A zero-trust approach can be compatible with a highly trusted workplace and is essential for effective network security
Sarah Polan, field CTO EMEA at HashiCorp, explains how a highly trusted workplace can run efficiently with a trustless network security approach
It is a paradox. Employers are overcoming their initial concerns and placing greater trust in their staff to work remotely, just as the required IT infrastructure comes under increasing cyberattack.
According to analyst Gartner, 51% of knowledge workers ended up working from home last year, compared to 27% the previous year. Looking ahead, the United States will account for the highest percentage of remote workers (53%) in 2022, with Europe a full percentage point behind.
Despite these figures, telework lacks maturity. Deloitte found that 37% of under 35s working from home felt “overwhelmed” by technology, and 29% did not feel comfortable using technology in their job. New hires also had fewer opportunities to collaborate with colleagues than those hired before the pandemic, according to Microsoft’s detailed report, The New Future of Work.
Remote work during early lockdowns was all about provisioning – deploying VPN access, devices, Office 365 accounts and video meetings. Remote work in the future needs more refined tools and experiences that require a more integrated IT infrastructure that serves more devices and therefore performs more transactions. As IDC puts it: “All regions face common challenges around…creating a culture of trust that is fundamental to ensuring that all employees have equal access to the resources they need.”
Remote work domains are prime targets for hackers. Organizations reported a 51% increase in attacks against cloud services, applications, devices and remote access tools in 2021. More than 80% of security and enterprise leaders said that working remotely made their organizations more vulnerable to attack.
Securing the IT infrastructure in the centralized workplace used a clearly defined model: the unit of control was the IP address, and a network perimeter ran through firewalls, HSMs, SIEMs, and other access restrictions. This, however, does not scale to remote work environments.
These are built using ephemeral and dynamic cloud-based, software-defined infrastructures that scale up and down, making them difficult to secure due to constantly changing IP addresses. Services cross borders, while the number of transactions increases, which means that IP addresses are reused. Remote staff connect to services from different devices — so no more IP addresses.
IP-based security systems also present major practical challenges. They are complex for IT teams to create, implement, and operate and require a lot of experience, especially at scale. But the real kicker? If a user’s credentials are stolen or a device is compromised, the IP address is no longer trusted.
Clearly, the traditional model of IT security is no longer suited to this newly dispersed world of work and a new model is needed – one where the unit of control is identity and where identity is the basis of an authorization and authentication system for every device, service and user on your network. Welcome to Zero Trust, a system that assumes that identity must be authenticated and authorized.
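The contrast between the two units of control, as an added example that is not from the article or from HashiCorp: the same requests are judged first by source IP and then by a signed, short-lived identity token checked against a per-service policy. The key, networks, names and token format are constructed assumptions.

```python
import base64, hashlib, hmac, ipaddress, json

# Constructed values for illustration only (assumptions, not from the article).
SIGNING_KEY = b"demo-key-held-by-central-identity-service"
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/16")]   # legacy perimeter rule
POLICY = {"alice": {"payroll-db"}, "build-agent": {"artifact-store"}}
REVOKED = set()                                          # token ids revoked centrally

def issue_token(subject, token_id, expires_at):
    """Central identity service: sign a short-lived identity claim."""
    claims = {"sub": subject, "jti": token_id, "exp": expires_at}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + sig

def ip_allows(source_ip):
    """Perimeter model: the only question asked is where the packet came from."""
    return any(ipaddress.ip_address(source_ip) in net for net in ALLOWED_NETS)

def identity_allows(token, service, now):
    """Zero-trust model: authenticate the caller, then authorize per service."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return False                      # forged or tampered token
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError):
        return False                          # malformed token
    if claims["exp"] <= now or claims["jti"] in REVOKED:
        return False                          # expired or revoked credential
    return service in POLICY.get(claims["sub"], set())

def demo(now=1_700_000_000):
    tok = issue_token("alice", "t-1", now + 900)
    results = {
        "remote_ip": ip_allows("203.0.113.7"),            # home worker: blocked
        "remote_identity": identity_allows(tok, "payroll-db", now),  # admitted
        "inside_ip": ip_allows("10.20.4.9"),              # any device in range passes
        "inside_no_identity": identity_allows("forged.token", "payroll-db", now),
        "wrong_service": identity_allows(tok, "artifact-store", now),
    }
    REVOKED.add("t-1")    # stolen token reported: one central change cuts access
    results["after_revocation"] = identity_allows(tok, "payroll-db", now)
    return results

if __name__ == "__main__":
    print(demo())
```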
With the shift to highly trusted digital workplaces and the rise in attacks, interest in zero trust is growing. According to Gartner, 40% of remote access will be done using a zero trust model by 2024, up from 5% in 2020. Remote working is driving adoption, with zero trust seen as a fast way to ensure security and compliance, according to a Microsoft report on its adoption.
Zero trust is implemented through consistent tools, workflows and processes delivered as a set of shared, centrally managed and automated services. What does it look like? This means codifying authorization and access policies and procedures across the technology stacks, domains, and service providers that make up the IT infrastructure.
It is important that policies and procedures are centrally managed, as are the assets used to control access such as tokens, usernames, passwords, certificates, and encryption keys.
Centralized control and management offers several advantages.
First, greater protection. These resources are often scattered across computing environments, for example, plain-text encoded database passwords or configuration files stored in a Dropbox account. They cannot be operationalized and are easy prey for hackers. Centralization provides a way to protect assets and integrate them into an authorization and access control system.
The second is a platform for managing the permissions and access lifecycle. As the IT infrastructure evolves with new, changed, or retired services, dependencies can be easily changed between gateways, middleware, and devices. Security and compliance become agile.
Finally, automation. Manual processes cannot keep pace with the dynamic nature or complexity of modern IT infrastructure. Automation, however, allows you to apply and enforce policies at scale. Combined with an application catalog, it is possible to implement a service discovery mesh that defines central routing rules for access and authorization. It becomes possible to distribute cryptographically signed certificates to an application, so that when proxies on your network communicate, the first thing they do is authenticate.
We are moving to an environment where employees are trusted to work remotely using a generation of more integrated work apps. Securing this workplace means abandoning a high-trust protection model and moving in the opposite direction – towards zero trust.
Written by Sarah Polan, Field CTO EMEA at HashiCorp.