October 15, 2020
A Better Way Forward: Zero Trust
Shadow IT Reminders:
In one of our previous blogs, “Shadow IT: Get The Low Down Before You Download” we discussed how Shadow IT has become even more prevalent as people move to remote work. We discussed how Shadow IT use is often like a cry for help from people trying to be more efficient at their job.
Many times when people turn to using Shadow IT they use cloud applications that make company security people shudder and shake. For many companies these cloud applications strike fear into the hearts of the IT team, because of the loss of control that the company has over its data on these applications. These applications operate outside the established bounds of perimeter based security controls, and the IT team hasn’t vetted the data handling and security practices of those applications. People often turn to Shadow IT cloud applications because they are easy to use and don’t require a person to connect to a corporate VPN just to get their work done.
Traditional Security Practices:
Traditionally organizations have focused on securing their IT assets at the perimeter of their network using a myriad of tools:
- Firewalls,
- Proxies,
- Intrusion prevention/detection,
- The list goes on.
Once these tools are in place organizations can control and monitor network traffic entering and leaving their network. This control of the network allows the organization to monitor Shadow IT and enforce company policy for authentication and authorization.
This works for those companies who have people in their physical offices. The IT and security teams can keep the bad guys out and watch for suspicious behavior, but what about those who are working remotely?
In order to use those on-premises security tools their people need to connect to a VPN. Connecting to a VPN brings all of the internet traffic from a remote device back over the internet to the company network to be run through all those tools that the company has set up to protect its perimeter, effectively bringing the remote device behind the company walls. Sounds fine, right?
Scrambling Security Practices:
What companies that went fully remote in the COVID-19 pandemic realized was the infrastructure that supported this remote work was under considerably more load than before and IT teams scrambled to make sure their VPN servers and internet bandwidth at their office could support all of those remote workers.
Beyond just an IT fire drill, it also led to decreased employee satisfaction with company provided technology, and in many cases a big loss of productivity as employees struggled with using a VPN to work remotely.
A Better Way Forward: Zero Trust
What if there was a better way to secure remote workers and increase overall security in the organizations IT environment? This is where the concept of Zero Trust comes in.
What Is Zero Trust?
Zero Trust is a philosophy that, simply put, ensures that the right people have the appropriate access to the right data or applications from an appropriate device.
Zero Trust treats the internal corporate network as an unsecure location that requires authentication and authorization to resources. It also operates without requiring a VPN from remote users. Doing this means that all devices, no matter if they are on the company network, operating from home, or in a coffee shop, are treated the same. They are not trusted until they can authenticate and are authorized to access resources.
This is a dramatic shift in how most organizations operate today!
The traditional perimeter focused defence model means that once a device is authenticated and authorized to be inside the corporate network those devices have considerable freedom to access systems and resources.
Zero Trust changes that by requiring devices and people to authenticate and be authorized for resources no matter if they are in the corporate network or working from home.
Proven Examples of Zero Trust:
Google’s BeyondCorp model is perhaps the most well known implementation of Zero Trust methodology. Google published their reference architecture for Zero Trust as the BeyondCorp framework back in 2014. Google describes their implementation of Zero Trust as:
“Google’s BeyondCorp initiative is moving to a new model that dispenses with a privileged corporate network. Instead, access depends solely on device and user credentials, regardless of a user’s network location—be it an enterprise location, a home network, or a hotel or coffee shop. All access to enterprise resources is fully authenticated, fully authorized, and fully encrypted based upon device state and user credentials. We can enforce fine-grained access to different parts of enterprise resources. As a result, all Google employees can work successfully from any network, and without the need for a traditional VPN connection into the privileged network. The user experience between local and remote access to enterprise resources is effectively identical, apart from potential differences in latency.”
Realistic Next Steps:
Unfortunately Zero Trust isn’t something you can just flip a switch and turn on. It takes a measured approach to implement elements over a longer timeline. This journey often starts with centralizing identity and access management into one platform available outside the corporate firewall and enforcing two factor authentication across the organization.
As more and more organizations embrace long term work from home many will be looking to restructure their IT to securely deliver their applications and controls outside of the perimeter. It’s worth considering implementing Zero Trust elements as part of that restructuring. In doing so many organizations will begin to realize that they can deliver their applications securely and create a great experience for their people no matter where they are located. And hopefully this will also reduce the urge for their people to use Shadow IT at the same time.
If you’re looking for more information on BeyondCorp and Zero Trust, checkout BeyondCorp.com. If you’d like to discuss Johnson Lambert’s methodology you can contact us here.