How can SMBs efficiently move towards Zero Trust?


Zero Trust security reimagines how we both detect and prevent breaches of company data. The traditional siege mentality of raising the drawbridge and securing the castle walls against external threats is replaced by a model that monitors not only those outside the business, but those within it. For an SMB this can be a difficult proposition: data that was historically protected by one perimeter-wide blanket of security now needs to be monitored at a granular level, with every attempted login evaluated against a set of signals (who the user is, what device they are on, what they are asking for) that extend well beyond simply checking the source IP address.

Ensuring Zero Trust on a limited budget

It is this more thorough approach that throws up the first real problem for SMBs when it comes to efficiently implementing a Zero Trust system: time and money. At its core, Zero Trust relies on least-privilege access controls that can be difficult to implement and to keep monitoring on an ongoing basis. Legacy systems and a wide range of stakeholders all contribute to a landscape that is hard to adapt to this new way of approaching security. Large enterprises have the resources to invest in custom integration projects and the knowledge to effectively adopt software such as Identity and Access Management products from vendors like Okta, or endpoint management products like JumpCloud and Jamf. But many SMBs and startups struggle to justify the time and money needed to implement these tools and then manage them on an ongoing basis. It is often an imminent requirement for a security certification such as ISO 27001 that forces them into adopting these tools, although it would be in their best interest to do so much earlier.

The answer may instead lie in a different approach. There is a new generation of software emerging which aims to overhaul employee management. These products not only act as the system of record for HR processes, but also handle access and device management in a seamless manner; the two being inextricably linked when it comes to knowing which employees should be accessing data. 

Managing outgoing employees

Perhaps the most obvious immediate application (and challenge) of Zero Trust for an SMB, considering the fallout from the pandemic, is how to effectively manage the privileges of former employees. More than one in four employees in the UK were furloughed over the last two years, with 8% of these not returning to their employer once furlough ended. If the access credentials of these former employees are not terminated along with their contracts, they can still reach potentially sensitive data. In fact, a recent study found that, on average, more than 80% of former employees retain access to at least one sensitive business system after they have left their role. That may be only a fraction of the systems used by a large enterprise, but for a smaller SMB a single lingering account can be a critical exposure.

Optimizing for simplicity

By adopting next-generation systems which fuse access management into HR processes, employees are automatically granted baseline access rights when they join the company, have their privileges reviewed when they are promoted, suspended when they go on parental leave, and removed when they eventually leave the company. Matching a user's privilege lifecycle to their employment lifecycle (joiner, mover, leaver) already takes care of a big part of the risk posed by employees. Furthermore, as most major business systems such as Google Workspace, Salesforce and GitHub can be connected to these platforms in a matter of seconds, access to the majority of sensitive company data can be monitored in real time, and privileges for individuals or groups of employees can be adjusted across several systems in just a few clicks.

Unification reduces friction between admins and users

Single-system platforms capable of unifying employee data and operations across HR and IT also simplify the human process behind access management. A least-privilege approach creates administrative complexity and can lead to friction between users and admins. Users have to interrupt admins to ask for access, and admins have to assess each request, monitor access and manually change user accounts when needed. This setup not only wastes a lot of time, but can also make users uncomfortable, particularly in a remote setting. A unified approach means users can request access to any company system directly via their employee portal, and admins or their managers can approve or deny in one click. When the admin of a system is leaving the company, the offboarding flow automatically flags that ownership should be transferred to another user so the company is not locked out of its own system.
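The joiner/mover/leaver logic described in the two sections above, as an added example rather than code from the article or from Zelt: an HR record set is treated as the system of record, each connected system's current grants are diffed against the entitlements each active employee should hold, and any admin or owner role being revoked with no remaining admin on that system is flagged for ownership transfer before removal. The role-to-entitlement matrix, the employee and grant records and the system names are all constructed for illustration; a contract end date that has passed is treated as a leaver even if HR has not yet flipped the status, which is exactly the gap that leaves former employees with access.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical role -> system -> roles matrix (constructed for this example).
ROLE_ENTITLEMENTS: Dict[str, Dict[str, Set[str]]] = {
    "engineer": {"github": {"member"}, "workspace": {"user"}},
    "sales": {"salesforce": {"user"}, "workspace": {"user"}},
    "it_admin": {"github": {"owner"}, "workspace": {"admin"}, "salesforce": {"admin"}},
    "workspace_admin": {"workspace": {"admin"}},
}
ADMIN_ROLES = {"owner", "admin"}


@dataclass(frozen=True)
class Employee:
    email: str
    role: str
    status: str  # "active", "leave" or "left" as recorded by HR
    end_date: Optional[date] = None  # contract end, if one is recorded


@dataclass(frozen=True)
class Grant:
    system: str
    principal: str  # e-mail used as the cross-system identity
    role: str


def is_active(emp: Employee, today: date) -> bool:
    """Leaver rule: not active once HR says so, OR once the contract end date has passed."""
    if emp.status != "active":
        return False
    return emp.end_date is None or emp.end_date > today


def desired_grants(emp: Employee, today: date) -> Set[Tuple[str, str]]:
    """Joiner/mover rule: an active employee holds exactly their role's entitlements;
    someone on leave or who has left holds none (suspended / removed)."""
    if not is_active(emp, today):
        return set()
    return {(system, role)
            for system, roles in ROLE_ENTITLEMENTS.get(emp.role, {}).items()
            for role in roles}


def reconcile(hr: List[Employee], current: List[Grant], today: date):
    """Return (to_grant, to_revoke, ownership_flags) as sorted lists.
    Grants held by principals unknown to HR are revoked as orphans."""
    actual = {(g.system, g.principal, g.role) for g in current}
    wanted = {(s, e.email, r) for e in hr for (s, r) in desired_grants(e, today)}
    to_grant = sorted(wanted - actual)
    to_revoke = sorted(actual - wanted)
    # Offboarding check: revoking the last admin/owner on a system locks the
    # company out, so flag it for ownership transfer before the revoke runs.
    remaining_admins: Dict[str, Set[str]] = {}
    for (s, p, r) in wanted:
        if r in ADMIN_ROLES:
            remaining_admins.setdefault(s, set()).add(p)
    flags = sorted(
        f"{s}: transfer ownership from {p} before revoking {r}; no remaining admin"
        for (s, p, r) in to_revoke
        if r in ADMIN_ROLES and not remaining_admins.get(s)
    )
    return to_grant, to_revoke, flags


# Constructed sample data: bob's contract ended yesterday, carol is on leave,
# dave joined but has no grants yet, eve is unknown to HR, frank is the only
# remaining Workspace admin.
HR = [
    Employee("alice@example.com", "engineer", "active"),
    Employee("bob@example.com", "it_admin", "active", end_date=date(2022, 3, 31)),
    Employee("carol@example.com", "sales", "leave"),
    Employee("dave@example.com", "engineer", "active"),
    Employee("frank@example.com", "workspace_admin", "active"),
]
CURRENT_GRANTS = [
    Grant("github", "alice@example.com", "member"),
    Grant("workspace", "alice@example.com", "user"),
    Grant("github", "bob@example.com", "owner"),
    Grant("workspace", "bob@example.com", "admin"),
    Grant("salesforce", "bob@example.com", "admin"),
    Grant("salesforce", "carol@example.com", "user"),
    Grant("workspace", "carol@example.com", "user"),
    Grant("github", "eve@example.com", "member"),
    Grant("workspace", "frank@example.com", "admin"),
]

if __name__ == "__main__":
    grant, revoke, flags = reconcile(HR, CURRENT_GRANTS, date(2022, 4, 1))
    print("grant:", grant)
    print("revoke:", revoke)
    print("flags:", flags)
```

Run on the sample data, the reconciliation grants dave his two baseline entitlements, revokes all six grants held by bob, carol and eve, leaves frank alone, and flags bob's GitHub owner and Salesforce admin roles (but not his Workspace admin role, since frank remains) for transfer before they are removed. In a real deployment the revoke list would be pushed to each system's provisioning API and the flags routed to the offboarding approver.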

Device management becoming a must-do

Even the most sophisticated access control system for company apps is rendered useless if employees use them from an unencrypted laptop without a password. One of the biggest sources of data breaches is lost or stolen employee devices that are not properly secured. By connecting company devices to a unified employee platform, endpoint encryption and password policies can be enforced automatically and antivirus software installed, dramatically reducing the risk of a lost device or malware causing a breach or ransomware attack. Such systems are easily rolled out but, of course, they still require all employees to at least understand why and how these Zero Trust policies are enforced.
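A device posture check of the kind the paragraph above describes, as an added example that is not code from the article or from any named vendor: inventory records from an endpoint management platform are evaluated against an encryption, screen-lock, passcode and antivirus policy, and only devices with no failures are allowed to reach company apps. Two cases a practitioner would want handled are included: a device that has been reported lost is blocked regardless of its last posture, and a posture report older than a threshold is treated as unverified rather than compliant. The record fields, thresholds and timestamps are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Hypothetical policy thresholds (constructed for this example).
MAX_POSTURE_AGE = timedelta(hours=24)  # older reports cannot be trusted
MIN_PASSCODE_LENGTH = 8


def evaluate_device(dev: Dict, now: datetime) -> List[str]:
    """Return the list of policy failures for one device; empty means compliant."""
    failures: List[str] = []
    reported = datetime.fromisoformat(dev["last_checkin"])
    if now - reported > MAX_POSTURE_AGE:
        # Stale posture: nothing below can be relied on, so the device fails
        # even if the last known values looked fine.
        failures.append("posture_stale")
    if dev.get("reported_lost"):
        failures.append("reported_lost")
    if not dev.get("disk_encrypted"):
        failures.append("disk_not_encrypted")
    if not dev.get("screen_lock"):
        failures.append("no_screen_lock")
    if dev.get("passcode_min_length", 0) < MIN_PASSCODE_LENGTH:
        failures.append("weak_passcode_policy")
    if not dev.get("av_installed"):
        failures.append("no_antivirus")
    return failures


def compliance_report(devices: List[Dict], now: datetime) -> Dict[str, List[str]]:
    """Map each device id to its failures."""
    return {d["id"]: evaluate_device(d, now) for d in devices}


def allowed_devices(devices: List[Dict], now: datetime) -> List[str]:
    """Device ids that may be granted access to company apps right now."""
    return sorted(i for i, f in compliance_report(devices, now).items() if not f)


# Constructed inventory: one compliant laptop, one with encryption and screen
# lock off, one whose last report is a month old, and one reported lost.
NOW = datetime(2022, 4, 1, 9, 0, tzinfo=timezone.utc)
DEVICES = [
    {"id": "laptop-01", "last_checkin": "2022-04-01T08:00:00+00:00",
     "disk_encrypted": True, "screen_lock": True, "passcode_min_length": 12,
     "av_installed": True, "reported_lost": False},
    {"id": "laptop-02", "last_checkin": "2022-04-01T07:30:00+00:00",
     "disk_encrypted": False, "screen_lock": False, "passcode_min_length": 10,
     "av_installed": True, "reported_lost": False},
    {"id": "laptop-03", "last_checkin": "2022-03-01T08:00:00+00:00",
     "disk_encrypted": True, "screen_lock": True, "passcode_min_length": 12,
     "av_installed": True, "reported_lost": False},
    {"id": "laptop-04", "last_checkin": "2022-04-01T08:45:00+00:00",
     "disk_encrypted": True, "screen_lock": True, "passcode_min_length": 4,
     "av_installed": False, "reported_lost": True},
]

if __name__ == "__main__":
    for device_id, failures in compliance_report(DEVICES, NOW).items():
        print(device_id, "OK" if not failures else ", ".join(failures))
    print("allowed:", allowed_devices(DEVICES, NOW))
```

Only laptop-01 is allowed on this inventory. The staleness rule is the one most often missing from home-grown checks: a device that stopped reporting a month ago may have been wiped, re-imaged or sold, and its last good report says nothing about its state today.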

In essence, Zero Trust can only be efficient in an SMB if there are wholesale cultural changes in the way security is viewed. For the employer, this means ensuring that security measures are fully transparent and homogeneous across the entire organization. A unified employee management system is a great start. Education and training will also play a role: educating employees on how to incorporate a Zero Trust approach and the reasons for doing so, and reassuring them that the shift from "trust but verify" to "never trust, always verify" is about preventing security breaches rather than scrutinizing the workforce.

With that in mind, employees must understand that more limited (or more specific) data access is in their best interest. Security ecosystems will need to evolve constantly to protect against new threats, but it still requires cooperation from top to bottom for an SMB to deploy Zero Trust effectively.

Chris Priebe

Chris Priebe, CEO, Zelt.