Rethinking trust and the security perimeter

The modern workplace has undergone a massive transformation over the last few decades. In a time of boundless connectivity, security management now extends beyond on-premises infrastructure and individual devices. Employees are also increasingly accessing corporate resources, not only on their organisation’s network, but also in the cloud and from other public and private networks, from multiple devices.

In an analysis by the Australian Bureau of Statistics, it was revealed that almost a third of all employed Australians regularly work from home in their main job or business. Work – and all the sensitive information tied up with it – is no longer bound to the office.

This new flexibility around where and when a person works brings in fresh challenges controlling and managing access to corporate resources. Organisations that enable bring-your-own-device (BYOD) and flexible working policies have no option but to rethink their network perimeter and security policies. In short: the days of building a moat around your castle are long gone.

Organisations can no longer assume that trusted users will access the corporate network onsite and within the protections of the firewall. When work is increasingly done outside the safety of a corporate network, managing and enforcing trust based on the physical perimeter is not only extremely difficult - it’s insecure.

In this new world, the only commonality is the user accessing some resource, so security architects now build new trust networks based on identity and authentication to mitigate risks.

The concept of Zero Trust has emerged as a reaction to the modern digital landscape. A core component of Zero Trust assumes all people and devices accessing or processing the data are untrusted by default. All access to corporate resources is restricted until the user has successfully proven they are who they say they are, which can be based on a number of factors – from a password, to a hard token like a YubiKey – as well as context on their typical sign-on habits. Contextual and continuous authentication are also recommended to monitor any changes to that information .

To build a successful Zero Trust strategy founded on identity, there are three important stages to consider:

1. Unify identity

The first and most essential stage is to consolidate fragmented user identities under one Identity and Access Management (IAM) platform across the cloud and all devices, in order to manage both authorised and unauthorised access. This entails single sign-on (SSO) for all users, from customers to the full extended enterprise of employees, contractors and partners. On top of this, using a second factor of authentication with SSO adds another layer of protection to mitigate attacks targeting credentials.

2. Grant access contextually

The second step in the implementation of Zero Trust is the application of context-based access policies. This involves identifying the user’s context, application context, device context, location and network, and applying policies based on that information.

In a cloud and mobile world, where people access resources and data from multiple devices at any given time and location, this step is critical in managing access based on contextual insights. For example, if a known user attempts to authenticate from their usual, trusted work laptop, but they are in a foreign country on a public Wi-Fi network, the Zero Trust policy could automatically increase the level of authentication required – such as requiring both a password and a second factor.

A contextual access policy is useful when security teams must account for the risks associated with lost and stolen devices, as one example. By enabling authentication based on varied signal inputs, organisations can mitigate the possibility of lost phones giving away company data when landing in the hands of outsiders.

3. Authenticate continuously

In the final stage of Zero Trust implementation, identity is continuously measured with adaptive, risk-based assessments to identify potential threats throughout the user’s experience. This involves the application of intelligent, risk-based mechanisms to create a risk-score and tolerance measure based on the contextual information received. This adaptive and continuous identity assessment means trust is no longer absolute – it is assessed against all variables at all times.

Implementing a Zero Trust strategy that establishes identity as the new perimeter will not only secure corporate resources by ensuring only verified users are granted access, it will also help companies maintain the mobility and flexibility that today’s workers expect. With the right authentication protocols in place, users will be able to use any device and work from anywhere they choose.