Home offices have posed a security challenge for many enterprises, requiring IT professionals to rethink their overall network strategy and embrace a Zero Trust approach.
Securing a suddenly all-remote contingent of knowledge workers was an ongoing effort over the past couple of years, and the job of tightening up that security posture will continue post-pandemic, according to two enterprise security experts who took part in a session I moderated in the recent Interop virtual event, Future Proofing IT for the Hybrid Workforce.
“A lot of people relaxed a lot of security standards as they pushed the employees out,” said John Cavanaugh, VP and CTO at NetCraftsmen consultancy. “[Now] how do I deal with the plethora of equipment that’s deployed in people’s homes, and the risks associated with that?”
In particular, Cavanaugh and the session’s other panelist, Peter Newton, senior director at Fortinet, highlighted the home broadband router as a point of concern. Both suggested enterprises should take more active steps in securing this device.
Fortinet’s answer is a joint venture with Linksys that has created a router that can segment the home network into two virtual networks, one for the employee’s personal systems and one managed and secured by their employer’s IT organization. The device not only provides security; it also lets the user manage bandwidth allocation to the two virtual networks to optimize application performance.
“The personal home network remains private and confidential, the employee manages that network, and everything they want to do is up to them,” Newton explained.
Kavanaugh endorsed the idea of enterprises taking greater control over the home router. Without spelling out the specifics of a preferred approach, he said companies should hearken back to the earliest days of work-from-home, when some enterprises insisted that remote workers use a company-owned and -controlled edge device. While Kavanaugh wouldn’t say organizations should revert all the way to this position, he said, “I think we need to go back a little bit to that, just to have a little bit more control over it.”
Both speakers agreed that the broader answer to the challenge of security for remote workers comes in two words: Zero Trust.
So, what exactly is Zero Trust in the context of remote access and communications? At Enterprise Connect 2022, Beth English, founder and lead consultant at EE and Associates, led a session in which she spelled out some of the key attributes of Zero Trust:
- A framework that assumes no traditional network edges
- It shifts access controls from the perimeter to devices and users
- Allows for work securely without the need for a traditional VPN
- A strategic approach to cybersecurity that eliminates implicit trust
- The principle of never trust, always verify
- Encompasses users, applications, and infrastructure
- Comprehensive vision and plan
- Continuously validate at every stage of interaction
- Includes response plan
As Cavanaugh and Newton explained, Zero Trust relies on features that extend security from the enterprise perimeter out to the individual user, regardless of that user’s location. At the same time, it seeks to unburden the user of some of the traditional efforts that made security inconvenient and less likely to be used consistently by the end user. For example, the introduction of automatic encrypted tunnels eliminates the need for end users to sign into a VPN each time they log onto the network, while multi-factor authentication (MFA) can help eliminate passwords — both of which can create friction for the end user.
“Zero Trust is not a product that you go out and buy and say, ‘Hey, now I’ve got Zero Trust,’” Newton said. “It really requires a shift in thinking and in your approach overall to cybersecurity.”