More trust from outside by trusting nothing within
Trust is a hard-won commodity. Businesses want it from consumers. Governments want it from citizens. People want it from peers. But there is one walk of life in which we dial back the trust, where we call loudly for less of it. The cybersecurity industry is currently urging the implementation of zero trust — the perimeterless approach that assumes a breach and treats every process, user, and session as a potential threat.
While this may sound somewhat draconian, zero trust can be implemented in a way that is relatively invisible to users. It may also sound a little like surrender — that security professionals have given up on prevention. But nothing could be further from the truth. Zero trust is merely a recognition of the times in which we live. The common-office environment, an IT term used to describe the technology, consumables, and security that make up a thriving business, has become more digital.
But some organisations are reticent. IBM’s 2022 Cost of a Data Breach Report, which surveyed 550 organisations worldwide, including 31 in the Middle East, shows that 80% of critical infrastructure organisations have yet to implement zero trust. And the report cited significantly higher average breach costs for such entities compared with those that had zero trust policies in place.
If you are a stakeholder or decision maker in an organisation that has yet to adopt zero trust, let the following be your guide. At this point in history, it is doubtful that you have not moved at least some of your IT to the cloud and also likely that at least some of your employees have worked from home. Zero trust is an identity-centric posture, which is ideal for the world of hybrid work that characterizes the modern common-office environment.
To support the always-connected requirements of the hybrid office and the diverse family of endpoints and third-party networks that comprise it, trusted work and workloads must routinely operate outside the traditional office perimeter. The list of now-relegated defense tactics is long — firewalls, intrusion prevention, network segmentation, and wired network security. They still have their uses, but they no longer belong on the front line.
Today’s common-office environment already has a foot in the cloud, which just happens to be the ideal staging area for zero trust. Cloud environments, leveraged properly, can deliver impressive capabilities for the management of devices and identities, no matter where they are operating. And coincidentally, NIST best-practice guidelines on zero trust call for data sources and computing services to be considered resources, no matter where they are operating.
The common-office environment should therefore adopt the Information Technology Infrastructure Library (ITIL) framework for asset management, which classifies hardware, software, applications, and other technology into appropriate logical groups for the purposes of risk assessment.
Let us consider other NIST guidelines for the modern common-office environment’s adoption of zero trust. All communication, internal and external, should be secured and encrypted and network security standards should not change based on location. All devices should be fully patched and monitored for any anomalous behavior. Access to any system or resource should be granted in full consideration of dynamic risk-based policies and through the highest standards of dynamic authorisation and authentication.
Access should be granted only as needed, and expire in a timely fashion, preferably immediately upon termination of a session. And all logs and any other data collected in the environment should be gathered as often as possible to give optimally accurate information.
Zero trust environments implement closed security models, as opposed to the open models used by most of today’s OSes. A zero trust common-office environment will ensure that authentication and authorisation are dynamically provisioned with support from up-to-date contextual data from a variety of sources. Per-session access, closely monitored and analysed, is safer and allows for suspension or termination of processes and sessions when anomalies are discovered.
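The per-session model described above can be sketched as a small policy decision function. This is an added example, not code from NIST or any product; the names, the 15-minute lifetime, the risk threshold and the role table are all assumptions made for illustration.

```python
from dataclasses import dataclass
import time

SESSION_TTL = 900  # assumed 15-minute ceiling on any grant
RISK_LIMIT = 50    # assumed threshold for the dynamic risk score

# Least privilege: each role maps only to what it needs (constructed data).
ROLE_GRANTS = {"finance": {"ledger"}, "helpdesk": {"tickets"}}

@dataclass
class Context:
    user: str
    role: str
    mfa_passed: bool
    device_patched: bool
    channel_encrypted: bool
    risk_score: int      # from monitoring, 0 (calm) to 100 (anomalous)
    on_office_lan: bool  # recorded, but deliberately never consulted

@dataclass
class Grant:
    user: str
    resource: str
    expires_at: float
    revoked: bool = False

def decide(ctx, resource, now=None):
    """Return a short-lived Grant, or None. Deny is the default (closed model)."""
    now = time.time() if now is None else now
    checks = (ctx.mfa_passed, ctx.device_patched, ctx.channel_encrypted,
              ctx.risk_score < RISK_LIMIT,
              resource in ROLE_GRANTS.get(ctx.role, set()))
    if not all(checks):
        return None
    return Grant(ctx.user, resource, now + SESSION_TTL)

def still_valid(grant, ctx, now=None):
    """Re-evaluated on every request: expiry, revocation and fresh risk data."""
    now = time.time() if now is None else now
    if grant.revoked or now >= grant.expires_at:
        return False
    if ctx.risk_score >= RISK_LIMIT or not ctx.device_patched:
        grant.revoked = True  # suspend the session when an anomaly appears
        return False
    return True

def end_session(grant):
    grant.revoked = True  # access expires immediately when the session ends
```

Because `on_office_lan` never enters a decision, a request from inside the office is held to the same standard as one from a home network.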
There is a reason that zero trust is finding its way onto the pages of more and more international best-practice manuals. It is the gold standard of security for the precise IT environments that we have been building recently and are likely to continue to build. Between employees’ personal devices and shadow IT, and the mysterious mesh of networks that make up our cloud services, there are too many unknowns for security teams to implement anything but zero trust.
In the modern common-office environment, zero trust shrinks attack surfaces and narrows threat windows through broad and granular enforcement of least privilege. And it significantly reduces the risks from all attack vectors by limiting privileges and access. Just as a drop of oil is easier to spot on a clean floor, cyberthreats tend to stand out more clearly in a sanitised identity-centric digital space. Strangely, but happily, the zero trust common-office environment actually leads to more trust – more trust from the outside world by trusting nothing within.
- 80% of critical infrastructure organisations have yet to implement zero trust.
- Zero trust environments implement closed security models, as opposed to the open models used by OSes.
- A zero trust common-office environment will ensure that authentication and authorisation are dynamically provisioned.
- Per-session access, closely monitored and analysed, is safer and allows for termination of processes when anomalies are discovered.
- Between employees’ personal devices, shadow IT, and the mesh of networks, there are too many unknowns.
- Zero trust shrinks attack surfaces and narrows threat windows through broad and granular enforcement of least privilege.