COVID-19 forced enterprises to transition to a distributed, remote workforce almost overnight. As employees brought their offices home, cybersecurity teams had to suddenly adjust their practices and priorities. The security architecture you may have scrambled to build within an unreasonable timeline includes desirable properties you likely were planning to implement anyway. Once you have a chance to strategize, you will be able to use them to advance your cybersecurity program for the long term.
By Lenny Zeltser, CISO at Axonius
The shift from security paradigm grounded in a traditional network perimeter began years ago, driven in part by the popularity of SaaS products, which were easier to deploy and use than the applications that enterprises needed to manage themselves. Cloud computing made it possible to run code away from the local environment and enabled businesses to spend less and move more swiftly. Also, organizations started warming up to the idea of at least some employees working remotely.
So, even before the pandemic, cybersecurity teams needed to start accommodating:
- Sensitive connections traversing untrusted networks
- Transactions originating from potentially unmanaged computers
- Business logic running on infrastructure managed by others
- Web-based applications provided as a service by third parties
The ruthless fervor of the COVID-19 pandemic did not impose many new cybersecurity requirements. Instead, the sudden dispersal of the employees dramatically accelerated pre-existing trends. That is why many of the security measures you may have rushed to implement will serve you well in the long term.
The challenge is that when rushing to support a suddenly distributed workforce, you may have had to make in-the-moment decisions related to a variety of risks that usually would take months if not years to address:
- When you cannot trust the network, how can you protect the data from being intercepted or modified?
- When there is no network perimeter, how can you defend and safely manage your endpoints?
- When you rely on someone else’s apps and infrastructure, how can you live up to SLAs and track security metrics?
- When you lack centralized visibility into major aspects of your IT operations, how can you oversee their security and respond to incidents?
Fortunately, there is a security model that offers guidance for addressing such risks. It is called Zero Trust. John Kindervag, who coined this term back in 2010, explains that this paradigm “examines information about the device, its current state, and who is using it” when making security decisions. As described in the recent Zero Trust Architecture document by NIST, the idea is to narrow the sphere of trust from large networks protected by a perimeter to components, such as endpoints and users.
Zero Trust, as NIST puts it, “is a response to enterprise trends that include remote users and cloud-based assets.” This is the very configuration you are supporting due to the pandemic, so even if you weren’t sure how to begin your journey toward Zero Trust, COVID-19 forced you to advance down this path even.
When you get a chance to shift focus from tactical to the strategic planning of your security program, look at Zero Trust guidelines from the sources and people you trust. You will discover that your Zero Trust journey will likely include:
- Centralizing identity management using a provider that can integrate cloud, SaaS, and on-premise applications.
- Minimizing reliance on VPNs, so having access to a particular (once-trusted) network doesn’t give the user special privileges.
- Strengthening your endpoints’ security posture with the help of modern systems management, Mobile Device Management (MDM), and anti-malware tools.
- Implementing Single Sign-On (SSO) in a way that allows you to make access decisions based on multiple factors, such as the state of the user’s device.
- Automating user provisioning and de-provisioning based on people’s business needs in a way that incorporates the principle of least privilege.
- Gathering IT asset data from all components of your heterogeneous environment to maintain asset inventory and identify security gaps.
The business requirements of your organization today–remote workforce, distributed endpoints, heavy reliance on SaaS and cloud services–likely represent the ongoing needs of the enterprise. Take a look at the current state of your crisis-induced cybersecurity program. Decide which aspects of it you want to keep and which you will need to change once you are no longer in crisis mode. Consider using Zero Trust principles as guidelines. You might find that the work you have already done has advanced your program farther than you were expecting.
About the Author
Lenny Zeltser is the Chief Information Security Officer at Axonius, a cybersecurity asset management company, tackling foundational IT asset management challenges to dramatically improve organizations’ cybersecurity posture. Previously serving as VP of Product, Zeltser now focuses on protecting the company’s information assets, expanding its security architecture, and advocating a strong security culture to help enable the business. He previously led security product management at Minerva Labs and NCR.
Disclaimer
CISO MAG did not evaluate/test the products mentioned in this article, nor does it endorse any of the claims made by the writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same. CISO MAG does not guarantee the satisfactory performance of the products mentioned in this article.
