Location, location, location may be everything when you’re buying a home, but it’s not the best path to enterprise security.
That’s because the workplace isn’t just one place anymore. With the new hybrid workforce model, employees work from anywhere, and that doesn’t jibe with a traditional cybersecurity approach.
“The ordinary, standard, default infrastructure assumes that people are in an office connecting to resources that are on-prem and (in) a data center. Well, that (assumption) is completely false now with the hybrid workforce,” Nemertes Research CEO Johna Till Johnson told me in a recent interview.
“The old security model was that a remote user connects to internal resources by going through a firewall. The firewall was the perimeter,” she said.
With hybrid work, however, defining that secure perimeter as ‘inside the office’ doesn’t make sense. Cybersecurity that leans heavily on the physical location of workers and enterprise assets doesn’t cut it anymore.
So how do you secure a hybrid workforce?
“I would argue,” said Till Johnson, “that zero trust and hybrid workforce are inextricable.”
Yep, zero trust. It’s not a brand new concept in cybersecurity. (Thank you, John Kindervag.) But zero trust is gaining new popularity as freshly enabled hybrid workplaces search for alternatives to location-based cybersecurity.
In its guidelines for zero trust architecture, the National Institute of Standards and Technology (NIST) states that “zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location … or based on asset ownership (enterprise or personally owned).”
Enterprises are duly taking notice of how the zero trust posture seems well suited to hybrid workforces. According to a new survey of enterprise organizations, their top security priorities for 2022 are:
- securing the hybrid workplace (42%)
- embracing zero trust frameworks (38%)
Zero trust isn’t just gaining steam within the private sector. In January, the U.S. government issued a directive requiring all federal agencies “to achieve specific zero trust security goals by the end of fiscal year 2024.”
What do you need for a zero trust security strategy? Well, you might not need all those VPNs anymore.
The VPN is ‘dead’
In a zero trust strategy, “the whole concept of a VPN is dead,” Till Johnson said.
“The whole point of a VPN is that you tunnel through the dangerous ‘outside’ into the safe ‘inside’ where your (enterprise) resources are. With zero trust, the idea that you can tunnel past the danger into someplace safe makes no sense.”
That’s because (as its name implies), zero trust assumes there is no safe place. Here’s how the White House described this in its January memorandum to federal agencies:
“The foundational tenet of the zero trust model is that no actor, system, network or service operating outside or within the security perimeter is trusted. Instead, we must verify anything and everything attempting to establish access.”
Constant and contextual
Another key element of zero trust is that security isn’t just evaluated at login.
“It is a dramatic paradigm shift,” the aforementioned White House memo states, “from verify once at the perimeter to continual verification of each user, device, application and transaction.”
Till Johnson gave me a simple example of how zero trust constantly re-evaluates security throughout each user session, as well as with each new request made by the user.
“In a traditional model, once you’ve already logged in, you’ve already been authorized: it’s Johna’s machine,” said Till Johnson.
With zero trust, however, “if I suddenly plug my thumb drive into my machine in the middle of my session—and that’s no longer acceptable—I will get cut off,” she explained.
This process of continual, real-time security re-assessment takes into account various elements such as authentication of the user’s identity, their location, the security posture of their device and the context surrounding the access request (such as time of day, day of the week, type of device).
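The thumb-drive scenario above, worked through as an added example (not code from the article, NIST or Nemertes): a policy function that is re-run on every request, checking identity, device posture, location and time-of-day context, with a session object that cuts the user off the moment a check fails. All rules, field names and the sample session are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
# Constructed illustration of per-request, contextual re-evaluation; rules, names
# and the sample session are assumptions, not tooling from NIST, Nemertes or a vendor.
@dataclass
class AccessRequest:
    mfa_verified: bool
    device_managed: bool
    removable_media: bool      # e.g. a thumb drive plugged in mid-session
    country: str
    when: datetime
    resource: str

ALLOWED_COUNTRIES = {"US", "CA"}
WORK_HOURS = range(6, 22)      # 06:00-21:59 local time

def evaluate(req: AccessRequest) -> tuple[bool, str]:
    """Identity, device posture, location and context, checked on EVERY request."""
    if not req.mfa_verified:
        return False, "identity: MFA not verified"
    if not req.device_managed:
        return False, "device: unmanaged"
    if req.removable_media and req.resource.startswith("finance/"):
        return False, "device: removable media present during sensitive access"
    if req.country not in ALLOWED_COUNTRIES:
        return False, f"location: {req.country} not permitted"
    if req.when.hour not in WORK_HOURS:
        return False, "context: outside work hours"
    return True, "ok"

class Session:
    """A denied request terminates the session rather than failing just one call."""
    def __init__(self) -> None:
        self.active = True
    def handle(self, req: AccessRequest) -> tuple[bool, str]:
        if not self.active:
            return False, "session terminated"
        ok, reason = evaluate(req)
        self.active = ok
        return ok, reason

def simulate() -> list[tuple[bool, str]]:
    """Constructed session: same user and machine, posture changes mid-session."""
    base = dict(mfa_verified=True, device_managed=True, country="US",
                when=datetime(2022, 3, 14, 10, 0), resource="finance/q1.xlsx")
    s = Session()
    out = [s.handle(AccessRequest(removable_media=False, **base))]     # allowed
    out.append(s.handle(AccessRequest(removable_media=True, **base)))  # thumb drive: cut off
    out.append(s.handle(AccessRequest(removable_media=False, **base))) # already terminated
    late = {**base, "when": datetime(2022, 3, 13, 2, 0)}               # Sunday 02:00
    out.append(Session().handle(AccessRequest(removable_media=False, **late)))
    return out
```

The third call shows the difference from the login-once model: removing the thumb drive does not restore access, because the session itself was terminated and the user must re-authenticate.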
Zero trust ingredients
So how do you implement zero trust?
In a piece she wrote for Tech Target, Till Johnson singled out some tech specs that could be part of a zero trust strategy:
- software-defined perimeter (SDP)
- identity-centric vs location-centric architecture
- endpoint security for diverse device formats and operating systems
- endpoint data loss prevention (DLP) software
As for NIST, here are some of the technology components mentioned in its zero trust architecture document:
- continuous diagnostics and mitigation (CDM)
- threat intelligence feed
- network and system activity logs
- enterprise public key infrastructure (PKI)
- ID management system
- security information and event management (SIEM)
In that same document, NIST defines zero trust as “not a single architecture but a set of guiding principles for workflow, system design and operations.” While Till Johnson acknowledges “any technology change also requires a process and cultural change,” she believes zero trust deployment really hinges on two things: automation and IT architecture.
“It really is just IT tools,” she said. “It has to be happening in an automated fashion, not by your security team.”
As a starting point, she highly recommends checking the list of 18 vendors (it’s since been widened to 24) that are collaborating with NIST to develop and test security solutions that meet its criteria for zero trust architecture.
“There is a zero trust architecture which was confirmed by NIST. (Those vendors) are included in the list for their zero trust capabilities,” said Till Johnson. “It’s worth looking through that list, seeing what they do, seeing where they fit in your environment.”