Blog

Implicit Trust

Written by Q2 | 6 Oct, 2020

By Bob Michaud, Q2 Chief Security Officer

Welcome to week two of National Cybersecurity Awareness Month. Whereas Q2 is a Cybersecurity Awareness Champion, we are sharing a blog series about Q2’s implementation of a zero-trust framework.

As we mentioned last week, zero trust isn’t about a single specific technology; instead, it is a holistic approach to security that incorporates several different principles and technologies – critical to any digital transformation strategy. This approach, in essence, allows each level of security to fail without compromising your overall protection.

This week, I’ll discuss the concept of implicit trust and what it means to our zero-trust strategy. Implicit trust means that every access request and every session is separately authenticated so that no authorization can, by default, carry forward with that user or session to the next request. In other words, you’re treated the same whether you’re outside the network or already inside it.

Implicit trust reminds me a lot of the current craze of Escape Rooms. If you’re unfamiliar, Wikipedia describes these as, “A game in which a team of players cooperatively discovers clues, solves puzzles, and accomplishes tasks in one or more rooms in order to progress and accomplish a specific goal in a limited amount of time. The goal is often to escape from the site of the game.”

To run with that metaphor, paying to get into the initial escape room, i.e., authentication, doesn’t give you access to the next room. Every room has to be separately authenticated as you unlock the means to escape from the previous room.

To flesh this out a little more, I’ll bring our CIO, Lou Senko, into the discussion. In a recent conversation about implicit trust, I asked Lou, “How do you implement an implicit-trust design?” Lou noted that, “You start with access. This includes role identification, authentication, and the application of minimal security. Identifying the user and applying their role-based security does not actually grant them access to anything other than the opportunity to authenticate against something they want.”

Lou further explained that “Standard Access” includes corporate domain network login (Active Directory) access, single sign-on (SSO) access to email, personal and shared storage, email distribution lists, collaboration suites, and then the default application access for the role. This is not to be confused with the actual application role. For example, when I need access to my Business Continuity Management (BCM) application, I get access to the solution through SSO that allows me to log in to my BCM account.

The multiple layers of implicit-trust security give Q2 a balance between security and convenience. By implementing this design, you can significantly reduce data loss threats and insider threat risks while still providing easy and convenient access for your employees. It’s important to remember that these security layers don’t exist in a vacuum; security should be one piece of a comprehensive and strategic approach to all things digital, all built around user experience and data-driven insights.

But we aren’t done with Cybersecurity Awareness Month or zero-trust architecture yet. Join me next week to learn about the next piece of Q2’s strategy—endpoint security.