The rapid transition to remote working by organisations around the world, has been nothing short of remarkable.
Microsoft believe that two years-worth of digital transformation took place in just two months at the beginning of the COVID-19 pandemic.
Whilst some organisations tentatively allowed some workers to return to the office, the likelihood is that a flexible hybrid-working scenario will be the new normal for many of us — with employees mixing remote working and office working depending on government advice and a range of different professional and personal considerations.
Whilst this will offer a range of benefits for both employers and employees, many organisations will find that their cyber security is not fit for purpose to support a modern distributed workplace.
Why security needs to change
The traditional ‘castle and moat’ approach to security involved a perimeter-based model, where you essentially built a wall around your network and everything you wanted to protect; anything within the perimeter would be trusted. However, once attackers had penetrated these defences, the perimeter controls would offer little to prevent the attacker from moving across the network laterally — often doing untold damage before being detected.
Whilst that approach was once considered sufficient (despite its obvious flaws) it is no longer fit for purpose in a world where we have people working remotely with users, data, apps and devices sitting outside the old network perimeter. Whilst organisations can try to bring these users and data back to the ‘safety’ of the company network, users will inevitably work and collaborate as efficiently as possible –often finding ways to circumvent security measures to speed up working and turning to consumer-grade services outside of the organisation’s perimeter (shadow IT).
Why Zero Trust is the answer
This is why a ‘boundaryless’ modern security approach called ‘Zero Trust’ is now considered critical for businesses. It’s known as ‘Zero Trust’ as this approach deems all users and devices to be ‘untrusted’; the core principle is simply “never trust, always verify” and treats requests as if they were originating from an open network. With this approach, every access request is subject to a dynamic risk-based evaluation to determine whether access should be granted or denied. Just a few of the signals that can feed into the verification process include: identity, device health, location, service, data, and anomalies.
Zero Trust also works on the principle of ‘assume breach’. By assuming that you will incur a breach eventually, you can put in place measures to prevent lateral movement by the attacker. This includes segmentation of network, users, devices and apps and end-to-end encryption across sessions with the use of threat monitoring and analytics to provide threat detection and protection.
Zero Trust also uses a ‘least privileged access’ approach, where only the minimum level of access permissions are granted through risk-based adaptive policies and data protection.
Microsoft reported that 94% of businesses are in the process of deploying Zero Trust capabilities to some extent, and that because Zero Trust architecture will eventually become the industry standard, everyone is ultimately on a Zero Trust journey now.
Quick wins for remote working
Moving to a Zero Trust security model isn’t an overnight exercise, however if you’re looking to improve your security for your remote workforce there are some quick wins which you can implement to dramatically improve your security without significant time and expense.
These quick-wins are based around identity — which is the best foundation for a Zero Trust model as all access requests require an identity to be authenticated and will form the bedrock of your security posture.
Implementing strong authentication with Azure AD and multi-factor authentication (MFA) is the best starting point to quickly improve user verification and your security.
MFA allows users to add a second form of identity verification to their accounts in addition to their password — such as their phone, security key or biometric identifier. Therefore, if their password becomes compromised, the requirement for a secondary form of verification will ensure their account remains secure and access will be denied to the attacker using the stolen credentials.
Around 90% of cyber-attacks rely on compromised passwords and businesses of all sizes are targets. Weak passwords are easy for hackers to crack with phishing scams, spray attacks and credential-stuffing — so it’s vital that every organisation takes this threat extremely seriously.
MFA reduces the risk of an account being compromised by 99.9%, which is why it is critical that your organisation implements it as soon as possible.
With remote workers outside the company network and potentially using personal devices, how do you determine whether or not an access request can be trusted?
The answer is Azure AD Conditional Access. When any access request is made, conditional access evaluates a range of signals associated with the request before deciding whether to allow, restrict or block access. The decision is made by an enforcement engine which assesses whether the signals meet the requirements of the granular access policies which you set for your organisation — hence the term ‘conditional’.
Some of the signals include:
- User identity
- Access rights
- Device health
- Application safety
- Network safety
- Data sensitivity
- Real-time risk
The decision doesn’t have to be as simple as only ‘block access’ or ‘grant access’. Depending on the policies you set, access may only be granted subject to multi-factor authentication or a device being marked as compliant. You can decide exactly what conditions have to be met for a user to be able to access specific company resources.
By implementing Conditional Access and setting granular access policies, you can benefit from dynamic and conditionally-granted access decisions that are based on an intelligent assessment and an understanding of the risk associated with every access request across your organisation — preventing hackers from moving laterally across the network using stolen credentials.
Single sign-on (SSO) is a quick-win that massively improves both user productivity and security.
Your remote workers likely need to access multiple apps throughout the day. Rather than having to manage multiple passwords and log in repeatedly, you can set up SSO to ensure staff only have to authenticate once using their main corporate credentials to access all their apps —extending your robust security policies across both company and third party apps.
Azure AD Application Proxy
If your organisation has any on-premise web applications, it’s likely that you’ll need your distributed workforce to be able to easily access the apps remotely.
Azure AD Application Proxy is a feature which enables users to authenticate once with a single sign-on to Azure AD, allowing easy and secure access to your on-premise applications through an external URL — just like when they access Microsoft 365 and the other SaaS applications which you’ve registered for SSO.
Users don’t need to use a VPN, reverse proxy or open inbound connections through your firewall. App Proxy provides a secure connection which can utilise Conditional Access and MFA. Because App Proxy runs in the cloud, it’s simple to use and doesn’t require any infrastructure alterations or changes to your on-premise environment.
MFA is free across all Azure AD pricing tiers, as is something called ‘Security Defaults’. Security defaults provides preconfigured security settings for organisations, including MFA and some basic conditional access policies. If you’re already using and managing your own conditional access policies with Azure AD Conditional Access, you’ve already outgrown ‘security defaults’ and should avoid using them due to potential conflicts. However, they’re a great option if you’re just getting started with the basics.
SSO is also free across all Azure AD tiers. This includes unlimited access to cloud apps, but Azure AD Application Proxy is required for on-premise applications.
To use Azure AD Conditional Access or Application Proxy, an Azure AD Premium P1 licence is required, which is only £4.52 per user per month (at the time of writing) or included with EMS E3 (£6.60 per user per month at the time of writing).
Hopefully you are already benefitting from these tools and a Zero Trust approach. If not, these quick-wins are a great way to get started.
It’s important to remember that Zero Trust is a journey and not something you can implement overnight. Once you have the foundations in place, you can progress your transformation to a Zero Trust model over time — demonstrating the value along the way.