The global pandemic adversely affected the world of work and made resilience an absolute necessity. Technology deserves the credit for enabling workers to adapt to hybrid or remote work under unprecedented circumstances. However, some organizations compromised on security, policies, and performance during the early months of the pandemic.
With hybrid work becoming the norm, the new buzzwords in the boardroom are employee flexibility, experience management, and work-life integration. Modern workplaces reflect this trend as well: they no longer rely on a single corporate IT infrastructure. Many employees now work from their own devices and networks, which may or may not be secure. Work can be done from home, at a café, in the mountains, on a company laptop, or on a personal MacBook.
While the new setup provides excellent flexibility and freedom, it also exposes the workplace perimeter to emerging security threats and creates new opportunities for cybercriminals. Ponemon Institute's 2020 “Cost of Data Breach Study” shows that the volume of records compromised by data breaches in 2020 increased by 141 percent, reaching a massive 37 billion, the largest number since 2005.
The evolving hybrid model poses new security threats that require enterprises to reconsider traditional security approaches.
In 2020, the average cost of a data breach in the United States was $8.64 million, an all-time high, while the global average was $3.83 million.
In the traditional model, users, devices, applications, and data were protected behind a DMZ or firewall. Everything sat inside the network perimeter, and network security was all we needed at that time.
In the current hybrid model, the user population spans employees, partners, and contractors, each of them bringing their own devices. Employees are working from anywhere and storing sensitive data in public cloud servers. We have connected devices deployed in our supply chains, fields, factories, and buildings. We even share users, devices, apps, and data with our partners and vendors.
Our corporate footprint, and how we protect it, look a lot different than they once did, with dual perimeters now protecting our assets under different circumstances. Here are some eye-openers from Microsoft research:
- 94 percent of enterprises are now using cloud services
- On average, employees access 5.2 mobile business apps every day
- 60 percent of organizations are supporting BYOD, with more adding programs every day
- 7 billion internet-connected devices are now in use and that number keeps climbing
This means that the old assumptions will not keep us secure in the new world. We can no longer assume that everything behind the corporate firewall is safe. That is why we must change the way we think about digital workplace security, and this is where the Zero Trust approach comes to the fore. The approach rests on the following three key tenets:
- Verify explicitly. Always perform authentication and authorization based on all relevant data, such as user identification, location, device health, service or workload, classification of the data, and anomalies.
- Use least privileged access. To safeguard both data and productivity, set access restrictions using Just-In-Time and Just Enough Access (JIT/JEA).
- Assume breach. Minimize the blast radius of a breach and use a security plan to stop lateral movement. The entire digital estate should adopt Zero Trust as an integrated security principle and end-to-end plan.
These tenets are then applied across the six foundational elements of the digital estate:
- Identities. The Zero Trust control plane is defined by identities, whether those identities represent people, services, or IoT devices. We must use strong authentication to confirm an identity attempting to access a resource, make sure the access is compliant and appropriate for that identity, and adhere to the least privilege access guidelines.
- Devices. Once an identity has been permitted access to a resource, data can flow to numerous devices: from IoT gadgets to smartphones, from BYOD to partner-managed devices, and from on-premises workloads to cloud-hosted servers. Because this variety creates a large attack surface, we must monitor and enforce device compliance and health to provide secure access.
- Applications. APIs and applications offer the interface through which data is consumed. They may be legacy on-premises systems, lift-and-shift cloud workloads, or modern SaaS applications. Controls and technologies should be applied to discover shadow IT, ensure appropriate in-app permissions, gate access based on real-time analytics, monitor for abnormal behavior, control user actions, and validate secure configuration options.
- Data. In the end, security teams are concerned with safeguarding data. Wherever possible, data should remain secure even when it leaves the systems, software, networks, and infrastructure that the company controls. Data should be classified and labeled, and those attributes used to encrypt it and restrict access to it.
- Infrastructure. Infrastructure (whether on-premises servers, cloud-based VMs, containers, or microservices) represents a critical threat vector. Use telemetry to detect threats and anomalies, assess version, configuration, and JIT access to enhance protection, automatically block and flag unsafe behavior, and take precautionary measures.
- Networks. Ultimately, all data is accessed over network infrastructure. Networking controls can offer essential "in-pipe" controls that improve visibility and help stop attackers from moving laterally across the network. Segmented networks, end-to-end encryption, monitoring and analytics, and real-time threat protection are all recommended.
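The three tenets and the six elements above come together in a single access decision. The following is an added illustration, not code from the original article or from any vendor product: a small policy evaluator that consults the signals the article lists (strong authentication, device health, location, data classification, anomaly score), applies least privilege by downgrading and time-boxing what is granted (JEA/JIT), and treats an expired grant as invalid. The thresholds, field names, JIT windows, and sample requests are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2}
# JIT windows (assumed values): the more sensitive the data, the shorter the grant.
JIT_TTL = {0: timedelta(hours=8), 1: timedelta(hours=1), 2: timedelta(minutes=15)}

@dataclass
class AccessRequest:
    user: str
    mfa_done: bool            # strong authentication completed for this session
    device_compliant: bool    # device health/compliance attested by device management
    location_trusted: bool    # e.g. known office egress vs. an unknown network
    data_classification: str  # "public" | "internal" | "confidential"
    anomaly_score: float      # 0.0 normal .. 1.0 highly anomalous (from analytics)
    action: str               # "read" | "write"

@dataclass
class Grant:
    decision: str                   # "allow" | "deny" | "step_up"
    scope: str                      # action actually granted (JEA); "none" if not allowed
    expires_at: Optional[datetime]  # JIT expiry; None unless allowed
    reason: str

def evaluate(req: AccessRequest, now: datetime) -> Grant:
    # Verify explicitly: every signal is checked; nothing is implied by being "inside".
    if req.anomaly_score >= 0.8:
        return Grant("deny", "none", None, "session flagged as anomalous")
    level = SENSITIVITY[req.data_classification]
    if level >= 1 and not req.mfa_done:
        return Grant("step_up", "none", None, "MFA required for internal data and above")
    if level == 2 and not req.device_compliant:
        return Grant("deny", "none", None, "confidential data requires a compliant device")
    # Least privilege (JEA): a write from an untrusted location or a mildly
    # anomalous session is downgraded to read instead of being refused outright.
    scope = req.action
    if scope == "write" and (not req.location_trusted or req.anomaly_score >= 0.5):
        scope = "read"
    return Grant("allow", scope, now + JIT_TTL[level], "all signals verified")

def is_valid(grant: Grant, now: datetime) -> bool:
    # Assume breach: a leaked grant is worthless once its JIT window has closed.
    return grant.decision == "allow" and grant.expires_at is not None and now < grant.expires_at

NOW = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed sample timestamp
LATER = NOW + timedelta(minutes=20)
# Constructed sample requests (not real data): a confidential write from a cafe, and a read without MFA.
CAFE_WRITE = AccessRequest("alice", True, True, False, "confidential", 0.1, "write")
NO_MFA = AccessRequest("bob", False, True, True, "internal", 0.0, "read")
```

Evaluating `CAFE_WRITE` at `NOW` yields an allow that is narrowed to read-only and expires after 15 minutes, so the same grant is already invalid at `LATER`.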