The events of 2020 left a lasting impression on the way people work. A third of Americans polled in September 2020 were always working remotely — down from more than half (51%) just a few months earlier. These changes continue to echo across many aspects of our lives. In the digital security space, the shift to remote work helped to produce a surge in the number of digital attacks experienced by 91% of global organizations. One way to defend against this is zero trust security.
What drove this increase in attacks? Three factors come to mind, all of which can be limited in one way or another by a zero trust framework.
A Lack of IoT Insight
In the midst of remote work, many businesses are turning to the Internet of things (IoT). More than half (54%) of IT professionals had deployed IoT devices, with another 24% planning to do so in the next 12 months. Those devices adopted in the context of remote work offer a range of benefits. For instance, they help manufacturing organizations monitor the performance of their industrial processes without requiring staff on location, and give health care workers a means by which they can remotely track patients’ vital signs in the hospital or at home. These IoT devices can remotely train people, track assets through the supply chain or enhance physical security.
Even so, many organizations don’t have zero trust set up, so don’t have insight into those IoT devices. Just 57% of respondents to the survey mentioned above had a mechanism in place at their organizations to monitor those new IoT devices. Part of the issue might be the fact that there’s no one on site to effectively manage them. With more people working remotely, many employers are paying less attention to their IoT devices. Therefore, they don’t monitor them for potential openings, malware infections and other issues.
Implement a zero trust strategy
The Growing Problem of Bring Your Own Device Security
Remote employees are also adding new IoT devices to the enterprise network without IT experts’ permission. They might connect digital home assistants, TV set-up boxes, smart TVs or automotive multimedia systems to the enterprise network. Employees might justify the use of these and other IoT products to make their home office more efficient. But these products sneak in and become shadow IT. Without knowledge of these devices, the security team can’t protect them well, keep them up to date or harden them against digital attack attempts. Network World found that 76% of enterprises had seen an increase in the number of personal devices connecting to the network during 2020.
Without a zero trust framework, businesses can’t ensure that their employees are following office common sense rules in the process of connecting these new devices to the corporate network. As an example of this, Cybersecurity Dive reported a 100% increase in workers accessing inappropriate content online during the work day. Those instances often consisted of remote Android users using vulnerable apps to view content, which can introduce risks into the corporate network. That doesn’t even include the risks that could be lurking on remote employees’ home Wi-Fi networks.
In the end, the challenge of employees bringing their own devices boils down to a matter of complexity.
Lastly, many employers are turning to video meeting tools. Two-thirds of organizations deemed video calls to be the most effective tool in their initial work-from-home response, relayed Help Net Security. That was followed by cloud storage (59%), device management (49%) and collaboration (47%).
The issue is that video conferencing apps and other types of tools for teamwork come with their fair share of risks. Many of these solutions store users’ files and chats by default, leaving that information open to attack. This data could include passwords and other sensitive details that employees shared out of convenience on those cloud-based tools. If those fall into the wrong hands, malicious actors can leverage that information to establish a foothold on the network and move through it to critical assets.
The Zero Trust Model as a Way Forward
These challenges highlight the need for businesses to approach digital defense a new way in the age of extensive remote work. This fact could explain why seven in 10 organizations are considering moving to a zero trust model after the events of 2020 and the growth of remote work.
As a whole, zero trust puts you in a position to confront all of the challenges discussed above. This type of network presumes that all connections — including those from IoT devices, BYOD devices and collaboration tools — can be dangerous. With this mindset, your team can then approve every device and product before they allow network access.
Under the umbrella of a zero trust framework, you can secure IoT, employees’ personal devices and the tools they use. Let’s examine how to do this below.
Zero Trust for IoT
You can’t secure employees’ IoT devices unless you know exactly what’s connected to the network. To do that, invest in an ongoing asset inventory process. Having security teams search for connections one by one won’t provide enough network insight, however. Employees are adding different kinds of IoT devices to the enterprise network while working from home, after all. You need a way to automatically detect those new connections — including those that might take place outside of the official purview of IT. Towards that end, they can leverage IT asset management software that leverages passive discovery, among other features, to create and maintain a dynamic inventory of all connected hardware and software, including any IoT devices. This lays the groundwork for zero trust.
At that point, it’s up to you to map the data transaction flow. The idea here is to understand how IoT devices are talking to one another and with other network assets. Using that information, you can then segment the network into distinct zones that support those mapped data flows while still upholding all applicable security policies. You might consider segmenting all IoT devices in their own network zone, for instance.
All that remains in your journey to zero trust is to monitor for suspicious behavior. In each network segment, deploy network monitoring tools that watch for potential signs of a compromise or other incident. Integrate those solutions with SIEM and vulnerability management processes, among other capabilities. This will help generate alerts of suspicious events and triage issues. That makes it easier to repair them before they balloon into full-blown incidents.
BYOD: Keep Your Employees in the Loop
All of the above also applies to employees and personal, or BYOD, devices. To handle them all, you need a good idea of what’s connected to the network. You can then trust, segment and monitor what’s approved while cutting off disallowed connections within your zero trust framework.
Don’t keep employees in the dark about this process. That would create extra work for the security team and frustrate employees. Instead, use this as a chance to make sure that your security policies clearly discuss what types of devices are allowed to connect to the corporate network. Explain the formal process through which employees can receive trust from IT for a new device. Those security policies are always changing, of course, so include education modules surrounding their security policies and device approval guidelines in your ongoing security awareness training programs.
With that in place, move onto supportive technical controls. Use Identity and Access Management (IAM) to monitor approved users and devices as well as to verify identity and authorization on a continuous basis. In addition, consider submitting to penetration tests that show where a malicious actor could move within the network if they did compromise a trusted user or device.
Collaboration Tools: Simplify Features and Authenticate
Finally, secure the collaboration tools used by your employees. Begin this process by defining information sensitivity across the organization. From there, use those definitions to create rules for handling different types of data. Next, apply access controls, encryption needs and other rules to your tools. This process might require you to cut down on the types of features employees are allowed to use. For example, you might not want to record a meeting unless it’s critical for work. Or, you might want to consider disabling the ability to share files.
You also need to protect against phishing emails and other social engineering attacks. Threat actors can use these to steal access to their tools. Towards that end, consider adding multi-factor authentication as a means of protecting trusted users’ accounts.
Moving Forward with Zero Trust
Remote work changed the way in which many employees do their jobs. As with so much in 2020, remote work merely hurried us toward that which was already happening. (Consider the retail sector’s shift to e-commerce, for instance.) Zero trust is where the security community was already heading. It’s only natural that it’s good for remote work, too.
Looking to get started today? Download the Forrester report, “A Practical Guide To A Zero Trust Implementation.”