When the pandemic hit in 2020, many companies had to suddenly switch their workforce from in-person to remote work, which required a critical evaluation of their security platforms to accommodate workers based in numerous different locations. Three years into the pandemic, the shift back to in-office work varies across industry, company, location, and individual preference, which inevitably leads to a greater risk of vulnerabilities. Now is the time to assess the company’s security needs, be honest about weak spots and implement solutions for a zero-trust model that fits the team’s current work environment.
The shift to zero-trust offered an operationally valuable way for us at Adobe to improve the user experience for employees working from anywhere – eliminating the need for VPNs and password authentication, while improving security overall as the perimeter shifted from the network to the device and the user.
While there are vendors available that offer comprehensive zero-trust models, they are often expensive and complicated if the team starts from scratch. Employing such a large program may sound daunting, but if it’s broken down into its smaller components, the task becomes much simpler. It’s also likely that most companies already have some of those components in place as existing security investments – like identity providers, PKI and firewalls – so with a few simple adjustments, they can easily shift to zero-trust and deliver more value.
Breaking down the parts
At its core, zero-trust treats devices and users as the new perimeter of a security landscape that keeps growing. Instead of trusting whatever sits inside the network, it verifies the user’s identity and the state of their device on every access, and defines what that user is allowed to reach. There are a few important parts to take into account when starting to build:
- Invest in a centralized identity provider. Moving different service teams and applications onto a centralized service creates a better user experience and a better return on investment. Employees log in less often throughout the day, and security teams gain visibility into the applications users rely on to get the job done every day.
- Prioritize endpoint security. Enabling endpoint detection and response will deliver high confidence that users are who they say they are along with the additional device posture insights to verify identity.
- Have a device management solution in place. It’s critical that IT curates the fleet of hardware and the applications installed on it, and understands the device life cycles. If endpoint detection and response (EDR) is already in place, it’s possible to take advantage of that system and build on the endpoints already being managed.
- Enable an internal application proxy on trusted devices. With the three components above together, the security team has a good picture of the device’s security posture and of the user. Then take advantage of existing investments and firewall protections to put an authentication layer in front of on-premise applications – essentially turning them into cloud-style applications that improve the user experience without the need for VPN logins.
- Add certificate authentication to the platform. At Adobe, we were already using certificates for authentication to corporate Wi-Fi networks and even some VPNs, but the addition of a managed certificate program became our magic sauce. This addition can make the user experience far more seamless with passwordless authentication. Authentication certificates were the best solution for us, but other companies have moved to passwordless using other options, like the FIDO2 authentication standard.
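The application proxy and certificate steps above come together in a single access decision per request. The following is an added example, not Adobe's implementation or any vendor's product, showing how such a proxy can combine the three signals the list describes: an assertion from the centralized identity provider, a managed client certificate, and a device posture report from EDR or device management, with a per-application group requirement to enforce least privilege. All names, issuers, device identifiers and the sample inventory are constructed for the example.

```python
"""Identity-aware proxy decision (constructed example, not Adobe's code).

Every request to an internal application is evaluated against three signals:
identity claims from the IdP, the device's managed client certificate, and
the latest posture report for that device. Any failed check denies access.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Fixed clock so the example is deterministic; a real proxy uses the current time.
NOW = datetime(2023, 6, 1, 12, 0, tzinfo=timezone.utc)

IDP_ISSUER = "https://idp.example.test"       # assumed issuer URL of the central IdP
CORPORATE_CA = "Example Corp Issuing CA"      # assumed name of the managed certificate CA
MAX_POSTURE_AGE = timedelta(hours=1)         # posture reports older than this count as unknown


@dataclass
class IdentityClaims:
    """What the centralized identity provider asserts after SSO."""
    subject: str
    issuer: str
    expires: datetime
    groups: frozenset


@dataclass
class ClientCert:
    """Fields the proxy reads from the device's managed certificate."""
    subject: str
    issuer: str
    not_after: datetime
    device_id: str
    revoked: bool = False


@dataclass
class DevicePosture:
    """What EDR / device management last reported about the endpoint."""
    device_id: str
    managed: bool
    edr_healthy: bool
    disk_encrypted: bool
    reported_at: datetime


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


# Per-application policy: each app names the group a user must belong to (least privilege).
APP_POLICY = {
    "hr-portal": {"required_group": "hr"},
    "wiki": {"required_group": "employees"},
}


def evaluate(app, claims, cert, posture):
    """Return a Decision; 'reasons' lists every check that failed."""
    reasons = []
    # 1. Identity: assertion must come from our IdP and still be valid.
    if claims.issuer != IDP_ISSUER:
        reasons.append("identity: untrusted issuer")
    if claims.expires <= NOW:
        reasons.append("identity: session expired")
    # 2. Certificate: issued by the managed CA, unexpired, not revoked, bound to this user.
    if cert.issuer != CORPORATE_CA:
        reasons.append("cert: not issued by corporate CA")
    if cert.not_after <= NOW:
        reasons.append("cert: expired")
    if cert.revoked:
        reasons.append("cert: revoked")
    if cert.subject != claims.subject:
        reasons.append("cert: subject does not match identity")
    # 3. Device posture: the report must belong to the certificate's device and be fresh.
    if posture is None or posture.device_id != cert.device_id:
        reasons.append("device: no posture report for certificate's device")
    else:
        if NOW - posture.reported_at > MAX_POSTURE_AGE:
            reasons.append("device: posture report stale")
        if not posture.managed:
            reasons.append("device: unmanaged")
        if not posture.edr_healthy:
            reasons.append("device: EDR not healthy")
        if not posture.disk_encrypted:
            reasons.append("device: disk not encrypted")
    # 4. Least privilege: the application's required group must be present.
    policy = APP_POLICY.get(app)
    if policy is None:
        reasons.append(f"app: {app} is not published through the proxy")
    elif policy["required_group"] not in claims.groups:
        reasons.append(f"app: missing group {policy['required_group']}")
    return Decision(allowed=not reasons, reasons=reasons)


# Constructed sample data: one user in HR on a healthy managed laptop, one in engineering.
ALICE = IdentityClaims("alice@example.test", IDP_ISSUER, NOW + timedelta(hours=8),
                       frozenset({"employees", "hr"}))
ALICE_CERT = ClientCert("alice@example.test", CORPORATE_CA, NOW + timedelta(days=90), "LAPTOP-001")
LAPTOP_001 = DevicePosture("LAPTOP-001", True, True, True, NOW - timedelta(minutes=5))
BOB = IdentityClaims("bob@example.test", IDP_ISSUER, NOW + timedelta(hours=8),
                     frozenset({"employees"}))
BOB_CERT = ClientCert("bob@example.test", CORPORATE_CA, NOW + timedelta(days=90), "LAPTOP-002")
LAPTOP_002_STALE = DevicePosture("LAPTOP-002", True, True, True, NOW - timedelta(hours=3))


def demo():
    """Evaluate a few scenarios; returns a mapping of scenario name to Decision."""
    return {
        "alice_hr": evaluate("hr-portal", ALICE, ALICE_CERT, LAPTOP_001),
        "bob_hr": evaluate("hr-portal", BOB, BOB_CERT, LAPTOP_001),
        "bob_wiki_stale": evaluate("wiki", BOB, BOB_CERT, LAPTOP_002_STALE),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(name, "ALLOW" if decision.allowed else "DENY", decision.reasons)
```

The point of collecting every failed check rather than stopping at the first is operational: the denial reasons feed the visibility the article describes, so the security team can see whether access is failing on stale posture, expired certificates or missing group membership across the fleet. Bob's request to the HR portal fails twice in the sample, once because his certificate is bound to a different device than the posture report and once because he lacks the HR group.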
Build efficiencies for a robust security platform
These five components build on each other to create an effective zero-trust model, and depending on how expansive the company’s current programs are, the shift to zero-trust can be seamless and require only a minimal investment.
Embracing a zero-trust approach can also support long-term security goals for most companies, such as improved visibility into endpoint security and posture, or access based on least privilege. When it comes to communicating the ROI of zero-trust, consider the reduced dependency on VPN solutions and the visibility into which devices are accessing your applications and services while least privilege is enforced.
This process also provides additional visibility into current programs, allowing IT teams to identify redundancies and find more ways to be efficient. Those cost efficiencies in turn create opportunities to further build on security measures and make them more robust at scale.
So as the company considers how to update its security model to meet the needs of a remote or hybrid workforce, decide on the perimeter the company needs to protect, understand the current security investments, and work out how the team can adapt or build on them to create a comprehensive zero-trust model. It’s often an easier transition than most people think.
Eric Anderson, director, enterprise security, Adobe