The Human Element of Zero Trust

The Awareness of Malicious and Threat Actors

Security specialists have long known that a single weak link in a chain is all that is needed to bring down a cyberdefense. Sometimes this comes down to an errant line of code in a hastily developed API, inadequate penetration testing, or old, unpatched, exploitable code hidden deep within a legacy system. But more often than not, it is because of the actions of one individual – a single person who clicks on a malware payload within a phishing email, or who allows an individual to physically access a workplace unchallenged, or whose work-from-home office features a Wi-Fi router that was never properly secured.

Awareness of malicious and threat actors has encouraged most organizations to rank cybersecurity ever higher in priority, but in many cases, there remains the belief that data and activities occurring inside the fortress walls are safe by virtue of their being on the inside. This, of course, is erroneous, and has given rise to the Zero Trust model, in which all activities, including those occurring within the security perimeter, are to be held to the same standard of trust, which is zero.

Threat Security

This is a welcome leap forward in cybersecurity and helps dispense with the notion that threat actors only attack their targets directly, when in truth, they are more likely to find a weak entry point and then move laterally across a network. But a Zero Trust protocol is still just a set of rules and procedures, and once again falls prey to human weakness in the form of errors, incompetence and – most ironically of all – trust to allow the system to fail once again.

As such, any security strategy must ensure security specialists follow a pattern of cross training and reverse role playing so all sides of the threat landscape are intimately experienced. Ben Walther is principal security engineer at Atlassian. He recommends a practice where a threat modeling exercise is hosted by one security specialist while another person shadows, and then these roles are reversed the next time the exercise is performed. Reversals can be applied not only to security people, but to developers and engineers, and even end users so that the skill set is thoroughly developed and embraced across the organization.

Because this is a dynamic, human-focused practice, we find that it helps to observe someone and then be observed, and then get feedback,” Walther says. “That’s how you can scale up a very human-oriented, practice-based skill.” He goes on to advocate a reverse-pyramid approach, in which one person teaches a group, whose members teach a larger group, and so on.

The increased use of connected technologies, including Internet of Things and work-from-home scenarios, vastly increases an organization’s attack surface and vulnerability. Dr. Lyron Andrews, CISSP, CCSP, SSCP, agrees. As founder of Profabula, a cybersecurity professional, and a trainer and consultant with a concentration on cloud computing, he stresses the need to “think about how to protect that ubiquity – systemically, not one-on-one – through least privilege, Zero Trust access methodology. The specificity of it should be micro segmentation, Zero Trust development and Zero Trust architecture.”

Andrews highlights the relatively new phenomenon of “zoombombing,” named after the most popular of the online videoconference technologies, in which bad actors easily join meetings thanks to unprotected login data. Once there, they are able to post offensive images, disrupt the meetings and exploit the potential for even worse activity.

Although Zoom and other providers of meeting technologies were quick to fix this security hole, two key factors remain:

  • The average end user trusts the technology to work in the way it is supposed to and is ignorant of every possibility of exploitation; and
  • Bad actors will always go where the ubiquity is. Email and Windows have been the ubiquitous technologies for 20 years. Once new platforms become popular, they too get attacked.

Scott Gordon, CISSP-ISSMP, chief marketing officer for Pulse Secure, states: “A mobile workforce, virtualization dynamics, the adoption of cloud, and multicloud applications with IoT and everything else being introduced to what is now a perimeterless environment means organizations must be much more vigilant on verification and authorization, whether someone’s connecting within the network or outside the network. That’s really what Zero Trust is all about.

Gordon highlights recent developments in access security threats in which malicious actors are pursuing new attack vendors such as imitating known popular applications and even corporate suppliers to obtain credentials. This can be something as simple as a forged invoice for services rendered or products delivered. The difference being, the threat actor has taken the time to learn specifics, such as account numbers, people’s names and even habits, to make the falsified correspondence effectively indistinguishable from the real one.

These activities, he says, are not casual. They are based on careful farming of data that comes from successful infiltration of a network. As opposed to simply stealing a “number” like a credit card number, they steal the relationship, and re-build it into documentation and communication that does not elicit suspicion.

He emphasizes that for Zero Trust to be an effective ally alongside trusting, human end users, “the core principle of verifying everything before granting trust will become even more vital in the months to come.” This will demand greater adoption of techniques such as multifactor authentication and blockchain-based certification.

Trust No One

Zero Trust is exceedingly difficult to establish, in applications as well as in humans. Both are prone to oversights and in the case of humans, emotional overrides. Imagine, for example, how difficult it must be for a junior employee to challenge a stranger who is standing outside the glass doors, pretending to look for their pass card. Common decency, or fear of reprisal, will spur that employee to let the stranger in, on the assumption that they work there.

These are the challenges security specialists including CISSPs must be prepared to face. Zero Trust is not just about technology and code. It is a cultural constant being made even more difficult by the chaos of the COVID-19 pandemic, and it will be up to security specialists to communicate and reinforce awareness and vigilance among humans and machines equally.

For more information, read the Proactive Cybersecurity Beyond COVID-19 white paper.

By Steve Prentice

Bitcoin electricity
Bitcoin Heating? Bitcoin mining or cryptocurrency mining has been widely vilified for it’s environmental impact. Why it does draw a huge amount of energy, more and more of it is coming from renewable sources and ...
Rahul Subramanyam
Fixing AWS: The CloudFix Story A conversation with Rahul Subramanyam. CEO at CloudFix, and CTO at ESW Capital AWS is huge, but it’s not perfect. Because of its size and its approach to innovation there ...
Episode 16: Bigger is not always better: the benefits of working with smaller cloud providers
The benefits of working with smaller cloud providers A conversation with Ryan Pollock, VP Product Marketing and Developer Relationships for - Everyone knows who the big players are in the cloud business. But sometimes, ...
JK Chelladurai
Usage-Based Pricing We are now in an era where many businesses are flipping their business model and shifting from subscription-based pricing to usage-based models, to better cater to the modern ‘pay-as-you-consume’ buyer. So what exactly ...
Dan Teichman
Cloud-Native Communications Historically, Communication Service Providers (CSPs) networks ran on purpose-built hardware. However, in the early 2000s organizations started to update their infrastructure, moving to virtualization. Now, providers are looking to take the next step, ...


  • mint


    Mint allows you to see your entire financial situation all on one screen; credit cards, savings, ISAs. investments, budgets, insurance, everything you can imagine. Mint updates and analyzes your information in real time, making judgements and suggestions on savings accounts and credit offers available. 

  • WeathFront


    Wealthfront helps you invest for the long-term while introducing customizable features that are perfect just for you. They also present several Investment options that suit your interest. Asides from this, the Wealthfront software helps balance your portfolio and minimize taxes across your various investments.

  • MoneyBox


    Moneybox is a very simple little app that helps you to save little by little. Bank level encryption protects your savings and information and the money you save can be invested in several different ways, through cash, global shares, or property shares.

  • Betterment


    Betterment is an online investment service aimed at maximizing investment returns, using a combination of smart automation to help invest excess cash and analyze your entire financial situation and an expert team of financial advisors and investors.