For the last two decades, most enterprises have relied on an outward-looking approach to security with a strong corporate firewall to prevent external intruders from entering the network. However, with staff increasingly working outside the standard enterprise perimeter, security has become much more complicated: firewall-centric strategies are at risk of being overrun by attackers who can evade defences without raising the alarm and cause serious damage once they are inside.
The post-perimeter era requires a new approach in which ‘zero-trust’ is the foundation of security. It’s a model which gives workers more flexibility regarding when and where they log on, but also means that security departments can retain control by verifying everything – and everyone – that tries to connect to systems, before granting access.
Perimeter Security: Gaps in the wall
The boom in remote and more flexible working practices has been powered by increasingly accessible and affordable cloud applications and mobile devices. Even a modest IT budget can incorporate multiple cloud services that will enable workers to access vital files and applications from anywhere in the world and, indeed, it is not unusual for new businesses to be entirely cloud-based.
With staff now potentially just as productive in a coffee-shop between meetings halfway around the world as they are at their desk, the new remote working paradigm is delivering powerful business benefits. However, it has also made perimeter-based security even more untenable; an attacker using stolen login credentials, or a compromised machine, could easily slip through the net and organisations who are unable to differentiate friend from foe will be left wide open to a serious breach.
The degree to which working practices are changing was evident in the 2018 Duo Trusted Access Report, which analysed data from nearly 11m devices and a half a billion logins per month. The report found that 43 percent of requests to access protected apps and data now come from outside the office and network. Between 2017 and 2018 there was a 10 percent increase in the average number of unique networks that customers and enterprise organisations are authenticating from, representing the fact that more work is being conducted from potentially unsecured Wi-Fi networks.
The threat of a security breach is exacerbated by poor security practices for mobile devices connecting to the corporate network. In particular, our research found that a massive 90 percent of Android devices analysed were running outdated operating systems, followed closely by 85 percent of Chrome OS devices.
A device that has fallen behind on security patches and OS updates represents an easy target for a hacker, who can go on to use a compromised device to spread their attack to the enterprise network. The intruder can also raid the device itself for login credentials, a serious threat as weak and compromised credentials are one of the leading causes of serious security incidents. Any confidential data on the machine, connected corporate network and cloud-based applications can also be stolen or manipulated with impunity.
Trust no One, Verify Everything
With the old perimeter security wall crumbling, it is no longer safe to trust a user simply because they are inside the network. Instead, organisations are increasingly adopting the zero-trust approach, whereby only trusted users and devices can access sensitive and restricted files and applications. Users who cannot prove their identity or the health of their device to a sufficient degree will not be granted access, regardless of whether their request is coming from a presumably trusted location.
Verifying user identity can be achieved through measures such as two-factor authentication, which will prevent an attacker impersonating a legitimate user with stolen credentials. Alongside this, the device must be running current OS updates and security patches and must be free of any malware.
Read this: TfL: Calling all White Hats
Zero-trust security is best managed with a risk-based approach which revises access requirements based on the potential risk to the business, and external factors that point to suspicious behaviour. If a user is logging in from a well-patched, corporate managed device to a work application, they are provided full access without any additional steps. However, if the same user is logging in from an out-of-date personal device, they are required to further prove their identity or are provided limited access.
This process need not be onerous for the user. The flexibility provided by a risk-based approach means an organisation can implement a zero-trust strategy without creating unnecessary barriers for legitimate users that will prevent them from getting on with their jobs as quickly and easily as if they were in the office.
While the age of the traditional perimeter may be at an end, organisations can still protect themselves from attackers by using a zero-trust approach to ensure that only genuine, trusted users are guaranteed access to the network.