Remote work is here to stay for many businesses—and so are the cybersecurity risks that came along with the pandemic-fuelled changes to how and where employees work. Today, many employees split their time between working from home and the office or are back in the office full time. Understanding what employees are accessing, what devices they’re using, and from where they’re connecting are critical checkpoints to protect sensitive data and services.
The answer to enhancing cybersecurity in remote work environments could be the rising adoption of zero trust security. Our team supports our clients remotely, and we work hand-in-hand to ensure we meet their network and cybersecurity requirements 100% of the time, including clients who are implementing zero trust.
What is zero trust security?
Zero trust is an interesting term—especially for BitBakery, since our tagline is “trusted outsource development.” But zero trust isn’t about not trusting anything or anyone. Instead, the framework is built around the idea that validating the network is no longer enough. Zero trust means authenticating:
- The user
- The device they’re connecting from
- The application they’re attempting to use
- The data they’re trying to access
Here’s an example—a remote employee needs to commit a pull request to a self-hosted GitHub Enterprise instance. In legacy security models, they might VPN into the network, authenticate using single sign-on (SSO) to the network, and then do their work.
In the zero trust model, the employee might still connect using VPN, but there would be additional checks:
- The device they are connecting from is verified.
- They authenticate on the network.
- They authenticate that they can access the internal GitHub instance.
- Lastly, there’d be an additional check that they are allowed to make the pull request they’re attempting to do.
Zero trust goes beyond SSO and VPNs
Our CTO, Joe Reda, said zero trust is a sensible and powerful evolution of traditional perimeter-based systems like virtual private networks (VPNs).
Zero trust also improves upon many of the limitations of VPNs, including better performance and reliability.
“Everybody hates VPNs. Employees—especially remote employees—don’t want to use a VPN. They’re very expensive, they cause slow downs on the network, and they only provide one layer of protection,” Reda said.
Reda added that VPNs still have their uses in environments like public WiFi or in a foreign country where the internet may not be safe.
“In the old days, a lot of enterprises would say if you’re on our network, you have access to everything. That was great, but it’s also very easy to find vulnerabilities,” Reda said. “Zero trust is the idea that even if you are in a most trusted location, you are not trusted. You still have to authenticate yourself. It is really smart and it’s the way things should be.”
Zero trust is more than authentication
Reda said that another part of zero trust that adds to its impressive security is the use of device posture checks. This process involves authenticating the user and their device—and then going a step further to ensure that their device is configured correctly for what the employee is attempting to do.
“Device posture checks can check the serial number of the device. They can verify you have the appropriate antivirus solution installed and that your hard disk is encrypted,” Reda said. “Zero trust is not simply about authentication—it’s also ensuring that you’re using the correct settings and software on the device.”
Reda added that zero trust could prevent the exploitation of many traditional security vulnerabilities. These include compromised user credentials, using stolen devices to access a network, and ensuring that a user is only accessing the systems or data they need access to.
That last example is a significant source of cybersecurity issues. According to the 2021 Data Breach Investigations Report from Verizon, 30% of breaches involved employees accessing systems to which they were not supposed to have access.
Your organization may already be meeting some of the zero trust requirements. Reda said that cloud-based organizations without intranets could essentially be zero trust already. Our team uses multi-factor authentication to access our cloud-based services, regardless of where we are working.
“There’s no place you can be where you have access to things just because you’re there,” Reda added.
Ready to learn more about how we can provide trusted outsourced development using zero trust? Contact us today.