Traditional security models assume that everything inside an organization's network can be implicitly trusted. In other words, once inside the firewall, anyone is free to move laterally and reach most of the organization's resources and assets.
When the pandemic compelled organizations to gear up quickly for a large number of remote workers, existing infrastructure, such as VPNs, was expanded and extended without the architectural and security evaluations that would normally accompany a technology rollout of that size. IT departments struggled to keep up with patching systems. At the same time, organizations embraced digital transformation and mobile-first initiatives in the unified communications and collaboration (UCC) and contact center space.
As a result, VPNs were often overwhelmed or breached, stalling both digital transformation and the productivity of remote workers. IT security operations are now changing to meet an increasingly complex threat landscape, with Zero Trust becoming the accepted standard for managing it.
What is Zero-trust?
Zero-trust is a strategic approach to cybersecurity that eliminates implicit trust. It is a framework that assumes there is no trustworthy network edge and moves access control from the perimeter to the identity of the user and the posture of the device.
The key zero-trust principles are:
- Never trust, always verify
- Verify continuously, not only at login
- Work securely without a traditional VPN
- Limit the blast radius of any single compromise
- Cover users, applications, and infrastructure alike
- Automate context collection and response
- To be compliant, any zero-trust framework must include a response plan
What does a day in the life of a knowledge worker look like in a zero-trust framework?
Let's say a worker logs in from a desktop, laptop, or mobile device, using identity management and role-based access through single sign-on. Desktop applications, including unified communications, collaboration, and contact center, are authenticated and available along with personalized settings and, equally important, predefined access permissions for corporate assets. Login, authentication, and permissions are the same whether the worker is on-site behind the corporate firewall or at a remote location: authentication is based on the user's identity and device, regardless of network location. Because a zero-trust framework includes end-to-end visibility, automated threat intelligence, risk detection, and conditional access policies, noteworthy anomalies are quickly reported and investigated, and predefined responses are invoked according to the nature and severity of the incident.
While a comprehensive zero-trust framework is imperative to the overall success of IT security, one way to start is by implementing controls in a few critical areas while developing policies in others. Using the zero-trust principles above, what steps should an organization take to ensure security and privacy when deploying or expanding UCC and contact center?
Single sign-on with identity management is a foundational component of any zero-trust architecture, embodying the principles of verifying explicitly and least-privilege access. Defining role-based permissions for UC and contact center users through single sign-on ensures that users connecting to communications components can reach only those parts of the solution required to do their job. Enforcing strong passwords and multi-factor authentication alongside single sign-on further ensures that only authorized staff have access, and only to the smallest subset of resources their job requires. Finally, restricting applications from accessing other applications and segmenting networks inside the firewall perimeter limits the blast radius should the communications application be breached.
Another valuable tool for limiting the exposure created by communications applications, particularly on mobile devices, is mobile device management, whereby only managed devices have access to corporate resources, including UCC and contact center. As part of the device management strategy, enterprises can choose how end users load UCC clients onto their devices. For example, will the UC client be pushed to the device, or will a controlled download be offered from the corporate app store rather than from a public app store? Managed devices combined with identity management ensure that only users with the right to do so can download the app and sign in to UC applications.
By combining identity management, role-based single sign-on, and device management, organizations not only limit access but also generate the data required for real-time, automated threat assessment and reporting. For example, continuously tracking which devices, applications, and users are accessing what, at what time of day, and from where creates a baseline that makes unusual behavior stand out.
A breach or unusual behavior can then be addressed quickly by limiting access to applications, quarantining a particular user, or wiping the device. Laptops and desktops can be disconnected from the network immediately, isolating the threat from valuable assets. Because access is tied to identity rather than to the device, a compromised device can simply be re-imaged or replaced; once the user logs in, full access is restored without having to rebuild or reload the device by hand, and the employee is quickly back in production.
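The access-decision flow described in the preceding paragraphs (role-based permissions via SSO, MFA, managed-device enforcement, a behavioral baseline built from access data, and a predefined response) can be made concrete in a small policy engine. The following is an added illustration written for this article, not code from any UC vendor or identity product; the roles, application names, users, devices, and access log entries are all constructed for the example, and the risk rules (step-up on a new country, or on two or more deviations from baseline) are assumptions chosen to show the technique, not a recommended production threshold.

```python
"""Toy zero-trust access decision engine for UC/contact center clients.

Added illustration, not a product's code. Every request is checked against
identity (roles), device posture (MDM enrollment), MFA state and a per-user
behavioural baseline built from prior access logs, then mapped to a response.
All roles, users, devices and log entries are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Hypothetical role-to-application map: least privilege means an agent never
# sees the admin console and an admin never gets call-handling tools.
ROLE_APPS = {
    "agent": {"softphone", "chat", "crm"},
    "supervisor": {"softphone", "chat", "crm", "reporting"},
    "uc_admin": {"admin_console", "reporting"},
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: tuple          # roles asserted by the SSO identity provider
    app: str              # UC component being requested
    device_id: str
    device_managed: bool  # enrolled in mobile device management
    mfa: bool             # MFA satisfied in this SSO session
    country: str
    when: datetime


def build_baseline(history):
    """Per-user sets of devices, countries and login hours seen in past access."""
    baseline = defaultdict(lambda: {"devices": set(), "countries": set(), "hours": set()})
    for r in history:
        b = baseline[r.user]
        b["devices"].add(r.device_id)
        b["countries"].add(r.country)
        b["hours"].add(r.when.hour)
    return dict(baseline)


def anomalies(req, baseline):
    """List deviations from the user's baseline; a first-ever user has none yet."""
    b = baseline.get(req.user)
    if b is None:
        return ["no_baseline"]
    found = []
    if req.device_id not in b["devices"]:
        found.append("new_device")
    if req.country not in b["countries"]:
        found.append("new_country")
    if req.when.hour not in b["hours"]:
        found.append("unusual_hour")
    return found


def decide(req, baseline):
    """Return (decision, reasons). Hard denies are evaluated before risk scoring."""
    if not req.device_managed:
        return "deny", ["unmanaged_device"]
    if not req.mfa:
        return "deny", ["mfa_not_satisfied"]
    allowed = set().union(*(ROLE_APPS.get(r, set()) for r in req.roles))
    if req.app not in allowed:
        return "deny", ["app_not_in_role"]
    found = anomalies(req, baseline)
    # Assumed thresholds: a new country, or two or more deviations, forces
    # re-verification before access is granted (the "verify continuously" rule).
    if "new_country" in found or len(found) >= 2:
        return "step_up", found
    return "allow", found


def respond(decision):
    """Predefined response per decision, as the article's incident playbook calls for."""
    return {
        "allow": "grant_session",
        "step_up": "require_reauth_and_alert",
        "deny": "block_and_alert",
    }[decision]


# Constructed access history: alice is an agent on a managed laptop in the US
# during business hours; this is the baseline her future requests are judged by.
HISTORY = [
    AccessRequest("alice", ("agent",), "softphone", "LT-0413", True, True, "US", datetime(2023, 3, 1, 9)),
    AccessRequest("alice", ("agent",), "crm", "LT-0413", True, True, "US", datetime(2023, 3, 1, 10)),
    AccessRequest("alice", ("agent",), "chat", "LT-0413", True, True, "US", datetime(2023, 3, 1, 14)),
]
BASELINE = build_baseline(HISTORY)

if __name__ == "__main__":
    probe = AccessRequest("alice", ("agent",), "softphone", "MOB-9921", True, True, "RO", datetime(2023, 3, 2, 3))
    decision, reasons = decide(probe, BASELINE)
    print(decision, reasons, "->", respond(decision))
```

The ordering inside `decide` is the point worth copying: device posture and MFA are checked before any role lookup so that a stolen credential on an unenrolled phone never reaches the authorization step, and the behavioural check only refines a request that has already passed the hard gates.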
Implementing a fully integrated zero-trust architecture may seem daunting. When implementing or upgrading unified communications, collaboration, and contact center, however, several basic controls can and should be deployed to ensure security. For more insight on this topic, join me on March 22 in Orlando, FL, for my session, "Zero-Trust for UC in the Real World."
Elizabeth is writing on behalf of the SCTC, a premier professional organization for independent consultants. SCTC consultant members are leaders in the industry, able to provide best of breed professional services in a wide array of technologies. Every consultant member commits annually to a strict Code of Ethics, ensuring they work for the client benefit only and do not receive financial compensation from vendors and service providers.