The COVID-19 pandemic has brought about a seismic shift in how the world goes to work. Apart from essential services, remote work is the new normal, mandated everywhere — even in organizations that never previously offered remote work options.
A lack of VPN infrastructure (or VPN capacity that cannot scale), legacy systems that were never designed for remote work, previous reluctance to implement work from home, poor cybersecurity hygiene — all of these pose challenges for organizations trying to adjust to this new normal.
Remote work opens a new can of worms for cybersecurity teams
IT teams have been under siege from management to set up remote work ASAP, but this may have expanded the threat landscape exponentially. With personal devices and previously untested software or tools connecting to the corporate network, organizations are at greater risk for security incidents. There is also a heightened data security responsibility for cybersecurity teams.
Since COVID-19 hit the scene, more than 70% of security professionals have seen a rise in related attacks. A security model that promises a robust approach to security, and is rapidly becoming the hot topic of cybersecurity discussions, is zero trust — or what we used to call “least privilege.”
The zero trust security architecture approach
Traditional perimeter-based security controls are based on the concept that employees and applications are operating within a trusted zone (i.e., behind the corporate firewall and inside the corporate network). But with over 40% of the workforce slated to work from home in some capacity even after the pandemic, a perimeter-based approach is no longer viable. Zero trust architecture (ZTA), on the other hand, is based on the premise that every request, whether it comes from inside the network or from outside, is hostile and should not be trusted.
In a nutshell, a ZTA broadly delivers the following capabilities:
- Provides access to business applications based on a principle of least privilege (PoLP) and microsegmentation of users by their job roles.
- Allows for the creation of granular access control policies that define who may access what and from which device.
- Gathers security telemetry based on risk profile and user behavior with a goal to develop a trust profile for each access request.
- Grants or denies access to resources in real time (dynamically) using granular security controls and intelligent authorization.
There’s a lot to keep in mind while deploying a zero trust architecture. Here are five key considerations that can help you get started:
1. Zero trust is philosophy, strategy, architecture and technology all rolled into one
It’s not only technology that is required for a successful zero trust implementation. The important part is understanding the philosophy behind the end-state goal and designing the architecture around it. Technology-first implementations may not always complement business goals. Business users may get frustrated, and things can rapidly escalate to the CIO or the leadership team, who may end up questioning why the technology was implemented in the first place. Another aspect is maintenance. Security changes. Adversaries change. Business models change. New third parties may be added — your architecture needs to keep up and adapt to those changes.
2. Zero trust requires cultural change
Human nature often resists change. We have been freely granting our users a broad spectrum of network access to resources and capabilities without hindrance. Now that you’re taking something (liberal access) away from them, their first reaction will probably be negative because it’s disabling. IT staff must learn to promote the benefit, not the burden. Leadership teams need to explain the business goals behind this change so that employees understand it is for the better. It might be a good idea to appoint champions who promote zero trust as a business-as-usual conversation. Peers will trust peers more often than they trust IT security teams.
3. Visibility is a key tenet of a zero trust architecture
You cannot protect what you can’t see or don’t know about. This means having knowledge of all possible network entry points. Just like the Equifax data breach, it only takes one vulnerable entry point to cause a problem.
Business process mapping becomes critical in zero trust. Identify all connection points — both physical and virtual. What are the characteristics? What is the data that is trying to flow? What is the metadata? What applications are these flowing through (mobile apps, enterprise apps, etc.)? While most organizations are getting good at taking stock of what’s inside, as soon as you connect a third party to the equation, that’s where many of the blind spots enter. Maybe they are not following best practices like applying encryption, or we may not have governance or visibility on these connections. This needs to change with zero trust.
4. Zero trust versus verified trust
To business users, zero trust means the security guy is telling you no once again. Verified trust, on the other hand, is a journey to zero trust — a more pragmatic approach for the organization where employees can slowly transition to zero trust. Verified trust helps to provide middle-road capabilities (i.e., some access granted versus no access granted). Verify what employees are doing, and do not allow access blindly. Work in oversight mode instead of working in block-all mode. Monitor traffic, and dynamically fine-tune as you understand more about it.
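The following is an added example (not code from the original article) of a minimal policy decision point that puts the capabilities listed earlier (role-based least privilege, device-aware policies, risk telemetry, per-request decisions) and the “oversight mode” of verified trust side by side with a perimeter-style decision. The policy table, role names, resources and risk thresholds are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed policy table for this example: which job roles may reach a
# resource, whether a managed (compliant) device is required, and the highest
# telemetry risk score tolerated. Names and thresholds are hypothetical.
POLICIES = {
    "hr-payroll": {"roles": {"hr"}, "managed_device": True, "max_risk": 30},
    "crm": {"roles": {"hr", "sales"}, "managed_device": False, "max_risk": 60},
    "wiki": {"roles": {"hr", "sales", "eng"}, "managed_device": False, "max_risk": 80},
}

@dataclass
class AccessRequest:
    user: str
    role: str
    resource: str
    device_managed: bool
    risk_score: int                 # 0 (benign) to 100 (hostile), from telemetry
    inside_network: bool = False    # network location carries no trust here

def perimeter_decision(req: AccessRequest) -> bool:
    """The traditional model: anything already inside the network is trusted."""
    return req.inside_network

def zero_trust_decision(req: AccessRequest, mode: str = "enforce") -> dict:
    """Evaluate one request against role, device and risk, regardless of where
    it comes from. 'enforce' denies on any failed check; 'oversight' (the
    verified-trust stage) still allows known resources but reports every
    failed check so policies can be tuned before switching to enforce."""
    policy = POLICIES.get(req.resource)
    violations = []
    if policy is None:
        violations.append("unknown resource")        # default deny
    else:
        if req.role not in policy["roles"]:
            violations.append("role not permitted")
        if policy["managed_device"] and not req.device_managed:
            violations.append("unmanaged device")
        if req.risk_score > policy["max_risk"]:
            violations.append("risk score above threshold")
    if mode == "oversight":
        allow = policy is not None        # unknown resources are never allowed
    else:
        allow = not violations
    return {"allow": allow, "violations": violations, "mode": mode}

if __name__ == "__main__":
    # An engineer on the office LAN asking for payroll: the perimeter says yes,
    # zero trust says no because the role is not permitted for that resource.
    req = AccessRequest("alice", "eng", "hr-payroll", True, 5, inside_network=True)
    print(perimeter_decision(req), zero_trust_decision(req))
```

Running the same requests first in oversight mode and reviewing the recorded violations shows which policies would block legitimate work before enforce mode is turned on.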
5. Zero trust must be a combination of endpoint and network capabilities
Some organizations say it’s only about the endpoint, while others say it’s only about the network. But it’s not either-or; rather, it must be a combination of both. A layered approach is the best way to do security (i.e., combining layers of endpoint security, network security, policies and business process mapping). Finally, take the advice of a cybersecurity expert who has experience, or hire a virtual CISO to help with your zero trust implementation.