Flexible work models require a different security philosophy
Just a few years ago, many cybersecurity teams operated using a philosophy of “trust but verify.” If you were on the corporate network, either directly or via VPN, you were trusted and given full access. But workplaces and work devices have changed. We’ve moved from a small portion of workforce travelers—working from airplanes, hotels, and cafés—to a much larger number of remote or hybrid workers.
Accenture reported that 83% of workers surveyed prefer a hybrid work model.[1] And of workers with remote-capable jobs, over half plan to work hybrid in 2022, while the remainder are split between fully remote and fully on-site.[2]
The number of remote and hybrid workers is expected to increase through 2023[3], which means an even greater number of networks and devices complicating security controls. Historical data shows that breaches involving remote workers were also $1.07M more expensive than those that did not.[4] “Trust but verify” no longer works with so many variables.
Hybrid work may require a change in security strategy
Traditionally, secure employee access to a corporate network was like a moat around a castle. Meet the requirements and the drawbridge lowered; once you were inside, you could go just about anywhere with no further checks. Of course, if a malicious actor got in with stolen credentials or pole-vaulted their way over the moat, it could be hard to stop them.
Zero trust involves securing each and every room, not just with a simple lock, but with a guard to check who and what is trying to get in, along with when and where the request originated. Just having valid credentials isn’t enough, and access can be revoked at any time.
Shifting to a zero trust philosophy for security makes sense for the hybrid workforce. It requires all users, regardless of location or device, to be authenticated, authorized, and continuously validated. It removes the distinctions between on-premises and off, company-issued device and BYOD. Zero trust treats all users and devices trying to access systems with skepticism. That can generate concern about the end-user experience, but when done well, all those checks and validations should be virtually transparent to the user.
Components of a zero trust architecture
There are many ways you can choose to implement zero trust, and NIST has created a basic high-level architecture that can help you get started. It includes functional security components (data security, endpoint security, identity and access management, and analytics) and core components (policy engines, administrators, and enforcement).[5]
Source: NIST and NCCoE
Data from the functional components is evaluated against policies to determine if access is allowed and is continually reassessed with further requests. It takes into account the user’s identity, their location, the security posture of their device, and context surrounding the access request (such as time of day, day of the week, or type of device). When something about an access request violates policy, access can be immediately revoked, even if the user was allowed in moments earlier. This prevents users from circumventing security policies, whether the action is malicious or accidental.
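A minimal sketch of the evaluation loop described above, added here as an illustration (not code from NIST, NCCoE, or the original article). The class names, rules, and policy values are constructed assumptions; it shows a session that was allowed being revoked when a later request fails a posture check.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed policy values (assumptions for this sketch, not NIST guidance).
ALLOWED_COUNTRIES = {"US", "CA"}
SENSITIVE = {"payroll-db"}

@dataclass(frozen=True)
class Request:
    session: str
    user_mfa: bool      # identity signal
    country: str        # location signal
    managed: bool       # device type: company-managed vs. BYOD
    patched: bool       # device security posture
    when: datetime      # context: time of day / day of week
    resource: str

def violations(r):
    """Policy engine: list every rule the request breaks (empty = compliant)."""
    out = []
    if not r.user_mfa:
        out.append("identity: MFA not satisfied")
    if r.country not in ALLOWED_COUNTRIES:
        out.append("location: country not allowed")
    if not r.patched:
        out.append("posture: device missing patches")
    if r.resource in SENSITIVE:
        if not r.managed:
            out.append("device: BYOD on sensitive resource")
        if r.when.weekday() >= 5 or not 7 <= r.when.hour < 19:
            out.append("context: outside working hours")
    return out

class EnforcementPoint:
    """Re-evaluates every request; a violation revokes an active session."""
    def __init__(self):
        self.active, self.revoked = set(), set()

    def handle(self, r):
        if r.session in self.revoked:
            return "deny", ["session revoked: re-authenticate"]
        reasons = violations(r)
        if reasons:
            if r.session in self.active:   # allowed moments earlier
                self.active.remove(r.session)
                self.revoked.add(r.session)
                return "revoke", reasons
            return "deny", reasons
        self.active.add(r.session)
        return "allow", []
```

Each call to `handle` returns the verdict together with the rule names that triggered it, which is the data an analytics or logging component would record for every decision.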
As workplaces continue to get more flexible about worker locations and devices, zero trust becomes more valuable. Not only does it increase security with continual validation, but it can also limit the scope of a potential data breach and reduce the cost (if one happens) by $1.76M.[6] Hybrid work is here to stay, and zero trust architecture can help you adopt a more flexible security philosophy to keep it secure.
- 1. Accenture, The future of work: A hybrid work model, April 2021
- 2. Gallup, The Future of Hybrid Work: 5 Key Questions Answered With Data, March 2022
- 3. Forbes, Remote Work Is Here To Stay And Will Increase Into 2023, Experts Say, February 2022
- 4,6. IBM, Cost of a Data Breach Report 2021
- 5. NCCoE, Implementing a Zero Trust Architecture, October 2020