How to securely flourish in remote work with zero trust: A step-by-step guide
The idea of commuting to an office space for work increasingly feels like an outdated approach, especially as we are months into stay-at-home orders amid COVID-19. However, not long ago, some businesses were resistant to the idea of remote work, citing fears such as reduced employee output.
Fortunately, as organizations across all industries were forced to rapidly support remote work, many have been pleasantly surprised by continued, high levels of employee productivity, putting previous fears about diminished output to rest. Unfortunately, many organizations are still struggling to put in place security infrastructure that enables remote work without compromising security. In fact, 33 percent of organizations were not sufficiently prepared to support remote operations at the beginning of the pandemic, and many IT teams are finding that meaningful changes are needed.
What IT teams should look for is a zero-trust security strategy. Zero trust does not grant access because a request arrives from a trusted network or a VPN tunnel; it verifies the user, the device, and the context of every access request before corporate systems and data are exposed. With a zero-trust approach to securing remote work, organizations can strengthen security without hindering employee output or flexibility.
The fundamentals of a zero-trust approach to securing remote work
Remote workers require seamless access to public cloud applications, the web, and internal applications from their devices. However, 43 percent of organizations cite the use of employee-owned devices as a significant security challenge to remote work, resulting in demand for a solution that effectively balances remote workers’ needs with adequate protections. As such, organizations should consider a solution that provides the following capabilities to safeguard their data and remote workforce:
- Data loss prevention (DLP): DLP lets organizations extend access to sensitive data in a risk-appropriate manner, taking into account the context of each access: the user, location, device, data sensitivity, and compliance requirements. DLP dynamically applies watermarking, encryption, access control, redaction, or blocking to critical content, so users still get the access they need without exposing the organization to undue risk.
- Identity and access management (IAM): Remote employees are in the crosshairs of cybercriminals looking to steal corporate data and implant malware on enterprise networks. We have seen an increase in phishing attacks launched against remote workers during the pandemic, and robust IAM serves as a needed second line of defense. With strong IAM, organizations can use controls such as single sign-on (SSO) and multi-factor authentication (MFA) to ensure that access attempts to corporate data come from legitimate workers and not attackers. Note that one-time codes delivered by SMS or an app can themselves be phished in real time; phishing-resistant factors such as FIDO2 security keys close that gap.
- Visibility: Businesses must maintain access logs for remote workers, both to satisfy compliance requirements and to detect and investigate incidents, yet 33 percent of organizations cite lack of visibility as an obstacle to enabling remote work.
- Zero-day threat protection: Remote workers operate off the corporate network, outside the perimeter controls (on-premises proxies, intrusion detection, network filtering) that would otherwise shield them, and are therefore exposed to greater risk of compromise and malware. Protection from such threats is essential across all devices, networks, and applications.
When considering the aforementioned security requirements, organizations must be able to implement them across public cloud applications, web access, and internal applications to support remote work.
Challenge #1: Securing access to public cloud applications
Businesses can use dozens of public cloud applications, including Slack, Salesforce, Office 365, and more. While each cloud application provider secures its own infrastructure, the organization using the application remains responsible for securing the data within it, including who may access that data and how the application is configured. This is the shared responsibility model of cloud security. To meet this responsibility, organizations often lean on a series of disjointed native security controls, one set per application, which results in gaps across the enterprise and is difficult to manage consistently.
What organizations need is for SSO and MFA to be continuously enforced across public cloud applications. Additionally, access must be controlled on a contextual basis that considers the user group, location, and device type. DLP can then control what data is downloaded from or uploaded to each cloud application: depending on its sensitivity and the context of the request, data can be allowed, blocked, watermarked, redacted, or encrypted. Finally, sessions should time out when devices are left unattended, requiring the user to reauthenticate before continuing.
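The following is an added example, not code from the article or from Bitglass, showing how the contextual controls just described fit together in one policy decision: idle-session timeout, an MFA check, a country allow list, and a DLP action (block, redact, watermark, or allow) chosen from the data sensitivity, the user's group, and whether the device is managed. The sample records, the 15-minute timeout, the country list, the "Classification: Internal" header convention, and the "finance" group are all constructed assumptions for illustration.

```python
"""Contextual access plus DLP decision for a cloud-app download or upload (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(minutes=15)          # assumed policy value
ALLOWED_COUNTRIES = {"US", "CA", "GB"}        # assumed allow list

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
INTERNAL_RE = re.compile(r"classification:\s*internal", re.I)  # assumed document label


def luhn_ok(number: str) -> bool:
    """Luhn checksum, used so that random digit runs are not flagged as card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(content: str) -> str:
    """Map content to a sensitivity level: restricted, internal, or public."""
    if SSN_RE.search(content):
        return "restricted"
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(content)):
        return "restricted"
    if INTERNAL_RE.search(content):
        return "internal"
    return "public"


def redact(content: str) -> str:
    """Mask SSNs entirely and card numbers down to their last four digits."""
    content = SSN_RE.sub("***-**-****", content)
    mask = lambda m: re.sub(r"\d(?=(?:\D*\d){4})", "*", m.group()) if luhn_ok(m.group()) else m.group()
    return CARD_RE.sub(mask, content)


def watermark(content: str, user: str, when: datetime) -> str:
    """Prepend a visible marker tying the copy to the user who retrieved it."""
    return f"[Retrieved by {user} at {when.isoformat()}]\n{content}"


@dataclass
class Request:
    user: str
    group: str
    country: str
    managed_device: bool
    mfa_verified: bool
    action: str          # "download" or "upload"
    content: str
    last_activity: datetime
    now: datetime


def decide(req: Request) -> dict:
    """Evaluate one request; returns the decision and, where allowed, the content delivered."""
    # 1. Session freshness: an idle session must reauthenticate before anything else.
    if req.now - req.last_activity > IDLE_TIMEOUT:
        return {"decision": "reauthenticate", "reason": "session idle past timeout"}
    # 2. Identity: SSO alone is not enough; the session must carry a completed MFA.
    if not req.mfa_verified:
        return {"decision": "mfa_required", "reason": "no MFA on this session"}
    # 3. Location: requests from outside the expected countries are refused outright.
    if req.country not in ALLOWED_COUNTRIES:
        return {"decision": "deny", "reason": f"access from {req.country} not permitted"}
    # 4. Data sensitivity combined with group and device trust selects the DLP action.
    level = classify(req.content)
    if level == "restricted":
        if req.action == "upload":
            if req.group == "finance" and req.managed_device:
                return {"decision": "allow", "content": req.content, "reason": "entitled group, managed device"}
            return {"decision": "block", "reason": "restricted data upload from this context"}
        if not req.managed_device:
            return {"decision": "redact", "content": redact(req.content), "reason": "unmanaged device"}
        return {"decision": "watermark", "content": watermark(req.content, req.user, req.now), "reason": "restricted download"}
    if level == "internal" and not req.managed_device:
        return {"decision": "watermark", "content": watermark(req.content, req.user, req.now), "reason": "internal data on unmanaged device"}
    return {"decision": "allow", "content": req.content, "reason": level}


def demo_decisions() -> dict:
    """Run the policy over constructed sample requests (fictitious data)."""
    now = datetime(2020, 9, 1, 9, 0, 0)
    record = "Customer file. SSN 123-45-6789, card 4111 1111 1111 1111."
    memo = "Classification: Internal\nQ3 roadmap draft."
    base = dict(user="alice", group="finance", country="US", managed_device=True, mfa_verified=True,
                action="download", content=record, last_activity=now - timedelta(minutes=5), now=now)
    cases = {
        "managed_download": Request(**base),
        "byod_download": Request(**{**base, "managed_device": False}),
        "byod_upload": Request(**{**base, "managed_device": False, "action": "upload"}),
        "idle_session": Request(**{**base, "last_activity": now - timedelta(minutes=45)}),
        "no_mfa": Request(**{**base, "mfa_verified": False}),
        "unexpected_country": Request(**{**base, "country": "XX"}),
        "byod_internal_memo": Request(**{**base, "managed_device": False, "content": memo}),
        "public_doc": Request(**{**base, "content": "Public holiday schedule"}),
    }
    return {name: decide(req) for name, req in cases.items()}
```

The ordering matters: session and identity checks run before any content inspection, so an expired or MFA-less session never reaches the DLP stage, and a request from an unmanaged device gets a redacted copy rather than a flat denial, which is the "access without undue risk" balance the DLP bullet above describes.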
Challenge #2: Protecting web access
Accessing the internet can expose workers and their employers to many threats and data leakage risks, including malware. As such, some organizations may look to traditional VPN approaches to secure web access by backhauling all browsing through the corporate network. Unfortunately, VPNs do not scale well to a large number of remote users: every user's web traffic is funneled through the VPN concentrator and the firewall behind it, which throttles performance and creates a major bottleneck.
Organizations should instead use on-device secure web gateway (SWG) solutions, which enforce policy at the endpoint and therefore scale up or down with the number of users with ease. Such an SWG can authenticate users via SSO, integrate with existing DLP controls to restrict web browsing to appropriate content and enforce policy on uploads, and scan downloads for malware.
Challenge #3: Safeguarding internal applications
To perform their duties, remote workers will need access to applications within the corporate network, a reality that poses a significant threat of unauthorized access if the proper security controls are not in place. For example, July's Twitter hack demonstrated how authenticating remote employees by credentials alone allowed attackers with stolen VPN credentials to reach internal tools and use high-profile Twitter users' accounts to promote a Bitcoin scam.
Instead of a VPN, which places the whole network within reach once a password is accepted, a zero trust network access (ZTNA) solution brokers access to each corporate resource individually and scrutinizes every request in context: the user, group, application, location, device type, and more. Additionally, real-time protections such as data loss prevention (DLP) and advanced threat protection (ATP) help safeguard against threats that emerge as users work within specific applications. In the Twitter incident, for example, a new login from an unknown device to a highly critical resource would have triggered a step-up authentication prompt rather than being granted on the strength of the stolen credentials.

With remote work being the norm in our present day and likely to continue even once the pandemic subsides, security teams must strive towards a zero-trust approach to security. By providing the appropriate level of protection without stifling employee productivity or enterprise scalability, zero trust gives organizations a secure yet simple and cost-effective solution for remote work.
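The following is an added example, not code from the article or from Bitglass, of the ZTNA access decision described above: a broker that admits each request to one application at a time, checks the user's group entitlement and device posture, and demands step-up authentication when a user appears on a device it has never seen before trying to reach a critical resource. Once the second factor is presented, the device fingerprint is enrolled so later requests from it pass without friction, and every decision is written to a structured log for visibility. A credential-only VPN decision is included for contrast. The application inventory, device tuples, users, and posture flag are constructed assumptions.

```python
"""ZTNA-style per-request broker for internal applications (added example, constructed data)."""
import hashlib
import json
from dataclasses import dataclass

# Assumed inventory: which groups may use each app, and whether a login from a
# never-before-seen device should require step-up authentication.
APPS = {
    "wiki":          {"critical": False, "groups": {"eng", "support"}},
    "admin-console": {"critical": True,  "groups": {"support"}},
}


def device_fingerprint(os_name: str, serial: str, cert_thumbprint: str) -> str:
    """Stable per-device identifier, hashed so the registry stores no raw serial numbers."""
    return hashlib.sha256(f"{os_name}|{serial}|{cert_thumbprint}".encode()).hexdigest()[:16]


@dataclass
class AccessRequest:
    user: str
    group: str
    app: str
    sso_authenticated: bool        # primary login through SSO completed
    device: tuple                  # (os_name, serial, cert_thumbprint) reported by the endpoint agent
    posture_ok: bool               # disk encryption, patch level, EDR running (assumed agent check)
    step_up_passed: bool = False   # second factor presented on this request


class Broker:
    """Policy decision point: one decision per request, each one logged."""

    def __init__(self, known_devices: dict):
        self.known = {user: set(fps) for user, fps in known_devices.items()}
        self.log = []

    def decide(self, r: AccessRequest) -> str:
        fp = device_fingerprint(*r.device)
        app = APPS.get(r.app)
        if app is None or not r.sso_authenticated:
            return self._record(r, fp, "deny", "unknown app or unauthenticated session")
        if r.group not in app["groups"]:
            return self._record(r, fp, "deny", "group not entitled to this app")
        if app["critical"] and not r.posture_ok:
            return self._record(r, fp, "deny", "device posture check failed")
        if app["critical"] and fp not in self.known.get(r.user, set()):
            if not r.step_up_passed:
                # Stolen credentials on an attacker's machine stop here.
                return self._record(r, fp, "step_up_required", "new device for this user")
            self.known.setdefault(r.user, set()).add(fp)
            return self._record(r, fp, "allow", "new device enrolled after step-up")
        return self._record(r, fp, "allow", "entitled group, acceptable device")

    def _record(self, r: AccessRequest, fp: str, decision: str, reason: str) -> str:
        entry = {"user": r.user, "group": r.group, "app": r.app, "device": fp,
                 "decision": decision, "reason": reason}
        self.log.append(json.dumps(entry, sort_keys=True))
        return decision


def vpn_style_decision(password_valid: bool) -> set:
    """Contrast: a credential-only VPN exposes every internal app once the password checks out."""
    return set(APPS) if password_valid else set()


def demo() -> tuple:
    """Replay constructed requests through the broker; returns decisions and the audit log."""
    known = ("macOS", "C02XYZ", "ab12")      # fictitious enrolled laptop
    new = ("Windows", "WIN-7788", "ff01")    # fictitious never-seen machine
    broker = Broker({"bob": [device_fingerprint(*known)]})
    results = {
        "known_device_admin":       broker.decide(AccessRequest("bob", "support", "admin-console", True, known, True)),
        "stolen_creds_new_device":  broker.decide(AccessRequest("bob", "support", "admin-console", True, new, True)),
        "new_device_after_step_up": broker.decide(AccessRequest("bob", "support", "admin-console", True, new, True, True)),
        "same_device_again":        broker.decide(AccessRequest("bob", "support", "admin-console", True, new, True)),
        "wrong_group":              broker.decide(AccessRequest("carol", "eng", "admin-console", True, known, True)),
        "new_device_wiki":          broker.decide(AccessRequest("carol", "eng", "wiki", True, new, True)),
        "bad_posture":              broker.decide(AccessRequest("bob", "support", "admin-console", True, known, False)),
    }
    return results, broker.log
```

Two design points carry the zero-trust argument. Entitlement is checked per application, so a valid login for "bob" never makes "admin-console" reachable to "carol", whereas `vpn_style_decision` returns every app for any accepted password. And the unknown-device test is scoped to critical apps only, which keeps low-risk access frictionless while still interrupting the exact path the Twitter attackers used.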
Anurag Kahol is CTO and co-founder, Bitglass. Before joining the company, he was director of engineering in Juniper Networks’ Security Business Unit. He received a global education, earning an M.S. in computer science from Colorado State University and a B.S. in computer science from the Motilal Nehru National Institute of Technology.