Forward-thinking companies were already exploring work-from-anywhere practices before the Covid-19 pandemic. However, the lockdown thrust the challenges of working remotely onto every company operating online, with over 58% of employees working on a hybrid basis. Hybrid working is a flexible working model where employees work partly in the office and partly in a remote workspace.
This rapid change put stress on company security practices designed with traditional models.
Zero Trust providers, like Perimeter 81, are replacing these outdated models with robust security architectures. In this guide, we look at Zero Trust and how it should be considered essential for a company shifting to hybrid work.
How does traditional network security design work?
There are many ways to design security for your company’s critical assets. In general, traditional security models distinguish between internal and external networks, with everything on the internal network being trusted to access everything else on the internal network.
While far from perfect, this wasn’t a huge issue when employees were required to work in the office, as malicious use necessitated physical access to the building.
Remote access was mostly performed using a virtual private network (VPN). By connecting through a VPN, the remote user gains complete access to the company intranet and can run applications as if their device was plugged in there.
Again, this served its purpose for small-scale use but it doesn’t offer the flexibility large-scale remote work requires.
What are the flaws in this system?
Several issues with this model should be apparent. Firstly, if a remote machine is compromised, the malicious user will have complete access to all of your company’s network.
Secondly, low-level employees shouldn’t be granted access to everything on the company network. You should be able to control the specifics of which business assets each user can access and which they can’t. Using just the traditional network tools at your disposal, it’s very difficult to set different user permissions for each employee.
Thirdly, this design presumes all vital company assets are situated in one place. As soon as resources are stored in multiple data centers, on cloud infrastructure, or cached worldwide, secure access to these resources can’t be easily managed.
VPNs also don’t scale well because all traffic needs to be routed through a single server. When you have tens, hundreds, or thousands of employees worldwide, all requiring access to your critical business assets, using a VPN can cause a huge bottleneck, and application performance suffers greatly.
How is Zero Trust different?
Zero Trust is a policy where no user or device is implicitly considered trustworthy. This is in stark contrast to the traditional model outlined above.
A Zero Trust framework assumes there are no traditional network perimeters. Instead of a network perimeter, access controls are managed on a per-device, per-user basis. Users and devices are constantly monitored and checked to ensure they continue to meet the security rules you define. Users’ access is limited to the authorization required to perform their necessary tasks.
Building networks and applications with a never trust, always verify principle may initially sound like a headache, but when you have that strong foundation in place, so many of your other security challenges become much easier to solve.
Zero Trust and hybrid work
Hybrid working changed the security threat landscape. Beyond all the issues that remote work has, hybrid work (where employees work remotely and then bring their devices to work) has additional security concerns.
Employees can use devices inside and outside the premises, and poor security hygiene can result in compromised laptops being plugged into the company network. This can be devastating if your company allows broad access to all resources to computers on the network.
Zero Trust virtually eliminates this issue, as a computer plugged into the company intranet isn’t implicitly trusted.
Companies were forced to move exceptionally quickly toward hybrid work because of the pandemic, and cybercriminals quickly took advantage. As a result, ransomware and other malware have been a massive issue.
Zero Trust solutions are often designed to monitor all devices for such problems and automatically deny access to company resources if security protocols have not been followed.
Implementing Zero Trust in a hybrid environment
By moving away from the traditional perimeter-based model, you can better secure resources on other networks. Once authenticated by your Zero Trust system, remote workers can access your resources stored on cloud networks. Zero Trust enables you to secure every element of your business, no matter where it is located.
With Zero Trust in place, you can more easily move business resources to the cloud. Your employees will use a single authentication system, making things more straightforward and less error-prone. And, because network traffic no longer needs to be routed through a single access point, applications can run faster and be more responsive for your employees.
Implementing Zero Trust without disrupting your business requires rolling it out in stages. Protecting your business-critical assets is the priority. Examining all the users, devices, and applications in your business and how they work together will allow you to build access policies for every element, and develop a much more robust and versatile security policy.
Hybrid work represents a fundamental change in how we do business and creates additional security challenges for companies. Zero Trust tackles these concerns by setting security to be strong across the board, no matter where an employee is located.
For more information on hybrid work, check out what hybrid work is, how hybrid work is changing the employee experience, and some of the best hybrid working tech you can buy.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Richard brings over 20 years of website development, SEO, and marketing to the table. A graduate in Computer Science, Richard has lectured in Java programming and has built software for companies including Samsung and ASDA. Now, he writes for TechRadar, Tom's Guide, PC Gamer, and Creative Bloq.