Skip navigation

Effective October 28, 2019 Duo Security will be transitioning to Cisco's Privacy Statement. View the Duo Privacy Data Sheet.

Industry News

Zen, Punk Rock, and Zero Trust

There’s a marvelous book called Hardcore Zen” by Brad Warner, a former punk rocker and now ordained Zen Buddhist minister, in which he talks about how the punk ethos is very similar to Buddhism: you must question everything, especially what you believe is reality. This questioning attitude is especially important when you’re planning your zero trust implementation.

‘Zero trust' isn’t about never trusting — you can’t grant access to users, devices and applications without some degree of trust. And as Chase Cunningham of Forrester says, “Don’t take the term so literally.” 

What we’re talking about is questioning the assumptions your trust is based on, (is it warranted?), and replacing those assumptions with factors of verification.

Assumption: The user logging in is the correct person if they present the right credentials.

Counter: Verify that the user is more likely to be the correct person by having them present not just something they know (that could be discovered), but also something they have (such as a mobile app instance, a U2F token, or a biometric).

Assumption: The user logging in is the correct person if they are using any corporate device.

Counter: Verify that the user is more likely to be the correct person by having them use their own registered device, and by taking a physical action to prove they are present (such as answering a push notification or tapping a U2F token).

Assumption: The user logging in is legitimate if they are coming from an IP address that is assigned to a known location (such as an office building). They were already verified through physical security measures when entering the building.

Counter: Verify that the user is still legitimate at the time of access by requiring other proof of authenticity (such as something they know and something they have), rather than relying on a network address that can be spoofed, a corporate security process that could have been bypassed, or a connection that could have been hijacked in mid-session.

Assumption: Once the user is verified, they stay verified.

Counter: Re-verify the user.  

Our founder Dug Song, likes to ask big questions. Similar to the punk and Buddhist ethos of questioning what is or what appears to be. He made Duo Security after questioning why security had to be complicated. It doesn't have to be. Start your free trial today, and learn how easy security can be for everyone.

Download the free white paperZero Trust: Going Beyond the Perimeter, now and learn about each pillar, the risks they address, options for implementation and proposed maturity levels.