- May 18, 2021
- Category Security
The Zero Trust model for security isn’t new, but it’s getting more attention due to the massive shift to remote work.
Also known as the Zero Trust Network or Zero Trust Architecture, it's a model first articulated more than 10 years ago by then Forrester Research analyst John Kindervag. It has since become more mainstream, partly because security technologies have matured, but also because remote work has made enterprise networks harder to secure.
The ABCs of Zero Trust
Zero Trust isn’t just a suite of technologies you buy. It’s a security model built on the principle that an organization shouldn’t automatically trust anything inside or outside its perimeter: if breaches are to be prevented, every connection must be verified, whether it comes from an endpoint, a switch or an IP address.
Even before the massive uptick in remote work last year, the Zero Trust model recognized that organizations already had an increasingly porous network perimeter; the enterprise was no longer a castle surrounded by a moat. The old model assumed everything already inside was cleared for access. The Zero Trust model is a paradigm shift in that it treats everything as a threat until it’s verified safe. It also recognizes that once an attacker gains access through a single vulnerable spot, they can move laterally across the enterprise network and escalate to ever higher levels of access.
Zero Trust combines technology with governance policy to segment access at a granular level, taking into account the user, their device, their location and other context before authorizing any user, device or application. It isn’t enough to authenticate the user, even if that user is the CEO or CFO; the device being used to reach the enterprise network, and where it physically is, must be checked as well. Even when the user is authenticated, policy may decide that the location (a coffee shop Wi-Fi hotspot, for example) isn’t secure enough. Or it may decide that the user can’t access the network from a personal device, only from one issued by the organization.
While technologies such as multifactor authentication, analytics, encryption, and file system permissions all play a role in a Zero Trust architecture, governance policies and good habits are just as critical to realizing its benefits, and that includes remote work environments.
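The access decision described above, as an added example that is not part of the original post: a small default-deny policy engine that looks at the user's authentication and MFA state, whether the device is managed and compliant, the network the request comes from, and the sensitivity of the resource. The schema, the resource tiers, the network ranking and the sample requests are all assumptions made for the example; a real deployment would take these signals from its identity provider, device-management and network telemetry and load the policy from configuration.

```python
"""Zero Trust access-policy evaluation (added example, not the post's own code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    """Everything the policy engine knows about one request (hypothetical schema)."""
    user: str
    authenticated: bool      # primary credential (password, certificate) verified
    mfa_passed: bool         # second factor completed in this session
    device_id: str
    device_managed: bool     # enrolled in the organization's device management
    device_compliant: bool   # disk encrypted, patched, endpoint agent running, ...
    network: str             # "corp", "home" or "public"
    resource: str            # what is being requested


# Assumed resource sensitivity tiers; a real deployment loads these from policy.
RESOURCE_TIER = {"wiki": "low", "email": "medium", "finance-db": "high"}

# Assumed trust ranking of networks and the minimum rank each tier requires.
NETWORK_TRUST = {"corp": 3, "home": 2, "public": 1}
TIER_MIN_NETWORK = {"low": 1, "medium": 2, "high": 3}


def evaluate(req: AccessRequest) -> tuple[bool, list[str]]:
    """Default-deny evaluation: the request is allowed only if no check fails.

    Every failing check is collected rather than stopping at the first one, so the
    decision log explains the whole verdict (useful for tuning policy and for
    forensics after the fact).
    """
    tier = RESOURCE_TIER.get(req.resource)
    if tier is None:
        # An unknown resource has no policy, and "no policy" means deny, not allow.
        return False, [f"no policy for resource {req.resource!r}"]

    reasons = []
    if not req.authenticated:
        reasons.append("user not authenticated")
    if not req.mfa_passed:
        reasons.append("MFA not completed")
    if not req.device_managed:
        reasons.append("device is not managed by the organization")
    elif not req.device_compliant:
        # Compliance is only meaningful for a device the organization manages.
        reasons.append("managed device failed its compliance check")
    if NETWORK_TRUST.get(req.network, 0) < TIER_MIN_NETWORK[tier]:
        reasons.append(
            f"network {req.network!r} is not trusted enough for a {tier}-sensitivity resource"
        )
    return not reasons, reasons


# Constructed sample requests (not real users, devices or systems).
CEO_FROM_COFFEE_SHOP = AccessRequest(
    user="ceo", authenticated=True, mfa_passed=True,
    device_id="personal-laptop", device_managed=False, device_compliant=False,
    network="public", resource="finance-db",
)
ANALYST_FROM_HOME = AccessRequest(
    user="analyst", authenticated=True, mfa_passed=True,
    device_id="corp-laptop-0042", device_managed=True, device_compliant=True,
    network="home", resource="email",
)
ANALYST_FINANCE_FROM_HOME = AccessRequest(
    user="analyst", authenticated=True, mfa_passed=True,
    device_id="corp-laptop-0042", device_managed=True, device_compliant=True,
    network="home", resource="finance-db",
)


if __name__ == "__main__":
    for req in (CEO_FROM_COFFEE_SHOP, ANALYST_FROM_HOME, ANALYST_FINANCE_FROM_HOME):
        allowed, reasons = evaluate(req)
        verdict = "ALLOW" if allowed else "DENY"
        detail = "; ".join(reasons) or "all checks passed"
        print(f"{verdict:5} {req.user}@{req.network} -> {req.resource}: {detail}")
```

The point of the shape is that being the CEO buys nothing on its own: the request from the coffee shop on a personal laptop is refused twice over, once for the device and once for the network, while the analyst's managed, compliant laptop at home gets email but is still kept out of the high-sensitivity database until the policy's network requirement is met.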
Applying Zero Trust to Remote Work
For organizations to truly benefit from a Zero Trust model in the era of remote work, the same mindset must be brought into the home.
Whether they’re online for work or personal reasons, users need to apply a Zero Trust approach that keeps the wrong people out, and that means more than security awareness training or a strong password policy. Users at home should question every interaction online, including emails and texts with links, and messages that seem out of character for the sender, even if they appear to come from an official source. Phishing and other attacks rely heavily on complacency, so Zero Trust requires vigilance as a habit.
A common threat to enterprise network security in the remote work era is sharing passwords across work and personal devices, and letting family members use corporate devices for personal purposes. The average person may think this is harmless, but a Zero Trust model requires every employee to think about their behaviour from a security perspective. Careless use of a corporate device by a family member could compromise the enterprise network and lead to a data breach.
Under Zero Trust, password and device sharing are a no-no. Every home user should have their own passwords and, as far as possible, their own device, and each device should be either for personal use or for corporate use, not both.
These habits and overall mindset are essential to successfully applying a Zero Trust approach to security in the organization, regardless of where employees are doing their work. Having the right technology is a critical enabler, but you need the right governance policies and employee engagement if you’re to fully secure your business.