How to stop worrying and love zero confidence

How to stop worrying and love zero confidence

Countless articles have been published in recent years on zero trust, most of them explorations and expositions for security professionals.

But I want to write for the remote workers on the other side of the so-called "trust" equation: the people who will face change and pitfalls as zero-trust strategies are implemented and refined over the next few years.

Welcome to this jargon-free explanation of zero trust.

If you're an IT or security professional, save this newsletter to share with employees, especially remote employees, who need to understand what's happening and why.

First of all, Zero Trust is not a product or a service, it is an idea, an approach, a strategy.

We need zero trust to secure the future of the workplace. And the reason is that the old strategy, perimeter security, doesn't work anymore.

Along with perimeter security, a corporate firewall has been established. Everyone, devices and applications inside the firewall were supposed to be safe: they were trusted because they were inside. Remote employees can access the firewall through a virtual private network (VPN), which is software that encrypts data and allows an authorized person to access the firewall, even from a home office or hotel in another country.

Perimeter security used to work pretty well, but the world has changed. And now it doesn't work anymore. Connectivity is too complex and cyber attackers have become too sophisticated. These days we have all kinds of antiquated networks, complex cloud computing arrays, and a plethora of tiny, connected, often sensor-based units all brought together under the umbrella of the Internet of Things (IoT).

And we have you. If you.

The main reason perimeter security is no longer working is that people are working remotely not just from their home office but over any connection, anywhere, anywhere.

Think of the home office. With a perimeter security device, you would connect through your home Wi-Fi network using a VPN, allowing your main work laptop to be inside the firewall. Now, several things can happen:

  • The neighbour's hacker kid, who can access your Wi-Fi from his room, is using that access to hack into your laptop, compromise your VPN software, and therefore compromise the entire business, because now she's on the inside too. perimeter. from her workplace.
  • He walks away from his laptop for a few minutes, and while he's still online, his son's friend comes over to his home office to take a look at some porn. While he's at it, he visits a suspicious site that automatically downloads all sorts of malware onto his laptop. After this event, his laptop connects to servers in Eastern Europe XNUMX/XNUMX, allowing gangs of professional malicious hackers to take advantage of VPN access to their corporate networks.
  • Their parents buy their children a toy for Christmas, which is connected via Wi-Fi. You now have an IoT device on your home network from a company that has no plans to release a security update. This device is another gateway to your Wi-Fi, your laptop, and your business by skilled hackers operating from a car on the front lines.
  • These scenarios involve a single WFH employee. Now imagine 5000 remote employees in a single company working from home and from all over the world, all with an untold variety of vulnerabilities.

    Do you see why remote work is the enemy of perimeter security?

    This is how zero trust works. Instead of relying on a secure "perimeter" that cannot be secured, your business will require each user, device, and application to authenticate individually.

    This means: Even though you and your laptop are authorized to access company resources, if someone plugs a USB drive into your system, neither that drive nor the software on it will have access to these same resources. The hacker boy next door can't get in. Malware downloaded onto your laptop cannot access it. Random IoT devices that show up on your home Wi-Fi can't access it.

    The downside, as you can imagine, is that all this authentication will add to the hassle. You will need very good hygiene and good password practices. You will probably need biometric authentication. There will be accidental cases where access to an authorized device or app is denied, and you'll need to work with Support to figure it all out.

    But all of those drawbacks are the price we pay for the power of IoT, cloud computing, and most importantly, remote work.

    The process is coming and there will be a learning curve. But, in the end, I urge you to trust zero trust. This is how things should work now.

    Copyright © 2022 IDG Communications, Inc.