Zero Trust SMS Explained

Before I explain what it means to enable a "Zero Trust" strategy for SMS, I need to explain what "Zero Trust" is. Zero trust was created in 2010 by John Kindervag, who at the time was a principal analyst at Forrester Research. So, let's use John's own words:

"Rooted in the principle of 'never trust, always verify,' Zero Trust is a strategic initiative that helps prevent successful cyberattacks by eliminating the concept of trust from an organization's network architecture."

What Zero Trust SMS IS

By the very definition of "Zero Trust", any solution that enables a zero trust strategy for SMS to combat phishing would need to assume that every URL inside every SMS message is dangerous unless it has been verified. This is only possible if many billions of URLs have been verified in advance.

What Zero Trust SMS is NOT

Anything that doesn't assume every URL in every message is dangerous unless verified.

Any vendor who does not block every URL on the Internet, except for URLs that are verified in advance, is NOT enabling Zero Trust of any kind. It's either "ZERO" trust or it's not.

  • Any solution that uses AI, ML, regex or anything else to make a determination on the fly is called "cybersecurity" - i.e. what everyone in the security industry has been doing for years.
  • Any solution that uses blocklists and allowlists is also called "cybersecurity".
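The distinction drawn above, default deny against a registry of URLs verified in advance versus an on-the-fly judgement, can be shown in code. The following is an added example, not MetaCert's code or any vendor's product: the registry contents, hostnames and message texts are constructed, and the exact-match normalization (lower-cased scheme and host, default port dropped, query and fragment ignored) is an assumption about how such a lookup would be keyed. Note that nothing in it scores a URL; a lookalike host is blocked for the same reason an unknown legitimate host is blocked, because neither was verified beforehand.

```python
"""Default-deny URL screening for SMS text.

Every URL found in a message is treated as dangerous unless it matches a
registry of URLs verified in advance. No regex heuristics, blocklists or
ML scoring are applied to the URL itself; the only question is "was this
exact resource verified?"
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed registry of pre-verified URLs (hypothetical hosts, not real brands).
VERIFIED_URLS = {
    "https://www.example-bank.test/login",
    "https://parcels.example-courier.test/track",
}

# Finds URLs with a scheme, plus scheme-less ones that start with "www."
URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)[^\s<>\"']+")


def normalize(raw: str) -> str:
    """Canonicalize a URL so registry lookups are exact-match, never fuzzy."""
    url = raw.rstrip(".,;:!?)")           # trailing punctuation from the message prose
    if url.lower().startswith("www."):
        url = "http://" + url             # assumed default scheme for scheme-less URLs
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""           # urlsplit lower-cases the hostname
    try:
        port = parts.port
    except ValueError:
        return ""                         # malformed port: can never match the registry
    if port and port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{port}"
    path = parts.path or "/"
    # Query string and fragment are dropped: the registry verifies the resource,
    # not the parameters a campaign appends to it.
    return urlunsplit((scheme, host, path, "", ""))


REGISTRY = {normalize(u) for u in VERIFIED_URLS}


def verdict(raw_url: str) -> str:
    """ALLOW only on an exact registry match; everything else is BLOCK."""
    return "ALLOW" if normalize(raw_url) in REGISTRY else "BLOCK"


def screen_message(text: str) -> list:
    """Return (url, verdict) pairs for every URL found in an SMS body."""
    return [(m.group(0), verdict(m.group(0))) for m in URL_RE.finditer(text)]


# Constructed sample messages: two point at verified resources, two at
# lookalike hosts that a fuzzy allowlist might be tempted to wave through.
SAMPLE_MESSAGES = [
    "Your statement is ready: https://www.example-bank.test/login.",
    "Your parcel is waiting. Confirm at https://parcels.example-courier.test/track?id=123",
    "Security alert! Verify now at https://www.examp1e-bank.test/login",
    "New voicemail: http://www.example-bank.test.voicemail-app.test/install.apk",
    "See you at 7",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for url, result in screen_message(msg):
            print(f"{result:5} {url}")
```

The scheme is part of the verified identity: the registry holds an https entry, so the http form of the same path is blocked rather than "close enough". That is the behaviour the article is describing; a solution that would let the http form through because the host looks familiar is making a judgement on the fly.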

Anti-malware solutions offered by companies like BlackBerry are built after new malware has been detected, reverse-engineered and investigated. This is very important work that must be done to help protect corporate networks from the spread of known malware. These solutions are not designed to keep mobile users away from deceptive URLs, login pages and downloads, so they're out of scope for mobile operators and subscribers.

Trying to block FluBot itself is reactive; blocking the URLs that lead to it is preventative and much more reliable.

How to evaluate a vendor that offers "Zero Trust SMS"

Ask them if their new solution is built by, or powered by MetaCert. If it's not, it's not Zero Trust SMS.

If a vendor is positioning their solution as "Zero Trust" and it's not powered by MetaCert, it's misrepresenting what it does. This is true because no other company in the world has built the technology or global registry of URLs that's needed to enable "URL & Web Access Authentication" for SMS.

"Allowlist" ≠ Zero Trust

Creating a small "allowlist" (formerly known as a "whitelist") with, say, a million domains isn't a zero trust strategy - that's the old way of doing security. Unless a solution can authenticate tens of billions of URLs, it will annoy operators, brands, banks and subscribers.

Watch out for imposter vendors

Some vendors are literally stealing our IP right now, while misrepresenting their services as "Zero Trust SMS". So we need to make sure mobile operators aren't duped in the same way subscribers are being duped.


MetaCert pioneered Zero Trust URL Authentication and Zero Trust SMS

MetaCert didn't just pioneer the concept of Zero Trust SMS, we pioneered the entire concept of Zero Trust URL & Web Access Authentication. SMS is just one implementation of that concept. Browser-based security for desktop protection is another. More will follow.

If you work for an operator, please avoid counterfeit services from vendors you don't know, and I'll help your subscribers avoid links from people they don't know. Zero Trust URL authentication is the only way to kill FluBot, so I'd hate to have the concept's reputation ruined by rogue vendors who now position themselves as security vendors.

Why I wrote this article

My mother told me this week that she was unable to get a blood test because Ireland's national health service (HSE) was hit with a phishing-led ransomware attack. I'm now taking it personally whenever I see a security vendor tell blatant lies about the capabilities of its security products and services. It's not the HSE's fault as I'm sure they were being "protected" by massive multi-billion dollar security vendors like Proofpoint. It's our fault as an industry for not trying something different - like... zero trust.

If you enjoyed this article, you will probably find An Open Letter to mobile operators helpful.

Please feel free to get in touch by way of a LinkedIn connection request, or email me directly at [email protected]. Learn more about the journey that took me here.

I look forward to hearing from you soon.

Paul

MetaCert CEO

Paul Walsh

Making the internet safer through a radically new, human-centric approach to anti-phishing security. Most leading security companies license my patents for mobile app security. More pending for SMS security.

3 years

It has been brought to my attention, that another SMS Firewall vendor is using MetaCert's IP and screwing it all up with mixed messaging.
