Why Zero Trust is Needed in the Real World Too

A real-world example of why Zero Trust matters

But the need for Zero Trust doesn’t stop at the cyber edge. With so many processes in our daily lives becoming digitized, how that information is controlled has direct, real-world impact.

Fortunately, an hour on the phone with the insurance company got things straightened out. But how it happened illustrated the very issues that Zero Trust is intended to counter.

I was driving to the pharmacy to pick up a prescription that a doctor had just sent in. Within minutes, I got a text message from the pharmacy telling me it was “too soon” and they wouldn’t be filling the prescription for another two months. So, I called the pharmacist to check. She looked up my records and said, “Your insurance company says the prescription was filled on December 25th at [a different chain of pharmacies], so you’ll have to wait.” Umm, nope. “I just got the prescription; before this I hadn’t seen a doctor in two years; and I certainly didn’t go on Christmas Day to any pharmacy, let alone a different chain.”

In the US, most pharmacies now use your date of birth as the primary identifier when looking you up. They then ask your name and use that to select from the list of people with that birthday. Sometimes, they’ll ask if you still have whatever insurance carrier is listed in their records. But in this case, it was Christmas, the person was probably in a rush, and the clerk didn’t listen closely to the name or take note that there were multiple people with similar names. Oops.

A month before (on Christmas Day), somebody with the same birthday as me needed to fill or refill a prescription for the same relatively common medicine. So, he went to a pharmacy that coincidentally was about 30 miles from my house. It turns out that he had the same health insurance carrier as me and had a name that was similar to mine (it’s a common set of sounds).

From a security perspective, several things went wrong. The primary identifier (date of birth) the pharmacy used is not unique. They didn’t do an exact match on the secondary identifier (given and family names), which also is not unique. Nor is the name of the insurance carrier. They don’t usually check the one thing that is unique: your insurance ID number. This is probably because it would slow down processing—something that would be an extra annoyance for customers. But skipping that step also means anybody who has been authenticated using the non-unique attributes is implicitly ‘trusted’ to have access to resources (medicine in this case) they shouldn’t have.
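The lookup failure described above, as an added example (not code from the original post or from any pharmacy system). The records, names, member IDs and function names are constructed, and `difflib` fuzzy matching is an assumption standing in for a clerk picking the closest-sounding name.

```python
from dataclasses import dataclass
from datetime import date
from difflib import SequenceMatcher


@dataclass(frozen=True)
class Patient:
    member_id: str  # the one unique attribute (constructed sample values)
    name: str
    dob: date
    carrier: str


# Constructed sample records: same birthday, similar names, two on the same carrier.
RECORDS = [
    Patient("MBR-0001", "Jon Carlsen", date(1970, 3, 14), "ExampleHealth"),
    Patient("MBR-0002", "John Carlson", date(1970, 3, 14), "ExampleHealth"),
    Patient("MBR-0003", "Maria Lopez", date(1970, 3, 14), "OtherCare"),
]


def implicit_trust_lookup(dob, heard_name, records=RECORDS):
    """Weak workflow: filter by date of birth, then take the closest-sounding name."""
    same_dob = [p for p in records if p.dob == dob]
    if not same_dob:
        return None
    # Always returns somebody, even when several candidates are near-identical.
    return max(same_dob, key=lambda p: SequenceMatcher(
        None, p.name.lower(), heard_name.lower()).ratio())


def explicit_lookup(dob, stated_name, member_id, records=RECORDS):
    """Hardened workflow: key on the unique ID, then require exact attribute matches."""
    matches = [p for p in records if p.member_id == member_id]
    if len(matches) != 1:
        raise LookupError("member ID not found or not unique")
    patient = matches[0]
    if patient.dob != dob or patient.name.lower() != stated_name.lower():
        raise PermissionError("attributes do not match the record for this member ID")
    return patient


if __name__ == "__main__":
    dob = date(1970, 3, 14)
    # The customer is John Carlson (MBR-0002), but the clerk hears "Jon Carlsen".
    print(implicit_trust_lookup(dob, "Jon Carlsen").member_id)               # wrong record
    print(explicit_lookup(dob, "John Carlson", "MBR-0002").member_id)        # right record
```

With the misheard name, the first function bills the fill to MBR-0001; the second refuses the same misheard name because it does not match the record behind the presented member ID.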

Looking at the situation from a security perspective

For those who want to dig a bit deeper, here’s a video where Petko Stoyanov, our CTO, Global Governments, Forcepoint, explains how identity controls fit into an adaptive Zero Trust architecture.

That’s what Zero Trust helps fix: making sure that people have explicit permission at every step in the process. People used to think the convenience (to the user and to the security teams) outweighed the potential risk. But, as we’re all so keenly aware, we live in a different world now, and old assumptions no longer apply. Neither do old security approaches. Fortunately, new ways of doing security, such as Secure Access Service Edge (SASE), are rapidly gaining traction and provide a way to deliver Zero Trust as a service (ZTaaS). But that’s a topic for another day.

This post was first published on the Forcepoint website by Jim Fulton.