Zero-Trust for the Post-Pandemic World

More than a year after the start of the COVID-19 pandemic, we’re seeing most companies either maintaining their remote work policies or slowly moving to a hybrid work model. In fact, an estimated 36.2 million Americans will be working remotely by 2025, which is nearly double pre-pandemic levels.

Alongside this shift, 2020 brought a sharp increase in cyberattacks due, in part, to a near-exclusive reliance on the internet for work, school, entertainment, shopping, connection and more. This sudden switch to remote life meant employees increasingly used work equipment and devices for personal pursuits, while companies provided remote network access so employees could do their jobs from home. 

With the melding of personal and work-related internet use, the risk of a security compromise of company information or systems became significantly higher. If ever there was a time for companies to move away from providing network access to employees, whether working remotely or in an office, it’s now. The tradeoffs between security and ease of accessibility to applications for employees no longer exist in a zero-trust security model, making it the right approach for almost any kind of business.

Zero-Trust: Not as Scary as it Sounds

If the term ‘zero-trust‘ has popped up in your news feed with astonishing frequency, you may be tempted to think that zero-trust must be a brand new technology cooked up in a research lab at MIT and powered by the latest artificial intelligence, machine learning, quantum computing, and a 1.21 gigawatt flux capacitor. However, it’s not as scary as it sounds; zero-trust is all about simplicity—and at its core, it’s a strong form of the age-old principle of least privilege.

Zero-trust is gathering momentum, and recently, in the wake of some high-profile cyberattacks, we have seen numerous articles that point out how a zero-trust approach could have thwarted those attacks. In some attacks, malware was introduced via phishing or by exploiting a vulnerability in an exposed server. Once in, the malware then moved laterally within the enterprise to find high-value targets and sensitive data. 

This pattern is exactly how ransomware finds a target that it can encrypt and then demand ransom for the decryption. As we see with alarming regularity, there is no lack of vulnerable and exposed servers and no lack of ransomware victims. Most people could probably cite several examples off the top of your head. Fortunately, zero-trust really can make a difference in this area. 

Zero-Trust Network Access is an Oxymoron

Zero-trust is based on application access, not network access. I was surprised, then, when Gartner’s new secure access service edge (SASE) model included something called zero-trust network access (ZTNA). This term is an oxymoron; I make this point deliberately, because it matters. The distinction between network access and application access is important.

Traditionally, access to corporate applications has been based on network access. You have to be on the corporate network to access corporate applications. If you are in one of your company’s office buildings, then you connect to the corporate Wi-Fi network or corporate Ethernet, possibly with the extra step of network access control (NAC). If you are somewhere other than the corporate campus and not inside the perimeter, then you use a virtual private network (VPN). 

What we see here is a clear violation of the principle of least privilege. You need access to certain applications, but you do not need to be able to see any other applications, let alone scan the network for vulnerabilities. 

Zero-trust fixes this problem by using an application-based access model.

There is no direct routability between users and applications, and instead, all access is routed through proxies. Generally, zero-trust access is provided as a service with the proxies in multiple internet locations. Users, therefore, only need an internet connection; a corporate network and/or a VPN is never needed.

Zero-Trust Needs the Edge

Backhauling traffic destroys performance, and backhauling attack traffic can destroy even more. We know all traffic must route through a robust security stack, so how do we accomplish this goal without backhauling? 

The answer is rather than backhauling traffic to the security stack, we can deploy the security stack where the traffic is, at the edge. In this model, a full zero-trust security stack is provided as a service running on edge infrastructure—and all traffic flows can be secured without backhauling.

With the security stack at the edge, it is nearer to users, employees—everyone, wherever they may be working, whether that is in an office, at home or on the road. Likewise, at the edge, the security stack is closer to any attackers, whether they be hackers, compromised corporate devices or bots, so attack traffic can be blocked near its source before it has a chance to do any harm.      

The New Normal: All Access Is (Or Should Be) Remote Access

While there’s lots of discussion about remote work being the ‘new normal,’ I encourage you to move away from thinking about ‘remote’ as meaning outside of the office, and ‘remote access’ as meaning remote ‘network’ access. At the same time, companies must remove the burden on employees to determine if something is suspicious or not. Even with training, employees don’t always recognize suspicious activity, especially when it comes from sophisticated cybercriminals. 

Focusing on application access over network access and shifting to a zero-trust model based on least privilege should be the new normal for our internet-centric lives. We are much better off if we treat all access as remote access and use a zero-trust access architecture. In this architecture, whether employees are working remotely or are physically in the office, all access is managed and secured via the zero-trust access system. Doing so eliminates risk by exposure, and benefits employees, IT and the organization alike.