “we can decide which elements we want to place trust in and then we can build trust based on those elements," Houser said. “You can be as creative in the elements you decide to place trust in.”
Zero trust just “offers the ability to scale that access,” Houser said, and helps agencies balance usability and security.
Anoushka Deshmukh is an intern with Public Sector 360, writing for GCN, FCW and Defense Systems.