Zero Trust: Guilty Until Proven Innocent

Zero Trust powered by isolation is the only way to secure work.

I had a great opportunity to chat with Tom Field of Information Security Media Group (ISMG) last month about Zero Trust. He wanted to know how Menlo enables this new way of thinking about cybersecurity and how our isolation approach can be applied in the mature financial services sector.

But first, what is Zero Trust?

More than just a marketing slogan, Zero Trust allows you to assume that all web content is harmful and prevent any website from running code on your users’ devices. This absolutely makes sense. I’ve worked as a CISO and have advised CISOs all over Silicon Valley for years. I understand that the majority of attacks occur when users access a website that we can’t completely trust. Yet, despite this lack of trust, we give these websites access to our end points through a local browser and allow them to run code on our machines. From a security perspective, it’s insanity. But from a business perspective, free, unfettered access across the internet can be mission critical.

Menlo defines Zero Trust as a way to protect users from untrusted actors without inhibiting their ability to do work.

During our conversation, Tom quipped that Zero Trust is like ‘Guilty until proven innocent’ and, in a way, he’s absolutely right. Why would you allow an outside, untrusted entity run code on your users’ devices? So why doesn’t everyone embrace Zero Trust and banish malware and other web-based threats to the dustbin of history?

The answer is that it’s hard—both from a technology and cultural standpoint. We are human, and we’ve been hardwired since birth to trust other people. Asking people to suddenly switch to an untrusted as default mindset is asking a lot. Secondly, ensuring people are who they say they are is difficult. Malicious actors lie, cheat and steal to get access to systems they have no business getting into. They masquerade as colleagues, friends and family members. They trick users into giving them the keys they need to walk through the front door. The bad guys have us out-gunned and the tools we have in our toolbox are insufficient.

Many organizations use user education to make up for technological shortfalls. But we can’t train our way out of this predicament. Yes, we need to use education to change people’s mindset to embrace Zero Trust, but we also need a set of tools to stop malware from getting access to our devices.

The answer, of course, is internet isolation. We know that users have to go to websites to do their jobs, but there’s no reason the website needs to access users’ computers. Instead, we can spin up a virtual browser in the cloud that interacts with the website for the user and renders only good, safe content to the device. We don’t know if a website is good or bad, and frankly, it doesn’t matter. As a CISO, I can be darned sure that no outside entity has the right to run code on my network.

Take a listen to the interview with Tom and check out more information about Menlo’s Zero Trust solution. In the meantime, feel free to reach out at any time to discuss how Menlo can secure work for users wherever business takes them.