In the first article in this series, we discussed what zero trust security is and why it matters. In the second, we talked about the benefits of zero trust network access. In the third installment, we dove into using zero trust models within container security. In this fourth article, we will discuss the future of zero trust in a world that is increasingly remote.
While remote work originally appeared en masse as a Band-Aid fix for organizations to keep working during the COVID-19 pandemic, it is now decidedly here to stay.
According to research from Tanium, 65% of companies expect at least some of their employees to continue working remotely indefinitely, while research from McKinsey shows that most executives no longer plan to have non-essential staff working on-site five days a week.
And employees are happily abiding. Accenture says 83% of employees consider the hybrid work model optimal for the future.
But while the hybrid model has been a boon for both workplace productivity and employee satisfaction, it has also introduced new cybersecurity challenges.
In 2020, companies scrambled to put new systems in place to enable their teams to continue working remotely — but these rushed infrastructures were never intended to be permanent, long-term solutions, and now they’re posing real security problems.
New Security Challenges in a Hybrid World
A primary challenge is the ever-popular BYOD policy: bring your own device.
While it can be convenient for employees to use common devices for both their work and personal activities, this policy opens the door to a plethora of security vulnerabilities. This threat is further compounded as employees are not only conducting work tasks on personal devices, but they’re doing so on networks that they share with roommates and/or relatives.
With employees scattered around the country working on common devices and shared networks, businesses are tasked with new cybersecurity responsibilities that go beyond their own doors.
For example, they are now responsible for securing multiple endpoints remotely, protecting IP and customer data from threats, and protecting business-critical systems from service interruption. And they have to do it all while keeping friction to a minimum for employees.
Securing a hybrid workforce is challenging because organizations can’t just transfer their legacy security tactics to the new hybrid perimeter.
Everything has changed.
For one, it’s harder for companies to regulate employee activity when they’re working remotely. Employees who work from home are also more likely to be distracted throughout the day, putting them more at risk of clicking on phishing email links, leaking confidential data, or using unsanctioned apps.
Together, all of these challenges make the hybrid workforce an attractive target for cybercriminals.
It’s simple. With large numbers of distributed devices, the attack surface has expanded. And businesses that haven’t adapted their security postures to support the new hybrid model are leaving themselves vulnerable.
In order to future-proof their hybrid workforces for the long term, organizations need a security model that is adaptable.
What Is Zero Trust Security?
Developed in 2009 by Forrester, the zero trust model is experiencing revived interest as the hybrid workforce swells. It’s so powerful because it completely changes the security mindset.
The old security adage said, “Trust, but verify.”
This meant that users and devices could connect to a network and then be verified afterward. Before the advent of hybrid teams, this largely worked just fine. Because most employees were already physically working on-site, organizations could reasonably trust that their users and devices were verified.
Now, with company perimeters fluid and employees dispersed around the country, all users and devices must be continually authenticated.
Enter the new motto of zero trust security: “Never trust; always verify.”
Whether inside or outside the perimeter, all users and devices must indiscriminately go through verification processes before they can gain access to the network.
Security is no longer about securing the perimeter and then trusting users and devices once they’ve been granted access inside. Instead, the zero trust model assumes that all users and devices have already been compromised and so must undergo continuous authorization, authentication, and attestation in order to be connected to the network.
Principles of Zero Trust Security
The zero trust model is founded on three pillars:
- All networks should be untrusted: It can never be guaranteed that an account hasn’t been hacked.
- Least privilege: Limit user access by granting employees just enough authorization to perform necessary tasks.
- Assume breach: Breaches are inevitable, so an organization’s focus should be not on preventing them but on reducing their impact.
Endpoint security is another key component of a successful zero trust architecture.
By requiring that all endpoints are authenticated, security teams can minimize the chance of attackers gaining access to company networks. If any devices are compromised, then IT teams can immediately identify and isolate them before they can infect the rest of the network.
How Zero Trust Fulfills Organizations’ Security Needs
Zero trust helps organizations by allowing IT teams to maintain visibility across all endpoints within their network. Teams can then verify each endpoint for threats before granting employees access to the network — and they can do this no matter where the employee is working.
With this increased level of visibility, zero trust security empowers teams to take preventative measures against cyberattacks — something other security postures can’t do.
When companies began transitioning to remote work, many first thought that VPNs could sufficiently fulfill their security needs. But during the pandemic, it became clear that many VPN solutions struggle to accommodate and sustain large numbers of employees working remotely on the same network at the same time.
Remote work is no longer a patchwork solution for making it through the pandemic. The hybrid work model is the future — and zero trust security is the only sustainable option for long-term security success.
Getting Started with Zero Trust Security
For organizations ready to adopt a zero trust security framework, making the transition need not be intimidating.
There are three main components to getting started with the zero trust model:
- Multifactor authentication (MFA): MFA is all about ensuring users really are who they say they are by going above and beyond standard password protocol. In order to gain access to a network, users must confirm their identity by providing at least two of the following: a password, a token, or a face ID/fingerprint.
- Least privilege access: This is key to limiting the risk of insider threats. By granting employees access to only the networks and applications they need to complete a task, organizations can mitigate the risk of compromised data.
- Endpoint security: Every device is a potential entry point for bad actors looking to deploy malware or ransomware attacks. But by setting baseline controls and constantly reviewing endpoints, a zero trust approach can help companies ensure that no devices connected to their network have been compromised.
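As an added illustration (not from the original article or any vendor's product), the three components above can be combined into a single per-request access decision that denies by default. The factor categories, the 15-minute posture window, the user names and the grant table are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# All names, thresholds and sample values below are assumptions for illustration.
FACTOR_CATEGORY = {"password": "knowledge", "token": "possession",
                   "face_id": "inherence", "fingerprint": "inherence"}
MAX_POSTURE_AGE = timedelta(minutes=15)   # how stale a device check may be
GRANTS = {"alice": {"payroll-app"}, "bob": {"wiki", "ci-dashboard"}}

@dataclass
class Posture:
    disk_encrypted: bool
    os_patched: bool
    edr_running: bool
    checked_at: datetime

@dataclass
class Request:
    user: str
    resource: str
    factors: tuple      # factor names the user actually presented
    posture: Posture

def decide(req: Request, now: datetime) -> tuple:
    """Evaluate one request; network location is never an input."""
    # 1. MFA: two factors from *different* categories, so a fingerprint plus
    #    face ID (both inherence) does not count as two.
    categories = {FACTOR_CATEGORY[f] for f in req.factors if f in FACTOR_CATEGORY}
    if len(categories) < 2:
        return (False, "mfa: need two distinct factor categories")
    # 2. Endpoint security: baseline controls, re-verified recently.
    p = req.posture
    if not (p.disk_encrypted and p.os_patched and p.edr_running):
        return (False, "endpoint: baseline control failed")
    if now - p.checked_at > MAX_POSTURE_AGE:
        return (False, "endpoint: posture check is stale")
    # 3. Least privilege: explicit grant required, default deny.
    if req.resource not in GRANTS.get(req.user, set()):
        return (False, "least privilege: no grant for resource")
    return (True, "allow")

# Constructed sample values for trying the function out.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
GOOD = Posture(True, True, True, NOW - timedelta(minutes=5))
```

Because the decision is made per request rather than per session, a device whose posture check ages out or whose baseline fails loses access on its next request, even if the user authenticated correctly earlier.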
People were quick to adapt to the hybrid workforce — now it’s time for security to catch up with zero trust.