Trust Model or the Zero Trust Model – How should IT security be provided?

M.Sc. Jan Hörnemann

Trust Model or the Zero Trust Model – How should IT security be provided?

Due to the current effects of the COVID19 pandemic, many people are now thinking more about control. This partially awakened loss of control is not only in the health care system, but in many areas of society. This also includes IT systems, because especially the increasing home office creates new dangers that attackers can shamelessly exploit. In order to guarantee security we need models, and here there are two main opponents, the trust or zero trust model!

Establish security through models

Many people do not recognize the dangers that they actually encounter on a regular basis. As Security Insider reported, some studies show that people tend to be luckier than the average citizen and that dangers such as a cyber attack do not exactly affect their business. In the past, this relaxed approach to actually lurking dangers led to the consideration of a zero trust model, in contrast to the prevailing trust models.

With a trust model, as the name suggests, the user is trusted. This means that during authentication no rights or privileges are distributed, but only the given rights are confirmed. The system generally assumes that every person is trustworthy and has all rights. If the user now verifies himself with a password or another authentication option, the system practically changes nothing except that he knows that he has rightly trusted the person.

Such a model is very user-friendly, since all users are trusted in principle, thus avoiding lengthy authentications etc. The disadvantage, however, is that such a system is much more vulnerable than a system with the zero trust model. If an attacker manages to crack or circumvent the authentication by stealing the password with Social Engineering, he has all rights on the system and can use it for criminal activities. This is different with the Zero Trust model!

Trust or Zero Trust Model?

The Zero Trust model, on the other hand, does not trust the user. This means that all data traffic, system changes, inputs, etc. are permanently recorded and analyzed. Even if an attacker gains access to another user account, he can hardly cause any damage in a zero trust model, because all activities are recorded and analyzed.

The advantage of this Zero Trust model is obvious, because the system is more secure due to the strict controls. In addition to the strict recording of activities, a Zero Trust model also means that the thought process of being able to be attacked at any time plays an essential role. Encryption and isolation in addition to strict authentication and authorization are built into this model.

The disadvantage is also obvious, because the cost of enforcing such a model consistently and having all employees visit schools on a regular basis is very time-consuming and therefore costly. For the employees themselves it is also a disadvantage, because now all rights must be requested by entering a code or password again.

As so often in IT security, it is a struggle between security and convenience. Which model is the right one for you cannot be answered in a generalized way, but it is important to keep the scales in balance, because both security and comfort must not be neglected.

Photo of author

M.Sc. Jan Hörnemann

Hello dear reader, my name is Jan Hörnemann. I am a TeleTrust Information Security Professional (T.I.S.P.) and have been dealing with information security topics on an almost daily basis since 2016. CeHv10 was my first hands-on certification in the field. With a Master of Science degree in Internet Security, I have learned about many different aspects and try to share them in live hacking shows as well as on our blog. In addition, I am active as an information security officer and have been qualified by TÜV for this activity (ISB according to ISO 27001)