It’s no secret that hybrid work models are here to stay. Some of our recent research shows that 57% of knowledge workers prefer hybrid work. And the freedom and flexibility it offers drive improvements in their engagement, productivity and wellbeing. It’s a win-win for employees and employers alike. But it’s causing IT some pain.
With employees working from anywhere, in some cases using personal devices to access cloud apps and corporate resources, the attack surface has become larger. And many IT organizations are struggling to defend it. According to a global survey conducted by Pulse, three-quarters of IT pros say they're fighting to keep up with the increased volume of security threats that hybrid work models create: ransomware, insider threats, software breaches and vulnerabilities, and phishing. About the same number say their procedures and controls have become more complex as their organizations transition to hybrid work.
Out with the old
Network-centric security worked well when employees still came to the office. But today’s users are working from many different locations. On networks IT can’t secure. With devices the organization doesn’t manage. It all adds up to some serious security vulnerabilities—just one session from an unmanaged device infected with malware can put an entire network at risk. And once an unauthorized user gets through, the door to lateral movement becomes wide open.
To combat these new threats, IT needs to rethink its security approach. When it comes to protecting a workforce that cycles in and out of the office, IT must continuously evaluate risk factors in a contextual way and when suspicious activity gets detected, automatically apply granular security controls to keep the organization safe.
In with the new
Traditional solutions such as VPNs and SSO can't deliver this level of visibility or control. Zero Trust Network Access (ZTNA) can. What exactly is ZTNA? And how can companies leverage it to enhance their security posture?
Though zero-trust architectures vary, they rest on three main principles drawn from the tenets of NIST SP 800-207, Zero Trust Architecture:
- Explicit and continuous verification: Authentication and authorization are enforced before access is granted, and are driven by dynamic policy both before and during a session, based on behavioral and environmental signals such as device posture, network location and observed user activity.
- Least-privilege access: Grant access to IT resources per session, limited by just-enough-access policies that minimize risk without impeding productivity. Micro-segmentation of access becomes an integral part of the architecture to mitigate lateral movement, and it is one reason privileged access management (PAM) has grown in importance. With such an approach, security teams can prevent unauthorized access, revoke privileges as needed, and manage remote access appropriately.
- Minimize blast radius: Segmentation zones extend least privilege to the network and hosts, limiting unwanted access to sensitive apps and data, reducing lateral movement, and shrinking the attack surface so that a breach stays contained. Ideally, an organization would encrypt traffic end to end while still retaining visibility into all resources, networks, and communications to improve threat detection and response.
Think of it like a nightclub. The bouncer at the front door ensures employees are “on the list,” aka authorized to access their work-related applications. Once inside, a security guard monitors their behavior to detect potential risks, and can step in to apply additional levels of security or controls as necessary. In enacting such a model, IT can give employees the flexibility to work where they choose using the devices and apps they prefer without sacrificing their experience or corporate security.
Life on the edge
In addition to how they protect, IT teams also need to rethink where they protect and learn to live on the edge. Networks today are defined by the individual and the device, not physical boundaries. As a result, the old “castle and moat” method of security no longer works. Teams need to place security controls close to apps and end users to ensure networks are continually protected, no matter where employees work or what devices they use.
ZTNA solutions make this easy to do: they broker access to individual applications rather than to the network, so an authenticated user (or a compromised device) can reach only the apps it has been explicitly authorized for, which limits lateral movement. Unlike VPNs and SSO, which typically authenticate once at login, ZTNA solutions continuously evaluate risk factors throughout each session. When suspicious activity is detected, granular security controls automatically kick in to change what users are authorized to do within an app.
Strike a balance
Employees today must work when, where and how they want using the applications and devices of their choice, and IT needs to empower them to do so in a secure and reliable manner without getting in their way. It’s a delicate balance. But security teams can do it.
With the right ZTNA solutions, IT can grant hassle-free access to the applications employees need to get work done, wherever it needs to get done, and apply security policies and controls transparently to preserve their experience. Users, for instance, might see a watermark when working from a personal (BYOD) device, or be prevented from downloading documents when connecting from an unknown network. But in most scenarios they won't notice anything and will continue to work as usual, as adaptive authentication and access control policies run in the background.
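To make the per-session, context-driven policy described above concrete, here is an added example of a minimal access-policy engine. It is illustrative code written for this article, not Citrix's product logic: the entitlement table, the risk thresholds, the `risk_score` signal (assumed to come from a behavioral analytics feed) and the user names are all constructed assumptions. It shows the "bouncer" check (is the user entitled to the app at all), the "security guard" check re-run on every request (risk score, freshness of strong authentication), and the granular controls the text mentions: watermarking on an unmanaged device, blocking downloads from an unknown network, forcing step-up authentication when risk rises, and terminating the session when it crosses a hard threshold.

```python
"""Added example: a minimal context-aware access policy engine (not Citrix code)."""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List


class Control(str, Enum):
    WATERMARK = "watermark"
    BLOCK_DOWNLOAD = "block_download"
    STEP_UP_AUTH = "step_up_auth"
    TERMINATE = "terminate"


@dataclass(frozen=True)
class Context:
    """Signals evaluated on every request, not only at login."""
    user: str
    app: str
    operation: str          # "view" or "download"
    device_managed: bool    # enrolled in corporate device management?
    network_known: bool     # corporate office or otherwise recognised network?
    mfa_age_minutes: int    # minutes since the last strong authentication
    risk_score: int         # 0..100; assumed to come from a behavioural analytics feed


@dataclass(frozen=True)
class Decision:
    allowed: bool
    controls: FrozenSet[Control]
    reason: str


# Hypothetical entitlement table: which apps each user may reach at all ("on the list").
ENTITLEMENTS = {
    "alice": frozenset({"crm", "wiki"}),
    "bob": frozenset({"wiki"}),
}

# Assumed thresholds; a real deployment tunes these per application sensitivity.
HIGH_RISK = 80
ELEVATED_RISK = 50
MAX_MFA_AGE_MINUTES = 15


def evaluate(ctx: Context) -> Decision:
    """Policy decision for one request, using the current context only."""
    # 1. Explicit verification: the user must be entitled to this specific app.
    if ctx.app not in ENTITLEMENTS.get(ctx.user, frozenset()):
        return Decision(False, frozenset(), "not entitled to app")

    # 2. Continuous evaluation: high risk ends the session regardless of entitlement.
    if ctx.risk_score >= HIGH_RISK:
        return Decision(False, frozenset({Control.TERMINATE}),
                        "risk score above termination threshold")

    # 3. Elevated risk with a stale authentication forces step-up before continuing.
    if ctx.risk_score >= ELEVATED_RISK and ctx.mfa_age_minutes > MAX_MFA_AGE_MINUTES:
        return Decision(False, frozenset({Control.STEP_UP_AUTH}),
                        "elevated risk with stale MFA")

    # 4. Least privilege: grant access, but narrow what the session may do.
    controls = set()
    reasons = []
    if not ctx.device_managed:
        controls.add(Control.WATERMARK)
        reasons.append("unmanaged device")
    if not ctx.network_known and ctx.operation == "download":
        controls.add(Control.BLOCK_DOWNLOAD)
        reasons.append("download from unknown network")

    allowed = Control.BLOCK_DOWNLOAD not in controls
    return Decision(allowed, frozenset(controls), "; ".join(reasons) or "baseline")


def run_session(events: List[Context]) -> List[Decision]:
    """Re-evaluate policy on each request; stop once the session is terminated."""
    decisions = []
    for ctx in events:
        decision = evaluate(ctx)
        decisions.append(decision)
        if Control.TERMINATE in decision.controls:
            break
    return decisions


# Constructed sample session: one user on a personal laptop whose risk score climbs mid-session.
SAMPLE_SESSION = [
    Context("alice", "crm", "view", device_managed=False, network_known=True, mfa_age_minutes=2, risk_score=10),
    Context("alice", "crm", "download", device_managed=False, network_known=False, mfa_age_minutes=20, risk_score=20),
    Context("alice", "crm", "view", device_managed=False, network_known=False, mfa_age_minutes=20, risk_score=60),
    Context("alice", "crm", "view", device_managed=False, network_known=False, mfa_age_minutes=21, risk_score=90),
    Context("alice", "crm", "view", device_managed=False, network_known=False, mfa_age_minutes=22, risk_score=90),
]

if __name__ == "__main__":
    for ctx, d in zip(SAMPLE_SESSION, run_session(SAMPLE_SESSION)):
        names = sorted(c.value for c in d.controls)
        print(f"{ctx.operation:8} risk={ctx.risk_score:3} allowed={d.allowed} controls={names} ({d.reason})")
```

Running the sample session shows the same user being allowed with a watermark, then blocked from a download on an unknown network, then pushed to step-up authentication as risk climbs, and finally terminated; the fifth request is never evaluated because the session is already gone. The point is that the decision is a pure function of the current context, so it can be recomputed on every request rather than once at login.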
Hybrid work has no doubt complicated network and application security. But ZTNA can simplify security management. And in embracing it to deliver corporate apps, IT can empower employees to engage and stay productive from anywhere and advance the future of work.
Ricardo Johnson, chief information security officer, Citrix