Heather Hinton, Chief Information Security Officer at RingCentral, looks at how hybrid work has accelerated the adoption of zero trust, and how organizations can ensure that their employees remain protected.
For organizations embracing hybrid work as the new ‘normal’, the security challenges inevitably grow. Devices, data and people become more varied and more widely distributed across hybrid working environments, which makes it harder to manage them properly from a security standpoint. Numerous collaboration assets and large volumes of data move to and from the cloud, between off-site locations and offices, across a variety of endpoints: mobile phones, laptops, tablets and conference room systems. To secure that data and those company assets across the many elements of a hybrid workplace and workforce, organizations will be best served by keeping the following zero trust practices top of mind.
Establishing an understanding of zero trust
The rapid spread of the Covid-19 pandemic forced swift lockdowns, which closed offices and drove a mass move to working on home networks. This dramatic shift redefined security and turned zero trust into a “must-have” solution. Now that hybrid working is becoming permanent, it is crucial that businesses and employees understand what “zero trust” is and how it protects them.
Also known as “perimeterless” cybersecurity, the overall premise of zero trust is “trust no one (without repeated verification),” including the users and the devices connecting to your organization’s network. This does not mean that you distrust your employees; it means that you help them stay secure, and keep the business secure, by adding seamless checks and balances to their network access, resulting in what is called a “zero trust” environment. Trust as we knew it has been relegated to a pre-Covid behavior that we look back on with nostalgia. Before, access to the corporate network was assumed to be possible only from trusted devices, and those trusted devices were assumed to be properly configured and managed. Now, every time a device accesses the corporate network it must be verified for “ownership” (is this device approved to be on the network?) and for compliance with security policy (Does it have a valid certificate? Is it patched? Does it have the required anti-virus/EDR software? And so on). Before, users could typically use any resource they could reach on the network. Now, users must authenticate (explicitly, or under the covers with single sign-on) when they access the corporate assets they have been authorized to use. Combining device integrity and health checks with user authentication and authorization in this way offers enhanced protection for your organization in the new hybrid normal, and it makes it easier for your users to stay compliant because much of the work is done for them.
Implementing zero trust policies
However thorough your access controls, employees’ devices (laptops and mobile devices alike) are an attractive target for introducing malware and attackers into your corporate network. Businesses must assume that attempts have been made to compromise employees’ laptops throughout remote (and hybrid) working, and that malware has, unintentionally, been installed on some of those devices. Applying patches promptly to avoid running harmful code is one lesson that can be taught; other lessons will, unfortunately, be learned the hard way. Some employees will click on unfamiliar links or download strange files (games, for example) that become points of exposure for the business, especially if they use their work laptops as personal ones. Businesses can and will help drive the integrity of their environment through zero trust solutions: if an employee cannot get on the network because their device is not patched, does not have anti-virus software, or is not authorized for network access at all, employees will quickly learn how to manage their devices and support the zero trust policy.
After accessing the network, zero trust solutions ensure that employees are only given access to the protected applications they have been authorized to use. With this approach you do not have to trust the user not to access unauthorized resources or applications; you have put the lockdown in place that limits their access (you have reduced the need to trust their behavior). Simply being on the network is no longer enough to gain access to the corporate directory, the corporate wiki or web pages, or anything else important, such as customer relationship management (CRM) applications. Employees now have to prove that they are who they say they are AND that they hold the privileges required to access a given application.
So much for your own network: what happens when your users must use third-party SaaS applications, such as a CRM or a travel booking tool, to do their job? Is authenticating to those third-party applications safe enough for the business? Before the pandemic the answer was, of course, a straightforward yes. Just as we trusted our networks to be secure, we trusted our partners’ networks to be secure. Now we need to ask whether those third-party applications also run a robust zero trust environment: one that actively prevents their users from gaining (unauthorized) access to whatever data your business needs to transmit or exchange, and that cannot somehow introduce malware or attackers into your environment. Ultimately, employees should know how their zero trust environment extends into a partner’s (possibly not zero trust) environment. This is a time in which tech companies, in particular, need to demand more from each other: that everyone in this ecosystem operates under a zero trust umbrella, both inside and outside their own organizations.
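The three preceding sections describe one access decision made from two inputs: the device’s posture (enrolled, valid certificate, patched, EDR present) and the user’s identity plus per-application authorization. The following Python is an added example written for this article, not RingCentral code or any product’s policy engine. The inventory, the 30-day patch threshold, the agent name, the application-to-role table and the sample devices and users are all constructed assumptions; a real deployment would source them from its MDM, PKI, EDR and identity provider. The point it shows that the prose does not is the fail-closed shape of the decision: every failed check is recorded and any single failure denies, and the evaluation is re-run with the current time on each access rather than cached from a first login.

```python
"""Zero-trust access decision: device posture + user authentication + per-app authorization.

Added illustration for this article; not RingCentral code. Every threshold,
name and sample record below is an assumption constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import date, datetime, timezone

# Assumed policy parameters (hypothetical values, not from the article).
MAX_PATCH_AGE_DAYS = 30
REQUIRED_EDR = {"edr-agent"}                 # assumed name of the mandated EDR agent
ENROLLED_DEVICES = {"LT-0042", "MB-0107"}    # constructed device inventory ("ownership")
APP_ROLES = {                                # constructed per-application authorization table
    "crm": {"sales", "support"},
    "wiki": {"sales", "support", "engineering"},
    "payroll": {"finance"},
}


@dataclass
class DevicePosture:
    device_id: str
    cert_not_after: datetime        # expiry of the device certificate
    last_patched: date              # date the last patch cycle completed
    agents: set = field(default_factory=set)   # security agents reported as running


@dataclass
class UserContext:
    subject: str
    authenticated: bool             # result of the SSO/MFA step
    roles: set


@dataclass
class Decision:
    allow: bool
    reasons: list                   # every failed check, so the user can fix all of them


def check_device(dev: DevicePosture, now: datetime) -> list:
    """Return the list of posture failures; an empty list means the device is healthy."""
    reasons = []
    if dev.device_id not in ENROLLED_DEVICES:
        reasons.append("device not enrolled")
    if dev.cert_not_after <= now:
        reasons.append("device certificate expired")
    if (now.date() - dev.last_patched).days > MAX_PATCH_AGE_DAYS:
        reasons.append("patches older than %d days" % MAX_PATCH_AGE_DAYS)
    if not (REQUIRED_EDR & dev.agents):
        reasons.append("required EDR agent not running")
    return reasons


def decide(dev: DevicePosture, user: UserContext, app: str, now: datetime = None) -> Decision:
    """Evaluate device posture, authentication and authorization for one access attempt.

    Evaluated against `now` on every call: an expired certificate or a missed
    patch window denies access even if the same device was allowed yesterday.
    """
    now = now or datetime.now(timezone.utc)
    reasons = check_device(dev, now)
    if not user.authenticated:
        reasons.append("user not authenticated")
    allowed_roles = APP_ROLES.get(app)
    if allowed_roles is None:
        reasons.append("unknown application %r" % app)      # fail closed on unknown apps
    elif not (user.roles & allowed_roles):
        reasons.append("user lacks a role authorized for %r" % app)
    return Decision(allow=not reasons, reasons=reasons)


# Constructed sample data. Fixed clock so the example is deterministic.
NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)
HEALTHY_DEVICE = DevicePosture("LT-0042", datetime(2024, 1, 1, tzinfo=timezone.utc),
                               date(2023, 5, 20), {"edr-agent"})
STALE_DEVICE = DevicePosture("MB-0107", datetime(2024, 1, 1, tzinfo=timezone.utc),
                             date(2023, 3, 1), {"edr-agent"})
UNKNOWN_DEVICE = DevicePosture("XX-9999", datetime(2023, 1, 1, tzinfo=timezone.utc),
                               date(2023, 5, 20), set())
ALICE = UserContext("alice", authenticated=True, roles={"sales"})
BOB = UserContext("bob", authenticated=False, roles={"finance"})

if __name__ == "__main__":
    for dev, user, app in [(HEALTHY_DEVICE, ALICE, "crm"),
                           (HEALTHY_DEVICE, ALICE, "payroll"),
                           (STALE_DEVICE, ALICE, "wiki"),
                           (UNKNOWN_DEVICE, BOB, "payroll")]:
        d = decide(dev, user, app, NOW)
        print(dev.device_id, user.subject, app, "ALLOW" if d.allow else "DENY", d.reasons)
```

Note that the unenrolled device in the last scenario fails four checks at once (enrollment, certificate, EDR and authentication); returning all of them is what lets the helpdesk, or the employee, remediate in one pass rather than discovering the next failure after fixing the first.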
A secure and unified approach to collaboration
Employees may well be more relaxed about their personal cybersecurity when using their devices for their not-at-work lives. The only sure way to keep those more lenient decisions from coming back to haunt the organization is to provide tools that account for such human error in both work and personal contexts. We have all heard of employees who disrupted networks for days by accidentally introducing malware, or who exposed customer data to their social network, through simple human error and the use of insecure, not-fit-for-purpose applications such as WhatsApp or iMessage. This is why providing a truly secure UCaaS application, with convenient features such as built-in chat, is a must-have for cyber-secure organizations.