With hybrid working looking set to continue long term across the tech industry, Kevin Peterson, senior cyber security strategist at Xalient, explores the security implications that could come with this mega-trend
Remote and hybrid working patterns have extended the corporate world into every home and user device, and as the global pandemic recedes, this is a trend that is here for the long term. In fact, it is hard to overstate the pace and extent of digital transformation undergone by the enterprise environment in the past two years. As 2022 rolls on, the daily working experience for employees looks very different to the way it looked before the pandemic.
Why “the network” has become irrelevant
Now that the hybrid environment has evolved, employees can be anywhere; in the office, at home, on a train or in a coffee shop. From a security point of view, locking down the enterprise perimeter and securing network access is no longer what matters; to some extent the network has become almost irrelevant. Instead, the focus is now around securing applications. At the same time, organisations need to harness the power of applications, and need to be highly productive with fast and easy access to the applications they need to do their job. This is not only essential, it is foundational to becoming a modern digitised business. To enable this environment, businesses need reliable network access from the edge to the core and security based on a zero trust model to ensure robust, efficient and secure access to essential business applications from wherever employees are located.
As enterprises have accelerated their digital transformation initiatives, the number of possible attack vectors has grown, as digital systems need to have multiple access points for customers, partners, and employees, and this has created a vastly expanded attack surface. As a result, cyber crime has escalated, and a record-breaking number of data breaches of increasing sophistication and severity are taking place year-on-year.
Operating on a zero trust basis
The stark reality is that this new hybrid workforce brings an increasing level of risk. With work happening at home, the office, and almost anywhere, and cyber attacks surging, security must be the same, no matter who, what, when, where and how business applications are being accessed. Now that the security control organisations once had has quite literally left the building, this makes it critical that each and every connection operates on a zero trust basis. Cyber security leaders have historically called this “default deny”, which it still is. Only now, thanks to cloud platforms that tie user and device identity into the equation, the controls to make it a reality are both scalable and elegant.
What we mean by zero trust is that organisations effectively eliminate implicit trust from their IT systems, and this is replaced or embodied by the maxim ‘never trust, always verify’. In practice this means only trust those who have appropriate authority to access. Zero trust recognises that internal and external threats are pervasive, and the de facto elimination of the traditional network perimeter requires a different security approach. Every device, user, network, and application flow should be checked to remove excessive access privileges and any other potential threat vectors.
Nevertheless, working with a remote workforce isn’t a new concept. There are plenty of visionary enterprise organisations that have been thinking about this issue for a long time, but sophisticated solutions haven’t always been available. In the past, enterprises relied on Virtual Private Networks (VPNs) to help, albeit minimally, solve user trust issues. But now, the time is right to re-think enterprise security models in light of the modern security solutions that are available which can be implemented easily and cost-effectively.
Rewind to the security backstory
Ultimately, any high-level security model really breaks down into a trust issue: Who and what can I trust? – the employee, the devices, and the applications the employee is trying to connect to. In the middle is the network, but today, more often than not, the network is the internet. Think about it. Employees sit in coffee shops and log onto public browsers to access their email.
So now what organisations are looking for is a secure solution for their applications, devices, and users.
Every trusted or ‘would-be trusted’ end-user computing device has security software installed on it by the enterprise IT department. That software makes sure the device and the user who is on the device is validated, so the device becomes the proxy to talk to the applications on the corporate network. So now the challenge lies in securing the application itself.
Today’s cloud infrastructure connects the user directly to the application, so there is no need to have the user connect via an enterprise server or network. The client is always treated as an outsider, even while sitting in a corporate office. The servers never even see the client’s real IP address (because they don’t need to), and even data centre firewalls are of far less value as the zero trust model, and expertly applied policies and controls are now exponentially better.
Death to the VPN
In this new construct the VPN dies, thanks to Zero Trust Network Access (ZTNA), and networks become simplified with lower operational running costs, thanks to SD-WAN.
So, does the old client VPN truly die? Yes, it does! The reason is that we are now only concerned with what we trust: the user, their device, and the destination. Notice that “the network” isn’t part of that. Why? Because we don’t trust users or their devices any more on the corporate network than we do on public networks. So even when connected to a LAN port on the desk, they have the same seamless security posture and always-on application access that they would if there were on public Wi-Fi.
Just as film is no longer used for taking pictures, VPNs are no longer the future for application access. Everyone now sees that the real need is not for users to access networks, but rather just to access the applications as though they are all cloud accessible. That’s the zero trust-based future for us all.
Most enterprises realise that it is time to enhance remote access strategies and eliminate sole reliance on perimeter-based protection, with employees instead connecting from a zero trust standpoint. However, most organisations will find that their zero trust journey is not an overnight accomplishment – particularly if they have legacy systems or mindsets that don’t transition well to this model. That said, many companies are moving all or part of their workloads to cloud and, thus, greenfield environments. Those are the perfect places to start that journey and larger organisations, with complex IT environments and legacy systems, might see the road to zero trust as a multi-phase, multi-year initiative.
This is where organisations can work with partners, to assist with implementing security controls and zero trust models in the cloud by utilising a framework. This framework would provide a firm security foundation to underpin digital transformation initiatives, helping organisations take their first steps towards becoming a zero trust connected enterprise. It would do this by addressing common areas of compromise between a user or device and the application or data source being accessed or consumed. And this is achieved wherever the users, devices, data and applications are located.
In today’s hybrid environment, implementing a zero trust approach enables organisations to start to really drive down the risk factors, while ensuring the enterprise is future-proofed for 21st century business. With cyber threats only set to escalate, this peace of mind is essential.
How businesses can combat data security and GDPR issues when working remotely — Oliver Rowe, managing director of Fusion Communications, discusses how businesses can combat data security and GDPR issues when working remotely
Zero trust: the five reasons CIOs should care — Tony Scott, board member at ColorTokens and former federal CIO of the US Government, identifies five reasons why chief information officers (CIOs) should care about zero trust.