
Why Zero Trust Access alone is not enough to protect remote work

by jcp

By Pete Smith, Vice President and General Manager EMEA of archTIS

As we emerge from the COVID-19-induced isolation of the past 12-18 months, a recent BBC survey of 50 of the UK’s biggest employers revealed that the majority plan to go forward with a mix of home and office working. Staff will most likely be asked to continue to work from home two to three days a week. It therefore looks as though the practice of remote work forced upon us by the pandemic is set to remain for the foreseeable future.

The mass switch to remote work that occurred during the first lockdown was quickly followed by a huge spike in the use of cloud-based collaboration tools like Microsoft 365, Teams and Zoom, and that level of use remains today. In the UK, 75 percent of organizations deployed Microsoft Teams despite its vulnerability to internal and external threats.

Limitations of Zero Trust Network Access

Everyone accepts that trusting remote workers to do the right thing is not viable for protecting company data. Consequently, we hear a lot about Zero Trust access to networks to support today’s distributed workforces. Although there is nothing wrong with this approach per se, it is worth remembering that Zero Trust Network Access (ZTNA) only secures access to the network and applications. It does nothing to protect the data itself.

It is all too easy for distributed workers using productivity tools to overstep their privileges and cause a data breach through negligence and oversharing. The recent breach of UK Special Forces personal data via WhatsApp is a case in point. In this instance, the personal details of 1,182 British soldiers were shared in a spreadsheet that was freely accessible to any member of the 80,000-strong British Army.

For all the productivity benefits of collaboration apps, an event like the UK Special Forces incident wipes out any gains in an instant. Insider threats using collaboration apps can stem from four categories of individual, namely overprivileged users, ordinary users/employees, contractors and suppliers. They may each be responsible for two kinds of threat: those that are accidental and those committed on purpose. According to the 2021 Verizon Data Breach Investigations Report, privilege abuse and data mishandling, such as emailing confidential information to the wrong distribution list, are a primary concern for companies with large numbers of remotely distributed employees.

A Change of Mindset is Required

To deal effectively with the insider threat made possible by online collaboration tools, organisations need a change of mindset. Rather than focusing solely on ZTNA, which applies policies and parameters around who can access which systems and applications, organisations should also extend the approach to the data layer. This would cover not only who can access what data, but also how they can use it and who they can share the information with. In other words, with a data-centric approach, threat protection runs from the inside out as opposed to the conventional outside-in model.

This inside-out approach can be achieved with attribute-based access control (ABAC). The ABAC security model considers both data and user attributes rather than applying a role-based principle of least privilege to determine access.

A data-centric security approach gives much more granular control. It analyses a given file’s security classification and permissions; user attributes like nationality and security clearance; and environmental attributes such as physical location, time of day and type of device used. Additional edit/copy/download and share restrictions may also be applied. Parameters may be adjusted in real time. If all conditions are met, access is granted. If not, access is either denied outright or a restricted view of the data is provided. As an example, if an authenticated user tries to access a sensitive file they have rights to, but it is outside of business hours or they are using a BYOD device in another country, then file access will be denied, effectively thwarting any attempt by hackers trying to gain access using stolen credentials.
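The decision described above can be sketched as a small policy function. This is an added example, not code from the article or from any vendor product. The attribute names, the classification levels, the 08:00-18:00 business-hours window and the rule that a single risk factor (BYOD or a foreign location) yields a view-only result are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import time

# Assumed classification ladder; unknown labels fail closed in both directions.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}
BUSINESS_HOURS = (time(8, 0), time(18, 0))  # assumed policy window
ALL_ACTIONS = frozenset({"view", "edit", "copy", "download", "share"})

@dataclass(frozen=True)
class Subject:          # user attributes
    clearance: str
    nationality: str

@dataclass(frozen=True)
class Resource:         # data attributes
    classification: str
    allowed_nationalities: frozenset
    home_country: str

@dataclass(frozen=True)
class Context:          # environmental attributes
    country: str
    local_time: time
    managed_device: bool

def decide(user, doc, ctx):
    """Return (decision, allowed_actions) for one access request."""
    deny = ("deny", frozenset())
    doc_level = LEVELS.get(doc.classification, max(LEVELS.values()))
    # User attributes are checked against the data's attributes, not a role.
    if LEVELS.get(user.clearance, -1) < doc_level:
        return deny
    if user.nationality not in doc.allowed_nationalities:
        return deny
    if doc_level >= LEVELS["confidential"]:
        start, end = BUSINESS_HOURS
        if not (start <= ctx.local_time < end):
            return deny                       # outside business hours
        byod = not ctx.managed_device
        abroad = ctx.country != doc.home_country
        if byod and abroad:
            return deny                       # BYOD device in another country
        if byod or abroad:
            # Assumed rule: one risk factor gives a restricted, view-only result.
            return ("restricted", frozenset({"view"}))
    return ("grant", ALL_ACTIONS)

# Constructed sample request: valid credentials, but 22:00 on a BYOD device abroad.
ANALYST = Subject(clearance="secret", nationality="GB")
REPORT = Resource("confidential", frozenset({"GB"}), home_country="GB")
STOLEN_SESSION = Context(country="FR", local_time=time(22, 0), managed_device=False)
```

With these constructed inputs, `decide(ANALYST, REPORT, STOLEN_SESSION)` returns a deny even though the user's own attributes satisfy the file's requirements, which is the stolen-credentials case the paragraph describes.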

The Future of Secure Remote Work

In summary, Zero Trust data protection is not simply a matter of role-based authentication. It extends to the data itself by applying granular controls at file level that automatically identify and classify sensitive, company-confidential information, strictly regulating and recording anyone who tries to access it. Organisations that deploy ABAC technology can at a stroke resolve the cybersecurity conundrum posed by cloud-based collaboration tools: how to support remote work and protect sensitive data against negligent users inviting anyone, inside or outside the organisation, to access and share privileged information.
