Using the 'Zero Trust' Model for Remote Workforce Security
Practitioners Discuss the Essential Elements of This Approach
The massive shift to remote working as a result of the COVID-19 pandemic is escalating the use of mobile devices, cloud-based applications and edge computing. As a result, more organizations are adopting the "zero trust" model, which emphasizes advanced authentication of those accessing systems and data.
Essential elements of a zero trust approach are implementing proper access controls, monitoring user behavior and creating appropriate data governance policies.
Unfortunately, however, most access controls were not designed for a remote workforce, says Bharat Panchal, chief risk officer-India, Middle East and Africa at FIS Global, a U.S.-based financial services organization. "Two months back, no one was ready for a huge workforce working remotely. To be honest, we in the security community never thought of aspects like design of access controls," he says. "This is where the zero trust model assumes significance for the security community."
Christopher Frenz, CISO at Interfaith Medical Center in New York, says the hospital began investigating the zero trust model back in 2015, when there was a spike in ransomware attacks on the healthcare industry. "At that time we tried multiple controls, and one control that stood the test of time is the network segmentation," Frenz says. "So that is what led us to the thought process as to how we can scale it up to the next level."
In the current environment, the zero trust approach has helped the hospital efficiently manage remote workers, he adds.
Expanded use of the cloud to support system access by remote workers has fuelled interest in the zero trust approach, says Dave Lewis, CISO of Duo Security, a unit of Cisco. "Companies are moving to the cloud as employees are no longer available to monitor onsite data centers," he says. "SOCs are now physically isolated and are no longer viable options to protect networks and corporate data."
How the Model Works
In the zero trust model, access is not given to everyone at all times, says Ashish Khanna, CISO at The Oberoi Group of Hotels & Resorts, based in India. "Users are given access to a particular system or applications, with the purpose well-defined and for a defined period only, after ensuring that the user's device has met all the baseline security principles," the CISO says.
While security practitioners have frequently deployed VPNs to manage their remote workforce, this has led to security problems because the VPNs provide system access to too many workers, Khanna says. "But if we align VPNs with a zero trust strategy, then a user will only get access to a particular application and not all," he adds.
An essential component of the zero trust model is verifying the devices from which data is being accessed, using technologies such as CASB and web DLP.
"If an employee is accessing my database through a personal device, the zero trust approach helps me check the device security posture," Khanna says. "Only after these verifications is the device allowed to access the database."
Gary Hayslip, director of information security at SoftBank Investment Advisers in California, says the zero trust approach fits his company's 100% cloud approach.
"For us it was all about having a proper control over access. We wanted to have a control and know about who is accessing what kind of data," Hayslip says. "Now, whether workers are travelling or at home, we know the device, we know the user, we know the geo location and we know what data the user accessed."
When building a zero trust framework, Panchal says, it's critical to "capture every physical and digital footprint of the users' access to the enterprise applications and services using AI on top of every log to understand the user behavior in the system and grant access accordingly."
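The access model described above (per-application grants with a stated purpose and period, a device baseline checked first, every decision logged) can be reduced to a small default-deny policy function. This is an added illustration, not code from any of the organizations quoted; the user, application and posture-check names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Grant:            # access is to one application, for a purpose, for a period
    user: str
    app: str
    purpose: str
    not_before: datetime
    not_after: datetime

BASELINE = {"disk_encrypted", "os_patched", "edr_running"}  # checks every device must pass

def decide(user: str, app: str, posture: set, at: datetime, grants: list) -> tuple:
    """Default deny: a healthy device AND a matching, unexpired grant are both required."""
    missing = BASELINE - posture
    if missing:
        return False, "device fails baseline: " + ", ".join(sorted(missing))
    for g in grants:
        if g.user == user and g.app == app:
            if g.not_before <= at <= g.not_after:
                return True, f"grant for '{g.purpose}' in effect"
            return False, "grant exists but is outside its time window"
    return False, "no grant for this user and application"

def sample_decisions() -> list:
    # Constructed scenario with hypothetical names: a month-long grant to a payroll app.
    utc = timezone.utc
    grants = [Grant("asha", "payroll-app", "month-end reporting",
                    datetime(2020, 5, 1, tzinfo=utc), datetime(2020, 5, 31, tzinfo=utc))]
    healthy = {"disk_encrypted", "os_patched", "edr_running"}
    unencrypted = {"os_patched", "edr_running"}       # e.g. a personal laptop without disk encryption
    mid_may, june = datetime(2020, 5, 15, tzinfo=utc), datetime(2020, 6, 2, tzinfo=utc)
    attempts = [("asha", "payroll-app", healthy, mid_may),       # allowed
                ("asha", "payroll-app", unencrypted, mid_may),   # denied: posture
                ("asha", "payroll-app", healthy, june),          # denied: window expired
                ("asha", "hr-db", healthy, mid_may)]             # denied: no grant
    results = [decide(u, a, p, t, grants) for u, a, p, t in attempts]
    for (u, a, _, t), (ok, why) in zip(attempts, results):
        # Each decision is logged with user, app and time so behaviour can be reviewed later.
        print(f"{t.date()} user={u} app={a} result={'ALLOW' if ok else 'DENY'} reason={why}")
    return results
```

Note that a VPN-style "on the network" check appears nowhere in the decision: the only inputs are the user, the single application requested, the device's posture and the time.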
Building a Policy Framework
Once access controls are defined, it is important to build policies to implement them.
Ritesh Mishra, global head IT infrastructure and security at Dr. Reddy's Laboratories, a Hyderabad, India-based global pharmaceutical company, is leveraging the zero trust model to help manage remote working for 7,900 employees in several countries.
"In order to define policies one needs to begin the process by assessing users - the kind of devices they are using, what data they are accessing and from what location," Mishra says. "After this, we need to decide on the policies that need to be applied. For instance, we created a framework, and then decided on how we need to build zero trust."
Some security practitioners suggest companies need to move away from the practice of granting access based primarily on job titles. "We need to have very strong policies on who is accessing what data. People need to be given access based on their need - and not based on their designation," Khanna says.
For instance, department heads are often given the highest level of access, even if that's not necessary or appropriate.
"I have seen multiple instances where a senior person has been marked on emails containing very sensitive data, without giving a thought on whether or not that data is required by the person," Khanna says.
Another important aspect for a successful implementation of zero trust is to know where data resides. Frenz says a lack of good data governance is one of the biggest roadblocks for a successful zero trust plan.
"Since data resides everywhere these days, it is a big task to identify where data is and who is using it, and then accordingly define policies around it," he says.
Mishra suggests software-defined networks, combined with the zero trust model, will help enterprises to reduce risks.
Understanding User Behavior
Another key aspect of zero trust is monitoring user behavior.
"One cannot afford to relax monitoring user behavior when people are working from home. In fact, monitoring user behavior becomes all the more significant now," says Bharat Anand, chief of technology at NATGRID, a national integrated intelligence master database in India.
"I won't know if a user is downloading data if I do not have tools to monitor user behavior. This needs to be augmented by a proper policy framework," Anand says. "Moreover, we need to make sure that these tools are not jeopardizing the privacy of people. I feel UEBA [user identity and behavior analytics] goes a long way in controlling users against downloading unrequired data."
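The monitoring Anand describes, spotting a user who starts pulling far more data than usual, comes down to a per-user baseline and a deviation check. The following is an added example, not a tool used by any organization in the article: it builds each user's baseline from their own earlier days in a constructed download log and flags a day that exceeds a multiple of the median. Only volume and location metadata are used, never file contents, which keeps the check aligned with the privacy concern he raises.

```python
import statistics
from collections import defaultdict

# Constructed log lines (hypothetical users and values): "<date> <user> <bytes_downloaded> <location>"
LOG = """\
2020-05-04 asha 310000000 office
2020-05-05 asha 280000000 office
2020-05-06 asha 350000000 office
2020-05-07 asha 290000000 office
2020-05-08 asha 4200000000 home
2020-05-04 ravi 120000000 office
2020-05-05 ravi 150000000 office
2020-05-06 ravi 110000000 office
2020-05-07 ravi 140000000 home
2020-05-08 ravi 160000000 home
"""

def parse(log: str):
    """Yield (date, user, bytes, location) tuples from the constructed log format."""
    for line in log.splitlines():
        date, user, nbytes, loc = line.split()
        yield date, user, int(nbytes), loc

def flag_download_spikes(log: str, factor: float = 3.0, min_history: int = 3) -> list:
    """Baseline = median of the user's own earlier days; flag a day above factor x baseline.

    Returns (date, user, location, bytes, ratio_to_baseline) for each flagged day. A user
    with fewer than min_history earlier days has no baseline yet and is never flagged.
    """
    history = defaultdict(list)   # user -> daily byte counts seen so far
    flagged = []
    for date, user, nbytes, loc in sorted(parse(log)):   # chronological order per user
        past = history[user]
        if len(past) >= min_history:
            baseline = statistics.median(past)
            if baseline > 0 and nbytes > factor * baseline:
                flagged.append((date, user, loc, nbytes, round(nbytes / baseline, 1)))
        past.append(nbytes)       # today's volume joins the baseline for later days
    return flagged

if __name__ == "__main__":
    for date, user, loc, nbytes, ratio in flag_download_spikes(LOG):
        print(f"{date} {user} from {loc}: {nbytes} bytes, {ratio}x the user's usual volume")
```

In the constructed data, ravi's shift to working from home changes nothing because his volume stays within his baseline; only asha's fourteen-fold spike on 2020-05-08 is raised for review.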
Challenges of Zero Trust
To make the zero trust model work effectively, "user and application privileges need to be planned," says U.S.-based Anuj Tewari, CISO at HCL Technologies, an Indian IT consultancy.
Tewari says that multiple devices, some of them unmanaged, add to the complexity of zero trust. Adding to that complexity now is remote working. "VPNs can make things tough. Unified collaboration should be considered as a key element for maintaining productivity and keeping the workforce engaged," he says.