Now that the COVID-19 pandemic has changed how and where many organizations allow their employees to work, companies are looking to set up hybrid workplaces for 2022 and beyond. That means rethinking traditional cybersecurity models to effectively protect both on-premises and work-from-home employees and resources equally.
Hybrid workforce model gains traction
At first glance, cybersecurity professionals may think supporting a hybrid workforce model requires minimal change. After all, many organizations allowed some degree of remote work before the pandemic. Supporting both remote and on-premises workers would seem to require some minor tweaks, if anything -- right?
That's an optimistic line of thought, but it's incorrect. One of the big changes created by the pandemic is that it's no longer possible to classify workers as "entirely or mostly remote" and "entirely or mostly on premises." The same workers require secure access to resources whether they're on premises or at home. Location is no longer a variable by which workers can be classified.
Workers should no longer be expected to follow different processes to log in to resources depending on their location. Whether employees are working from home or in the office, they should be able to follow the same login process.
This isn't just a matter of user convenience. Enterprises need a single, integrated security policy for all employees. Even if companies allow on-premises and work-from-home workers to access different systems and data, a single policy should be in place, not separate policies for WFH workers and on-premises workers.
Secure hybrid workforce best practices
Organizations putting a hybrid workforce model in place should consider the following five best practices to lock down security wherever employees work.
1. Adopt zero trust
Adopt an integrated approach to security, specifically zero trust. Zero trust is a strategy and an architecture that protects enterprise infrastructure from end to end by taking an allowlist approach to accessing resources. That means users and devices may only access resources for which they have explicitly been granted permission by the cybersecurity policy.
A zero-trust approach is in stark contrast to the legacy perimeter-based cybersecurity model, which divides users and devices into "outside the perimeter" and "inside the perimeter" and typically allows all inside users and devices to access any resources they aren't specifically prohibited from accessing.
Not surprisingly, the zero-trust model has seen rapid adoption during the pandemic. More than 60% of enterprises plan to adopt zero trust by the end of 2022, according to Nemertes' "2021 Secure Cloud Access and Policy Enforcement" research study.
Zero trust correlates strongly with cybersecurity success. According to the Nemertes study, successful companies -- based on objective cybersecurity metrics -- are more than twice as likely (138%) to have adopted zero trust as their less-successful counterparts.
2. Adopt software-defined perimeter/zero-trust network access
Adopting zero trust has gotten considerably easier over the past few years. While it was originally envisioned as a strategy more than a concrete architecture, organizations, including NIST, have standardized a zero-trust architecture, as documented in NIST Special Publication (SP) 800-207. This means enterprise cybersecurity practitioners have a blueprint for putting their zero-trust architectures together.
Zero trust doesn't stop with NIST SP 800-207, however. NIST has convened a center of excellence that is collaborating with selected vendors -- the NIST List -- to enable the architecture.
One of the key components of the NIST zero-trust architecture is software-defined perimeter (SDP), also known as zero-trust network access (ZTNA). SDP tools provide permission-based access from user devices -- whether at home or on premises -- to cloud-based and/or on-premises resources. SDP eliminates hard-to-manage VPNs and provides a consistent process for users to access resources, regardless of the location of either.
It's worth noting that SDP eliminates the need for network-based security approaches, such as Secure Access Service Edge (SASE). Although many vendors provide zero-trust tools under the SASE moniker, strictly speaking, SASE continues the perimeter-based approach because users access resources differently based on where they are. With a SASE model, users connect to the service edge if they're off premises but connect directly to the resource from on premises -- thus breaking the unified access model.
Adopting SDP/ZTNA is a massive first step in building out a zero-trust architecture that every enterprise should consider. Several vendors on the NIST List provide SDP capabilities.
3. Move to an identity-centric architecture
At the core of the zero-trust architecture is identity. Specifically, zero trust enables specific users to access specific resources based on who they are. That means rock-solid identity management must be in place.
Consider traditional perimeter-based security. In that model, users outside the perimeter -- for example, WFH employees -- must tunnel in through the perimeter to resources. Access to the tunnel, often the VPN, may be protected via password or multifactor authentication (MFA). But, once users have connected to the tunnel, they can access any resources on premises unless specifically prohibited by the security policy. In other words, access to the resources isn't based on the user's identity; it's based on the user's ability to log in to the VPN.
With an identity-centric architecture, in contrast, access to every resource is controlled by the user's identity. Regardless of how users connect to -- or attempt to connect to -- the resource, they can only access it based on who the user is.
Several of the vendors on the NIST List provide identity capabilities for a zero-trust architecture.
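The contrast between the perimeter model and the allowlist, identity-centric model described above can be made concrete with a small policy evaluator. This is an added example, not code from the article or from NIST; the users, devices, resources and policy tables are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    user: str
    device: str
    location: str   # "on_prem" or "remote"
    vpn: bool       # True once the user has logged in to the VPN tunnel
    resource: str

# Constructed sample policy data (all names are hypothetical).
PERIMETER_DENY = {("alice", "payroll-db")}               # explicit prohibitions only
ZT_GRANTS = {("alice", "wiki"), ("bob", "payroll-db")}   # explicit permissions only
ZT_DEVICES = {"alice": {"alice-laptop"}, "bob": {"bob-laptop"}}

def perimeter_decision(req):
    """Legacy model: anyone inside the perimeter is allowed unless prohibited."""
    inside = req.location == "on_prem" or req.vpn
    if not inside:
        return False
    return (req.user, req.resource) not in PERIMETER_DENY

def zero_trust_decision(req):
    """Allowlist model: user and device need an explicit grant; location is ignored."""
    known_device = req.device in ZT_DEVICES.get(req.user, set())
    return known_device and (req.user, req.resource) in ZT_GRANTS

def compare(requests):
    """Evaluate each request under both models."""
    return [(r, perimeter_decision(r), zero_trust_decision(r)) for r in requests]

SAMPLE = [
    Request("alice", "alice-laptop", "remote", True, "wiki"),
    Request("alice", "alice-laptop", "remote", True, "source-repo"),  # never granted
    Request("alice", "alice-laptop", "on_prem", False, "wiki"),
    Request("bob", "unknown-tablet", "on_prem", False, "payroll-db"),  # unregistered device
    Request("bob", "bob-laptop", "remote", False, "payroll-db"),       # no VPN in use
]

if __name__ == "__main__":
    for req, legacy, zt in compare(SAMPLE):
        print(f"{req.user:5} {req.device:14} {req.location:7} vpn={req.vpn!s:5} "
              f"{req.resource:11} perimeter={legacy!s:5} zero_trust={zt}")
```

The second and fourth requests are the ones to look at: the perimeter model allows them only because the user is "inside," while the allowlist model denies them for lack of an explicit grant.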
4. Strengthen endpoint security
Cybersecurity practitioners know the importance of endpoint security, but they should also note that, with the advent of zero trust, securing the endpoint becomes even more critical. With an identity-based architecture, once users have authenticated themselves, they have access to all permitted resources. If the systems or devices they are using have been compromised, those resources may be compromised as well.
Some key considerations when it comes to strengthening endpoint security include the following:
- Acknowledge endpoint diversity. The endpoint is no longer merely a corporate-owned desktop. Laptops, tablets, phones and emerging devices, such as wearables -- all potentially owned by the user or the enterprise -- are typical endpoints these days. Any endpoint protection products should support a range of form factors and OSes.
- Implement MFA. Since the endpoint is the entry point into the network, it's important to implement MFA to protect it from unauthorized access.
- Consider endpoint-based data loss prevention (DLP). Since an increasing amount of data is stored on endpoints, it's worth assessing DLP tools at the endpoint, as well as elsewhere in the enterprise.
5. Enact collaboration security
Consider beefing up collaboration security. Hybrid workplaces rely heavily on collaboration applications, such as Zoom, Slack, Teams and the like. Cybersecurity practitioners may assume the security inherent in these applications is sufficient, but that's incorrect.
First, the security included is not integrated. Lack of integration means having a fragmented cybersecurity policy -- one of the most critical concerns. For example, a policy may prohibit sharing file type X over Zoom but permit it over Slack. Or it could apply to all Teams-related interactions but not to interactions over other collaboration tools. This type of fragmentation introduces security vulnerabilities.
Second, the inherent cybersecurity protections may not be sufficient. While vendors like Zoom and Salesforce, which owns Slack, have been steadily beefing up the security of their offerings, they're still not perfect.
Enterprise security practitioners should assess a range of collaboration security tools and platforms.
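The policy fragmentation described above, where a file type is prohibited over one tool but permitted over another, can be detected by comparing each tool's effective sharing decision. This is an added example, not code from the article or from any vendor; the policy format and the rules themselves are constructed, not a real export from Zoom, Slack or Teams.

```python
# Constructed per-tool file-sharing rules (hypothetical format):
# tool -> {"default": decision, "rules": {file_extension: decision}}
POLICIES = {
    "zoom":  {"default": "allow", "rules": {".exe": "block", ".pst": "block"}},
    "slack": {"default": "allow", "rules": {".exe": "block"}},
    "teams": {"default": "block", "rules": {".pdf": "allow", ".exe": "block"}},
}

def effective(policy, ext):
    """Decision a tool applies to a file type: explicit rule, else its default."""
    return policy["rules"].get(ext, policy["default"])

def find_fragmentation(policies):
    """Return {ext: {tool: decision}} for file types the tools treat differently.

    The pseudo-extension "*" stands for any type with no explicit rule anywhere,
    so differing defaults are reported too.
    """
    exts = {ext for p in policies.values() for ext in p["rules"]}
    exts.add("*")
    gaps = {}
    for ext in sorted(exts):
        decisions = {tool: effective(p, ext) for tool, p in policies.items()}
        if len(set(decisions.values())) > 1:
            gaps[ext] = decisions
    return gaps

if __name__ == "__main__":
    for ext, decisions in find_fragmentation(POLICIES).items():
        print(ext, decisions)
```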