
Why Zero Trust Access alone is not enough to protect remote work

by jcp

By Pete Smith, Vice President and General Manager EMEA of archTIS

As we emerge from the COVID-19 induced isolation of the past 12-18 months, a recent BBC survey of 50 of the UK’s biggest employers revealed that the majority plan to go forward with a mix of home and office working. Staff will most likely be asked to continue to work from home two to three days a week. It therefore looks as though the practice of remote work forced upon us by the pandemic is set to remain for the foreseeable future.

The mass switch to remote work that occurred during the first lockdown was quickly followed by a huge spike in the use of Cloud-based collaboration tools like Microsoft 365, Teams and Zoom that remains today. In the UK 75 percent of organizations deployed Microsoft Teams despite their vulnerability to internal and external threats.

Limitations of Zero Trust Network Access

Everyone accepts that trusting remote workers to do the right thing is not viable for protecting company data. Consequently, we hear a lot about Zero Trust access to networks to support today’s distributed workforces. Although there is nothing wrong with this approach per se it is worth remembering that Zero Trust Network Access (ZTNA) only secures access to the network and applications. It does nothing to protect the data itself.

It is all too easy for distributed workers using productivity tools to overstep their privileges and cause a data breach through negligence and oversharing. The recent breach of UK Special Forces personal data via WhatsApp is a case in point. In this instance the personal details of 1,182 British soldiers were shared in a spreadsheet that was freely accessible to any member of the 80,000 strong British Army.

For all the productivity benefits of collaboration apps, an event like the UK Special Forces incident wipes out any gains in an instant. Insider threats using collaboration apps can stem from four categories of individual, namely overprivileged users, ordinary users/employees, contractors and suppliers. They may each be responsible for two kinds of threat – those that are accidental and those committed on purpose. According to the 2021 Verizon Data Breach Investigations Report, privilege abuse and data mishandling, such as emailing confidential information to the wrong distribution list, are a primary concern for companies with large numbers of remotely distributed employees.

A Change of Mindset is Required

To deal effectively with the insider threat made possible by online collaboration tools, organisations need a change of mindset. Rather than solely focus on ZTNA, which applies policies and parameters around who can access which systems and applications, organisations should also extend the approach to the data layer. This would not only cover who can access what data, but also how they can use it and who they can share the information with. In other words, with a data-centric approach threat protection runs from the inside out as opposed to the conventional outside-in model.

This inside out approach can be achieved with attribute-based access control (ABAC). The ABAC security model considers both data and user attributes rather than applying a role-based principle of least privilege to determine access.

A data-centric security approach gives much more granular control. It evaluates a given file’s security classification and permissions, user attributes like nationality and security clearance, and environmental attributes such as physical location, time of day and type of device used. Additional edit/copy/download and share restrictions may also be applied, and parameters may be adjusted in real time. If all conditions are met, access is granted. If not, access is either denied outright or a restricted view of the data is provided. As an example, if an authenticated user tries to access a sensitive file they have rights to, but it is outside of business hours or they are using a BYOD device in another country, then file access will be denied – effectively thwarting any attempt by attackers to gain access using stolen credentials.
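The decision logic described above, as an added illustration that is not code from the article or from archTIS: a small ABAC evaluator that combines data attributes (classification, who holds rights to the file), user attributes (clearance, nationality) and environmental attributes (location, time of day, managed versus BYOD device) into a single allow / restricted-view / deny decision, and records every attempt. The attribute schema, the clearance ranking, the business-hours window and the rule that a BYOD device in the user's home country gets a view-only result are assumptions made for this example; the sample users and file are constructed.

```python
from dataclasses import dataclass
from datetime import time

# Assumed attribute schema for this example. The article names the attribute
# categories (data, user, environment) but does not prescribe a schema.

@dataclass(frozen=True)
class Resource:
    name: str
    classification: str              # e.g. "official", "secret"
    permitted_users: frozenset       # user ids that hold rights to the file
    allowed_nationalities: frozenset

@dataclass(frozen=True)
class Subject:
    user_id: str
    nationality: str
    clearance: str
    home_country: str

@dataclass(frozen=True)
class Environment:
    country: str           # where the request originates
    local_time: time
    device_managed: bool   # False means a BYOD device

CLEARANCE_RANK = {"official": 0, "secret": 1, "top_secret": 2}   # assumed
BUSINESS_HOURS = (time(8, 0), time(18, 0))                        # assumed
FULL_ACCESS = frozenset({"view", "edit", "copy", "download", "share"})
VIEW_ONLY = frozenset({"view"})


def decide(subject, resource, env, audit=None):
    """Evaluate data, user and environmental attributes together.

    Returns (decision, permitted_actions, reason) where decision is
    "allow", "restricted" or "deny". When an `audit` list is supplied,
    every evaluation is appended to it, so attempts are recorded as
    well as regulated.
    """
    def record(decision, actions, reason):
        if audit is not None:
            audit.append({"user": subject.user_id, "file": resource.name,
                          "decision": decision, "reason": reason})
        return decision, actions, reason

    # Data attributes: does the user hold rights to this file at all?
    if subject.user_id not in resource.permitted_users:
        return record("deny", frozenset(), "no rights to this file")
    # User attributes: clearance and nationality against the classification.
    if CLEARANCE_RANK.get(subject.clearance, -1) < CLEARANCE_RANK[resource.classification]:
        return record("deny", frozenset(), "clearance below classification")
    if subject.nationality not in resource.allowed_nationalities:
        return record("deny", frozenset(), "nationality not permitted")
    # Environmental attributes: time of day, location and device type.
    start, end = BUSINESS_HOURS
    if not (start <= env.local_time <= end):
        return record("deny", frozenset(), "outside business hours")
    if not env.device_managed and env.country != subject.home_country:
        return record("deny", frozenset(), "BYOD device used from another country")
    if not env.device_managed:
        # Conditions only partly met: a restricted view instead of full access (assumed rule).
        return record("restricted", VIEW_ONLY, "unmanaged device: view only")
    return record("allow", FULL_ACCESS, "all conditions met")


# Constructed sample data covering the scenarios in the article.
PLAN = Resource("q3-plan.xlsx", "secret", frozenset({"alice"}), frozenset({"GB"}))
ALICE = Subject("alice", "GB", "secret", "GB")
SCENARIOS = {
    "office_in_hours": Environment("GB", time(10, 30), True),
    "office_after_hours": Environment("GB", time(22, 15), True),
    "byod_abroad": Environment("FR", time(10, 30), False),
    "byod_at_home": Environment("GB", time(10, 30), False),
}

if __name__ == "__main__":
    log = []
    for label, env in SCENARIOS.items():
        print(label, "->", decide(ALICE, PLAN, env, log))
    print(len(log), "access attempts recorded")
```

The point of the structure is that holding rights to the file is necessary but never sufficient: the same authenticated user gets full access, a view-only rendering, or a denial depending on the environmental attributes, and a stolen credential used at the wrong time, place or device fails the same checks.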

The Future of Secure Remote Work

In summary, Zero Trust data protection is not simply a matter of role-based authentication. It extends to the data itself by applying granular controls at file level that automatically identify and classify sensitive, company-confidential information, and strictly regulate and record anyone who tries to access it. Organisations that deploy ABAC technology can at a stroke resolve the cybersecurity conundrum posed by cloud-based collaboration tools: namely, how to support remote work while protecting sensitive data against negligent users inviting anyone – inside or outside the organisation – to access and share privileged information.
