Traditional approaches to security, using ‘implicit trust’, are not enough to protect data in a new hybrid work environment. In a new environment, context-driven zero trust protection needs to be applied, with continual assessment and constant verification.
This is according to Richard Davis, head of cyber security strategy, EMEA at Netskope, who was addressing a webinar on the tricky balance of securing hybrid work while empowering the workforce.
Davis said: “Work environments changed overnight during the Covid-19 pandemic, and with that IT teams scrambled to provide connectivity to remote workers. Today, new hybrid and remote work models mean a variety of devices, applications, identities, and locations have complicated security.” Shadow IT and the Internet of Things have added to this complexity, he said.
“Three key hybrid work challenges today are top of mind for organisations today: securing access to private applications in the data centre or the public cloud, achieving complete visibility and control of the entire stack – across devices, applications, SaaS, IaaS and PaaS environments and shadow IT, and protecting data everywhere,” Davis said. “With the way people work today, data could be anywhere, and the really sensitive data needs to be tied down more, and that is top of mind for organisations.”
Polls of webinar participants found their top hybrid work priorities were controlling sensitive data and preventing data loss when people are working remotely (52%), followed by secure and fast access to private apps (21%), simplifying the security stack (15%) and gaining visibility into and control over what apps and websites people are using when working remotely (10%).
Davis outlined a continuous adaptive zero trust model, which continuously adapts rules and policies, taking into account changing risk profiles of users and devices with contextual risk-based verification, without introducing latency or friction for users.
With this approach to zero trust, security can be an enabler of the business and support hybrid work, he said. “We need to think about providing access to all of our resources in a simplified manner, to anywhere in the world.”
“With this simplification comes a requirement to consolidate. We do this by looking for convenient convergence points – looking at where the majority of users are, where the convergence points are for a convenient security layer. This reduces latency and helps organisations reduce friction and overheads. This drives productivity and skills for the future,” he said.
Another aspect to consider when architecting a hybrid work environment is multi-cloud, with fast access into any cloud, he said. “Fast access must also have granular data protection that doesn’t hinder users’ productivity, unless they are doing something where we need to take action.”
The hybrid work transition demands secure digital transformation, with a converged network and security platform, Davis said, noting that business value is optimised by finding the right balance of agility, risk and cost.
“You need to remove implicit trust, define and refine least privilege access, and continuously monitor access. In context-driven Zero Trust, the ‘who’ should consider the user’s identity, role, risk score and history; the ‘what’ looks at devices and their configuration; the ‘when’ addresses time of day and day of the week; the ‘where’ looks at the geolocation of the worker and data; and the ‘why’ covers factors such as the data sensitivity level and application risk score. Bringing all of these together gives us all the context we need to continually re-evaluate access decisions.”
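As an added illustration (not code from the webinar or from Netskope's platform), the following Python policy evaluator combines the who/what/when/where/why context described above into a single access decision and re-runs that decision whenever the session's context changes; the roles, geofence, thresholds and sample session are constructed placeholders.

```python
from dataclasses import dataclass, replace
from datetime import datetime

LEVELS = ["public", "private", "confidential"]          # data sensitivity ladder
ROLE_CLEARANCE = {"contractor": "public", "analyst": "private", "finance": "confidential"}
ALLOWED_COUNTRIES = {"GB", "DE", "FR"}                  # constructed example geofence

@dataclass
class AccessContext:
    user: str
    role: str
    user_risk: int          # who: 0-100 score derived from history and behaviour
    device_managed: bool    # what: device is enrolled in management
    device_patched: bool    # what: device configuration is current
    when: datetime          # when: time of the access attempt
    country: str            # where: geolocation of the worker
    data_sensitivity: str   # why: classification of the data requested
    app_risk: int           # why: 0-100 risk score of the application

def evaluate(ctx: AccessContext) -> str:
    """Return 'allow', 'step-up' (re-authenticate) or 'deny' for one context snapshot."""
    cleared = ROLE_CLEARANCE.get(ctx.role, "public")
    if LEVELS.index(cleared) < LEVELS.index(ctx.data_sensitivity):
        return "deny"        # who: role is not entitled to this classification
    if ctx.data_sensitivity == "confidential" and not (ctx.device_managed and ctx.device_patched):
        return "deny"        # what: unmanaged or unpatched devices never see confidential data
    if ctx.country not in ALLOWED_COUNTRIES and ctx.data_sensitivity != "public":
        return "deny"        # where: non-public data stays inside the geofence
    off_hours = ctx.when.weekday() >= 5 or not 7 <= ctx.when.hour < 20
    if off_hours and (ctx.data_sensitivity != "public" or ctx.app_risk > 50):
        return "step-up"     # when + why: unusual time for sensitive data or a risky app
    if ctx.user_risk > 60:
        return "step-up"     # who: elevated user risk triggers re-verification
    return "allow"

def continuous_reevaluation(ctx: AccessContext, updates: list) -> list:
    """Re-run the policy after every context change in a session, not only at login."""
    decisions = [evaluate(ctx)]
    for change in updates:
        ctx = replace(ctx, **change)
        decisions.append(evaluate(ctx))
    return decisions

# Constructed sample session: analyst on a managed, patched device, Monday 10:00, in GB.
SAMPLE_CONTEXT = AccessContext("alice", "analyst", 10, True, True,
                               datetime(2024, 3, 4, 10, 0), "GB", "private", 20)
SAMPLE_UPDATES = [{"user_risk": 80}, {"country": "US"}, {"role": "contractor"}]

def demo() -> list:
    return continuous_reevaluation(SAMPLE_CONTEXT, SAMPLE_UPDATES)
```

Each update in the sample session changes one context dimension: the rising risk score forces step-up, leaving the geofence denies access, and a role without entitlement is denied even from an allowed location.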
Davis said that for many organisations, the current security state is a patchwork of organically grown networking and security stacks, multi-vendor security appliances, with full tunnel VPN and MPLS adding latency or split tunnelling increasing vulnerability.
Moving toward an effective zero trust model has to start with talking to the business and understanding where the critical data lies and what the critical access requirements are, Davis said.
“Business also needs to understand what applications and SaaS applications are in use within the business, and what the internal interactions are with these apps. You also need to think about access for external resources and third parties. From there, you can think about building up a zero trust policy, managing entitlements and defining the context for access to data – public, private and confidential, and then build out the policy for least privileged access.”
“Having the internet as the central access point, with a cloud-powered security and networking infrastructure, brings together cloud security, private cloud, SaaS, branches, data centres, IoT and remote workers,” he said.
Netskope empowers hybrid work with a converged platform that increases enterprise agility while reducing risks, costs and complexity. Netskope notes that Gartner recently gave new integrated security services a name: Security Service Edge (SSE), including cloud access security broker (CASB), secure Web gateway (SWG), and zero trust network access (ZTNA). However, Netskope believes that integrated security services also need to provide integrated data context, visibility, and instance awareness, adaptive policy controls for users, devices, and applications and complete threat and data protection with sensitive data awareness. Netskope’s intelligent SSE is a converged platform in the cloud, enabling adaptive zero trust with AI and ML-powered data protection using context.