20 Apr 2021

The Drive for Zero Trust Security in a Global Pandemic

Guest blog: Dr David Robinson from Atkins as part of our #Cyber2021 week.

Exposing IT to Zero Trust

The Covid-19 pandemic has disrupted the traditional model of IT, forcing a move to remote working on an unprecedented scale. This is the reaction to what was termed the ‘new normal’ as a sudden unexpected step change to the way IT service in support of the business are provided. The trouble is the new normal has not been stable and further changes are likely. As a result of businesses’ adapting through flexible working it has become apparent that there are advantages to working this way. Consequently, there is no longer the same appetite to return to what many see as a dated way of working.

For IT systems, the new working environment should be considered as a move towards distributed working rather than remote working. There should be a mix of onsite and offsite collaboration through not only the provision of VPNs but through collaboration tools and digitisation of business functions. The IT infrastructure needs to be resilient to shock and segmentation. It needs to be agile and intrinsically future proof. It needs to be federated and coherent. But it also needs to be trusted.

There is then a mix of devices, potentially of mixed ownership, increasing in number as the business expands with reduced control of their state and where they are. The users are remote and work in a different way. Therefore, the users can be exposed to new risks, the devices may operate in a riskier environment, and there is less knowledge or control over the networks the users are using or where they are used. Even worse, the users are switching between home working to office working dynamically and they may be switching between networks as well.

The drive to Zero Trust though human factors and agile working

The commute has gone, for some but not for all. Work is now more dynamic with a mix of home working and office or factory working with social distancing in place. For some the change is more static finding oneself permanently at home or permanently at work. For others it is a mixture. For all, nothing about this is permanent. And that is the point. The psychological impact of this should not be underestimated.

This presents new challenges to the way people are managed and supported as well as new challenges to the individuals to be flexible and resilient. Support networks need to be in place and agile working must be embraced. The new routine becomes that of accepting the change and further change. Of being more “mobile” and getting used to using mobile technology to work remotely as well as onsite. Embracing the new norm of distributed working.

Devices may be lost or stolen, users are more likely to make a mistake when changing from home to work activities and could let in a virus, protecting data assets is more challenging because they don’t stay in one place. The psychological impact of the pandemic can mean that the user could be considered more vulnerable to a social engineering or phishing attack. The users’ new demands call for security that can be relied upon but at the same time is transparent and not dependent on the users to work.

Business structure and digitisation, the new Zero Trust landscape

With the evolution of computing the dream was to move away from the need for paper. Now the reality is the need to move away from the dependency on the office. Business functions have been progressively digitised over the years and now the digitisation must become more comprehensive as well as adaptable. The relationship between the structure of the business and that of the IT that supports it should be better aligned. So, the business structure should be agile and federated too but at the same time able to accommodate business functions that must be ‘onsite’. A holistic enterprise level review in the new environment becomes necessary as ad-hoc changes are made to survive. These need to be consolidated and embraced towards more resilient, agile and distributed business structure adopting the leading IT technologies, collaborative tools and digitisation of the business functions.

Components of the business become Zero Trust and not just the devices or even the users. Changes in the business landscape changes the threat surface. It is harder to architect the business for business continuity as different parts of the business are exposed to different levels of risk. For example, the information assets for different parts of the business carry different values. Embracing new tech solutions can introduces more vulnerabilities. Changes to the business structure and its digitisation introduces the potential for further security risks. Welcome to the dawn of Zero Trust as a security philosophy and an approach to the delivery of secure solutions.

Solutions for zero trust security

There are several practical steps organisations might take in adopting a ‘Zero Trust’ Architecture. These need to be holistic in nature and address the governance, process, human and technological aspects. A few of these are presented below:

Understand the environment to assess controls and depth of defence
Establish a trust model and review regularly against the business needs and risk appetite.
Know your information and physical assets. Track their use.
Structure your network into segments to incorporate manageable security zones
Know your transaction flows. Identify who and what should be on the network.
Architect your network to tag information assets validate them throughout the network.