How the Zero Trust method can increase security when many people work from home
The days of clocking into the office at eight and going home at five are long gone. Back then, there was a point to building a strong wall around the company network. Today, with more and more people working from locations other than the physical office, different strategies are required. Microsoft's solution to the problem is called Zero Trust and the message is simple: don't trust anyone, act like you're already hacked.
Traditionally, the office network has been protected by castles and moats. And sure, firewalls and proxy servers are effective protection as long as company data is inside those walls, but they're of little use when employees take valuable data outside them, or when an attacker has already gotten in.
Today, we are used to being able to work unhindered wherever we are, at any time of the day or night. That's why we need new ways to protect company data. Microsoft's solution to this problem is called Zero Trust. The approach is based on treating all devices the same, regardless of which side of the firewall they are on. All connections are considered insecure until the user has identified themselves, at which point the user should only be given access to the resources the task requires.
Minimum rights to complete the task
The technology is based on integrating the identity, which is almost always the user's username or email address, into Azure AD, along with the device and business applications the user is expected to use. Policies control which groups of users have access to which resources, always with the aim that everyone has the lowest possible rights needed to do their job. The reason? If an account were to be hijacked, you don't want to give the perpetrator free access to all company data. If a user needs to extend their rights, this can be solved by PIM (Privileged Identity Management), which allows the user to apply for rights for a limited period of time. It also means less work for the IT department, as they don't have to decide who should have what rights.
Does the device meet all the requirements?
Another important part of Zero Trust is the company's ability to set specific requirements for the devices it uses. Common requirements are that the hard disk must be encrypted, that the latest security updates are installed and that the device is protected by a PIN code. If an employee is using their personal computer or phone, they may be able to read and edit documents, but not download them. Is an employee trying to log in from the other side of the world? If so, an additional authentication method may be required, such as a code sent to the mobile phone. In other words: don't trust anyone.
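The checks described above can be modelled as a single decision function. This is an added example, not code from Microsoft or from this article; the field names, the four outcomes and the choice to block a non-compliant company device are assumptions made for illustration, and it is a model of the logic rather than the Conditional Access API.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class SignIn:
    """One sign-in attempt. None means the signal was not reported."""
    user_authenticated: bool
    managed_device: Optional[bool] = None   # company device vs. personal
    disk_encrypted: Optional[bool] = None
    patches_current: Optional[bool] = None
    pin_set: Optional[bool] = None
    usual_location: Optional[bool] = None
    mfa_done: bool = False


def evaluate(s: SignIn) -> str:
    """Return 'block', 'require_mfa', 'web_only' or 'full_access'."""
    # Every connection is untrusted until the user has identified themselves.
    if not s.user_authenticated:
        return "block"
    # Unusual or unknown location: ask for an additional factor first.
    if s.usual_location is not True and not s.mfa_done:
        return "require_mfa"
    # Personal or unidentified device: read and edit, but no download.
    if s.managed_device is not True:
        return "web_only"
    # Company device: every requirement must be positively confirmed.
    # A missing signal (None) fails closed, it is never treated as "fine".
    checks = (s.disk_encrypted, s.patches_current, s.pin_set)
    if all(v is True for v in checks):
        return "full_access"
    return "block"  # assumption: non-compliant company devices are blocked


if __name__ == "__main__":
    # Constructed sample sign-ins, not real data.
    ok = dict(user_authenticated=True, managed_device=True,
              disk_encrypted=True, patches_current=True, pin_set=True)
    samples = {
        "office laptop": SignIn(**ok, usual_location=True),
        "laptop abroad": SignIn(**ok, usual_location=False),
        "personal phone": SignIn(True, managed_device=False, usual_location=True),
        "unpatched laptop": SignIn(**{**ok, "patches_current": False},
                                   usual_location=True),
    }
    for name, attempt in samples.items():
        print(f"{name:18} -> {evaluate(attempt)}")
```

The point to take from the model is the fail-closed handling: a device that does not report its encryption or patch state is treated the same as one that reports a failure.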
Balance between safety and productivity
Having to prove your identity all the time can sound cumbersome and no one wants to be sent a code four times a day because the computer requires two-step verification. It's all about finding the right level of security for the right person at the right time, and above all, doing the right groundwork. With well-thought-out policies that give the right users the right access, and tools like facial recognition and fingerprints, hopefully there will be no need for codes at all, except in emergencies.
Worth investing in cloud service security
Zero Trust tools are included in your Microsoft 365 licence and the more advanced your licence, the more security features you get. Conditional access support is already available in Microsoft 365 Business Premium, but with the more advanced licences you also get access to features that use artificial intelligence to analyse user habits, look for anomalies and respond to potential threats.
As we see it, it can often be better to reduce the budget for traditional IT security in the network and instead spend some of the money on cloud service security. Perhaps especially if you're about to renew a legacy system and want to avoid a large one-off cost. There's also nothing that says it has to be either/or. You can still have a secure network in the office, but switch to the Zero Trust model when employees leave the office.
Because outside the office they will be moving around - so why not ask an extra control question the next time there is a knock on the door?