Securing a suddenly all-remote contingent of knowledge workers was an ongoing effort over the past couple of years, and the job of tightening up that security posture will continue post-pandemic, according to two enterprise security experts who took part in a session I moderated in the recent Interop virtual event, Future Proofing IT for the Hybrid Workforce.
“A lot of people relaxed a lot of security standards as they pushed the employees out,” said John Cavanaugh, VP and CTO at NetCraftsmen consultancy. Now that much of this workforce may be staying remote, enterprises face the challenge, “How do I deal with the plethora of equipment that’s deployed in people’s homes, and the risks associated with that?”
In particular, Cavanaugh and the session’s other panelist, Peter Newton, senior director at Fortinet, highlighted the home broadband router as a point of concern. Both suggested enterprises should take more active steps in securing this device.
Fortinet’s answer is a joint venture with Linksys that has created a router that can segment the home network into two virtual networks, one for the employee’s personal systems and one managed and secured by their employer’s IT organization. “The personal home network remains private and confidential, the employee manages that network, and everything they want to do is up to them,” Newton explained. The device not only provides security; it also lets the user manage bandwidth allocation to the two virtual networks to optimize application performance.
Cavanaugh endorsed the idea of enterprises taking greater control over the home router. Without spelling out the specifics of a preferred approach, he said companies should hearken back to the earliest days of work-from-home when some enterprises insisted that remote workers use a company-owned and -controlled edge device. While he wouldn’t say organizations should revert all the way to this position, “I think we need to go back a little bit to that, just to have a little bit more control over it.”
Both speakers agreed that the broader answer to the challenge of security for remote workers comes in two words: Zero Trust. “The shutdown was the problem that Zero Trust was created to address,” Newton said (though of course no one knew this at the time Zero Trust was conceived). “The principles that created the idea of Zero Trust are in full force now,” he added.
So, what exactly is Zero Trust in the context of remote access and communications? At Enterprise Connect 2022, Beth English, founder and lead consultant at EE and Associates, led a session in which she spelled out some of the key attributes of Zero Trust:
- A framework that assumes no traditional network edges
- It shifts access controls from the perimeter to devices and users
- Allows users to work securely without the need for a traditional VPN
- A strategic approach to cybersecurity that eliminates implicit trust
- The principle of never trust, always verify
- Encompasses users, applications, and infrastructure
- Comprehensive vision and plan
- Continuously validate at every stage of interaction
- Includes response plan
As Cavanaugh and Newton explained, Zero Trust relies on features that extend security from the enterprise perimeter out to the individual user, regardless of that user’s location. At the same time, it seeks to unburden the user of some of the traditional efforts that made security inconvenient and thus less likely to be used consistently or at all by the end user. For example, the introduction of automatic encrypted tunnels eliminates the need for end users to sign into a VPN each time they log onto the network, while multi-factor authentication (MFA) can help eliminate passwords. Both of those legacy measures, the manual VPN sign-in and the password, can create friction for the end user.
However, as these two examples and English’s list indicate, Zero Trust isn’t a single technology or product suite. “Zero Trust is not a product that you go out and buy and say: Hey, now I’ve got Zero Trust,” Newton said. “It really requires a shift in the thinking and your approach overall to cybersecurity.”
“It’s a marathon, it’s a journey, it’s a process, it takes a while,” he added. “The payback is definitely higher security, but we can also enable an excellent user experience.”