In less than a week, the world changed. At the end of March, amid the throes of the coronavirus pandemic, the vast majority of states in the US issued stay-at-home orders, resulting in the largest migration to remote working the nation has ever seen.
Before this happened, just 4% of workers spent the majority of their working hours outside the office, and only 43% worked remotely with "some frequency."
For security teams, the move caused chaos. Sensitive business resources that had, up to that point, only been accessed by workers at the office now had to be available to employees working from home. While many security experts had talked about the decline of the perimeter for more than a decade, the mass migration to remote working has forced every business to consider how to operate security with a distributed workforce.
Many still are struggling to adjust, said Chase Cunningham, vice president and principal analyst for security and risk at Forrester Research.
"We've seen five years of innovation in three months. Companies are going to move toward this model, and it is up to them whether they work towards it now or continue to skate uphill by keeping everything inside the network."
—Chase Cunningham
"Zero trust," the concept of operating securely with a distributed workforce and without a perimeter, has become a necessity for most companies. Not long ago, it was an aspirational model instead of a requirement.
Here's why zero trust is so important now, and how you can implement the model.
Why zero trust is needed
Surveys have found that anywhere from 70% to 85% of companies with remote workers intend to encourage them to continue to work from home even after stay-at-home orders expire. For instance, business research firm Gartner found that 74% of companies expect at least 5% of their workforce who previously worked in an office to work from home in the future.
Still, the zero-trust model is not just about accommodating those workers. It is a foundational move in the digital transformation of the business—efforts that were already underway before the pandemic, said Robert MacDonald, director of solutions at Micro Focus.
"The situation has accelerated the need to digitally transform the business to remove the traditional perimeter to be much more fluid, because people are working from everywhere, and they need access to that data regardless."
—Robert MacDonald
For companies struggling with moving to the zero-trust model, here are five recommendations from experts.
1. Zero trust is no longer optional
Moving the focus of security away from the perimeter is no longer an option. Aside from the realities imposed by the coronavirus pandemic and the uncertainty of whether in-office work will be possible on a consistent basis, many companies are looking at moving employees out of the office as a way to cut costs, reduce downtime due to commuting, and improve employees' work-life balance.
"I've been having lots of conversations about companies reducing how many people are coming to an office in a building," Forrester's Cunningham said. If they can cut their on-premises workforce by 25%, they can reduce costs significantly.
"This is one of the few times in history where something that is really terrible can have a massive upside if we leverage carefully."
—Chase Cunningham
2. Much of the technology is new
Even just a few years ago, mature technology for implementing zero trust did not exist. While single sign-on vendors existed, the ability to manage corporate resources and access to those resources on a granular level had not advanced enough to scale to large deployments.
The US Department of Defense and other federal agencies have pursued zero-trust principles for more than a decade, with a variety of programs aimed at limiting access to data to only authorized parties, according to a draft zero-trust architecture specification from the US National Institute of Standards and Technology (NIST).
When these programs were started, "they were limited by the technical capabilities of information systems," NIST said in the draft. Security policies were largely static and, to get the largest effect for the effort, were enforced at large "choke points" that an enterprise could control.
As technology matures, it is becoming possible to continually analyze and evaluate access requests, dynamically and granularly, "to mitigate data exposure due to compromised accounts, attackers monitoring a network, and other threats," the NIST document said.
3. Don't expect a single service or product to solve the problem
Zero trust requires a large number of components to work together in an auditable and verifiable way. The seven basic tenets, according to the NIST specification, include:
- Designating all data sources and computing services as resources
- Encrypting all communication end-to-end, no matter the location
- Authorizing access to resources on a per-session basis
- Allowing security and access policies to dynamically change based on context, state of the client, and current perceived risk
- Monitoring all assets to be in the most secure state possible
- Enforcing the temporary and dynamic nature of authentication and authorization
- Maintaining visibility into the security of the entire network and business's resources
The interaction among all these requirements means that a single product or service is not going to be able to deliver a zero-trust architecture to a company, said Micro Focus's MacDonald.
"If a single company is saying that they will get you to zero trust, that's nonsense."
—Robert MacDonald
4. Identity and access management are crucial starting points
The root cause of many breaches is the use of stolen credentials; it's the second-most common threat action, according to Verizon's 2020 Data Breach Investigations Report. The most common threat action is phishing, which often also leads to credential compromise.
Almost every company that has suffered a breach has had antivirus software, a firewall, and maybe even an intrusion-prevention system in place, said Forrester's Cunningham.
"Where they fell down was with privilege and access control. If your identity or access store is compromised, that is when a breach can go on for days."
—Chase Cunningham
The lesson is that managing identity and access is possibly the most important part of security, especially in a world of distributed employees, he said.
5. Verify identity and authorization continuously
Managing the initial authentication is not enough. Companies also need to re-authenticate users every time they access a different resource. With technologies including adaptive authentication, such checks do not have to be intrusive, but should be based on context, said Micro Focus' MacDonald.
"If you only rely on the point of access, there is no check afterward. You want to constantly verify that the user assigned that identity is doing what you think they should be doing. If we just let them in and let them go, then we lose visibility into what actions they are taking on the network."
—Robert MacDonald
As companies adjust to "the new reality," security remains a tough balance. However, pursuing a zero-trust architecture can give companies flexibility in work arrangements, the security of continuous monitoring, and the ability to adapt to whatever the future holds.
Keep learning
Get up to speed on Zero Trust security with TechBeacon's Guide.
Understand why API security needs access management with this Webinar.
Learn how how privilege and policy management improves your cyber resiliency in this Webinar.
Find out why Zero Trust means rethinking your security approach.
Answer this question: Is your environment adaptive enough for Zero Trust? Get this free white paper.
