The Truth About Zero Trust
Every industry has a term that is overused and often misused. In the security space, Zero Trust is the term that wears that crown. Since the inception of zero trust in 2010, everyone has been talking about it, but the more you listen, the more you realize no one really understands zero trust, how it works or how it is implemented. This holds especially true for BPOs and contact centers, which is why we are going to break down what exactly zero trust is, but more importantly, how implementing it will impact call centers’ identity security.
The term "Zero Trust" was coined by a Forrester Research analyst in 2010, when the model for the concept was first presented. A few years later, Google announced that it had implemented zero trust security in its network, which led to rapid growth of interest in its adoption within the tech community. However, like most things that experience a quick rise in popularity, the fundamental meaning of zero trust began to shift as the term was misused more and more broadly.
Zero Trust involves the idea that no individual or device should be inherently trusted, and that every user and device should be authenticated before being granted access to any data on the network. Today, however, zero trust is used primarily as a buzzword, and even where it is put into practice it is often a distorted interpretation of zero trust principles that gets confused with “castle-and-moat”.
Pre-Zero Trust: Castle & Moat
First, let us break down exactly how the “castle-and-moat” structure works. "Castle-and-moat" is a network security model in which no one outside the network is able to access data on the inside, but everyone inside the network can. Imagine an organization's network as a castle and the network perimeter as a moat. This is how most BPOs and Call Centers operate today.
To get inside, the user must know their “castle’s” unique access code, and should they get it correct, the drawbridge is lowered. From that point on, once across the drawbridge, they have free rein inside the castle grounds.
Similarly, once a user connects to a network in this model, they are able to access all the applications and data within that network. The "castle-and-moat" posture is not necessarily an intentionally chosen security strategy. The phrase actually came about to distinguish traditional network architecture from zero trust architecture.
But there is a fundamental flaw in the “castle-and-moat” posture. True zero trust would argue that you have to account for potential risk both within and outside the castle.
Threats Inside the Castle
Before we discuss the threats outside the castle, which a moat perhaps simply cannot stop, it is important to remember that there may be threats within your own castle. Human error is a significant factor that must be taken into account when developing an organization's security posture. This is where the “castle-and-moat” security posture begins to deteriorate.
Let’s assume for a moment that your current organization's office is a castle. What if someone inside the castle knocks over a lantern, quickly engulfing the castle, all of its subjects, and its resources in the fire?
The same thing could happen should someone within your network enter their credentials on a phishing site, approve an MFA challenge they did not initiate, accidentally download a virus, or visit an unsafe website on their work device. When an attacker gains access to a target’s network, their first priority is making that access persistent, so that it survives a password change or a reboot.
This is where the castle-and-moat metaphor truly fails security professionals: once a hacker has long-term access to a network, any security policy that assumes safety within the “castle walls” is insufficient.
What This Means for Call Centers
As we previously mentioned, more often than not the “castle-and-moat” security posture is not an intentional decision but the result of policies and practices that accidentally lead to overtrusting on-network access. This is particularly true for call centers. Traditionally, call centers use brick-and-mortar secure facilities with video cameras and other physical security.
BPOs built these physical controls in order to keep PII and cardholder data safe while maintaining compliance, but with the recent adoption of remote work and an increase in work-at-home agents, commonly referred to as WAHAs, a “castle-and-moat” approach simply does not provide sufficient protection.
The “castle-and-moat” approach in the call center environment would dictate that multi-factor authentication is required for network or VPN access but nothing beyond that, which we know comes with the inherent risk of not detecting threats inside the castle. This is something the PCI SSC has caught on to, and the release of PCI DSS 4.0 in April brought significant requirement upgrades to the security forces around the castle.
With PCI DSS 4.0 doubling down on MFA requirements, MFA challenge responses become mandatory in several instances. In order to gain access to the network, there will be an authentication event just like before, but the new requirements mandate an additional MFA challenge to access any data or application in the CDE (cardholder data environment).
The newly released guidance is significantly more aligned with true zero trust architecture and requires that all access be treated as if it originates from an outside source, i.e., from the internet.
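To make the difference concrete, here is an added example (not code from the original post or from Twosense) of a toy access-policy evaluator: one function decides the castle-and-moat way (on the network means everything is reachable), the other decides per request, requiring a managed device and a recent step-up MFA challenge for anything in the CDE. The resource names, the 15-minute MFA freshness window and the sample sessions are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample data: resources that hold cardholder data (the CDE).
CDE_RESOURCES = {"payment-db", "call-recordings"}
# Assumed policy: a step-up MFA challenge for CDE access is valid for 15 minutes.
CDE_MFA_MAX_AGE = 15 * 60


@dataclass
class Request:
    user: str
    resource: str
    on_network: bool          # passed the VPN / perimeter login
    mfa_age: Optional[int]    # seconds since last MFA challenge, None = never
    device_managed: bool      # device is enrolled and compliant


def castle_and_moat(req: Request) -> bool:
    """Perimeter model: the only check is whether the session is inside the moat."""
    return req.on_network


def zero_trust(req: Request) -> bool:
    """Per-request model: network location grants nothing by itself; identity,
    device and MFA freshness are checked for every resource, with a stricter
    bar (a recent step-up challenge) for resources in the CDE."""
    if req.mfa_age is None or not req.device_managed:
        return False
    if req.resource in CDE_RESOURCES:
        return req.mfa_age <= CDE_MFA_MAX_AGE
    return True


def compare(requests: List[Request]) -> List[Tuple[str, str, bool, bool]]:
    """Return (user, resource, castle_decision, zero_trust_decision) per request."""
    return [(r.user, r.resource, castle_and_moat(r), zero_trust(r)) for r in requests]


# Constructed sample sessions (hypothetical users and systems).
SAMPLE = [
    # Logged in through the VPN three hours ago, now opening the payment database.
    Request("agent-a", "payment-db", on_network=True, mfa_age=3 * 3600, device_managed=True),
    # Same user right after answering a fresh step-up challenge.
    Request("agent-a", "payment-db", on_network=True, mfa_age=60, device_managed=True),
    # Work-at-home agent off the corporate network, fresh MFA, managed laptop, CRM only.
    Request("agent-b", "crm", on_network=False, mfa_age=120, device_managed=True),
    # On-network session from an unmanaged personal device.
    Request("agent-c", "crm", on_network=True, mfa_age=120, device_managed=False),
]

if __name__ == "__main__":
    for row in compare(SAMPLE):
        print(row)
```

Note that the perimeter model both lets the stale on-network session reach the payment database and blocks the legitimate remote agent, while the per-request model gets both cases right.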
Implementing Zero Trust Can Be Easy
As we mentioned in the beginning, Zero Trust involves the idea that no individual or device should be inherently trusted, and that every user and device should be authenticated before being granted access to any data on the network. This means implementing MFA everywhere, for every user. However, history has shown that more rigorous MFA requirements lead to interruptions for users, and those interruptions lead to decreased efficiency.
Twosense has developed a multifactor solution that allows for continuous identity verification without requiring a phone or any additional hardware. This means that call center administrators can adhere to zero trust principles and meet PCI DSS compliance by deploying behavioral biometric MFA everywhere to every user without an increase in user friction or loss of efficiency.