New Work, but with good security!

The Cloud and Remote Work are both a blessing and a curse. While the Digital Workplace increases productivity, promotes work-life balance and reduces costs in the era of COVID-19, it also has an enormous impact on the IT organization (especially with regard to security), and the resulting risks to the company are still unknown in many cases. The introduction of Zero Trust as a security concept makes it possible to actively address and minimize these risks. At the same time, it is important to be mindful of several challenges and traps that can arise during this process. 

Virtually everyone and every company is afraid of break-ins. Closing windows, locking doors and building a wall around the business premises. This tactic has also been used in IT for a long time - in the form of perimeter protection for networks, which secures the company's resources. But these walls now have to become more porous so the company can utilize the advantages and opportunities offered by the Cloud and the workplace of the future. That is why companies must be in a position where access can be assessed and classified at all times. For example, how should one handle a situation where someone accesses sensitive company data in the ERP system from a public WiFi in a café? Is it a legitimate access by an employee or a clever cyber attack involving identity theft, with the potential of millions in damages? 

In such situations, there is only way to guarantee a high degree of security: Trust no one! This applies to users and devices equally. Because the laptop or smartphone of an innocent employee may contain malware. Similarly, IoT devices often lack security or cannot easily be protected with conventional means. The solution - consistent application of the Zero Trust concept. 

This applies regardless of where the accessing person is located, or whether the target system is located in the company's data center or in the Cloud. In this context, the principle “never trust, always verify” is applied in combination with a Least Privilege Access approach. The latter provides each user and device with only those access rights that are required for the respective role and task. 

Take, for example, someone accessing the ERP system from a café at night: 

Zero Trust is a concept that companies use to continuously optimize their security. There are a variety of approach that can be used for this purpose; their application will depend on the company context (see Figure 3). The approaches differ in terms of complexity and cost, whereby optimized identity governance is the simplest approach for most companies, relatively speaking. 

But what is the best way to introduce Zero Trust? The implementation of many remote work and Cloud initiatives is accelerated due to the COVID-19 crisis, but the necessary security aspects are neglected. To achieve success quickly and reduce the accumulated security aspects, the first step focuses on the Digital Workplace and the identity-based approach. Here, Zero Trust ensures the integrity of the identities and devices, and follows the Least Privilege Access approach. This includes integrating the devices into the IAM (Identity and Access Management) system, and the introduction of multi-factor authentication, at minimum for the Admin accounts. This does not require complex rebuilds in the network. 

An integrated Zero Trust approach should be introduced at the same time. The following six steps are recommended: 

Cloud, remote work, IoT and other trends turn the moat around the company's network into the equivalent of Swiss cheese. Comprehensive protection against ever more sophisticated IT attacks in an increasingly connected world requires immediate action. New and cost-effective products mean that such measures are now affordable for all companies. At the same time, the Zero Trust concept must be anchored in the IT strategy as a sort of IT Security concept, it must be promoted from the top down, and it must be accompanied by change management.