How to stop worrying and love zero trust
Credit to Author: Mike Elgan| Date: Thu, 31 Mar 2022 03:00:00 -0700
Countless articles have been published in the past few years about zero trust, most of them explorations and expositions for security professionals.
But I want to write for remote workers on the other side of the so-called “trust” equation — the people who will deal with the changes and inconveniences as zero-trust strategies are implemented and refined over the next few years.
Welcome to this jargon-free explanation of zero trust.
If you’re a security professional or IT pro of any kind, please keep this newsletter to share with employees — especially remote employees — who need to understand what’s happening and why.
First and foremost, zero trust is not a product or a service — it’s an idea, an approach, a strategy.
We need zero trust to secure the future of the workplace. And the reason is that the old strategy — perimeter security — doesn’t work anymore.
With perimeter security, a company firewall was established. Any person, device, and application inside the firewall was assumed to be safe — they were trusted because they were inside. Remote employees could get inside the firewall by using a virtual private network (VPN), which is software that encrypts data and enables an authorized person to get inside the firewall, even from a home office or a hotel in another country.
Perimeter security worked well enough in the old days, but the world has changed. And now it doesn’t work. Connectivity is far too complex, and cyberattackers have become far too sophisticated. Nowadays we have all kinds of old-fashioned networking, complicated cloud computing arrangements, and huge numbers of tiny, connected, often sensor-based units all lumped together under the Internet of Things (IoT) umbrella.
And we have you. Yes, you.
The biggest reason perimeter security no longer works is because people work remotely not only from home offices, but over any connection in any place from anywhere.
Consider the home office. With a perimeter security arrangement, you would connect via your home Wi-Fi using a VPN, enabling your main work laptop to be inside the firewall. Now, any number of things could happen:
These scenarios involve just one WFH employee. Now imagine 5,000 remote employees at a single company working from home and from around the world, all with untold varieties of vulnerabilities.
You see why remote work is the enemy of perimeter security?
Here’s how zero trust works. Instead of relying on a secure “perimeter” that cannot be secured, your company will require that every user, device, and application is authenticated individually.
That means: Even if your laptop and you are authorized to gain access to company resources, if someone plugs in a thumb drive into your system, neither that drive nor the software thereon will be authorized to access those same resources. The hacker kid next door can’t gain access. The malware downloaded to your laptop can’t gain access. The random IoT devices that show up on your home Wi-Fi can’t gain access.
The downside, as you can imagine, is that all that authentication will increase inconvenience. You’ll need very good password hygiene and practices. You’ll probably need biometric authentication. There will be accidental occurrences where an authorized device or application will be denied access, and you’ll have to work with the support desk to sort it all out.
But all this inconvenience is the price we pay for the power of IoT, cloud computing and, above all, remote work.
The process is coming, and there will be a learning curve. But, in the end, I urge you to trust zero trust. It’s just the way things have to work now.