With coronavirus infections continuing to rise in many countries across the globe, there’s no doubt employees are likely to spend most of their time, if not all, working remotely for the foreseeable future. And with Gartner stating that 82% of leaders are planning to implement this change for good, it’s clear this culture shift is here to stay.
But because of the previous reluctance towards flexible workplaces, lots of businesses have been thoroughly underprepared to cope with that change. The inadequate security measures in place have led, for many, to a significant jump in both external and internal threats.
A recent study from VMWare Carbon Black reveals that 92% of UK businesses have seen an uptick in attacks since the crisis began and employees started working from home. Furthermore, a report from Interpol highlights an increase in the usage of disruptive malware and ransomware against critical infrastructure and even predicts an explosion of Covid-related scam campaigns to exploit the fear which the virus is bringing.
The fear of vulnerabilities has forced companies to invest more in technologies that boost the security of their now-distributed workforce, while IT and security teams have had to quickly adapt to a rapidly evolving threat landscape.
And they all seem to be doing it in the same way. One trend emerging from this situation is the mass adoption of the Zero-Trust model. Take a look at whichever security or tech publications you like, but this approach is grabbing the headlines. So, what is it all about? And most importantly, is it the answer to our new way of working?
What is Zero-Trust security?
Zero-Trust is a security framework that eliminates the concept of trust – “a human emotion that we have applied to digital systems for no reason” says its creator John Kindervag. Put simply, everybody and everything – users, devices, services, and data – are considered a threat until proven otherwise.
Depending on who you ask, the framework is based on three to seven pillars including:
- Identifying all assets (people, services and IoT components) and communication patterns
- Devices – monitoring and enforcing device health and compliance
- Apps and APIs – ensuring they have appropriate permissions and secure configurations
- Data – giving it the necessary attributes and encryption to safeguard it out in the open
- Infrastructure – hardening against attacks on premises or in the cloud
- Networks – establishing controls to segment, monitor, analyse and encrypt end-to-end traffic
A 21st century model
Given its restrictions, is Zero-Trust really better than the traditional castle-and-moat approach —also known as “perimeter security”? Yes, say most experts. Today’s enterprise IT departments require a new way of thinking because, for the majority, the castle itself no longer exists in isolation as it once did. The shift towards cloud and mobile platforms and users demand for instant access to applications and data from a range of devices and multiple locations means companies are dealing with a distributed information infrastructure. This is impossible to secure with a perimeter-based approach.
By adopting the Zero-Trust model, you can granularly identify users, devices, and applications on the network, making it easier to apply companywide policy rules using role-based access. You can also grant the appropriate level of network access to specific users, devices or applications and segment the data according to type, sensitivity, and use. This way, critical or sensitive data is protected, and potential attack surfaces are reduced. Finally, another benefit of the Zero-Trust model is that it enables a good security orchestration. No holes are left uncovered and the combined security elements complement one another.
It’s no wonder that cybersecurity experts are singing its praises. During one of the sessions of the Infosecurity Europe Virtual Conference I attended in June, James Packer, Head of Cyber Security at EF Education First, told the audience: “move to zero-trust architecture as much as you can. Treat every device as an untrusted device. Work as much as you can to modernise and use browser-based architecture so there is no such thing as BYOD or remote working, and you remain in full control.”
No silver bullet
However, if you think Zero-Trust is a quick win, think again. Deploying a Zero-Trust architecture is not easy – it even took Google six years to do it! Here’s why:
- It takes time and efforts to set it all up – you will need to update all your policies within your existing network while making sure it still works. Worst-case scenario, you might even need to start from scratch if your legacy systems are not compatible with the new framework.
- It’s not just about your employees anymore – you also need to monitor other users of your company’s website or that have access to your data such as customers or third-party vendors and have a dedicated policy for each group. On top of that, as data is likely stored in different locations these days, there are more sites to protect.
- Remote work means more devices – we all likely have a laptop, a mobile (or three like me…) and potentially a tablet too. These devices may have different properties and communication protocols that must be monitored, managed and secured.
- It makes apps management more complicated – like devices, applications are often varied and used across multiple platforms. To comply with the framework, app usage should be planned, monitored, and tailored to user need.
The challenges with using the Zero-Trust model are mainly related to the time and resources required to implement it. It is a robust security framework, for sure, but should not be considered the silver bullet. It’s not an off-the-shelf solution that can be bought to retrofit over your existing systems, but an approach used for architecting good cybersecurity hygiene from the ground up. This is best practice at its best.
For Zero-Trust to be effective, some key things need to be considered.Subscribe to our blog to find out more!