mike_elgan
Contributing Columnist

How to stop worrying and love zero trust

opinion
Mar 31, 2022 · 4 mins
Remote Work, Security, Technology Industry

If you want to work remotely from home — or stay on the move as a digital nomad — you can thank zero trust for making that possible.

Countless articles have been published in the past few years about zero trust, most of them explorations and expositions for security professionals.

But I want to write for remote workers on the other side of the so-called “trust” equation — the people who will deal with the changes and inconveniences as zero-trust strategies are implemented and refined over the next few years.

Welcome to this jargon-free explanation of zero trust.

If you’re a security professional or IT pro of any kind, please keep this newsletter to share with employees — especially remote employees — who need to understand what’s happening and why.

First and foremost, zero trust is not a product or a service — it’s an idea, an approach, a strategy.

We need zero trust to secure the future of the workplace. And the reason is that the old strategy — perimeter security — doesn’t work anymore.

With perimeter security, a company firewall was established. Any person, device, and application inside the firewall was assumed to be safe — they were trusted because they were inside. Remote employees could get inside the firewall by using a virtual private network (VPN), which is software that encrypts data and enables an authorized person to get inside the firewall, even from a home office or a hotel in another country.

Perimeter security worked well enough in the old days, but the world has changed. And now it doesn’t work. Connectivity is far too complex, and cyberattackers have become far too sophisticated. Nowadays we have all kinds of old-fashioned networking, complicated cloud computing arrangements, and huge numbers of tiny, connected, often sensor-based units all lumped together under the Internet of Things (IoT) umbrella.

And we have you. Yes, you.

The biggest reason perimeter security no longer works is that people work remotely not only from home offices, but over any connection, from anywhere.

Consider the home office. With a perimeter security arrangement, you would connect via your home Wi-Fi using a VPN, enabling your main work laptop to be inside the firewall. Now, any number of things could happen:

  1. The neighbor’s hacker kid, who can reach your Wi-Fi from her bedroom, uses that access to hack your laptop, compromise your VPN software and thereby compromise the entire company because now she, too, is inside the perimeter at your workplace.
  2. You step away from your laptop for a few minutes, and while you’re still logged in your son’s friend goes into your home office to sneak a look at porn. In doing so, he visits some shady site that auto-downloads all kinds of malware to your laptop. After that event, your laptop connects to servers in Eastern Europe all day, every day, which enables professional malicious hacker gangs to enjoy VPN access to your company’s networks.
  3. Your parents buy your kids a toy for Christmas, which happens to connect via Wi-Fi. Now you’ve got an IoT device on your home network from a company that has no intention of ever issuing a security update. This device is another doorway to your Wi-Fi, to your laptop, and to your company for clever drive-by hackers operating from a car at the curb out front.

These scenarios involve just one WFH employee. Now imagine 5,000 remote employees at a single company working from home and from around the world, all with untold varieties of vulnerabilities.

You see why remote work is the enemy of perimeter security?

Here’s how zero trust works. Instead of relying on a secure “perimeter” that cannot be secured, your company will require that every user, device, and application is authenticated individually.

That means: Even if you and your laptop are authorized to gain access to company resources, if someone plugs a thumb drive into your system, neither that drive nor the software on it will be authorized to access those same resources. The hacker kid next door can’t gain access. The malware downloaded to your laptop can’t gain access. The random IoT devices that show up on your home Wi-Fi can’t gain access.

The downside, as you can imagine, is that all that authentication will increase inconvenience. You’ll need very good password hygiene and practices. You’ll probably need biometric authentication. There will be accidental occurrences where an authorized device or application will be denied access, and you’ll have to work with the support desk to sort it all out.

But all this inconvenience is the price we pay for the power of IoT, cloud computing and, above all, remote work.

The process is coming, and there will be a learning curve. But, in the end, I urge you to trust zero trust. It’s just the way things have to work now.