Hybrid working is likely to be the dominant model at UK organisations for the foreseeable future. This will place even greater pressure on conventional, perimeter-based models of IT security, as the majority of workers – and the data they use – will be outside the corporate network.
Zero trust security, in which requests to access systems are assessed individually and on multiple contextual factors, is seen as a potential solution. Indeed, the principles of zero trust were developed in part to address the security risks posed by remote workers and bring-your-own-device, two components of hybrid working.
At a recent roundtable discussion, hosted by Tech Monitor and sponsored by cloud security provider Zscaler, participants expressed interest in the model and agreement with the theory. But there were also concerns that zero trust may prove challenging for organisations that have struggled to address the basics of cybersecurity, and warnings that it will require a degree of organisational coordination that is difficult to pull off.
The security challenges of hybrid working
More than eight out of ten UK organisations have adopted hybrid working, combining remote and office-based work, according to a recent survey by the Chartered Institute of Management (CIM), with the majority having done so as a result of the pandemic.
The majority of senior leaders are now trying to coax workers back into the office, the survey also showed, but the CIM warns against fighting the prevailing trend. “The best practice is to have a blend, so when you come into the office you can do those things that are very difficult to do remotely,” CIM chief executive Ann Francke told the BBC.
For many UK organisations, investments in cloud-based applications and collaboration tools made the initial switch to home-working relatively straightforward. “We’ve always placed a lot of emphasis on people being able to access our systems [remotely],” explained a security manager from a large financial institution (the roundtable took place under the Chatham House rule). “People have always made use of being away from the office to really maintain a good work-life balance.”
Nevertheless, they added, the organisation’s legacy systems and processes have made securing high-value data amid this shift challenging. “We’re fighting with a lot of legacy systems,” they said. Access is determined by a complex set of “very granular controls,” and their implementation is not always automated.
Hybrid working will add to the complexity of securing access to enterprise systems. Users may or may not be on the corporate network; they may or may not be using a company-issued device; they may legitimately require access late at night or early in the morning, but their devices might also be more vulnerable to loss or theft.
“Now that we’re moving out of the pandemic, [and] people go to work in [office], they go to visit clients and they take their devices with them – it all gets a bit muddled up in terms of usability and security,” said the security manager.
Zero trust security and hybrid working
The ‘zero trust’ model of IT security has developed in response to the erosion of the perimeter of the corporate network. The complexity of a modern enterprise’s IT estate “has outstripped legacy methods of perimeter-based network security as there is no single, easily identified perimeter for the enterprise,” according to US security agency NIST, in its definition of zero trust.
In a zero trust security model, “an enterprise must assume no implicit trust and continually analyse and evaluate the risks to its assets and business functions and then enact protections to mitigate these risks,” NIST explains.
The approach seems well-suited to the hybrid-working era. Traditional, perimeter-based approaches to security assumed that anyone who had access to the corporate network must be a legitimate user. “The fallacy was that somehow we could trust the network,” said Marc Lueck, CISO EMEA at Zscaler. This is no longer tenable in an era when employees are accessing systems through a mix of wired and wireless networks in the office, home WiFi, mobile connections and more.
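To make the contrast concrete, here is a small added example (not code from the article, Zscaler or NIST) that evaluates the kind of request described above on the contextual factors the roundtable named: identity verification, whether the device is company-issued or reported lost, network location and time of day. The perimeter-style decision trusts the network; the zero trust decision deliberately ignores it. Field names, the 07:00 to 20:00 working window and the sensitivity labels are illustrative assumptions.

```python
# Added example: a minimal per-request access decision in the zero trust style,
# beside the legacy perimeter rule it replaces. All names and thresholds are
# illustrative assumptions, not any vendor's policy engine.
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user_mfa_verified: bool       # identity confirmed with a second factor?
    device_managed: bool          # company-issued and enrolled device?
    device_reported_lost: bool    # device on the lost/stolen list?
    on_corporate_network: bool    # request originates inside the office network?
    hour_local: int               # local hour of the request, 0-23
    resource_sensitivity: str     # "low" or "high"


def perimeter_decision(req: AccessRequest) -> str:
    """Legacy model: anyone already on the corporate network is trusted."""
    return "allow" if req.on_corporate_network else "deny"


def zero_trust_decision(req: AccessRequest) -> str:
    """Evaluate each request on its own context.

    Returns 'allow', 'step_up' (re-authenticate before access) or 'deny'.
    Network location is intentionally not consulted: it is not a trust signal.
    """
    # Hard stops: a lost device or an unverified identity never gets through,
    # no matter where the request comes from.
    if req.device_reported_lost or not req.user_mfa_verified:
        return "deny"
    # High-value data is only served to a managed device.
    if req.resource_sensitivity == "high" and not req.device_managed:
        return "deny"
    # Out-of-hours access can be legitimate for hybrid workers, but it is
    # riskier, so require a fresh authentication rather than refusing outright.
    if not 7 <= req.hour_local <= 20:
        return "step_up"
    return "allow"


def compare(req: AccessRequest) -> tuple[str, str]:
    """Return (perimeter decision, zero trust decision) for the same request."""
    return perimeter_decision(req), zero_trust_decision(req)


if __name__ == "__main__":
    # Constructed case: an unmanaged personal laptop plugged into the office LAN.
    laptop = AccessRequest(True, False, False, True, 10, "high")
    print(compare(laptop))  # perimeter allows it; zero trust does not
```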
With zero trust “you say to yourself ‘I’m no longer going to pretend I have any control over the network, or the [wireless networking] airspace, or any physical cabling’,” Lueck argued. “By relinquishing control over networks, you’re going to focus your efforts on protecting what you can.”
Not everyone likes the term ‘zero trust’, however, although they may agree with the underlying principles. “I feel the hype around ‘zero trust’ should move towards a more stable platform of ‘verified trust’,” said a security researcher. “Rather than saying ‘We don’t trust anything’, we [should be] verifying trust … using the right technologies and controls and people.”
The phrase ‘zero trust’ is not “something that we’ll go out to the larger organisation [with] because it can be quite misleading,” added another participant. “To the average user, it’s almost a negative.”
Another argued that the degree of control over data, and where and when it is accessed, that a zero trust model requires is not possible with the currently available tools. “The level of control [zero trust] implies doesn’t actually exist because there are a lot of technologies out there that we cannot control,” they said. “The abuse of those technologies is further ahead than the controls. Data loss prevention tools [for example] – there are ways to bypass them.”
They added that zero trust may prevent employees from trying innovative, cloud-based tools that could help them do their job better. “If we’d have had what is supposedly true zero trust, we wouldn’t have had DropBox coming into our corporations, we may not have had BYOD, we may not have had social networks,” they said. “We wouldn’t have had the opportunity to try out these types of services that consumers thought were good.”
The challenges of implementing zero trust
The security researcher argued that the challenge of achieving zero trust is not a lack of tools, but a lack of discipline required to apply them appropriately. “We have the tools,” they said. “The question is, do we use them? We have some very basic nuts and bolts concepts, such as [email authentication technique] Sender Policy Framework, which every organisation can use. But they don’t.”
For Lueck, the greatest challenge of applying a zero trust architecture is organisational, not technical. It requires coordination of IT management capabilities, including for identity and access, devices, applications, data and networks, that are typically managed by different teams. For zero trust to work, “all of those teams have to pull towards a common goal,” Lueck said. “So the challenge for me is not the technology. The key is how to draw those disparate groups together towards a common goal.”
Although its meaning will continue to be debated, one potential benefit of the concept of zero trust may be to provide a shared vision for these teams to pursue. “This is turning into a selling point,” said one participant.