The death of the corporate network had long been predicted. You can't rely on your old corporate controls anymore — firewalls, NIDS, and WAFs don't keep attackers out; "they are a Band-aid," they said. They give you a "false sense of security," they cried. I know you think your hardened perimeter protects you, but eventually, someone will find their way past it. Once there is that single crack, an attacker can rampage around your network's soft center. Building a castle wall around your data won't stop a persistent threat.
The security industry had an answer for that; you started to hear about more and more companies pushing towards a Zero Trust security model. Then you started to read about Google's BeyondCorp implementation. And then you visited the vendor floor at a major security conference, and you found a lot of companies willing to sell you that zero trust dream.
It all made total sense. Why should you trust a device just because it's inside your perimeter? Why do you even need a perimeter?! Do I even know what my perimeter is?!
Then, on Monday morning, you returned to your headquarters and were confronted with your reality. Most people were still in your office. They came in every day and left again. Maybe they did some work here and there outside of the building, a flex-day to work around an appointment or a school sports day. The corporate applications that kept your Business running mostly still lived in your data center, within your building, and accessed from the local network. Your perimeter was pretty hard; it was the walls of your buildings that wrapped around your employees. Adding external access outside of your corporate VPN introduced its own set of problems and risks. Then, before you could start decoupling them, they were still heavily integrated with an old legacy IAM system, which was also sitting in your data center.
What you had was mostly fine. It's hard to get investment in the digital transformation when things are static and mostly the same.
Then it wasn't the same.
Overnight your workforce moved out of the office, off your network to their homes. And, your corporate network was no more. The process now was remote.
I've repeatedly heard this story from many Security and IT leaders. Their world has suddenly changed overnight. A scramble began to build or upgrade the infrastructure needed to move their employees into a remote environment: they quickly spun up a VPN, or in some cases, they just open applications up to the Internet. They allowed users to roam beyond their castle walls and allowed access to data in ways that would have terrified them previously.
There Never Was a Castle Wall Around Your Data
I was having some fun in the intro, but most security professionals have had the realization that their networks were not fortresses. Unless you are able to disconnect your users from the Internet, then you were only ever one firewall rule change, misconfigured wireless access point, or a secret operations maintenance backdoor away from having unexpected and unmonitored remote access. If you issued Laptops, then unless you had locked in a mandatory full tunnel VPN, then your users were likely taking them home to work on the weekends, and you lost visibility into their activity "off-net."
The reality of Shadow IT in Enterprise environments is not new. People expect to move quickly, and if your infrastructure was static and restrictive, then likely your users had silently adopted a new cloud tool. This means that your data was being moved to unknown and unmonitored locations. Finding and curbing this has always been ongoing risk mitigation for IT and Security teams.
Remote Is Here to Stay So Make It Your Strength, Not Your Weakness
In the early months of this pandemic, we thought a lot of this new infrastructure would be temporary. But we already see a changing landscape for remote work. Twitter's announcement they would permanently move to a remote model received a lot of headlines, and they were quickly joined by a number of large companies, including Atlassian, that have made it clear that this will be their new normal.
This has always been our normal at Auth0, and, in fact, we viewed our remote workforce as a competitive advantage. We could find talent anywhere in the world, offer candidates real mobility and flexibility, and attract top talent who wanted to escape expensive tech centers. Employees had been identifying remote work as a key differentiating job perk before it became a necessity.
So, your security controls need to catch-up with this new reality. Remember, being nimble with your infrastructure and policy means you can now move at the speed of the Business. You can give them what they want!
A Remote Workforce Doesn’t Have to Reduce Your Security Posture, in Fact, the Opposite Is True as Long as You Put the Right Building Blocks in Place
This new environment changes your Threat Model and your risk. For example, a fundamental principle for our environment has always been that our employee laptops are never on a "safe" network. Sometimes, people are in the office, but likely they are at home or traveling. With this in mind, you harden them accordingly - making sure they are resistant to a colocated attacker and that you have deep visibility into their behavior.
The Zero Trust concept is itself maturing, and with NIST's publication of their Draft ZT Paper, an agreed definition of a Zero Trust Architecture (ZTA) is forming. This also clears the way for the Federal Government and risk-averse Enterprises to consider this approach. The security industry rallying around a standard approach is good for our users as we are all working together. And, to tie it back to our threat model, what this approach does is recognize that a lot of attacks are successful because that attacker is able to steal a credential and leverage it. So that an "outsider" immediately looks like an insider and is therefore trusted.
This puts authentication at the forefront of your security controls and further drives home that Identity is the perimeter. And, at a minimum, this means the building blocks of:
- Strong authentication, are you using multifactor authentication everywhere in your Enterprise? Preferably use a hardware token.
- Maintain an agile IAM solution that provides centralized SSO for all these new apps to be monitored and controlled.
2020 has forced some quick and reactive changes upon us. As we move forward, there should also be space for some positive security wins to come out of a terrible situation. This is the new normal, but we do have the building blocks to secure it, especially if you begin building with Identity at the heart of your Security Architecture.