Driving to Zero: Zero Trust for Economic Sustainability

In the early months of 2020, companies found themselves rapidly transitioning their business models from in-person to remote work.

Although initially considered a short-term operational change, research increasingly indicates that the full-time, remote workforce is here to stay. For many companies, maintaining a remote workforce model may be a key part of their economic sustainability and business continuity plans.

The organization, Global Workplace Analytics, conservatively estimates that the typical employer can save $11,000 per year for each half-time telecommuting worker.

These savings compound quickly at the enterprise level, particularly for organizations struggling during an economic downturn. For some organizations, the aggregate cost savings from a remote workforce could mean the difference between financial recovery and bankruptcy. 

Organizations benefit from distributed workforces in a variety of ways. With fewer people in the office, companies can reduce their real estate expenses, while saving money on utilities and related overhead. Simultaneously, research shows that remote workers are more productive while also less likely to look for a new job.

However, as with every rapid business decision, the full deployment of a remote work model comes with its own set of unique risks and overhead that manifest in other unexpected ways.

Specifically, the mass adoption of remote workforces by large enterprises has expanded the digital attack surface of corporate networks to now include the home networks of employees. Vulnerabilities that may have been only applicable to an employee’s home network now have the potential to reach within the internal corporate network through remote access.

Managing a remote workforce, however, needs to incorporate the cybersecurity strategies that can sustain this value. A single data security incident can undermine any cost savings associated with this new work model. In order to create a financially sustainable remote workforce, organizations need to start thinking differently about the ways in which they secure their IT ecosystems. 

From a cybersecurity point of view, organizations need to factor in the new risks associated with a distributed workforce. Workforce members may not be incorporating the key on-premises controls that protect a company’s IT stack. Firewalls and device management work well when employees sit inside an organization’s network. However, when working from home, workforce members may not have the necessary tools to protect their wireless connections or they may be using their own devices. 

For example, most internet service providers will supply equipment such as modems and routers for their retail or small business customers. This equipment is oftentimes set up with default configurations, and many contain unpatched vulnerabilities and/or exploitable vectors that have not yet been discovered. An example of this took place in 2017, when it was disclosed that AT&T Uverse modems were vulnerable to remote exploitation through the “SharkNAT&To” attack.

An attacker who is able to exploit a firewall from the public internet can tunnel into the local network. Upon gaining access to the user’s local network, if the attacker can successfully exploit a device within that network connected to enterprise resources, they can then pivot into the private corporate network by tunneling through the exploited employee device.

Most companies provide their employees with a device, many with endpoint protection to mitigate risks of known malware as part of its cybersecurity controls. Additionally, the organization may also ensure that its network is encrypted in both storage and transit, the goal of which is to make any information exfiltrated by an attacker unreadable. 

These types of controls are important to have in place but are not guarantees of protection. Obfuscated malware is able to bypass most endpoint protections, and encrypted data can be decrypted if an attacker has compromised an employee device that contains decryption keys. 

To successfully leverage a distributed workforce as a way to maintain financial stability while at the same time balancing operational risk, organizations need to rethink their security controls and procedures to extend beyond the perimeter of the corporate firewall.

In an on-premises situation, organizations “trust” many of their users and devices. Using a login ID and password, the workforce member can access anything from inside the company’s network. The company generally “trusts” those accessing its enterprise network, using the password as verification. Often, the company requires multi-factor authentication, or a password plus something the user has (a token, text to a smartphone) or something the user is (facial recognition, fingerprint). Once the user is outside the enterprise network, these types of authentication controls become more important. 

Zero Trust flips the security model. Instead of “trust but verify,” organizations “always verify but never trust.” The concept of 'Zero Trust' is advantageous whenever a resource is connected to a public network, or whenever an expected user-base is large enough that a percentage of traffic will always be malicious - either through misuse or unauthorized access. Web-based applications enable employee collaboration and productivity. Cloud services such as Google Suite or O365 offer a way for the enterprise to maintain control of data, reducing problems such as different versions saved on individual devices. However, access to and within these cloud services requires the employees to connect via the internet, ultimately increasing the cybersecurity risk. 

For example: if a network has 10,000 users, we can assume that 1% of users may be compromised by malware, another 0.1% may consist of insider threats and another 0.01% is an unauthorized outside attacker. That would make ~1.11% of the traffic on the network malicious - equal to about 111 users.

A Zero-Trust model would assume that all users or devices may at some point become malicious and perform unauthorized actions, and requires a 'permission-first' model, which is quite different from the previous models of denying malicious activity.  

Zero Trust can strengthen and streamline secure access across the enterprise because anomalous/malicious activity would be detected and reported/blocked before it could proliferate. Organizations can monitor all attempts at exploiting the vulnerabilities inherent in web applications and connections by monitoring the devices connecting to their networks for visibility and alerts around security risks. Zero Trust gives companies a way to treat these risky devices the same way they treat their traditionally secured devices, incorporating them into their continuous monitoring strategies.

However, balancing security requirements with end-user needs can be a roadblock if the Zero-Trust model is too complex. IT staff know what to do to secure a distributed workforce but getting the buy-in to switch their mentality may require additional preparation. Stumbling blocks for moving toward Zero Trust revolve around balancing “functionality” with “security.” If something is too secure, it won’t function. If something is too functional, it won’t be secure. 

Any organization looking to move toward a Zero Trust security model needs to prepare its employees for increased multi-factor authentication and decreased device sharing as part of this functionality/security balance. 

For the first time in history, organizations may be able to remain economically viable by reducing their real estate capital investments. Organizations have been adopting cloud services slowly over the last 5 to 10 years. The need to accelerate these strategies in 2020 is proving the cloud’s value where before many only hypothesized. To remain financially sustainable for the long term, organizations will need to focus more on cloud services and securing a distributed workforce. 

Creating the balance between security awareness, functionality, and security needs to be addressed fully as part of a Zero Trust strategy. Companies seeking to leverage the value of the remote workforce as part of their financial strategic plans need to leverage their cloud-first IT investments.

A solid starting point for implementing a ‘zero trust’ remote work program is to ensure that enterprise IT engineers have a full grasp of their corporate perimeter - this includes third-party hosted services that may live outside the enterprise network.