Hybrid working demands a frictionless Zero Trust approach, says Joseph Carson, Chief Security Scientist, at the cyber firm ThycoticCentrify.
After the events of the last year, more enterprises are embracing a flexible approach that blends office and remote working. The ONS found that 85 percent of adults currently homeworking would prefer a hybrid approach. The key to a successful hybrid working environment is to make it frictionless. Workers need to be able to come and go and login from their preferred location while still being able to access all the network assets they need for their job role. If the process is full of friction, everything slows down and productivity drops.
The balancing act
Security is one of the biggest sources of friction as firms must ensure that threat actors cannot exploit the situation. Strong security controls are paramount as criminals can hide their activity more easily in a flexible working environment that sees users login from a variety of locations, often mixing in personal devices.
To visualise those controls, let’s imagine the network infrastructure as something like a bank’s safe deposit box service, with security guards on the door.
The strictest form of controlling who can enter would be to have the guards check the ID of each and every patron. This demands the right kind of reliable, government-sanctioned ID – passports and driver’s licenses, not library cards. This approach has the highest chance of keeping out known undesirables and ensuring that only genuine patrons access the service – but it causes the most friction and can be frustrating for legitimate visitors.
A frictionless version would be to have the guards assess all the visitors by sight only. Anyone who seems legitimate is nodded through, anyone who appears suspicious needs to present their ID. This creates a much better experience for visitors, but creates risk if the bouncers cannot accurately eyeball the age of everyone coming in.
A third option that also presents a frictionless experience is to continuously monitor how visitors use their access once they are in the safe deposit area, with individuals being challenged if they try to visit other areas or tamper with other boxes.
These last two are of course quite impractical in a physical setting, but increasingly achievable in a digital environment. Back to the hybrid workplace, organisations don’t want their employees to feel like they are being accosted by burly bouncers every time they try to access company assets. At the same time, if they adopt a frictionless approach, they need to be sure it will accurately and reliably identify legitimate users without letting in threat actors.
The solution to hitting this balance is to adopt a Zero Trust strategy that uses a risk-based approach to implement verification measures that vary based on factors such as the machine being used, and the assets being accessed. Zero Trust effectively presents a digital polygraph test that adapts to the potential risk of each interaction – and when done correctly, provides authentication with a minimum of friction.
A mindset, not a solution
Zero Trust has been building momentum for some years now but has come into the spotlight over the last year as more businesses seek out solutions to keep their increasingly diffused infrastructure secure. Visibility was also greatly increased by the US Government mandating that governmental organisations will need to begin adopting Zero Trust strategies.
One thing that is frequently overlooked by newcomers to the concept is that Zero Trust is not a typical security solution, but a mindset. There is no standard list of boxes that can be ticked off, it is instead a journey that is unique for each organisation based on their distinct infrastructure and business objectives. Zero Trust is an approach to operate and adapt security measures that continuously verifies authorisation.
There are multiple different actions businesses can take to contribute and progress that journey. A single sign-on (SSO) approach is for example very useful in reducing friction, as it ensures that users only need to be verified once per session in order to access anything they are authorised for.
Strong privilege controls are one of the most important elements, and organisations will need to follow the principle of least privilege, with users only being able to access data and applications they need for their job role.
Endpoint privilege management (EPM) is also useful here, as it combines application control and privilege management to ensure that only trusted applications can be run and removes the common issue of arbitrary local admin access. This creates an approach to security that is far more dynamic than the old static approach of usernames and passwords. Security must become adaptive and evolve based on current threats.
Multi-factor authentication (MFA) is one of the most effective tools for enforcing adaptive authentication. Users who are acting suspiciously, such as trying to access assets outside of their remit, or logging in from previously unknown devices or locations, can be challenged to verify themselves with MFA. This should only occur when a user has reached the threshold based on a continuously monitored risk score, with no extra steps needed for users who are acting within acceptable bounds.
The technology has also become much more user-friendly in recent years thanks to biometrics, which means the process can be completed with minimal disruption.
Zero Trust is a journey, and one that is never truly finished as no company can ever claim to be 100 percent secure. This may seem like a daunting prospect, so the best approach for firms that are just starting out is to have a clear set of objectives and move towards them one step at a time.
This starts with developing a strong understanding of what the enterprise’s most valuable assets are, along with a risk impact assessment to determine potential impacts. Businesses should look to take on a more dynamic approach to risk assessment, rather than relying on annual audits. This has become more important over the last year as so many businesses have undergone radical changes.
Enterprises should then determine what kinds of controls will have the biggest impact on reducing these risks. From here, it is possible to break the Zero Trust strategy into a number of smaller projects and steps. Start with particular sets of controls in smaller use cases to get some quick wins, and then build on these successes to gradually cover more of the business. A higher level of maturity and implementation amplifies the results, spreading from endpoints to cloud environments and SaaS to the supply chain and beyond.
Zero Trust is all about reducing risk without increasing friction for users. At the same time, it should be creating as much friction as possible for threat actors. The more difficult it is for them to gain access, the more noise they are likely to make, and the easier it will be to identify and stop them before they can achieve their goals.
