With so many high-profile hacks this year, it's easy to want to throw up your hands and say, "Is there nothing that can be trusted?!" Interestingly, that lament is what is driving the latest approach to cybersecurity -- zero trust. Zero trust is what it sounds like, a security approach centered on the belief that organizations should not automatically trust anything accessing their systems either inside or outside their perimeters. Instead, all people and devices must be verified before access is granted. To the untrained eye, this seems untenable. How, in this day and age, when we depend on digital information and connection to do most anything, can we use a process where we have to constantly verify identity and access permissions? Luckily, the practice of zero trust is more sophisticated than its premise.
Insider Threat has been a recognized attack and vulnerability vector for some time. In fact, one survey found that government IT professionals report that insider threats are at an all-time high. One source of this increase may be the rise in the use of mobile devices to access government systems. The main challenge in securing mobile access is ensuring that the person who owns the device is the one actually using it and the apps that reside on it. The portability and ease with which devices are lost and misplaced complicate security authentication efforts. But there are ways to mitigate this risk.
Agencies have looked to multi-factor identification to confirm the person accessing the system is who they say they are. This process includes combining two or more credentials. Typically this is something a person knows (a password), and something they have (an access card or a fingerprint). A practice growing in popularity as part of multi-factor identification is behavioral analytics (BA). This looks at how users typically interact with an application or device analyzing things like browsing habits, message syntax, even how they hold the device. If the behavior is out of the realm of normal, the system can lock that user out until they prove their identity another way.
Implementing these types of identity tracking and management is, of course, not without issue. The Department of Homeland Security is being challenged to put more procedures and policies in place to ensure its insider threat program doesn't violate employees' Fourth Amendment rights (protection against unreasonable searches and seizure).
There are many events in the coming months that include a deep look at insider threat and identity management to help navigate these security challenges.