Forrester’s zero trust concept has grown in acceptance as we come out of the pandemic. Today’s columnist, Ben Smith of RSA, says companies will need to consider zero trust as employees return to the office. hyku CreativeCommons CC BY-SA 2.0

Now that we are a full year into the new world order and the pandemic has eased up a bit, companies are taking a deep breath and starting to consider how the past 14 months fundamentally reshaped their digital transformation plans. Many organizations pulled close to two years’ worth of future digital transformation plans into the present in the scramble to empower employees to work remotely. But even the most mature companies will admit that this rush was imperfect because of the compressed timelines of early last year.

There have been three important stages or milestones in this journey, but even now, many organizations have been singularly focused only on the first stage.

That first stage was the obvious challenge at the outset of the public health crisis: How do we set up our employees to work securely from their remote locations? Securing those connections at either end was something many were doing already, in the form of VPNs and endpoint protection technologies. In some cases, employers were forced to rely on workers using their personal devices to complete their work, a supposedly temporary situation that’s stretched into the everyday reality. Wise companies looked ahead during this time and began investigating and implementing strong, multifactor authentication options which took advantage of the computers we all carry around in our pockets, disguised as smartphones. Some moved even further, leveraging dynamic identity and access management capabilities to broaden the data set used in making the real-time decision to permit a remote user to access sensitive information.

The second stage has already arrived, even if many security teams haven’t felt it yet. Once the dust settled on the remote workforce question, more and more organizations realized that – given all those remote users, their remote devices, and the remote environments in which they have been working – visibility into that remote work infrastructure was not up to speed. Corporate-issued laptops, phones, and other devices have been in close quarters with employees’ families for an abnormally long period of time. It’s more the rule than the exception that a corporate device somewhere at home was picked up and used at some point by family members other than the employee. Security teams cannot assume that credentials have not been shared or otherwise discovered by inquisitive children. We focus so much on external threats, when in fact it’s the insider threat – malicious or accidental – that’s far more prevalent. How confident are security teams that those corporate devices are as protected today versus when they were deployed a year ago? What additional software has been downloaded and now runs on that device ? What network traffic heads into and out of that home office setup? Visibility into what’s transiting the network, what’s running in memory on that remote device, and what can recognize and act on signs or indicators of compromise on those devices and networks has never been more essential. Still, many companies did not move this forward over the past year – a missed opportunity.

The third stage will arrive soon, and in some industries it’s here today – the regulatory stage. We’re not expecting new government-issued regulations directly tied to the public health crisis – this stage encompasses the regulations organizations have been operating under all along. Sometimes missed in the rush to maintain business continuity at the start of the public health crisis was the fact that users, and/or the data they work with, were suddenly in new jurisdictions. Business processes designed with assumptions around geography in mind may or may not have been revised. Isn’t now the right time for this review? Are your existing threat detection and response capabilities focused solely on technical assets, overlooking the underlying business processes those assets support?

Regardless of which stage the company’s in, it’s never too late to start moving in the right direction, even now as companies consider the possibility of its remote employees coming back into the office on a temporary or permanent basis. Zero trust – in which identities and devices are constantly checked and re-checked as they move within the network – has emerged ready-made for today’s world, where users and their devices are not always in their expected locations, connecting at the expected time of day, or touching the expected corporate assets. Don’t forget that zero trust isn’t just about identities; it’s also about network monitoring, a function that’s often overlooked.

Remember that almost every crisis moves through defined phases or stages, and the survivors tend to be organizations that not only put out the fire that initiated the crisis, but they also introduce new safeguards so that the fire is less likely to happen again. The digital transformation your organization is experiencing today is only accelerating – it will not slow down – and the more you appreciate the benefits of full visibility across your collection of networks, devices, and humans, the better prepared you and your organization will be for your next unexpected challenge.

Ben Smith, field chief technology officer, RSA