For millions, work used to be somewhere you go. Now it’s something you do. From an IT point of view, being unable to control the security of the remote working environment is a significant concern. The employee now sits at home on their laptop, connecting to business servers and applications through virtual private networks, remote desktop or using the cloud. This is all within the control of the IT security team.
However, what processes are run on the laptop, which other devices are connected to the home network, and the security of the employee’s Wi-Fi makes the environment a bit like the lawless Wild West. At the same time, hackers have upped their game, with a massive growth in both the quantity and sophistication of phishing, malware and user account compromise attacks.
Picture an apocalyptic landscape where the employee’s laptop is now teeming with hackers intent on stealing any locally saved data, then piggy-backing on the user’s live connections to business servers, extracting more information and maybe even deploying ransomware.
IT security challenge
A little fanciful perhaps, but cyber security must deal with this scenario. We have to assume that the remote network environment is hostile, and that the employee is deliberately or unwittingly a potential threat. Staff working from home unobserved are also more likely to have fewer scruples about stealing data.
Many organisations put their faith in full disk encryption to protect data, but once the employee’s laptop is running, the door is wide open to malware and access any file, fully decrypted.
Zero Trust is just ringfencing
Traditional security solutions were based on the concept of a finite network perimeter, but now that perimeter has changed exponentially. Today’s users and devices are everywhere and we can no longer base our security on the location from which an access request originates.
As a result, organisations have begun moving to a Zero Trust security model, which mandates a ‘never trust, always verify and enforce least privilege’ approach to access from both outside and inside the network. It starts with the idea that traffic inside the perimeter should be no more trusted than that outside of it. The model demands that all requests for network access should be verified and authenticated on a need to know basis and all traffic should be inspected and logged.
Using a Zero Trust approach starts with data classification and process mapping by asking, “if this device were compromised, what data and resources could it access and compromise?” This process is then repeated for every user and device connected to the network. Obviously, there are some limitations. If you restrict access too tightly, or take too long to verify the access request, you create bottle necks which can cripple networks. Also, there are other issues affecting confidentiality, integrity and availability of data which Zero Trust doesn’t address, including DDoS, human error, unintended consequences of patching or network problems.
While Zero Trust is still important, it has now become evident that this approach is no longer adequate alone, and the critical idea for the ‘next future’ is to drive security deep into the data itself.
It’s all about the data
A fundamental assumption on which the traditional approach to security is based is that you can keep the attackers out. This is simply not true, so there needs to be another way of protecting data. IT Security must rethink its traditional ‘castle and moat’ methods of protection and prioritise a ‘data centric’ approach, where security is built into data itself using file encryption. This way, if data is stolen, it remains protected and therefore useless to the thief – even if extracted by a member of staff.
Most data encryption solutions use a single decryption key, then rely on access management to control the visibility of data. While this in principle meets regulatory requirements to encrypt data it does nothing to prevent data theft through compromised user accounts or through malicious insiders.
Authenticated file encryption based on Public Key Infrastructure (PKI) means that each file can only be decrypted using individual keys held by authorised users. In this way, data cannot be decrypted by information thieves. PKI also allows for simple and natural file sharing across user groups, networks and in the cloud
Modern PKI-based file encryption techniques are designed to work completely seamlessly so that neither the application nor the legitimate user is aware of the security functions’ activity. This data centric approach is the only way to ensure data is 100% secure in use, in transit and while stored, and no matter where it gets copied.
Learning the lessons
The rapid roll-out of home working went well and home and remote networks have held up, employers have managed to support staff in this move and web conferencing has become second nature.
However, institutional lax attitudes towards data protection, the alleged Russian antics and Twitter’s woes all illustrate that data remains vulnerable. Add the insecure, uncontrolled environment of the home network and you have a recipe for data theft by both cybercriminals and rogue employees. While technologies such as identity management and Zero Trust rightly remain important, the focus for security must become data-centric. If security is built right into the data itself, then it will no longer matter when information is stolen – it will ultimately be useless to the thief.
Contributed by Nigel Thorpe, technical director, SecureAge