Authentic.
Authenticate. Authorized.
When you visit a friend’s house and knock on the door, she might check that you are who you purport to be.
Maybe through a peephole in the door, a Ring doorbell, or some such mechanism. Once you’re verified, you’re in.
Website authentication – in theory – works the same way. A username says who you claim to be, and a password is something only you know. You provide them, and the website says “ok, come on in.” What happens next is authorization: it plunks you in your area and keeps you out of other areas. (Yes, multifactor authentication – MFA – adds a second factor, something you have or something you are, on top of the password.)
That’s great if everything’s coded properly.
We assume that online authentication and subsequent actions are guarded and governed. That if Sally logged in, she’s not going to morph into Bob before visiting the next “room,” where Bob has access to remove $10,000…and Sally does not.
We also assume that everyone milling about the connected hallways came in through the same authentication mechanism – the front door and its checks. (If you’re in, we trust you.) Websites and networks, though, can be compromised: a missing check here, out-of-date code there.
If we’re diligent but still following this model, we trust but verify. Okay – you made it through the front door, so mill around this level. But to go up the staircase, you’ve gotta show your ID. Yep, those are the rules. Upstairs is where the labs are.
Even more diligent is where we’re going – zero trust for the electronic representations of people and machines. To do ANYTHING, the user is verified against that specific action, not just against the fact that they logged in earlier. On each step of the hokey pokey. Turn yourself around – each foot movement gets checked! Ideally, anyway.
Obviously the burden of this can’t be on the user; the machine must bear it. Verify, and then trust.
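Here is what the Sally-and-Bob problem and the per-action check look like in code. This is an added example, not code from the original post: a tiny in-memory bank with two versions of a “withdraw” handler. The first trusts the request body to say who is acting, so Sally can claim to be Bob; the second takes the actor from the server-side session and authorizes this specific action on this specific account every time. The session ids, account names and balances are constructed sample data.

```python
"""Per-action authorization, added example (not from the original post)."""

from dataclasses import dataclass, field


class Unauthorized(Exception):
    """Raised when the acting principal may not perform the requested action."""


@dataclass
class Bank:
    # Constructed sample state: server-side sessions, account ownership, balances.
    sessions: dict = field(default_factory=lambda: {"sess-sally": "sally", "sess-bob": "bob"})
    owners: dict = field(default_factory=lambda: {"acct-1": "sally", "acct-2": "bob"})
    balances: dict = field(default_factory=lambda: {"acct-1": 500, "acct-2": 10_000})

    def _debit(self, acct: str, amount: int) -> int:
        """Apply the withdrawal after authorization; returns the new balance."""
        if amount <= 0 or amount > self.balances[acct]:
            raise ValueError("invalid amount")
        self.balances[acct] -= amount
        return self.balances[acct]

    def withdraw_trusting_client(self, request: dict) -> int:
        """Vulnerable: 'who is acting' is read from the request body.

        An ownership check does run, but against the identity the client
        claims, so Sally sends user="bob" and empties Bob's account.
        """
        actor = request["user"]          # attacker-controlled
        acct = request["account"]
        if self.owners.get(acct) != actor:
            raise Unauthorized("not the owner")
        return self._debit(acct, request["amount"])

    def authorized(self, actor: str, action: str, acct: str) -> bool:
        """Policy: any authenticated user may view; only the owner may withdraw."""
        if action == "view":
            return True
        if action == "withdraw":
            return self.owners.get(acct) == actor
        return False  # deny by default for unknown actions

    def withdraw_per_action(self, session_id: str, request: dict) -> int:
        """Hardened: actor comes from the server-side session, and the specific
        action is authorized on this request rather than inferred from login."""
        actor = self.sessions.get(session_id)
        if actor is None:
            raise Unauthorized("not authenticated")
        acct = request["account"]
        if not self.authorized(actor, "withdraw", acct):
            raise Unauthorized(f"{actor} may not withdraw from {acct}")
        return self._debit(acct, request["amount"])


def demo() -> dict:
    """Sally, logged in as herself, tries to take $10,000 from Bob's account."""
    results = {}
    bank = Bank()
    # Vulnerable path: the handler believes the 'user' field in the body.
    results["trusting"] = bank.withdraw_trusting_client(
        {"user": "bob", "account": "acct-2", "amount": 10_000})
    bank = Bank()
    # Hardened path: identity is Sally's session; the withdraw action is denied.
    try:
        bank.withdraw_per_action("sess-sally", {"account": "acct-2", "amount": 10_000})
        results["per_action"] = "allowed"
    except Unauthorized as exc:
        results["per_action"] = f"denied: {exc}"
    results["bob_balance"] = bank.balances["acct-2"]
    return results


if __name__ == "__main__":
    print(demo())
```

The point is not the policy table, which is trivial here, but where the actor comes from and when the check runs: every state-changing handler re-derives the principal from something the server controls and asks the policy about that action and that resource, instead of assuming that whoever got past the front door may do anything on the floor.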
How can we do this as humans? I’ve been working on something where I have to call organizations that don’t know me and ask them to do things on behalf of my organization. I’m unknown – new – and I’m changing services, addresses, and operational things. Who’s questioning these changes and whether I have the authority to make them? Who am I?
I’m acting with authority, and that gets things done.
There’s a gentle, customer-service-oriented way to do these checks without being a cynical skeptic. So consider verifying people’s actions a service.
Where does this concept of zero trust belong with people, and how do we add it for the benefit of serving them? Topic for another post, likely. Thoughts?
Knock knock. (Who’s there?)
People in a Peephole…