Video
Cappuccino Chat - Episode 28 - What is Zero Trust
Published July 5, 2021
About This Video
What is Zero Trust and Why should you care? In this video I go over a basic definition of what Zero Trust is, some ways it is implemented and why you should care.
https://www.southwest-networks.com
https://www.southwest-networks.com/cappchat
Southwest Networks, Inc.
73-700 Dinah Shore Drive, Suite 404
Palm Desert, CA 92211
760-770-5200
Full Transcript
Auto-generated from the video's captions. Minor transcription errors may exist.
Welcome back to another episode of Cappuccino Chat. This time we're talking zero trust and why you should care about it. So, zero trust: what is it, and why should you care?

Let's start with what it is. It's kind of a rehash of the old saying of deny by default, and we've kind of gotten away from that, and I think that's why zero trust is really coming back. And the zero trust mindset, if you will, or framework, however you want to put it, is really going to be a deny by default on steroids. So let me describe. Deny by default, if we go back, is: by default the person or service or program basically is denied to do anything. So think of it as if you hire a new employee, and when they walk in the door you don't just let them in and, you know, let them back to the back and show... you know, you need to identify them, what should they have access to, those kinds of things. So deny by default is: by default everything is not allowed, and then you specifically open up or allow just what they need to complete their job functions or tasks. So if somebody is in accounting, of course they're going to need access to the accounting systems, but they don't necessarily need access to HR unless that's also one of their tasks, or they won't need access to operations and sales because that's not their job. So again, we want to just give them what they want.

Where zero trust kind of goes with this is it takes it a step further and says, okay, so you hired this new employee, what computer or computers are you assigning them? Let's just give them access to those computers and no other computers. On a Windows domain, theoretically you can log on on any computer that you want. So with this zero trust it would be, again: hey, I trust this person to log on on this computer but not on the rest of the computers. Zero trust again takes that even further and says, okay, that person's allowed to log on to that computer, but they can only access these five, six, seven programs. If they try to install, run, do anything of these other programs, it won't allow it, because it is not trusted for that person.

Now, why should you care about this? Well, this is where kind of security is having to go to stay one step ahead of those cyber criminals that are out there. And let's just say you get a link in an email. We've all seen them, a phishing link. Now, we all know most of us won't click on them because you can see that they're poorly written and so on and so forth, but it does happen. It just happened a couple weeks ago to a client of ours, to someone who should have known better, but, you know, they clicked on it and did some stuff anyways. So it does happen. So if something like that does happen and it tries to install something in the back end without the person's knowledge, which a lot of this malware and ransomware, that's what they're doing, they're getting control of your machine by installing some programs or using some different programs against you. So let's just say they're trying to install something. Again, in that zero trust environment, because that zero trust is locked down, whatever that you clicked on, it won't have a chance to activate and actually install because it is not allowed. So that would save you from it.

Also, some programs still require administrative rights, like QuickBooks for instance. QuickBooks really likes to have admin rights, otherwise it can act a little funny or just not work. But we don't want to give normal users administrative rights so that they can do anything, because again, remember, if that person clicks on anything, the program that they clicked on that's trying to install is going to run with their same privilege level. So in other words, they'll have full admin rights to the machine, that malware will have full admin rights to that machine, which is bad. So typically the full payload will be able to be deployed, whereas if they were a lockdown user, yes, it may cause some damage, but it may not release the full payload because they're not an administrator. So it all just depends on the virus, the ransomware, the malware and that kind of thing. So again, in the zero trust method you can actually set up rules so that certain programs that that person is authorized to use can run with elevated privileges. So that will again help you lock down your environment to protect you from these new types of attacks that are coming on.

Something else that's going on is President Biden, in one of his executive orders, has talked about cyber security, has basically mentioned zero trust. Now, zero trust is kind of an insider term to those of us in the IT industry, so it was kind of unique to see that and hear that, that he actually mentioned that. So what that's going to do is he's basically telling the federal government to start implementing these zero trust frameworks, mindset if you will, and to basically mandate it going down. So basically then anyone doing business with the federal government is going to be needing to work on this zero trust framework, if you will, which then means state and local governments, because those all roll up, right? So they go... so that means anybody working for state and local government is gonna have to. So it's eventually gonna start coming down to all of us. I mean, if you're in the heating and air conditioning profession and you have contracts or bids for working on city hall or federal buildings, state buildings within the state government, you are going to eventually be mandated to follow these same rules or they can't do business with you. That's kind of where this CMMC is coming from, on another topic, way off topic, but they are mandating those with federal contracts to do certain things and prove it before they're allowed to do business with them. So a lot of people are rushing to do that. So I see that being pushed down to the rest of us via some of these other executive orders and mandates that are being done from the federal government. It's going to eventually push down.

Now, zero trust is a good thing. We've all kind of gotten lazy over the years with different things, and just practicing better security hygiene is always a good thing. So a lot of these things don't necessarily cost money, if you will. It's going to be time spent and thinking through specifically each employee's job: what is it that they need access to? So again, in that zero trust model, do they need access to get on the internet? Well, depending upon their job, I'm going to say no. Now, does that mean that they need email? Yes. So email is trusted for this person, but getting to the internet necessarily isn't. Now there, most jobs do require some kind of research, getting on the internet, but again, do they need all of the internet or certain pieces of the internet? So this is where this mindset kind of goes. We've talked about some of these pieces before; now they've really kind of put a name to it with this zero trust, and a lot of things fall under that.

So if you have any questions about zero trust, about your overall security... I had someone come to us and say, hey, he tried talking to his current IT provider and asking the question, "Hey, do I have enough security?" and they came back with, "Oh yeah, yeah, you've got... you're good, you've got it all, you've got what you need." It didn't leave a very good taste in the gentleman's mouth, so he reached out, right? So again, there's never enough security, right? But you have to get to a certain level and know what your level of acceptable risk is. One of the best ways that I've heard of so far coming out with this to help reduce our overall cyber risk is this zero trust mindset. So again, please feel free to reach out with any questions. You can always call us at 760-770-5200.