The death of the corporate network may have long been predicted, but none could have foreseen the abrupt acceleration of its demise, due to the crisis-stricken course of 2020.
The security industry has long recognised that old corporate controls — firewalls, NIDS and WAFs – are no longer sufficient to keep the increasingly creative attackers out and stop persistent threats. Forrester Research coined the “Zero Trust” concept in 2010, and it is evolving into the new standard and being increasingly adopted by IT departments in APAC. According to research in 2019, APAC’s zero trust security market is expected to register the highest growth rate to 2024.
The way in which businesses have operated have been impacted in many ways by the current pandemic. Overnight, the workforce moved out of offices, off the company network to their homes. The corporate network quickly gave way to a primarily remote process.
Security and IT leaders had to adapt quickly by building or upgrading the infrastructure needed to move their employees into a remote environment: they quickly spun up a VPN, or in some cases, they just opened applications up to the Internet. They allowed users to roam beyond their castle walls and allowed access to data in ways that would have terrified them previously.
No castle wall around your data
Most security professionals have had the realisation that their networks were not fortresses. Unless you are able to disconnect your users from the internet then you were only ever one firewall rule change, misconfigured wireless access point, or a secret operations maintenance backdoor away from having unexpected and unmonitored remote access.
If you issued Laptops, then unless you had locked in a mandatory full tunnel VPN then your users were likely taking them home to work on the weekends and you lost visibility into their activity “off-net”.
The reality of Shadow IT in Enterprise environments is not new. People expect to move quickly and if your infrastructure was static and restrictive then likely your users had silently adopted a new cloud tool. This means that your data was being moved to unknown and unmonitored locations.
Finding and curbing this has always been an ongoing risk mitigation for IT and Security teams.
Make remote your strength
In the early months of this pandemic, we thought a lot of this new infrastructure would be temporary. But we are already seeing a changing landscape for remote work.
Twitter’s announcement they would permanently move to remote model received a lot of headlines and they were quickly joined by a number of large companies, including Atlassian, that have made it clear that this will be their new normal.
There are arguably competitive advantages to a remote workforce, including the ability to identify talent anywhere in the world, offer candidates real mobility and flexibility, and attract top talent who wanted to escape expensive tech centres.
So, your security controls need to catch-up with this new reality. Remember, being nimble with your infrastructure and policy means you can now move at the speed of the business.
Remote workforce and security posture
This new environment changes your Threat Model and your risk. For example, a fundamental principle for our environment has always been that our employee laptops are never on a “safe” network. Sometimes, people are in the office but likely they are at home or traveling.
Keeping this in mind you should harden them accordingly – making sure they are resistant to a co-located attacker and that you have deep visibility into their behaviour.
The Zero Trust concept is itself maturing and globally, the security industry is rallying together for a standard approach.
And, to tie it back to our threat model, what this approach does is recognise that a lot of attacks are successful because that attacker is able to steal a credential and leverage it. So that an “outsider” immediately looks like an insider and is therefore trusted.
This puts authentication at the forefront of your security controls and further drives home that Identity is the new perimeter. And, at a minimum, this means the building blocks of:
- Strong authentication, are you using multifactor authentication everywhere in your Enterprise? Preferably using a hardware token.
- Maintaining an agile IAM solution that provides centralised SSO for all these new apps so they can be monitored and controlled.
2020 has forced some quick and reactive changes upon us. As we move forward there should also be space for some positive security wins to come out of a terrible situation. This is the new normal but we do have the building blocks to secure it, especially if you begin building with identity at the heart of your Security Architecture.
