As remote work, hybrid work, and cloud computing become the norm, traditional security models are no longer effective. Also, with traditional security arrangements, any attackers that breach the perimeter can roam freely within the network.
As a result, many organizations are now adopting a zero trust security model under which each access request is individually evaluated on a case-by-case basis. Zero trust network access (ZTNA) solutions provide an end-to-end authenticated connection for all systems and users, regardless of their location. Further, strict access controls and segmentation policies means that users are granted access only to the information they need to perform their specific tasks.
Implementing zero trust can enable an organization to securely support a remote workforce without the risk of allowing a compromised system free access to the entire corporate network. Read on to learn more about best practices for implementing remote support and security with zero trust.
Summary of Key Zero Trust Remote Support Concepts
A zero trust security model can help an organization manage the risk posed by a remote workforce. To ensure that zero trust is implemented effectively, and to minimize the potential impacts it may have on the organization, consider implementing the following best practices.
Assess Your Zero Trust Maturity
The zero trust security model differs significantly from traditional approaches to security. Instead of defending a network at its perimeter and extending implicit trust to anyone inside it, zero trust contracts the perimeter to cover individual applications and individually authenticates and authorizes each access request.
It can be helpful for organizations making the switch to assess their existing processes and tools against a zero trust maturity model. This assessment can enable the organization to assess its maturity against each of the seven pillars of zero trust shown below. Based on this assessment, the organization can then develop strategies to further mature its zero trust policy, focusing on areas that may be lagging behind.
Adopt an Incremental ZTNA Approach
Zero trust network access (ZTNA) provides a more secure alternative to traditional methods of remote access such as VPNs. Instead of granting authenticated users unfettered access to corporate applications and systems, ZTNA evaluates each individual access request on a case-by-case basis.
Making the switch from one remote access system to another can cause performance and productivity impacts if something goes wrong with the process. Instead of performing the transition all at once, it is advisable to roll out ZTNA in phases. This allows each phase to be fully tested and any issues to be ironed out with minimal impact on the organization and its employees.
For example, an organization may have existing network segmentation or micro-segmentation in place with VPNs that manage remote access to the segments. Rather than a full-scale deployment of ZTNA, the company can use zero trust access controls to replace and enhance the protections of one segment at a time, enabling remote access only to the required applications on specific machines by authorized users before disabling the VPN. The existing segmentation remains in place as part of a defense-in-depth strategy. This enables an organization to tune and test the protections for individual users, services, and segments without impacting the rest of the network or its security.
Leverage SSO
Software as a service (SaaS) solutions are a logical fit for supporting a distributed workforce. However, the growing number of corporate applications and user accounts that employees need to manage can create usability and security challenges.
Single sign-on (SSO) offers benefits for both employees and an organization’s zero trust initiative. From a user perspective, having a single set of credentials that unlocks access to all of an organization’s applications—including both on-site and SaaS applications—eliminates the complexity of password management and authentication-related friction. On the corporate side, SSO can be integrated with existing directory services and simplifies a zero trust implementation. It also eliminates the security problems of credential reuse.
With all authentication performed through a single service, an organization can more easily deploy and enforce zero trust security policies across all of its applications and IT assets.
Define User Roles
A zero trust security model is intended to reduce risk by enforcing least-privilege access controls. Instead of taking a one-size-fits-all approach to authentication or implicitly trusting insiders, zero trust assigns users and devices only the permissions that they need to do their jobs.
Least privilege is especially important for remote work, where corporate IT assets can be remotely accessed from potentially untrusted devices. To implement a zero trust policy, companies must carefully determine the roles of employees, contractors, vendors, etc., and define their permissions accordingly to manage the risk that they pose to the organization.
Perform Risk Scoring
Not all access attempts pose equal risk to the organization. For example, an employee request for read/write access to the customer database is riskier than read-only access or read/write access to a less-critical system within an organization’s IT infrastructure. Similarly, access requests from remote devices, new addresses, or unexpected times of the day have a higher probability that the device is compromised and the request is malicious.
As mentioned above, when defining least-privilege access policies and authentication requirements, it is not necessary to use a one-size-fits-all approach. An organization can block access requests to or from certain systems, such as disallowing remote access to critical systems. Alternatively, it can implement step-up authentication, where additional authentication factors are required for requests deemed to be high-risk. Many single sign-on services provide support for risk-based authentication based on administrator-defined priorities.
However, to define access control and authentication policies based on risk, an organization needs to understand the risks involved with various requests. For this reason, a risk-scoring exercise can be valuable when planning and implementing zero trust access controls.
For example, an organization may evaluate its devices and determine the impact to the company if an attacker can access each device and breach the data that it contains. A breach of customer database servers may have a high impact, while an employee workstation may hold relatively little sensitive data. Based on this analysis, access attempts to database servers would be considered higher risk and might mandate more stringent authentication for access.
Use Security Groups
A zero trust security model manages access to corporate assets using role-based access controls. This can lead to the misconception that zero trust is difficult to deploy due to the need to tailor least privilege access controls to an employee’s role and level of access.
However, most employees within an organization are not unique, which means neither is their required level of access. For example, most developers will have identical access needs, as will workers in the finance, HR, and other departments. These identical needs may even span most of the workforce, especially if employees primarily use apps installed on their computers and just a few corporate collaboration apps.
An organization can dramatically decrease the complexity and overhead of managing authentication by using security groups to define the common rights and access for a role. From there, any deviations from the norm can be managed via exceptions instead of developing a custom profile for each individual user.
Implement Data Encryption
As described above, access to data, applications, and other resources is managed on a case-by-case basis determined by least-privilege access controls. However, defining access control policies is useless if they are not enforced.
Encryption is a highly effective mechanism for ensuring access is controlled even in the event that a system becomes compromised. Without access to the decryption key used to protect data, it is infeasible for an attacker or unauthorized user to gain access to the encrypted data.
However, encryption is often not performed granularly enough: An entire device or database may be encrypted with the same key, allowing a user who needs access to some of that data to gain access to all of it. Instead, data should be encrypted based on the principle of least privilege as well, in small chunks, with access to the decryption keys limited to those entities that need access to each specific set of data.
Most modern operating systems enable file encryption on a per-user-ID basis. If a remote user is actually logging onto that system (via a remote desktop or secure shell), file encryption will be applied based on that user’s ID. Note, however, that network services do not run with the privileges of the user accessing the services. As such, the contents they manage will be encrypted for the ID of that service.
Limit Remote Users’ Devices
Every device that has access to an organization’s network, systems, and applications increases its risk and attack surface. Remote users’ devices may be compromised with malware that can be used to steal sensitive data or piggyback on their access to corporate assets.
When designing a zero trust strategy, it may be wise to limit the number and types of devices that remote workers are permitted to use to access corporate resources. Banning riskier types of devices helps minimize the organization’s digital attack surface. For instance, an organization may dictate that only corporate-managed devices, where users are not allowed to install arbitrary software, may be allowed to access corporate resources.
Monitor and Test
Implementing a zero trust security program can be a complex undertaking. It involves a shift from legacy access management technologies to ZTNA as well as defining and enforcing least-privilege access controls for various corporate assets and systems.
Like anything else, with a zero trust implementation, adjustments and tweaks may be needed periodically to conform to the organization’s ever-changing requirements. For example, as an employee’s role within the organization evolves or the company introduces new devices and IT infrastructure, role-based access controls may need to change.
For this reason, it’s always a good idea to periodically review and test an organization’s zero trust implementation. This includes ensuring that security controls are working as intended and that the least-privilege access controls governing various roles are neither too permissive nor too restrictive. Ideally, a zero trust implementation will be invisible to legitimate users while preventing unauthorized access or potential attacks.
Conclusion
ZTNA and a zero trust security strategy are ideal for enterprises with remote or hybrid workforces. Allowing remote access to company systems and applications introduces security risks, and zero trust can help manage these risks by restricting the possible damage that can be done by a compromised device or account.
However, a zero trust security policy must be designed carefully and enforced fully to provide any real protection. The best practices above describe how companies can smoothly and effectively implement a zero trust program to support their remote workers.
