
Trust Model or the Zero Trust Model – How should IT security be provided?


Because of the current effects of the COVID-19 pandemic, many people are now thinking more about control. The sense of losing control is felt not only in the health care system but in many areas of society. IT systems are among them, because the growth in working from home in particular creates new dangers that attackers can shamelessly exploit. To guarantee security we need models, and here there are two main opponents: the trust model and the zero trust model.

Establish security through models

Many people do not recognize the dangers that they actually encounter on a regular basis. As Security Insider reported, some studies show that people tend to consider themselves luckier than the average citizen and to assume that dangers such as a cyber attack will not affect their own business. In the past, this relaxed approach to dangers that are in fact lurking led to the consideration of a zero trust model, in contrast to the prevailing trust models.

With a trust model, as the name suggests, the user is trusted. This means that during authentication no rights or privileges are distributed; only the rights already given are confirmed. The system generally assumes that every person is trustworthy and has all rights. When the user verifies himself with a password or another authentication option, practically nothing changes for the system except that it now knows it was right to trust that person.

Such a model is very user-friendly, since all users are trusted in principle, which avoids lengthy authentication steps and the like. The disadvantage, however, is that such a system is much more vulnerable than a system with the zero trust model. If an attacker manages to crack or circumvent the authentication, for example by stealing the password through social engineering, he has all rights on the system and can use it for criminal activities. This is different with the Zero Trust model!

Trust or Zero Trust Model?

The Zero Trust model, on the other hand, does not trust the user. This means that all data traffic, system changes, inputs, etc. are permanently recorded and analyzed. Even if an attacker gains access to another user account, he can hardly cause any damage in a zero trust model, because all activities are recorded and analyzed.

The advantage of this Zero Trust model is obvious: the strict controls make the system more secure. In addition to the strict recording of activities, a Zero Trust model also means that the mindset of being open to attack at any time plays an essential role. Encryption and isolation, in addition to strict authentication and authorization, are built into this model.

The disadvantage is also obvious: enforcing such a model consistently and having all employees attend training on a regular basis is very time-consuming and therefore costly. For the employees themselves it is also a disadvantage, because now all rights must be requested by entering a code or password again.
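The difference between the two models described above can be shown side by side in a short sketch. This is an added example, not code from the original article; the class names, the grants table and the 300-second re-authentication window are assumptions chosen for illustration.

```python
import time

# Constructed sample data: per-user grants (user -> allowed actions).
GRANTS = {"alice": {"read_report"}, "bob": {"read_report", "change_config"}}
REAUTH_WINDOW = 300  # seconds a password/code entry stays fresh (assumed value)


class TrustModel:
    """One successful login confirms the user; every later action is allowed."""

    def __init__(self):
        self.sessions = set()

    def login(self, user):
        self.sessions.add(user)

    def request(self, user, action):
        # No per-action check and no record: a logged-in user has all rights.
        return user in self.sessions


class ZeroTrustModel:
    """Every request is checked against grants and freshness, and recorded."""

    def __init__(self):
        self.last_auth = {}  # user -> time of last password/code entry
        self.audit_log = []  # (time, user, action, decision)

    def login(self, user, now=None):
        self.last_auth[user] = time.time() if now is None else now

    def request(self, user, action, now=None):
        now = time.time() if now is None else now
        if action not in GRANTS.get(user, set()):
            decision = "deny:not_granted"
        elif now - self.last_auth.get(user, float("-inf")) > REAUTH_WINDOW:
            decision = "deny:reauth_required"
        else:
            decision = "allow"
        self.audit_log.append((now, user, action, decision))
        return decision == "allow"


def compare(user, action, login_at, request_at):
    """Return (trust_decision, zero_trust_decision) for the same request."""
    trust, zt = TrustModel(), ZeroTrustModel()
    trust.login(user)
    zt.login(user, now=login_at)
    return trust.request(user, action), zt.request(user, action, now=request_at)
```

The audit log on the zero trust side records denied requests as well as allowed ones, which is what makes a misused account visible.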

As so often in IT security, it is a struggle between security and convenience. Which model is the right one for you cannot be answered in general terms, but it is important to keep the scales in balance, because neither security nor convenience may be neglected.


Chris Wojzechowski

My name is Chris Wojzechowski, and a few years ago I completed my Master's degree in Internet Security in Gelsenkirchen. I am managing partner of AWARE7 GmbH and a trained IT risk manager and IT-Grundschutz practitioner (TÜV), and I hold the audit procedure competence for § 8a BSIG. Our bread-and-butter business is carrying out penetration tests. Beyond that, we advocate a broad understanding of IT security in Europe and for this reason offer the majority of our products free of charge.