Long before the pandemic evicted office workers and sent them scrambling to set up laptops on dining rooms and kitchen tables, the shift to remote work gained traction.
A decade ago, when technology enabling remote work began launching (like Basecamp, Slack, Google Drive, and Zoom), companies quickly saw the value in a distributed team. They could access talent across the country (and the world) and run a more streamlined operation. Nearly a year into the pandemic, many office refugees have permanent home office setups. Every day new companies announce plans to continue moving toward a distributed model or maintain a largely remote workforce indefinitely.
Remote work is great for productivity and access to talent. But it creates a security nightmare for companies relying on the traditional perimeter defense model. Security based on administrators and standing privilege worked well for exclusively on-premise workforces. Now, many workers are outside the office more than they’re in it, using software and connecting to resources that live in the cloud. Work occurs on both personal devices and company-owned ones; traditional security models no longer apply. Modern companies need a new basis for the security perimeter.
This post explores why identity is the ideal perimeter and how it works with the Zero Trust security paradigm.
Why We Need to Change the Perimeter
Several trends are driving the need for a change in how we define the perimeter. These trends range from technological developments to operational shifts. Let’s look at three that are especially influential.
The Cloud is Everywhere
Even in the largest enterprises, on-prem resources are losing their attractiveness. It’s simply cheaper, faster, and easier to use the cloud. This is especially true of software solutions. The average employee logs into eight different SaaS solutions regularly. And these SaaS solutions are often not well managed. 71% of companies have at least one SaaS subscription without a billing owner (meaning the employee who signed up has left the organization). IT departments struggle to know who is using what resources and, importantly, who should be using what resources.
With Remote Workforces, the Office is Anywhere
Remote workers rarely work from a single location. They’re typically migrating from home to coworking spaces, to coffee shops. Many of the places they favor have networks of questionable safety with untrusted devices connected to them. VPN tunnels partially help solve this problem, but they’re slow due to capacity issues and expensive due to hardware costs, additional networking, and configuration/management challenges.
Contractors: Temporary, with Quickly-Shifting Access Needs
Contractors present an especially confounding challenge to the perimeter defense model. From temp force nursing staff working for multiple hospitals to accountants pulled in for year-end to engineers doing highly privileged work, to integrate a new product — contractors are inherently difficult to manage from a security standpoint. Their access needs vary widely, and they are often temporary. Additionally, at some point, many are re-staffed in a different capacity or move to a different team within the organization.
Modern Threats are More Complex
In addition to modern developments, we face modern threats, which come in various forms. Threats aren’t limited to bad actors on the outside trying to get in. There are numerous internal threats such as malicious employees, accounts with compromised credentials, and systems infected with malware that serve as jumping-off points for bad actors. These internal weaknesses are significant — the cost of insider threats has risen 31% in the last two years, from $8.76 million in 2018 to $11.45 million in 2020.
Why an Identity-Based Perimeter with Zero Trust is the Solution
Zero Trust is based on the premise that no one has standing privilege, not even administrators. Instead, every time a user or application submits an access request, all of the attributes associated with that user or application (role, position, duties, usage behaviors, etc.) are evaluated. To assess risk, the security system either auto-grants access or flags the request for further review. The full spectrum of identity determines access.
Two key pillars of Zero Trust are time-limited access and just-enough access. When a user or application’s identity is evaluated, a decision is made on what access to grant and how long it will persist.
With identity as the perimeter, founded on time-limited access and just enough access, Zero Trust solves the challenges associated with the modern developments described above. Old credentials are no longer floating around. People cannot access data or resources they shouldn’t after moving to a different department — or organization. And everyone can work more efficiently because slow-moving VPN tunnels don’t bog them down. Additionally, identity allows us to assume that even employees, resources, and infrastructure inside the organization could be compromised. So we are better able to defend against modern threats.
Check out our on-demand webinar, Securing Your Remote Workforce, to learn more about how Zero Trust and an identity-based perimeter will help you meet today’s security challenges.