Today, enormously accelerated by the pandemic, employees work from anywhere and with any device, using several cloud services and applications every day. Employees also expect a completely frictionless working environment and one that closely mirrors their own personal use of devices and software. Security must evolve to keep pace with these seismic changes: it needs to be an enabler of the new frictionless workplace and largely invisible to the end user.
As the workplace has moved outside of the traditional perimeter, security has had to evolve quickly, with added complexity around what workers will be willing to do to maintain security and what they won't. If security policies are too onerous, workers will find ways to get round them – policies must be smart and transparent for the end user.
Below we look at what organizations can do to meet the security challenge of the new normal and what we can expect in the year ahead.
Identity as the new perimeter
The pandemic has been the biggest catalyst in how the digital workplace has recently evolved and in how the way we work has been redefined. Because of the ever-greater adoption of cloud computing and Software as a Service offerings, an increasing amount of an organization's sensitive data is shifting outside the legacy corporate network perimeter. Workplace security used to be very IT-centric, centrally managed and controlled; we now have users outside the company and on the road, making traditional perimeter security null and void.
Moreover, the increase in remote working and the modern digital workplace architecture of recent years have changed the threat landscape. The new security strategy must be data-centric, applied wherever data sits and governed by identities, with identity being the new perimeter.
Zero trust security model
A new set of principles must therefore be defined when designing our information systems and, consequently, their security controls, to maximize the enterprise’s overall security posture and reduce risks. This set of principles is called Zero Trust and is defined by the US National Institute of Standards and Technology thus:
“Zero trust provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.”
Zero trust is not a single technology solution and therefore cannot be achieved solely through implementing one or more security products. It is a fundamental change in mindsets and approach that will drive the selection of the right technologies, how they should be implemented, and the definition of overarching security policies. In short, zero trust can be summarized as: “Never Trust, Always Verify” and means that identities are constantly challenged to ensure they are authentic and authorized to access the company resources, as well as taking signals like real-time risk and compliance status into the access request decision process.
The five basic tenets to adopt when applying a zero-trust approach are:
- All communication is secured regardless of network location.
- No resource is implicitly trusted.
- Access requests to resources are continuously re-evaluated on a per-request basis.
- Access is decided dynamically based on its associated real-time risk.
- The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
Zero trust network access is the application of the concept to end users. It accepts that users, applications, and data will not reside on a common trusted network. The approach requires an efficient and continuous evaluation of the overall context: the user, his or her device, the requested resource, and the overall enterprise security risk posture. The outcome of this evaluation triggers enforcement of a policy that challenges the user further and/or restricts their rights and actions if there is any cause for concern. This is a continual automated process behind the scenes, of which the user is not aware.
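The per-request evaluation described above, as an added illustration that is not part of the original article: a minimal policy decision function that takes the constructed context signals (identity, MFA, device posture, resource sensitivity, real-time risk) and returns allow, step-up or deny, re-evaluated on every request rather than cached for a session. Field names and thresholds are assumptions chosen for the example.

```python
# Added illustrative example (not from the original article): a minimal per-request
# zero-trust policy decision function. Field names and thresholds are constructed.
from dataclasses import dataclass

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"

@dataclass(frozen=True)
class RequestContext:
    """Signals evaluated on every request. Network location is deliberately
    not a field: under the zero-trust tenets it confers no trust."""
    authenticated: bool        # identity proven for this request
    mfa_verified: bool         # a second factor was presented recently
    device_compliant: bool     # endpoint posture check passed (patched, EDR healthy...)
    device_managed: bool       # enrolled, enterprise-controlled device
    resource_sensitivity: str  # "low" or "high"
    risk_score: int            # 0..100 real-time risk signal (constructed scale)

def decide(ctx: RequestContext) -> str:
    """Return allow / step_up / deny for one request. Nothing is cached, so a
    later request with different signals gets a different answer."""
    if not ctx.authenticated:
        return DENY                      # no implicit trust, whatever the network
    if not ctx.device_compliant or ctx.risk_score >= 80:
        return DENY                      # posture failure or high risk blocks access
    if ctx.resource_sensitivity == "high" and not (ctx.mfa_verified and ctx.device_managed):
        return STEP_UP                   # challenge further before sensitive data
    if ctx.risk_score >= 40 and not ctx.mfa_verified:
        return STEP_UP                   # elevated risk: demand a second factor
    return ALLOW

def evaluate_session(contexts):
    """Re-evaluate each request independently (continuous verification)."""
    return [decide(c) for c in contexts]

# Constructed sequence: same user, same session, signals change over time.
SAMPLE = [
    RequestContext(True, False, True, True, "low", 10),    # allow
    RequestContext(True, False, True, True, "high", 10),   # step_up (MFA needed)
    RequestContext(True, True, True, True, "high", 10),    # allow after MFA
    RequestContext(True, True, False, True, "high", 10),   # deny: device fell out of compliance
    RequestContext(True, True, True, True, "low", 85),     # deny: risk spiked
]

if __name__ == "__main__":
    for ctx, outcome in zip(SAMPLE, evaluate_session(SAMPLE)):
        print(f"{outcome:8} sensitivity={ctx.resource_sensitivity} risk={ctx.risk_score}")
```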
Multi Factor Authentication
Since Zero Trust is heavily based on continuous verification, for it to be effective we must also tackle the issue of passwords and credentials and move towards more robust security controls. Multi Factor Authentication, coupled with password managers and biometrics or security keys, can provide a strong, reliable, flexible and secure way forward. It enhances the user experience by removing friction while increasing digital security. Biometric authentication using fingerprints, face, voice and even gait, gesture and motion can provide frictionless and continuous authentication through users' ongoing interaction with their device.
According to a 2019 Verizon Data Breach Investigations Report (DBIR), click rates on phishing emails have fallen from 25% in 2012 to 3% in 2021. This is in part due to end-user awareness, but largely due to Multi Factor Authentication, which is extremely effective in reducing successful attacks. Shifts to Multi Factor Authentication and away from passwords are becoming more necessary – Microsoft believes that 99% of phishing attacks on credentials could be prevented through MFA.
Although it is unlikely we will be able to lose the password altogether in 2022, reducing its use is vital. Passwords have long been the gateway for most attacks – humans are always the weakest link in security. All the large technology firms are working on ways to move away from passwords by deploying passwordless strategies that combine biometrics (Apple Face ID and Touch ID, Windows Hello for Business…) or security keys with more contextualized authentication.
Beyond phishing attacks, the threat protection deployed must keep pace with new cyber threats, going further than classic anti-virus software. A multi-layered approach filters attack vectors out of the system. These layers are:
- Web and mail gateways that scan for threats.
- Multi Factor Authentication to protect identities in case a password is leaked.
- Endpoint Detection and Response to detect any malicious activity and behaviour.
- Data loss prevention solutions to prevent any exfiltration or destruction of sensitive data.
- Privileged Identity and Access Management based on principles such as Just-In-Time and Just-Enough Administration, as well as limiting admin rights on end users' devices.
The end goal is to prevent the progression of attacks.
Next steps for workplace security
For the short and mid-term, we are very focused on the Zero Trust model. For the long-term we will step into the next zero trust maturity level with Secure Access Service Edge (SASE). With SASE we will be able to accomplish Zero Trust in a cloud-native architecture.
Traditionally, every organization has had a security stack inside its perimeter, which every user would need to go through. However, as the perimeter has disappeared, SASE puts this security stack at the edge of the cloud – where the data and users are. There is therefore no longer a need for users to go through their company network to access information: they get the same security measures in their own cloud solution, accessed from anywhere, regardless of the network. The solution is to put security as close to the user as possible.
Currently, this level of security is too expensive and complex for the majority of small and medium-sized enterprises, but the future will see the market for managing user networks expand, and economies of scale will begin to make these solutions accessible to all workplaces. We have been on a journey in workplace security, and the last year has seen a necessary acceleration of advancements. This will continue – at pace – over the coming years.
About the author
Ahmed Salah Messaoudi
Global Security Architect and Evangelist for Digital Workplace
As an Atos Expert, Ahmed drives R&D and service development for Digital Workplace Security. With 15+ years of professional experience in IT, he holds multiple industry-recognized certifications in cybersecurity, Microsoft technologies, IT architecture and governance (such as MCSE, ECSA, TOGAF, ITIL …).
Ahmed works with customers, partners and industries to develop security strategies, consult on security challenges and implement security solutions in areas such as Identity and Access Management, Threat Protection and Data Protection. He has held different roles during his IT career, from engineer to consultant to architect, across different fields of IT and cybersecurity, which has given him very broad and deep knowledge of enterprise IT on-prem and cloud technologies.