A Zero Trust security model for the modern workplace
The pandemic changed the modern workplace with innumerable businesses moving off-premises and adopting a hybrid work culture almost overnight.
And, since the world changed at the end of 2019, one topic that has continued to dominate the cybersecurity conversation is Zero Trust.
Possibly this is because remote and hybrid work has become the new normal and home networks and personal devices are more susceptible to cyberattacks. Or possibly because Zero Trust is being pitched as the holy grail to preventing unauthorised access.
According to Microsoft's Zero Trust Adoption Report, 96 per cent of security decision-makers state that Zero Trust is critical to their organisation’s success. Their primary motivations? To improve their overall security posture and the end-user experience, while staying true to the ‘never trust, always verify’ essence of Zero Trust.
So, what does Zero Trust look like in the modern workplace and endlessly evolving digital environment? Importantly, what are the key factors for successfully implementing the Zero Trust Model in an organisation?
The evolution of Zero Trust
While some of the conversations around Zero Trust are helpful, there is also a lot of noise and claims that can confuse the meaning.
Zero Trust is not a new concept–practitioners have been talking about and facilitating de-parameterisation for decades. This just happens to be the current market terminology for it.
The mixed messaging is sometimes the result of vendors cherry-picking elements of Zero Trust based on their own capabilities. Then there’s the changing threat landscape. Originally, Zero Trust was about keeping the bad guys out of a defined network. Then along came the cloud and the Internet of Things – quickly making that traditional network perimeter redundant.
This in turn has led to the rise of identity-based access, which is now a core component of Zero Trust.
The issue with the Zero Trust framework
The Zero Trust model operates on the principle of “trust no one, verify everything.”
This means an organisation can no longer assume traditional security strategies are sufficient. In practice, this sees all end users denied access to company networks and resources by default. And, access to such networks and data lies behind complex security systems with multi-factor authentication processes that require users to be continuously authorized and authenticated.
While this approach strengthens business security, the success of Zero Trust rides on the employees' ability to do their work productively. In other words, security cannot exist without a positive end-user experience.
A poor user experience will only see people trying to circumvent the very controls Zero Trust seeks to enforce.
According to a survey by Bromium®, 74 per cent of CISOs say employees have expressed frustration that remote-access policies are hampering productivity.
This is far from a new challenge for organisations that often struggle to strike a balance between productivity, security and employee satisfaction.
However, it is now more important than ever – in this new hybrid working world – to reconsider how both security and business requirements can be best met.
According to Gartner, 82% of organisations intend to permit remote working some of the time – even after employees start returning to the workplace.
Future State is what’s missing from the Zero Trust conversation (and it shouldn’t be)
A successful approach to Zero Trust requires a myriad of elements that have been widely written about and accepted.
While traditionally this myriad of elements may have been limited to on-premise infrastructure for protection, the pandemic forever changed the business world and how organisations protect their networks.
The solution is not to reinvent the wheel. But, something that needs more attention is how moving to the future state for device security and management can massively uplift organisations towards Zero Trust, while at the same time facilitating both business productivity and a positive end-user experience.
A critical component of any organisation’s Zero Trust journey is the ability to effectively manage its endpoint fleet. A compromised device, in effect, compromises the whole model. The identity of your user base is even more critical at the end-user point due to the ever-increasing possibility of credential theft.
Closing the gap on Zero Trust
Utilising technology and automation to improve end-user fleet security can help organisations close the gap on Zero Trust.
As a cloud-native platform, Devicie provides numerous automated capabilities that enable IT teams to deploy, control and maintain their entire device fleet securely and efficiently at scale—closing the gap and getting them to the future state.
Some of these services include:
Encryption – Devicie ensures local machine encryption is enabled and audited from the time of login
Access controls and privilege management – Devicie ensures connected devices do not have unnecessary privileges, including lateral authentication and movement; this also prevents widespread access due to poor practices
Application management – Devicie provides a workflow to authorise applications, making them available from a centralised location, including certificate chaining to prevent non-approved deployments and executions
Patching in a timely manner – This includes patching for both Operating Systems and at the application layer, to leverage rules for access to internal resources and make the most of additional Zero Trust strategies for your organisation
Remove VPN requirements for management – The Devicie platform allows for native management, over the Internet, without any requirement for additional software and/or overheads
Enforce processes for endpoint management – Devicie enforces an approval process and workflow for the management and upkeep of all areas of the endpoint, including policies, procedures, deployments and even new application pilot work
Device hardening – Devicie ensures unnecessary services and functions of the operating system are not left available for exploitation by malicious actors
Consistent deployment – Devicie extends the identity to authenticate the operating system, which means that the deployment of necessary agents required for authenticating the organisation’s apps is both transparent and configured as part of the standard operating environment (SOE).
As with any security control or approach, when working towards Zero Trust, every organisation needs to consider all prerequisites and prioritise them based on the level of risk they are willing to accept. Devicie is certainly not claiming to be the holy grail, but it is a tool that can close significant gaps in your Zero Trust journey.
Martin McGregor
Implementing Essential Eight controls with Devicie
Discover how Devicie assists organisations meet maturity levels 1, 2 and 3 across each of the Essential Eight security controls on end-user devices.
Martin McGregor
Microsoft Intune helps Devicie reinvent end-user device security
Discover how Devicie leveraged Microsoft Intune to deliver a mix of security and productivity in a way that has not been possible before.
Jason Fairburn
Removing admin privileges without compromising productivity
Removing local admin privileges is a critical step in achieving cyber resilience. Discover how to effectively implement least privilege.