How Zero Trust could have prevented the Colonial Pipeline attack.

Dwaine Snow
1 min read · Oct 15, 2021

Let’s step through an example. Paul is a malicious actor. He is sitting in a coffee shop and notices someone head to the restroom, and leave their work laptop sitting unlocked on the table. He grabs the laptop and runs across the street and hides. He notices that the laptop is unlocked, and as he looks around he finds a file called MyPasswords.

The file has a list of all of the owner’s userids and passwords for all their web sites and also for their work servers. Paul uses the information to try to connect to the work HR server that has been set up in the enterprise’s Zero Trust architecture. Will Paul be granted access?

Yes, because the user credentials are valid, and the device is a known, work-owned device with a low risk score.

Paul closes the laptop and heads home. Once home he cannot use the laptop because it is locked, but he remembers the server’s IP address and the userid and password. Paul uses that information to try to connect to the work HR server again, but from his own laptop. Will Paul be granted access?

No, because the device is unknown to the enterprise, and therefore receives a very high risk score.

This shows how a Zero Trust architecture could have prevented the Colonial Pipeline attack, because the attacker used a single set of credentials from a device that was not corporate managed to gain access.
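To make the two decisions above concrete, here is an added example of a minimal Zero Trust policy engine that combines a credential check with a device risk score. This is illustrative code written for this post, not the author's or any vendor's implementation; the user name, device identifier, risk values and allow threshold are all constructed for the example. It also records every decision so that a denied request carrying valid credentials from an unknown device can be surfaced to the security team as a likely credential-theft signal.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample data. Real deployments use a random per-user salt and an
# identity provider; this fixed salt exists only so the example runs offline.
_SALT = b"constructed-example-salt"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# User directory (constructed): the laptop owner from the story.
USERS = {"alice": _hash_password("correct horse battery staple")}

# Device inventory (constructed): only enterprise-managed devices are known.
MANAGED_DEVICES = {"LAPTOP-4471": {"owner": "alice", "compliant": True}}

# Risk scores run from 0 (fully trusted) to 100 (untrusted). Assumed values.
RISK_MANAGED_DEVICE = 10
RISK_NONCOMPLIANT_DEVICE = 60
RISK_UNKNOWN_DEVICE = 90
ALLOW_THRESHOLD = 50


@dataclass
class AccessRequest:
    user: str
    password: str
    device_id: str
    resource: str


@dataclass
class Decision:
    request: AccessRequest
    credentials_ok: bool
    risk: int
    allowed: bool
    reason: str


DECISION_LOG: List[Decision] = []


def credentials_valid(user: str, password: str) -> bool:
    stored = USERS.get(user)
    candidate = _hash_password(password)  # hash even for unknown users (constant work)
    return stored is not None and hmac.compare_digest(stored, candidate)


def device_risk(device_id: str) -> int:
    device = MANAGED_DEVICES.get(device_id)
    if device is None:
        return RISK_UNKNOWN_DEVICE
    if not device["compliant"]:
        return RISK_NONCOMPLIANT_DEVICE
    return RISK_MANAGED_DEVICE


def evaluate(request: AccessRequest) -> Tuple[bool, str]:
    """Allow only when credentials are valid AND device risk is within threshold."""
    creds_ok = credentials_valid(request.user, request.password)
    risk = device_risk(request.device_id)
    if not creds_ok:
        allowed, reason = False, "invalid credentials"
    elif risk > ALLOW_THRESHOLD:
        allowed, reason = False, f"device risk {risk} exceeds threshold {ALLOW_THRESHOLD}"
    else:
        allowed, reason = True, f"device risk {risk} within threshold"
    DECISION_LOG.append(Decision(request, creds_ok, risk, allowed, reason))
    return allowed, reason


def credential_theft_signals() -> List[Decision]:
    """Denials where the password was right but the device was unknown: worth an alert."""
    return [d for d in DECISION_LOG
            if d.credentials_ok and not d.allowed and d.risk == RISK_UNKNOWN_DEVICE]


def scenario_stolen_laptop() -> Tuple[bool, str]:
    # Paul at the coffee shop: correct password, enterprise-managed laptop.
    return evaluate(AccessRequest("alice", "correct horse battery staple",
                                  "LAPTOP-4471", "hr-server"))


def scenario_personal_laptop() -> Tuple[bool, str]:
    # Paul at home: same password, but from a device the enterprise has never seen.
    return evaluate(AccessRequest("alice", "correct horse battery staple",
                                  "paul-personal-laptop", "hr-server"))


if __name__ == "__main__":
    print("stolen laptop:", scenario_stolen_laptop())      # allowed
    print("personal laptop:", scenario_personal_laptop())  # denied
    print("alerts:", len(credential_theft_signals()))
```

The first scenario is also where this simple policy is weakest: a valid password on a trusted device is enough, so in practice the device signal is paired with session inactivity timeouts, re-authentication for sensitive resources such as an HR system, and alerting on the denied-but-valid-credential pattern that `credential_theft_signals()` picks out.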
