When John "Four" Flynn co-developed Google's BeyondCorp enterprise security initiative, he did it with the intention of burning down the security drawbridge.
Flynn, now CISO of Uber, said in the '90s, people were not the target of cyberattacks because computers and servers stayed in the office. The same is no longer true.
People have been carrying devices to and from work for about two decades, testing the limits of a secure perimeter. The coronavirus outbreak and the work-from-home model obliterated a secure perimeter. Zero trust is what's left because business data is everywhere.
"We're looking at something that's anything but normal," said Flynn, during a virtual roundtable hosted by Billington CyberSecurity Wednesday. He noted that the recovery timeline for the coronavirus might be W-shaped, which means there might be periods of employees regularly transitioning between working in an office and from home.
Companies should prepare for uncertain movement of employees, devices, and access to business data. Older solutions, such as network and detection monitoring, are dependent on employees working in a mostly controlled environment.
In a scattered workforce, security moves to the endpoint. Zero trust judges each user, each device to indicate how much access it should have to business resources.
Threats of yesteryear
Before the health and economic crisis hit the U.S., companies that were adopting a zero trust strategy did it thoughtfully. Now, companies are forced to implement zero trust principles at an expedited pace, "whether they know it or not," said Wendy Nather, head of advisory CISOs at Cisco's Duo Security, during the call.
In an effort to boost cybersecurity posture, companies might be tempted to haphazardly integrate solutions which will unintentionally increase their risk. "There's no time to think it through," with no discussion on how new solutions can impact the existing security architecture, said Nather.
Companies looking for a temporary security structure, supplemented by free offerings or new trials, might be blindsided when they find they can't rip out what they put in. "We don't know when this will be over," which means security functions should be integrated with the expectation they will remain for the foreseeable future.
Duo found employees use about 2.5 devices on average. At larger technology corporations, such as Google and Facebook, employees use between five and seven devices. Remotely, that number — and the number of unknown devices accessing business data — changes daily.
It doesn't stop at devices. Remote employees are using multiple operating systems simultaneously. Employees likely weren't issued preconfigured devices before going remote and any VPN networks lack elasticity to support everyone, said retired Brig. Gen. Greg Touhill, president of AppGate and former federal U.S. CISO, during the call.
Businesses with older technology stacks didn't prepare for this kind of remote scale, and their "architectures have been showing their age," said Touhill. Zero trust is touted as the ultimate security model because it accounts for all cyberthreats, not just the ones relevant today. This is especially helpful now because threats "we talked about 15 years ago are back."
Phishing attacks were up 667% from February to March and ransomware is circulating among healthcare providers in wateringhole attacks. Bad actors revisiting old tactics is an attempt to exploit people who are already "psychologically vulnerable," said Flynn.
A solution to any hysteria is tightening gaps between an organization's threat intelligence and security awareness functions. "Typically, those groups don't interact as much," but as the threat landscape is in a constant evolution, Uber is sharing insights with employees, according to Flynn. By doing so, employees might be better prepared to protect their virtual work and personal lives.
However, that transparency is hard to come by. "Threat analysts know a lot more than the employees" and that's by design, according to Nather. Any known threats, especially successful intrusions, make leadership nervous about further disclosure. But communication "in both directions" is needed. It's up to leadership to designate a formal communication structure for all employees regarding security.
Support staff, systems administrators, network operators "know what's going on, even if they don't have a formal function of reporting," said Nather.
Zero trust or bust
Zero trust's role in endpoint security is to best outline a user and a device's privileges, or lack thereof. A zero trust model allows security to be independent of the technology, said Touhill.
The gray area of endpoint security is how far an employee will allow its company to inject security protocols on their personal devices. "We all have these super privileged users who say, 'you're not touching my phone,'" said Nather. "That's getting even worse right now." If there's too much resistance, companies instead need to adopt stronger detection abilities.
Do you know what devices employees are using to access business resources?
If so, what are the characteristics of those devices?
The other option is compromise. If IT can bargain with employees — such as exchanging a software update for more access to resources — endpoint security is more in reach. IT "can't manage things that they did not issue," said Nather.
Another layer of consideration is what businesses do when a device has been compromised. Uber was built on a distributed workforce and had to develop remote forensics and acquisitions for these purposes, according to Flynn. Virtual desktop environments might be the only solution for companies that can't issue devices to remote employees.
Depending on the user, IT's introspection abilities might be limited. But a user or device can inform a business of its trust level, how much access to resources can also be determined. If it's a personal device, trust might be more conservative, for example.
Security is then founded on identity. "It's hard," because it's identifying who should be able to access data separate from the device, said Touhill. But during the pandemic, "IT is saving the day … we're doing better than anyone expected."