Zero trust in the remote working era
The massive shift to remote working as a result of the COVID-19 pandemic has created challenges with the traditional network security perimeter model. The use of personal and corporate devices to access the network via public networks and third-party clouds is introducing an expanded attack surface. Many organisations are turning to a zero trust security model to mitigate the risk, through advanced authentication and continuous monitoring.
The expanded threat landscape
For years, security professionals have been battling to evolve and strengthen corporate cyber defences as fast as adversaries discover ways to circumvent them. This has worked up to a point. However, recent rapid changes to working practices, coupled with an increasingly sophisticated cyberthreat landscape, mean conventional cyber security models are no longer effective.
Now, more than ever, employees work from remote and sometimes unexpected locations, accessing networks via a mixture of corporate and personal devices. Businesses use public networks, third-party cloud infrastructure and software-as-a-service to give users access to the tools they need with absolute flexibility so they can do their job wherever they are and whenever they want to. In this drive for productivity, traditional security approaches can struggle to distinguish genuine connections and data interactions from malicious infiltration attempts.
The increasing interconnectedness of today’s corporate ecosystems also creates challenges. Corporate networks are linked with those of partners, suppliers and service providers. This means that new risk – arising from malicious activity or simply poor security in a third party – can emerge from these ‘trusted’ partners at any time. Simultaneously, cyber criminals are growing increasingly skilled and strategic. Rather than trying to tackle corporate cyber defences head-on, they look for weak links, such as poorly protected partner companies or less well-protected parts of the network, and use them to breach an organisation’s defences.
As both the workplace and the cyberthreat landscape have changed, and the attack surface has grown exponentially, the security systems designed to protect organisations have proved inadequate. A new approach is needed, one with the scale and flexibility to respond to threats wherever they emerge from and whatever form they take. This takes the form of a philosophy, rather than a product set: zero trust.
Enter zero trust
Historically, cybersecurity has operated on the “castle and moat” principle. This assumes that everything within the organisation’s perimeter, or “moat”, can be trusted and given unrestricted network access. Under this approach, efforts are focused on preventing adversaries from crossing the moat but, if they do succeed, they have unrestricted access in the same way that a genuine user does. This creates unacceptable levels of risk.
Zero trust rejects the idea that any user or device can ever be trusted, operating on a principle of “never trust, always verify” and applying this across the board. It incorporates all the applications and endpoints, users, APIs, IoT devices, microservices and other elements that form an organisation’s IT footprint.
The advantage of implementing zero trust is that it is a model, not a product, so it doesn’t require the replacement of existing technology. Instead, it is based around establishing and verifying the identity of the people and devices trying to access the network. It prompts organisations to think about managing access in a way that limits it to a least-privileged basis, reducing the potential for data breaches and data loss on the basis that you can’t leak what you can’t access.
In the zero trust environment, identity is established on multiple levels – from user credentials to confirming geographic location and the authenticity of the accessing network – regardless of whether the user or device is inside the network perimeter. Once this complete picture has been built, the zero trust identity is analysed against the type of data it is requesting to access and the policies governing that data. Access is granted only when the identity has been established and verified – and only to the network areas authorised for that user. This means that even if a bad actor gains access to one area, the potential for lateral movement into other parts of the network is limited. Further, a zero trust platform may require reconfirmation of a user or device’s identity at any time.
The zero trust approach allows organisations to gain visibility of user and device activity across their network and to enforce policies on data access and movement.
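The access decision described above can be sketched as a small policy check. This is an added example, not code from Quocirca's briefing or from any product; the segment names, policy fields and thresholds are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed policy table (hypothetical segments and thresholds).
POLICIES = {
    "hr-records": {"roles": {"hr"}, "managed_device": True,
                   "countries": {"GB"}, "max_age": timedelta(minutes=15)},
    "print-queue": {"roles": {"hr", "staff"}, "managed_device": False,
                    "countries": {"GB", "FR"}, "max_age": timedelta(hours=8)},
}

@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    mfa_passed: bool
    device_managed: bool
    country: str
    inside_perimeter: bool   # logged for visibility, never used to grant access
    last_verified: datetime
    resource: str

def decide(req: AccessRequest, now: datetime):
    """Return (decision, reasons); anything not explicitly permitted is denied."""
    policy = POLICIES.get(req.resource)
    if policy is None:
        return "deny", ["no policy for resource"]
    reasons = []
    if not req.mfa_passed:
        reasons.append("mfa not satisfied")
    if req.role not in policy["roles"]:
        reasons.append("role not authorised for resource")
    if policy["managed_device"] and not req.device_managed:
        reasons.append("unmanaged device")
    if req.country not in policy["countries"]:
        reasons.append("location outside policy")
    if reasons:
        return "deny", reasons
    # Identity is sound but stale: ask for reconfirmation instead of allowing.
    if now - req.last_verified > policy["max_age"]:
        return "reverify", ["verification older than policy allows"]
    return "allow", []

NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock

if __name__ == "__main__":
    office = AccessRequest("alice", "hr", True, False, "GB", True,
                           NOW - timedelta(minutes=5), "hr-records")
    print(decide(office, NOW))
```

The `inside_perimeter` field is carried on the request but never consulted, so a request from inside the office on an unmanaged device is refused exactly as it would be from outside.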
The print infrastructure in a zero trust environment
As the traditional office environment evolves into the more flexible, hybrid approach that is likely to persist in future, the implications for the print infrastructure and its incorporation into a zero trust environment become more complex. An unsecured printer or MFP can prove to be the weak link through which adversaries access the network, which means protecting it at a device and access level is critical. Also, more employees are working from home and potentially using personal devices to print corporate documents, which represents a further data security risk that must be managed.
By following the concepts of a zero trust architecture, print device manufacturers, along with independent software vendors (ISVs) and the print channel, can help to ensure that the print infrastructure is not the weak link that malicious assailants target in an attempt to breach a part of an organisation’s zero trust environment.
Quocirca’s new Executive Briefing examines the zero trust concept and its principles, and discusses the document security strategies that organisations should consider when adapting to a zero trust security model. The report includes recent Quocirca primary research on print security concerns and requirements from organisations.