How to stop worrying and love zero confidence
Countless articles have been published in recent years on zero trust, most of them explorations and expositions for security professionals.
But I want to write for the remote workers on the other side of the so-called "trust" equation: the people who will face change and pitfalls as zero-trust strategies are implemented and refined over the next few years.
Welcome to this jargon-free explanation of zero trust.
If you're an IT or security professional, save this newsletter to share with employees, especially remote employees, who need to understand what's happening and why.
First of all, Zero Trust is not a product or a service, it is an idea, an approach, a strategy.
We need zero trust to secure the future of the workplace. And the reason is that the old strategy, perimeter security, no longer works.
Along with perimeter security, a corporate firewall was in place. Everyone, devices, and applications inside the firewall were supposed to be safe – they were trusted because they were inside. Remote employees can access the firewall using a virtual private network (VPN), which is software that encrypts data and allows an authorized person to access the firewall, even from a home office or hotel in another country.
Perimeter security used to work pretty well, but the world has changed. And now it doesn’t work anymore. Connectivity is too complex, and cyber attackers have become too sophisticated. These days we have all kinds of antiquated networks, complex cloud computing arrangements, and a host of tiny, connected, often sensor-based units all brought together under the umbrella of the Internet of Things (IoT).
And we have you. Yes, you.
The main reason perimeter security is no longer working is that people are working remotely not just from their home office but over any connection, anywhere, anywhere.
Think about the home office. With a perimeter security device, you would connect through your home Wi-Fi network using a VPN, allowing your main work laptop to be inside the firewall. Now, a number of things can happen:
These scenarios involve a single WFH employee. Now imagine 5000 remote employees at a single company working from home and from all over the world, all with an untold variety of vulnerabilities.
Do you see why remote work is the enemy of perimeter security?
This is how zero trust works. Instead of relying on a secure “perimeter” that can’t be protected, your company will require each user, device, and application to authenticate individually.
This means that: Even if you and your laptop are authorized to access company resources, if someone plugs a USB drive into your system, neither that drive nor the software on it will have access to these same resources. The hacker kid next door can’t access it. Malware downloaded onto your laptop can’t access it. Random IoT devices that appear on your home Wi-Fi can’t access it.
The downside, as you can imagine, is that all this authentication will increase hassle. You'll need very good hygiene and good password practices. You'll probably need biometric authentication. There will be accidental cases where access to an authorized device or app is denied, and you'll need to work with Support to sort it all out.
But all of those drawbacks are the price we pay for the power of IoT, cloud computing, and most importantly, remote work.
The process is coming, and there will be a learning curve. But, in the end, I urge you to rely on zero trust. That's how things should work now.
Copyright © 2022 IDG Communications, Inc.
Leave your comment