Securing Remote Work through Zero Trust Principles

With the shift to remote work, getting distributed workforces to follow best security practices isn’t a goal: It’s a necessity

Verizon’s 2020 Data Breach Investigations Report (2020 DBIR) found that cloud-based data is ripe for attack. Credentials stolen through phishing attacks, poor security routines, or human error account for nearly 80% of hacking breaches in North America, and attacks on web applications doubled to account for 43% of breaches. A remote workforce may add flexibility and convenience for the worker, but it adds significant complexity for IT teams tasked not only with making remote work happen but also with making it as secure as possible. IBM’s “Cost of a Data Breach” report underscores the risks. The average total cost of a data breach is $3.86 million, and a breach takes an average of 280 days to identify and contain. COVID-19 has made the situation worse: 76% of organizations reported that the pandemic would increase the time to identify and contain a breach and add $137,000 to its cost.

With devices and users distributed across homes worldwide, there’s no question that the attack surface has broadened. As IT infrastructure has moved away from physical domains and become decentralized, it is now more crucial than ever for businesses to develop a security posture based on Zero Trust principles. These four principles help guard against the most common security risks wrought by employees.

#1. Trust Not; Just Verify

Previously, trust-but-verify was a foundational precept for network security. With the evolution of security threats, and the reshaping of the workplace beyond physical buildings, all businesses require a different approach: one that maps to the reality of modern IT infrastructure. And that approach is one of Zero Trust.

Zero Trust can mean different things to different people, but the key is taking the phrase at its most literal meaning: trust no person, no device, no application. How? Robust identity, access, and device management governed by policy-based, adaptive authentication built on device trust. IT admins can enable secure access for remote workers, but it requires implementing multi-factor authentication (MFA) and guaranteed policy delivery to each user’s device. Least-privileged access is another powerful control, one that grants each user or device only the lowest level of access it needs.

#2. Require Adaptive Authentication

Zero Trust means requiring not only that the right credentials are presented but also that the right person presents them. This approach means that user application provisioning should be based on devices and groups, and protected by risk-based adaptive authentication policies. MFA is an essential component. Passwords are still the weakest link of the security chain. The DBIR found 37% of breaches were the result of stolen or used credentials, and another 22% were linked to phishing attacks. Shifting away from security strategies based only on “what you know,” and adding a second factor of “something you have,” like a card, token, or mobile push authenticator, or “something you are,” like biometrics, creates a solid cybersecurity foundation that can mitigate user mistakes and poor password practices.

#3. Monitor Everything

A Zero Trust model requires near-instantaneous visibility into network activity and access attempts. With real-time monitoring, malicious activity can be identified quickly, shortening the containment period and limiting an attack’s reach. Systems can alert IT admins to anomalous user behavior while simultaneously isolating that behavior and preventing the attack from moving laterally to other network systems. Real-time monitoring is what best equips security teams to detect, investigate, and remediate threats and intrusions.

#4. The Device Is Crucial

Zero Trust is device trust. Even if users log in from their kitchen table half a world away, security teams can establish a single enterprise identity and protect applications and resources by ensuring device trust. How? Through policy-driven access control for conditional authentication, which means they allow or deny devices access to organizational resources based on their individual conditions. Adding this level of security doesn’t have to be onerous. Solutions today allow new employees to open a factory-sealed laptop and be onboarded within minutes of turning it on. They simply have to type in basic information, enroll using a second factor from their known mobile device or token key, and their new devices are secured and able to connect to the resources they need with no friction.

Beyond onboarding, IT admins manage each device remotely: they push updates to keep its security current, wipe data, and lock the device remotely. They can also deprovision users to mitigate the risk if devices are lost or stolen.
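As an added illustration (not the author’s or JumpCloud’s code), the following Python policy evaluator combines the least-privilege, device-trust, and risk-based adaptive MFA checks described under principles #1, #2, and #4 into one access decision. The resource-to-group map, device attributes, factor names, and sign-in scenarios are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed policy data: which groups are provisioned for which resource
# (least privilege: a user outside every provisioned group gets nothing).
RESOURCE_GROUPS = {
    "hr-payroll": {"hr"},
    "source-repo": {"engineering"},
    "wiki": {"hr", "engineering", "sales"},
}
SENSITIVE_RESOURCES = {"hr-payroll"}
STRONG_FACTORS = {"hardware-token", "biometric"}  # "something you have/are" on a known device

@dataclass
class Device:
    enrolled: bool        # managed by the organization, so policy can be delivered to it
    disk_encrypted: bool
    patched: bool

@dataclass
class AccessRequest:
    user: str
    groups: set
    device: Device
    resource: str
    second_factor: Optional[str]   # None, "push", "hardware-token" or "biometric"
    new_location: bool             # sign-in from a location not previously seen for this user

def evaluate(req: AccessRequest) -> Tuple[str, str]:
    """Return (decision, reason). Decisions: deny, mfa_required, step_up, allow."""
    # 1. Least privilege: the user must be provisioned for the resource.
    if not req.groups & RESOURCE_GROUPS.get(req.resource, set()):
        return "deny", "user is not provisioned for this resource"
    # 2. Device trust: only an enrolled, encrypted, patched device may connect.
    d = req.device
    if not (d.enrolled and d.disk_encrypted and d.patched):
        return "deny", "device does not meet trust policy"
    # 3. Adaptive authentication: a second factor is always required, and the
    #    bar rises with risk (sensitive resource or unfamiliar location).
    if req.second_factor is None:
        return "mfa_required", "second factor required"
    elevated_risk = req.resource in SENSITIVE_RESOURCES or req.new_location
    if elevated_risk and req.second_factor not in STRONG_FACTORS:
        return "step_up", "strong factor required for elevated risk"
    return "allow", "identity, device and factor checks passed"

if __name__ == "__main__":
    laptop = Device(enrolled=True, disk_encrypted=True, patched=True)
    print(evaluate(AccessRequest("ana", {"hr"}, laptop, "hr-payroll", "push", False)))
```

Because every check is policy data rather than code, tightening the posture (for example, adding a resource to SENSITIVE_RESOURCES) changes the decision without touching the evaluator.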

Security threats will continue to evolve as attackers seek to exploit remote workforces and look for vulnerabilities in a company’s IT infrastructure. By adopting Zero Trust principles, enterprises can add an extra layer of control and ensure a security posture that is prepared for the sophisticated attacks against it.

About the Author

Neil Riva is a Principal Product Manager at JumpCloud, focusing on identity and authentication. He is an award-winning product leader with extensive experience creating a diverse portfolio of identity and access management, authentication, and cybersecurity products.

Featured image: ©Green Butterfly