February 20, 2020
Zero Trust

The One-Two Punch of Zero Trust. Verify Every User, Validate Every Device.

Corey Williams – Idaptive
Corey Williams Vice President, Marketing

If “verify every user” represents your leading left hand jab, then “validate every device” is the follow-up right cross of a Zero Trust strategy. Here’s how to master the Zero Trust one-two punch combo to land a devastating blow to the bad guys’ chance of breaking through your guard. 

Zero Trust 10

Date breaches most often originate from a remote endpoint or device that shouldn’t have access to the breached resources in the first place — often involving nothing more than a stolen username and password. Wouldn’t it be nice if we could reduce the attack surface from  every computer or device on earth to only the protected systems that should have access in the first place? That may sound like a pipe dream, but the reality might be closer than you think with the right setup. 

As I wrote before, security starts with protecting users. First, we must verify every  user to make sure we know who they are and that they only have access to what they need. This verification is done through adaptive multi-factor authentication and tools like single sign-on, coupled with behavior-based machine learning that can make intelligent access decisions in real-time based on user context and risk. . With that in place, we’ve already dramatically reduced the attack surface so that an attacker who has a stolen password can’t simply log in from anywhere, or reuse that same login credential over and over again. 

Verifying every user is an important first step. However, after that, the challenge remains that there are still many  ways that applications, systems or networks can be compromised. Anyone with the right credentials can still successfully log on. What happens when a bad guy has acquired both the user’s login credentials and a clone of the user’s device, as is the case with the phenomenon of SIM-swapping? MFA alone may not protect against that scenario. 

So how can you take your security posture to the next level to protect against this? The answer is simple. If “verify every user” represents your leading left hand jab, then “validate every device” is the follow-up right cross of a Zero Trust strategy. Here’s how to master the Zero Trust one-two punch combo to land a devastating blow to the bad guys’ chance of breaking through your guard. 

Come out swinging when it comes to device context and security

Everything online typically comes from accessing a device, so we should care a lot about the security posture and permissions that each device has. Organizations wouldn’t want some rogue server operating on their network, so why then a rogue mobile device or laptop? 

But understanding every computer or mobile device that might have access is becoming increasingly difficult in a world where our professional and personal lives are more intertwined than ever before. We use our personal laptops, smartphones, and tablets to access work apps or emails after hours and at home, on the road, or even 30,000 feet in the air. To suddenly cut-off that access for pre-authorized, work-issued devices would be a huge knock to users’ productivity. That’s where the Zero Trust model comes in. 

Instead, we want to make sure that every device is being used in a secure manner. It should have a screen-lock policy enforced, , and proper credentials – because we don’t want passersby or someone who steals the device to use that, get in, and establish repeatable access. Configure device access to reflect best practices – each device should only do what it needs to do. This is done through device management capabilities, which many companies have tried to buy for each system. However, a  next-gen access approach integrates these capabilities into the system so that we know good security policy is always baked into each and every device that gains access. 

Roll with the punches using next-gen access 

Once we know that a device has the right security posture and the user is the real deal, this can be used as a proxy for all sorts of context. User behavior thus becomes a powerful new technique to make smarter access decisions. 

Today, Zero Trust empowered by next-gen access technology (like Idaptive) can use location or other behaviors to determine whether to grant instant access or introduce additional hurdles to confirm their identity. In the future, we’ll be able to use even more behaviors of the user on the device for context – such as whether they’re typing at a normal pace or moving their mouse as they usually do. This is called behavioral biometrics, and is important because it could tell whether the person using the device is real, and make sure it’s not a rogue virus or trojan that has taken the machine or is pretending to be the user. 

All of these add up together to whether we can trust the device, and trust the user on the device, and therefore allow it to have the access that it’s requesting. Recently, this has been much more difficult to do because the modern business is no longer a bunch of PCs chained to a desk in a room. All workers today have laptops and their own mobile devices, and try to access things remotely. We even have people other than direct employees – such as partners, other vendors or third-party consults – that all need access to our apps and services as well. That complexity requires a system that makes sure what is let in is both 1) in good security posture, and 2) used by the right people. 

In our modern threatscape, the barriers to keep the bad guys out are no longer firewalls. Resources are increasingly located outside of physical walls in the cloud, off-site databases, or partner systems. There’s no longer the ability to put a security barrier on a remote SaaS system your organization doesn’t own, or to restrict access to only a predetermined set of devices. 

Because our apps, services, and systems are so widespread, we need to spread access control to users and their devices. That means making sure we verify every user and validate every device with every login. That’s the one-two punch of Zero Trust. 

Stay tuned. In my next blog post, I’ll spell out the ways that an organization can “intelligently limit access” within the Zero Trust framework. 


Read the Zero Trust series here:

Zero Trust Series – 1  What Is Zero Trust and Why Is it So Important?

Zero Trust Series – 2 Like the Night King, Perimeter Defense is Dead

Zero Trust Series – 3 Imposter Syndrome: Why You Can’t Separate the “Good Guys” from the “Bad Guys”

Zero Trust Series – 4 Passwords are Just one Piece of the Cybersecurity Puzzle

Zero Trust Series – 5 The Future of Cybersecurity is Artificial: Intelligence Will Transform Enterprise Governance

Zero Trust Series – 6 Protect, Detect, Deter, Respond is Not a Security Strategy.

Zero Trust Series – 7 Upping the Security Ante: How to Get Teams’ Buy-in for Zero Trust

Zero Trust Series – 8 Next-Gen Access and Zero Trust are the PB&J of Security

Zero Trust Series – 9 Passwords Need Fixing. Zero Trust is the Solution.

Zero Trust Series – 10 The One-Two Punch of Zero Trust. Verify Every User, Validate Every Device.

Zero Trust Series – 11 “Should I Stay or Should I Go?” Artificial Intelligence (And The Clash) has the Answer to Your Employee Access Dilemma.

Zero Trust Series – 12 Grow Up! Plotting Your Path Along the Zero Trust Maturity Model


Corey Williams

Corey Williams – Idaptive
Vice President, Marketing

Corey Williams is the Vice President of Marketing & Strategy and lead evangelist for Idaptive, leading all marketing functions, as well as market development and strategy. Corey served as the Senior Director of Products and Marketing for more than a decade at Centrify where he was the visionary behind, and the first product manager of, the set of products that were ultimately spun out of Centrify to become Idaptive, including leading SaaS services for Single Sign-on (SSO)Adaptive Multi-factor Authentication (MFA)endpoint and mobile context, and User Behavior and Risk Analytics (UBA).

 While at Centrify, Corey defined and brought to market seven net-new product offerings directly contributing to the growth of the existing customer base from less than 400 customers to over 5000 customers. He also led efforts with major industry analysts that directly resulted in Centrify being named as a leader in all of the major analyst reports including the Gartner Magic Quadrant and Critical Capabilities reports for Access Management, Worldwide; Forrester IDaaS Wave; KuppingerCole Cloud MFA Leadership Compass; and Network World Clear Choice Winner for Single Sign-on Solutions.

Corey is a frequent speaker and commentator on IT Security and IT Management. He has authored several publications, including “Zero Trust Security for Dummies”, a leading guide for enterprise managers.

Prior to Centrify, Corey led products and marketing for SpikeSource (acquired by Black Duck Software), Syndera (acquired by Tibco), and Journee Software (acquired by Initiate Systems). Earlier in his career, he managed pre- and post-sales consulting for Active Software (acquired by webMethods). 

Corey holds degrees in Mathematics (BS) and Computer Science (BS) from New Mexico State University, as well as an MS in Engineering and an MBA from San Jose State University. 


If Corey could have any chameleon-like superpower, it would be the chameleon's tongue, which is ridiculously fast. Some of the world's smallest chameleons have the world's fastest tongues. In automotive terms, the tongue could go from 0 to 60 miles per hour in a hundredth of a second! “I would be able to complete webinars in 4.5 seconds instead of 45 minutes!”