Establishing Trust in a World without Boundaries

According to a 2017 Gallup survey, 43% of employed Americans spent at least some time working outside of their offices last year, while it has also been predicted that half of the UK workforce will work remotely by 2020.

Remote working can make a business more flexible and dynamic, which has become a necessity to stay competitive. Many UK businesses also recovered a great deal of lost hours during the February snow storms by allowing staff to log in from home rather than sit in traffic for hours.

The widespread use of bring your own device (BYOD) policies has also helped usher in the age of the remote worker. The ability for employees to access cloud-based apps with their own laptops and smartphones means companies no longer have to invest a fortune in new devices to enable a mobile workforce.

However, this brave new world has also created new security challenges, and with them the need for a strategy based on a perimeter-less, “zero-trust” approach. This model abandons the old assumption that only devices or users inside the corporate network should be trusted, and with it the very idea of a defined corporate perimeter.

How cyber-criminals are exploiting the new open working world
Most enterprises give their remote workforce access to work applications through Virtual Private Networks (VPNs). Once a user is inside the corporate network via the VPN, they are deemed “trusted,” and that trust typically extends to everything the network can reach.

Many severe data breaches involve attackers taking advantage of this VPN-dependent model. An attacker gets onto the corporate network either by stealing login credentials, for instance through phishing, or by compromising the end user’s device with malware and using its VPN connection.

Once an attacker is logged into the VPN, they can move laterally inside the network until they reach critical data, and a breach follows. Trusting a user or a device simply because the connection arrives from the corporate network is therefore an outdated approach.

Leading the shift away from the VPN and towards a perimeter-less model is Google’s BeyondCorp framework, which grants access to each work application only after verifying the trust state of both the device and the user.

This approach moves access verification and control from the network to the application. The model was developed in response to Operation Aurora, a Chinese attack campaign that gained access to corporate data at more than 30 companies in 2009.

BeyondCorp starts from the premise that an access request for a work application coming from inside the enterprise network is no more trustworthy than one coming from, say, a public Wi-Fi hotspot or a Starbucks.

From policy to risk-based security
A central tenet of this perimeter-less approach is trusted access: only trusted users on trusted devices can reach sensitive and restricted files and applications, irrespective of where the access request originates.

Identity verification measures such as two-factor authentication should be standard, so that a user is confirmed to be genuine rather than an impostor holding stolen credentials. Likewise, the device itself must be shown to be healthy before it is allowed in.

For example, a PC running an unpatched, out-of-date operating system should be blocked from mission-critical work applications. Widely deployed software such as Adobe Flash and Oracle Java have accumulated hundreds of published vulnerabilities between them, and an unpatched install exposes every one of them.

Several organizations are moving to this model, in which the trust of the user and the device is verified on every attempt to access an application. Modern adaptive or risk-based solutions keep this painless for the end user by reducing friction and asking for additional verification steps only when the risk warrants it.

For example, a user logging in to a work application from a well-patched, corporate-managed device is given full access with no additional steps. If the same user logs in from an out-of-date personal device, they are required to further prove their identity or are given only limited access.

Another policy enforced by many organizations concerns country or IP address. If an access request comes from a country where you have no business operations, or from a known malicious IP address, the request can be denied outright.

The capability to enforce these risk-based policies for every work application, irrespective of how it is hosted - locally in the data center, in a public cloud, or as a software-as-a-service (SaaS) app - is key.
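The risk-based decisions described in the last few paragraphs (step-up for a user without a second factor, limited access from an out-of-date personal device, a hard deny for an unexpected country or a blocklisted IP) can be captured in a small per-request policy engine. The following is an added example written for this page; it is not code from the article, from Google, or from any BeyondCorp implementation. The thresholds, the allowed-country and blocklist sets, the application names and the sample requests are all constructed assumptions. Note that the request carries a from_corp_network flag that the policy never consults: the office and the cafe get the same answer.

```python
# Added example (not from the article or from any BeyondCorp implementation):
# a minimal risk-based access policy engine. All names, thresholds, IPs and
# application names below are constructed assumptions for illustration.
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"        # full access, no extra friction
    STEP_UP = "step_up"    # grant only after an additional identity check
    LIMITED = "limited"    # reduced scope (e.g. read-only, no download)
    DENY = "deny"


@dataclass(frozen=True)
class Device:
    managed: bool            # enrolled in corporate device management
    disk_encrypted: bool
    os_patch_age_days: int   # days since the last OS security update was applied


@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_verified: bool       # a second factor was completed in this session
    device: Device
    source_ip: str
    source_country: str      # ISO 3166-1 alpha-2 code
    app: str
    from_corp_network: bool  # carried for comparison but never consulted below


# Constructed policy data (assumptions, not real corporate values).
ALLOWED_COUNTRIES = {"US", "GB"}
MALICIOUS_IPS = {"203.0.113.7"}            # RFC 5737 documentation address
SENSITIVE_APPS = {"hr-payroll", "source-code"}
MAX_PATCH_AGE_DAYS = 30


def device_healthy(dev: Device) -> bool:
    """Device posture check: managed, encrypted and patched recently."""
    return dev.managed and dev.disk_encrypted and dev.os_patch_age_days <= MAX_PATCH_AGE_DAYS


def evaluate(req: AccessRequest) -> tuple[Decision, str]:
    """Decide one request for one application. Network location is ignored:
    a request from the office LAN is judged exactly like one from a cafe."""
    # 1. Hard denies based on where the request originates.
    if req.source_ip in MALICIOUS_IPS:
        return Decision.DENY, "source IP is on the blocklist"
    if req.source_country not in ALLOWED_COUNTRIES:
        return Decision.DENY, "no business operations in source country"
    # 2. Identity: the user must prove they are not an impostor holding stolen
    #    credentials before device posture matters.
    if not req.mfa_verified:
        return Decision.STEP_UP, "second factor required"
    # 3. Device posture decides how much access the verified user gets.
    if device_healthy(req.device):
        return Decision.ALLOW, "trusted user on a healthy managed device"
    if req.app in SENSITIVE_APPS:
        return Decision.DENY, "unhealthy device may not reach a sensitive app"
    return Decision.LIMITED, "unmanaged or out-of-date device: reduced access"


# Constructed sample requests covering the cases discussed in the text.
CORP_LAPTOP = Device(managed=True, disk_encrypted=True, os_patch_age_days=3)
OLD_PERSONAL_PC = Device(managed=False, disk_encrypted=False, os_patch_age_days=400)

SAMPLE_REQUESTS = {
    "alice_office": AccessRequest("alice", True, CORP_LAPTOP, "198.51.100.10", "GB", "crm", True),
    "alice_cafe": AccessRequest("alice", True, CORP_LAPTOP, "192.0.2.44", "GB", "crm", False),
    "alice_old_pc_no_mfa": AccessRequest("alice", False, OLD_PERSONAL_PC, "192.0.2.45", "GB", "crm", False),
    "alice_old_pc_mfa": AccessRequest("alice", True, OLD_PERSONAL_PC, "192.0.2.45", "GB", "crm", False),
    "alice_old_pc_payroll": AccessRequest("alice", True, OLD_PERSONAL_PC, "192.0.2.45", "GB", "hr-payroll", False),
    "bob_bad_ip_on_lan": AccessRequest("bob", True, CORP_LAPTOP, "203.0.113.7", "US", "crm", True),
    "bob_unexpected_country": AccessRequest("bob", True, CORP_LAPTOP, "192.0.2.99", "ZZ", "crm", False),
}


def decide_all() -> dict[str, Decision]:
    """Evaluate every sample request and return the decision per request name."""
    return {name: evaluate(req)[0] for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        decision, reason = evaluate(req)
        print(f"{name:24s} -> {decision.value:8s} ({reason})")
```

The ordering of the checks is the design point: origin-based hard denies first, then identity, then device posture, so an unverified user is never told anything about what their device would have been allowed to reach. In a real deployment the same evaluate() would sit in front of every application, whether hosted on-premises, in a public cloud or as SaaS, with device posture fed from the device-management inventory rather than from request fields.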

With a zero-trust approach, it is becoming easier for organizations to balance security against ease of use for the end user. The tug of war between the two will continue, but giving users friction-less access to every work application and asking for additional verification only when needed provides a happy medium. In the perimeter-less world, the network is no longer the control point. Every work application is.
