I trust nothing until I have been able to verify that it is good
This is the opposite of how I was raised, where I was taught to always believe in the goodness of people: to give someone the benefit of the doubt and only adjust your opinion or judgement afterwards, if necessary. Unfortunately, it does not work this way in ICT.
With a constant threat from cybercriminals, you have to think differently and, in fact, trust nothing until you know who or what you are dealing with. It sounds a bit like a quote from the famous Dutch footballer and soccer legend Johan Cruyff: “I am against everything. Until I make a decision, then I’m okay with it. Seems logical to me.”
In IT security we could say something similar: I don’t trust anything until I’ve been able to verify that it’s good; that seems logical. It is just not that easy to determine how to establish trust in something.
Trusted authority
After all, among all the servers, PCs, websites, networks, applications, emails and individuals, which ones can you trust? It all starts with establishing a trusted authority. In ICT this is usually a certificate authority, or CA, which is responsible for issuing digital certificates. We recognize certificates by the lock symbol that is displayed when you visit a website that uses one; the identity of the site can then be verified. Most people know this from their bank’s website. Certificates do not only provide a way to verify identity; they are also used to protect data through encryption.
For organizations it is important to have their own CA. In Microsoft’s world this is often a role that is associated with Active Directory. It is then possible to provide employees with an identity together with a certificate that gives access to (cloud) services. This certificate can be stored in, for example, a smartcard, which in addition to the password forms a second layer of authentication. The identity of employees is centrally managed with this Company ID or Work Account, and it provides secure access not only to Microsoft cloud services such as Exchange, SharePoint and Teams, but also to third-party cloud services.
Secure chain of ICT systems
To go one step further: all devices in the chain, such as smartphones, laptops and WiFi access points, should be provided with a digital certificate. Accurate management of these certificates then becomes essential. The impact of an expired certificate on the availability of services is tremendous: an expired certificate is marked invalid and can therefore no longer be trusted, which means the entire chain it belongs to is no longer trusted.
At Universal we make sure that our engineers renew and reinstall the hundreds of certificates that we manage for our customers. These can be certificates for servers, Docker containers, websites, firewalls, smartcards, and mobile device management services such as Intune.
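As an added illustration of the rule above (one expired certificate invalidates the whole chain) and of the renewal work it implies, the following Python script is not from the original post or from Universal: it walks a constructed leaf-to-root chain, flags certificates that have expired or fall within a renewal window, and checks that each issuer is actually present in the chain. The `Cert` class and the sample subjects and dates are assumptions made for the example; only `ssl.cert_time_to_seconds` is a real standard-library call, parsing the `notAfter` format that `getpeercert()` returns.

```python
"""Expiry monitor for a certificate chain: one expired certificate
makes the whole chain untrusted, so renewals must be scheduled ahead."""
import ssl
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Cert:                  # hypothetical record, not a real certificate object
    subject: str
    issuer: str              # subject of the certificate that signed this one
    not_after: str           # same text form as getpeercert()['notAfter']

    def expires_at(self) -> datetime:
        # ssl.cert_time_to_seconds parses "Mon DD HH:MM:SS YYYY GMT" to epoch seconds
        return datetime.fromtimestamp(ssl.cert_time_to_seconds(self.not_after), timezone.utc)


def chain_status(chain, now, warn_days=30):
    """Walk the chain leaf -> root. Returns (trusted, findings)."""
    findings, trusted = [], True
    for cert in chain:
        left = cert.expires_at() - now
        if left <= timedelta(0):
            findings.append(f"{cert.subject}: EXPIRED on {cert.not_after}")
            trusted = False          # one expired link breaks the entire chain
        elif left <= timedelta(days=warn_days):
            findings.append(f"{cert.subject}: renew within {left.days} days")
    # Every certificate except the root must be issued by the next one in the chain.
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            findings.append(f"{child.subject}: issuer {child.issuer!r} not in chain")
            trusted = False
    return trusted, findings


# Constructed sample chain (made-up subjects and dates, not real certificates)
SAMPLE_CHAIN = [
    Cert("portal.example.test", "Example Issuing CA", "Mar  1 12:00:00 2025 GMT"),
    Cert("Example Issuing CA", "Example Root CA", "Jun 30 23:59:59 2030 GMT"),
    Cert("Example Root CA", "Example Root CA", "Jan  1 00:00:00 2040 GMT"),
]

if __name__ == "__main__":
    ok, notes = chain_status(SAMPLE_CHAIN, datetime(2025, 2, 10, tzinfo=timezone.utc))
    print("trusted" if ok else "NOT trusted", notes)
```

Running it against the sample at 10 February 2025 reports the chain as still trusted but lists the leaf certificate for renewal; moving the date past 1 March 2025 marks the whole chain untrusted.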
Once you implement this with an integrated approach, it is fine for end users to return to their old habits. They trust their computer, and if that same computer has been able to verify that it is being used by the authorized employee, for example through biometric identification, mutual trust is created. You may then assume that the services you use within your organization indeed belong to your organization; otherwise they would be marked as not trustworthy by displaying a broken key.
My team at Universal helps organisations to set up a secure chain of ICT systems. This starts with setting up an infrastructure to facilitate a Company Account, but also covers the entire chain from equipment to cloud services. In doing so, event logging is essential in order to constantly monitor what is happening. In a later blog I will share my thoughts on the importance of a proper detection and response mechanism to secure the ICT infrastructure.