Sarah Polan, field CTO EMEA at HashiCorp, discusses how a high-trust workplace can work effectively with a no-trust network security approach
It’s a paradox. Employers are overcoming initial concerns and placing greater trust in their staff to work remotely just as the IT infrastructure required comes under increased cyber attack.
According to analyst Gartner, 51 percent of knowledge workers finished last year working remotely — up from 27 percent the year before. Looking ahead, the US will account for the largest percentage of remote workers (53 percent) in 2022, with Europe one percentage point behind.
Despite these figures, the remote workplace lacks maturity. Deloitte found 37 percent of under 35s working from home had felt “overwhelmed” by technology, and 29 percent didn’t feel confident using technology within their roles. New hires also had fewer opportunities to collaborate with colleagues than those recruited before the pandemic, according to Microsoft’s extensive The New Future of Work report here.
Remote work during the first lockdowns was about provisioning — roll-out of VPN access, devices, Office 365 accounts and video-based meetings. Remote work in the future needs more polished tools and experiences that require an IT infrastructure that’s more integrated, serves more devices and that — as a result — carries a greater number of transactions. As IDC puts it: “All regions are experiencing common challenges around… building a culture of trust that is foundational for all employees to have equal access to the resources they need.”
Remote work estates are prime targets for hackers. Organisations reported a 51 percent rise in attacks on cloud services, applications, devices and remote access tools in 2021. More than 80 percent of security and business leaders said remote work made their organisations more exposed to attack.
Securing IT infrastructure in the centralised workplace used a clearly defined model: the unit of control was the IP address and a network perimeter ran through firewalls, HSM, SIEMs and other access restrictions. This, however, does not scale for remote work environments.
These are built using ephemeral and dynamic cloud-based and software-defined infrastructures that are scaled up and down, making them difficult to secure due to a constantly changing IP addresses. Services cross boundaries, while the number of transactions expands, meaning IP addresses get reused. Remote staff log in to services from different devices — so, more IP addresses.
IP-based security systems also come with major practical challenges. They are complex for IT teams to create, implement and operate and require lots of experience, particularly at scale. But the real kicker? If a user’s credentials are stolen or a device compromised, the IP address can no longer be trusted.
Clearly, the traditional model for IT security is no longer fit for this newly-dispersed world of work and a fresh model is needed — one where the unit of control is identity and where identity is the basis of a system of authorisation and authentication for every device, service and user on your network. Welcome to zero trust, a system which works on the assumption that identity needs to be authenticated and authorised.
>See also: Zero trust: the five reasons CIOs should care
Given the shift to high-trust digital working environments and the surge in attacks, interest in zero trust is growing. According to Gartner, 40 percent of remote access will be conducted using a zero trust model by 2024 — up from five percent in 2020. Remote work is driving uptake, with zero trust seen as a fast way to achieve security and compliance, according to a Microsoft report on its adoption.
Zero trust is implemented through consistent tools, workflows and processes delivered as a set of shared, centrally-managed and automated services. What does this look like? It means codifying policies and procedures for authorisation and access across the technology stacks, domains and service providers that comprise the IT infrastructure.
It’s important for policies and procedures to be managed centrally — as must the assets used to control access such as tokens, usernames, passwords, certificates and encryption keys.
Centralised control and management offers several benefits.
First, greater protection. These assets are often scattered across IT environments — for example, database passwords coded in plain text or configuration files stored in a Dropbox account. They cannot be operationalised, and are easy prey for hackers. Centralisation provides a means to protect assets and incorporate them into a system of authorisation and access controls.
The second is a platform to manage the lifecycle of authorisation and access. As the IT infrastructure changes with new, modified or retired services, dependencies can be easily changed across gateways, middleware and devices. Security and compliance become agile.
Finally, automation. Manually operated processes cannot keep pace with the dynamic nature or complexity of modern IT infrastructure. Automation, however, lets you apply and enforce policies at scale. Combined with a catalog of applications, it’s possible to implement a service-discovery mesh that defines central routing rules for access and authorisation. It becomes possible to distribute cryptographically-signed certificates to an application, so when the proxies in your network communicate, the first thing they do is authenticate.
We’re moving to an environment where employees are trusted to work remotely using a generation of more integrated workplace applications. Securing that workplace means abandoning a high-trust model of protection and going in the opposite direction — towards zero trust.
Written by Sarah Polan, field CTO EMEA at HashiCorp
Related:
Mitigating common network management security issues — While technology is key to securing networks, it’s integral that businesses have the right network management policies and procedures in place to avoid falling victim to cyber-attacks.
How COVID-19 made zero trust the right approach to modernise networks — Theresa Lanowitz, director of cybersecurity evangelism at AT&T Business, discusses how zero trust models for network modernisation has risen in prominence since COVID-19 took hold.