
Evolving to a Zero Trust Digital World

Nate Lentz
September 26, 2017

There is an evolving network security approach called a Zero Trust Network that, when abstracted, seems like a way to think about digital interactions.

One definition of a Zero Trust Network is as follows:

Traditional network security relies on a secure perimeter.  Anything inside the perimeter is trusted, and anything outside the perimeter is not.  A zero trust network treats all traffic as untrusted, restricting access to secure business data and sensitive resources as much as possible to reduce the risk and mitigate the damage of breaches.

Zero trust network security operates under the principle “never trust, always verify.”  Users and network traffic are treated as if they’re operating in the open Internet, where a bad actor could be listening in or impersonating a user to gain access.  Network traffic is encrypted to minimize the risk of interception. Attempts to access a sensitive area of the network from another area are screened as if the person (or app) trying to access the network is untrusted.    

Source:   www.virtua.com

Never trust, always verify.  It sounds like a pretty miserable way to go through life.  Many of us live in a “trust but verify” mode in the physical world and in our in-person interactions.  Frankly, it is rare that we have dealings with people who are completely unverified.  You go to a party at a friend’s house and you meet someone new.  Well, your host or someone at the party knows him.  If you want to know more about him, you ask others.  If no one knows him, a red flag goes up.  If we meet an entrepreneur, most often someone in our network knows her or we were likely introduced to her by someone we trust.  That’s business.  Even then, before we give her money, we do a reference check and a background check.  Trust but verify.

In the digital world, we get exposed to so many more people so much more frequently.  Trust is a harder and harder thing to expect.  For example:

  • What percentage of your emails each day come from people and sources you do not know?  How careful are you about which ones you open and which ones you discard immediately?  How many obvious phishing emails do you receive each week?  How often do you get an email that looks to be from a known contact that turns out to be phishing?  How many of these do you miss?
  • How many of the LinkedIn invitations you receive are from people you really know?  Do you only accept the ones from people you know well?  Do you assume that someone who has 10+ common connections to you is a legitimate person to add to your network?  Do you think your connections use a high bar in screening their connections?  Many people accept every invitation they receive.
  • The news is full of reports of Russian manipulation of accounts and news on Facebook, terrorist cells on Twitter, and the creation of fraudulent “trusted personas” on LinkedIn by foreign scammers.

One of our investment theses at Osage Venture Partners relates to zero trust enterprise solutions and the identification of specific enterprise data that requires a higher level of security.  Recent investments include AppBus, a unified endpoint security and management solution that is built on top of a zero trust model architecture, and RiskLens, the leading provider of purpose-built cyber risk quantification solutions that enable business executives to focus security efforts on areas of greatest vulnerability.

Beyond pure security-focused investments, zero trust feels like a concept that will penetrate most digital interactions and will open up a whole new set of business models and business ecosystems.  I think we will see a Zero Trust concept taking hold in a number of different areas.

  • People will require a much tighter screen on emails and will only allow truly verified emails to be received.  New emails will go through a multi-stage verification process.
  • Multi-factor authentication will become the norm and this will continue to evolve.  All of us will find logging into work networks to be more frequent and more time-consuming, and it will increasingly require advanced technologies such as facial recognition or behavioral pattern tracking.
  • People’s networks of relationships in social media will tighten and new distinctions will be created for a small set of truly trusted relationships.  LinkedIn needs to add a new classification of someone as “someone I can vouch for” or “someone I trust and respect.”
  • New technologies will emerge that will create an increased number of walled gardens of constant verification.  We will elect security over web freedom in the next wave of the internet evolution.

We are surrounded and under attack by brilliant criminals who roam freely in our digital world, just waiting for us, or our families, or our co-workers to make a mistake.  If this many criminals came into our neighborhood each day, we would move somewhere else.  Most likely into a gated community.  We are entering the zero trust digital age, and soon all of us will choose to live (personally and in business) in internet gated communities.  It’s an increasingly dangerous world beyond the walls.

At Osage, our investments in AppBus and RiskLens are aligned with this Zero Trust theme.  We expect these may be the tip of the iceberg.
