In the span of a week, Zero Trust went from a buzzword to a must-have. The COVID-19 crisis overnight converted vast swaths of enterprise, education and government into 100% remote organizations with massively distributed workforces. This shift instantly morphed and expanded the attack surface going through the transition. The shift scrambled compliance realities and made it far more difficult to address the requirements of many core certifications such as SOC2, HIPAA and ISO 2700. We don’t know how long we will have to work under these conditions, but it’s likely this is not the last time that a Black Swan event recasts our reality. When conditions change so quickly, Zero Trust becomes critical because it is the only way to maintain security, compliance and continuity. So how can businesses adjust?
Change Your Zero Trust Security Posture And Playbook
For many security teams, the most fundamental monitoring practice to secure all endpoints is the network scan, where you look for anomalies on your network. Now that all employees are operating remotely on corporate networks and logging in from a mishmash of hotspots, cable modems, DSL lines and other home broadband connections, network scans are not as effective. This means IT and security teams need to revisit endpoint security capabilities and make sure they are all up to date. This also may mean adding new endpoint tracking and validation mechanisms to BYOD devices, smartphones and other connected systems that were not on the network before but now need to be added. In addition, you may need to significantly increase the number of VPN connections your organization can support to make sure that users following procedures are not mired in bandwidth issues. You should also expect employees working from home will be more tempted to become Shadow IT practitioners just to get work done. There is a lot more pressure in the job market, and so they may be more inclined to bend the rules.
Optimize the Employee Experience Within A Zero Trust Framework
Look for simple ways to make the lives of everyone that depends on your technology support to improve the way they work within the confines of your existing IT footprint. For example, if employees are experiencing difficulties using VPNs, then help them all (or even better, remotely enable) G Suite or Office 365 to work offline. This would limit their dependence on fast connections. Or if employees need to purchase new hardware or software that formerly had to go to a central office for imaging and tagging, make time to walk them through imaging remotely. (We have Oomnitza customers doing this right now with our mobile app). Or use this opportunity to move your entire organization onto password managers that you can centrally control, that make life easier and enforce better security hygiene and Zero Trust by default.
Create async processes to make them all mini-IT practitioners, such as allowing them to scan in new devices using apps on their phones that service desks and procurement teams used to use. In fact, look at this as an opportunity to improve the ability of employees to self-serve without adding a significant burden. And definitely view this entire process as a way to boost the resiliency and flexibility of your IT organization, while still maintaining sufficient control. Ultimately, you may need to allow them to buy what they need from unauthorized sources as a last resort. But if you are successful, you may not need to take this last step – which unfortunately blows up Zero Trust by breaking your chain of custody.
Deprioritize The Large Chunks of Infrastructure That Are No Longer Relevant to Zero Trust
The big shift we are now undergoing does afford IT, security and service delivery teams the luxury of walling off large chunks of what they formerly had to monitor and track. When the office is empty, no one cares about maintaining e.g. distributed networks of printers, PBX and VOIP phone systems. You still need the core voice routing capability, but the devices on the desktops can and should be shut down.
For security, you now have the luxury of a much smaller white list to maintain. That may allow you to shift from legacy security processes which look to boil the ocean to more efficient processes. For example, remember the now outdated network scans? You can swap it for newer tools that monitor DNS for unauthorized outbound calls from your network that are often indications of a breach. In that mindset, take this time to rethink the mechanics of your security stance and consider how to make it more modular and more efficient as a way of making Zero Trust more defensible.
Conclusion: This Can Be A Zero Trust Watershed Moment
All the old rules are being broken. We are setting new policies and procedures on the fly. IT and security teams are being asked to do things on tight timetables of weeks or days that formerly might have taken months or years. This is actually a tremendous opportunity to shift your organization to embrace a more modern and forward-leaning approach to Zero Trust that will make your company, your core assets and your team more secure, more productive and more resilient while actually saving money. Use this time wisely, even in the midst of a fundamental shift, to build a Zero Trust organization and ethos that can keep you productive and safe through the next Black Swan event – whatever it may be.
Arthur Lozinski CEO