The Drive for Zero Trust Security in a Global Pandemic
Exposing IT to Zero Trust
The Covid-19 pandemic has disrupted the traditional model of IT, forcing a move to remote working on an unprecedented scale. This is the reaction to what was termed the ‘new normal’ as a sudden unexpected step change to the way IT service in support of the business are provided. The trouble is the new normal has not been stable and further changes are likely. As a result of businesses’ adapting through flexible working it has become apparent that there are advantages to working this way. Consequently, there is no longer the same appetite to return to what many see as a dated way of working.
For IT systems, the new working environment should be considered as a move towards distributed working rather than remote working. There should be a mix of onsite and offsite collaboration through not only the provision of VPNs but through collaboration tools and digitisation of business functions. The IT infrastructure needs to be resilient to shock and segmentation. It needs to be agile and intrinsically future proof. It needs to be federated and coherent. But it also needs to be trusted.
There is then a mix of devices, potentially of mixed ownership, increasing in number as the business expands with reduced control of their state and where they are. The users are remote and work in a different way. Therefore, the users can be exposed to new risks, the devices may operate in a riskier environment, and there is less knowledge or control over the networks the users are using or where they are used. Even worse, the users are switching between home working to office working dynamically and they may be switching between networks as well.
The drive to Zero Trust though human factors and agile working
The commute has gone, for some but not for all. Work is now more dynamic with a mix of home working and office or factory working with social distancing in place. For some the change is more static finding oneself permanently at home or permanently at work. For others it is a mixture. For all, nothing about this is permanent. And that is the point. The psychological impact of this should not be underestimated.
This presents new challenges to the way people are managed and supported as well as new challenges to the individuals to be flexible and resilient. Support networks need to be in place and agile working must be embraced. The new routine becomes that of accepting the change and further change. Of being more “mobile” and getting used to using mobile technology to work remotely as well as onsite. Embracing the new norm of distributed working.
Devices may be lost or stolen, users are more likely to make a mistake when changing from home to work activities and could let in a virus, protecting data assets is more challenging because they don’t stay in one place. The psychological impact of the pandemic can mean that the user could be considered more vulnerable to a social engineering or phishing attack. The users’ new demands call for security that can be relied upon but at the same time is transparent and not dependent on the users to work.
Business structure and digitisation, the new Zero Trust landscape
With the evolution of computing the dream was to move away from the need for paper. Now the reality is the need to move away from the dependency on the office. Business functions have been progressively digitised over the years and now the digitisation must become more comprehensive as well as adaptable. The relationship between the structure of the business and that of the IT that supports it should be better aligned. So, the business structure should be agile and federated too but at the same time able to accommodate business functions that must be ‘onsite’. A holistic enterprise level review in the new environment becomes necessary as ad-hoc changes are made to survive. These need to be consolidated and embraced towards more resilient, agile and distributed business structure adopting the leading IT technologies, collaborative tools and digitisation of the business functions.
Components of the business become Zero Trust and not just the devices or even the users. Changes in the business landscape changes the threat surface. It is harder to architect the business for business continuity as different parts of the business are exposed to different levels of risk. For example, the information assets for different parts of the business carry different values. Embracing new tech solutions can introduces more vulnerabilities. Changes to the business structure and its digitisation introduces the potential for further security risks. Welcome to the dawn of Zero Trust as a security philosophy and an approach to the delivery of secure solutions.
Solutions for zero trust security
There are several practical steps organisations might take in adopting a ‘Zero Trust’ Architecture. These need to be holistic in nature and address the governance, process, human and technological aspects. A few of these are presented below:
- Understand the environment to assess controls and depth of defence
- Establish a trust model and review regularly against the business needs and risk appetite.
- Know your information and physical assets. Track their use.
- Structure your network into segments to incorporate manageable security zones
- Know your transaction flows. Identify who and what should be on the network.
- Architect your network to tag information assets validate them throughout the network.
Dan Patefield
Dan Patefield
Dan leads the techUK Cyber Security programme, having originally joined techUK in August 2017 as a Programme Manager working across the Cyber and Defence programmes. He is responsible for managing techUK's work across the cyber security eco-system, bringing industry together with key stakeholders across the public and private sectors. Dan also provides the industry secretariat for the Cyber Growth Partnership, the industry and Governmnet conduit for supporting growth across the sector. A key focus of his work is to strengthen the public-private partnership across cyber security to support further development of UK cyber security policy.
Before joining techUK he worked as Forum Lead for the Westminster eForum. In this role he had a focus on the technology and telecoms space, on issues ranging from Broadband and Mobile Infrastructure, the Internet of Things, Cyber Security, Data and diversity in tech. Dan has a BA in History from the University of Liverpool.
- Email:
- [email protected]
- Phone:
- 020 7331 2165
Jill Broom
Jill Broom
Jill is techUK’s Programme Manager for Cyber Security, working across the cyber eco-system to bring industry together with key stakeholders across the public and private sectors.
Prior to focusing in on techUK's cyber security work, Jill was also part of techUK's Central Government programme team, representing the supplier community of technology products and services to Whitehall departments.
Before joining techUK, Jill worked as a Senior Caseworker for an MP, advocating for local communities, businesses and individuals, so she is particularly committed to techUK’s vision of harnessing the power of technology to improve people’s lives. Jill is also an experienced editorial professional and has delivered copyediting and writing services for public-body and SME clients as well as publishers.
- Email:
- [email protected]
- Twitter:
- @honeybroom
- Website:
- www.techuk.org
- LinkedIn:
- https://www.linkedin.com/in/jill-broom-19aa824
Annie Collings
Annie Collings
Annie joined techUK as the Programme Manager for Cyber Security and Central Government in September 2023.
Prior to joining techUK, Annie worked as an Account Manager at PLMR Healthcomms, a specialist healthcare agency providing public affairs support to a wide range of medical technology clients. Annie also spent time as an Intern in an MPs constituency office and as an Intern at the Association of Independent Professionals and the Self-Employed.
Annie graduated from Nottingham Trent University, where she was an active member of the lacrosse society.
- Email:
- [email protected]
- Twitter:
- anniecollings24
- LinkedIn:
- https://www.linkedin.com/in/annie-collings-270150158/