The modern workplace would look unrecognizable
to the eyes of an office worker in the 90s. A huge number of companies now offer
remote work, and we have more opportunities to work from home than ever before.
We can attend meetings from anywhere with an internet connection.
This distributed workforce comes with many
obvious advantages, but also some pretty big cybersecurity challenges. Whereas
in the past, people only had to secure their offices, now managers are having
to figure out how to keep laptops using different WiFi connections safe from
security threats. Network-based security is not enough to keep things
protected.
What is a zero trust security model?
'Zero trust' is a security model that helps to
keep users, assets, and resources secure rather than focusing on network access.
This model assumes that hackers have already gained access to the network, so
no connection can be trusted - not even the office perimeter network.
Zero trust relies on continuous and dynamic
authentication and authorization. "Never trust, always verify" is the idea. With
this model, you work with the assumption that a breach has already occurred,
and you want to mitigate the damage as much as possible, and put as many
obstacles as possible in the way of hackers. This means that even if they
manage to get past the first hurdle, they can get obstructed at the second or
third obstacle.
How does zero trust work? Some examples
There are a number of ways to apply the zero
trust model, and these include the following:
Multi-factor authentication
A good way to start implementing a zero trust
model is by establishing robust authentication processes. You can have the
longest, most complicated password for your devices, but that isn't enough to
protect you from a lot of cyberattacks.
Many people use the same password for multiple
purposes, or make a small change to existing passwords, which means that they
aren't very secure. If someone uses the same password on an insecure site, and
perhaps registers with their work email, they can easily get hacked. Many
people also get sucked into phishing scams and can end up giving away
passwords. One moment they're googling "VoIP
number meaning", and the next they're giving up privileged
information.
With multi-factor authentication, you can keep
an eye on who is logging in and from where, as well as restricting and blocking
access to users who cannot provide extra proof of identity. This can improve
your security considerably.
It is particularly important to be aware of
cybersecurity threats if you are involved with email marketing, as the vast majority of
attacks come via email, such as phishing emails.
Multi-factor authentication allows you to
protect your devices even in the case of theft or hacking. Without the second
form of authentication, such as biometrics or one-time codes sent to a different
device or email address, the hackers would not be able to gain access.
So even if your colleagues get their passwords
stolen or accidentally share their details, the second authentication process
can prevent successful hacking.
Least privileged access
With people increasingly using their personal
laptops and mobile phones for work, as well as downloading mainframe modernization or other apps to their
work devices that may not always be very secure, offering the minimum level of
access to data to employees can help protect against a breach.
By doing this, you can ensure that your
colleagues will only be able to see what is absolutely necessary to be shared
and accessed. This means that if someone does hack into their account, they
won't have access to high-level information, and you mitigate the damage.
This is also referred to as just-in-time (JIT)
and just-enough-access (JEA) - policies adapted to managing risk and protecting
data by limiting what employees themselves have access to. The fewer
opportunities you allow for human error, the greater your chance of
successfully securing your systems.
Geo-fencing, network-fencing, and time-limits
Geo-fencing is the method by which you can
restrict access to a system on the basis of the employees' physical location.
So, access to your AuditBoard solution, for example, could be limited
to use within a particular country, state, or city. Network-fencing refers to
the method of allowing access only from a specific internet network.
Time limits are useful as they limit the hours
during which a login can occur. So, if a login attempt is made outside the
working hours of an employee, this can send a message to the system to prompt a
multi-factor authentication request, or even deny access. You might see this
when you try to log onto social media from a different device.
These can all help mitigate risks by
minimizing access points and times that hackers can use to access data.
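One way the three controls above can be combined into a single login decision, added here as an example and not taken from the article or from any product. The `Policy` and `LoginAttempt` types, the country code, the documentation IP ranges and the working hours are constructed for illustration; the country is assumed to come from an upstream GeoIP lookup, and the working window is assumed not to cross midnight.

```python
from dataclasses import dataclass, replace
from datetime import datetime, time
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Policy:
    allowed_countries: frozenset   # geo-fence, ISO country codes
    allowed_networks: tuple        # network-fence, CIDR blocks
    work_start: time               # time limit, in the employee's local time
    work_end: time
    after_hours: str = "require_mfa"   # or "deny"

@dataclass(frozen=True)
class LoginAttempt:
    source_ip: str
    country: str          # assumed resolved upstream by a GeoIP lookup
    local_time: datetime
    mfa_passed: bool = False

def evaluate(policy, attempt):
    """Return 'allow', 'require_mfa' or 'deny' for one login attempt."""
    if attempt.country not in policy.allowed_countries:
        return "deny"                      # outside the geo-fence
    ip = ip_address(attempt.source_ip)
    if not any(ip in ip_network(n) for n in policy.allowed_networks):
        return "deny"                      # outside the network-fence
    if policy.work_start <= attempt.local_time.time() <= policy.work_end:
        return "allow"
    # Outside working hours: step up to MFA, or refuse if the policy is strict.
    if policy.after_hours == "deny":
        return "deny"
    return "allow" if attempt.mfa_passed else "require_mfa"

# Constructed sample data (documentation IP ranges, made-up schedule).
POLICY = Policy(frozenset({"GB"}), ("203.0.113.0/24",), time(8, 0), time(18, 0))
STRICT_POLICY = replace(POLICY, after_hours="deny")
DAY, NIGHT = datetime(2024, 3, 4, 10, 15), datetime(2024, 3, 4, 22, 30)
SAMPLE_ATTEMPTS = [
    LoginAttempt("203.0.113.10", "GB", DAY),
    LoginAttempt("203.0.113.10", "GB", NIGHT),
    LoginAttempt("203.0.113.10", "GB", NIGHT, mfa_passed=True),
    LoginAttempt("198.51.100.7", "GB", DAY),
    LoginAttempt("203.0.113.10", "FR", DAY),
]

if __name__ == "__main__":
    for a in SAMPLE_ATTEMPTS:
        print(a.source_ip, a.country, a.local_time.time(), "->", evaluate(POLICY, a))
```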
Final remarks
Zero trust security ultimately means minimizing cyberattack risk by assuming that
hackers are always trying to access your systems, and treating every system,
device, and member of staff as potential entry points for cyberattacks. With
this model, you can get the upper hand, and outsmart or simply exhaust the
hacker until they decide to just give up.
ABOUT THE AUTHOR
Alwayne Powell - Director of
International Digital Marketing, 8x8
Alwayne Powell is an experienced performance
marketing leader with an extensive background in the digital space, working
client and agency side to provide paid search, SEO and CRO solutions in the B2B
and B2C sectors. They are the current Senior Digital Marketing Manager at 8x8, a CCaaS
and leading communication platform provider. You can find them on LinkedIn.