SolarWinds
The consumerization of IT has eroded the traditional line between "work" and "play." Propelled by the bring-your-own-device (BYOD) era, our personal devices are commonly used for work.
This is especially true as more companies embrace the flexibility of working remotely, and as new devices and networks are used for work purposes. Personal smartphones are loaded with business email accounts, and personal computers and laptops used for remote work have business software, email, and documentation that may contain confidential information.
To top it all off, we aren't just using work devices in the office. We're using them on airplanes, at client offices, in coffee shops, and at home. All this means that the idea that protecting a perimeter is outdated. Instead, as "the workplace" becomes impossible to define as a physical location, technology professionals and IT teams must shift from managing devices to managing people, in order to stay one step ahead.
Protect the Crown Jewels
One easy way to begin implementing this new risk management strategy is to follow the Pareto principle (also known as the 80/20 rule), where companies treat 80% of the people one way while treating the riskier 20% of users with a higher level of security. Access should only be allowed via corporate devices, where multifactor authentication is mandatory, behavioral analytics is applied, and full auditing must be carried out regularly.
If a person within an organization has the keys to the kingdom, it's crucial to make sure that their device isn't dirty, the network isn't compromised, and activity is completely monitored. There then needs to be a division between most of the staff and the VIPs, and between most data and the "crown jewels" (in other words, the most important and most sensitive parts of a business that would be most appealing to an attacker).
Zero Trust: Suspect Everyone
At the same time, by doing away with a perimeter-based security model, where those inside the perimeter are trusted, organizations now need to implement a new model that better matches the vulnerabilities inherent to today's mobile workforce. We must suspect everyone.
A Zero Trust policy assumes untrusted actors exist both inside and outside the network and, as a result, every user access request must be authorized. When implemented correctly, Zero Trust networks can improve security while also increasing productivity. What's key to true Zero Trust environments are adaptive controls that are contextually aware. Without context, we always need to put the strongest possible security in place; with context, we can adapt the level of security based on risk.
Still, Zero Trust is a work in progress. Until it's mainstream, password management products that offer complete privileged management systems to password vaults will help to reduce the complexity of users remembering multiple passwords while encouraging stronger password use.
Ultimately, employees need to be the new "endpoints," with the risk they pose to the organization assessed rather than simply determining them as safe depending on whether they are inside or outside a perimeter.