Zero trust is addressing hybrid working challenges

IT leaders from legacy institutions and startups are all moving towards least-privilege

Tom Allen

Nearly three years on from the COVID-19 pandemic forcing swathes of the global workforce out of the office and into semi-permanent remote working environments, many firms still face the question of how to optimise the employee experience without compromising on vital security features.

While each panellist at Computing's Deskflix: Identity & Access Management event this week approached hybrid security differently, they all agreed that the challenge was not in the initial move, but in ongoing support.

"We've transitioned completely to a laptop environment," said Terry Willis, Director of Technology at the Church of England, "and we use different technologies to make that happen and secure those devices remotely. Our world was predicated on a single corporate network [pre-pandemic], and now it's made up of diverse endpoints that could be anywhere from Australia to Amersham."

The Church found it very easy to shift to remote working, as it regularly ran remote days and staff already had laptops. It was even easier for Nick Ioannou, Information Security Officer at Goodlord, an eight-year-old startup that was already completely cloud based.

"All we had was laptops, no infrastructure whatsoever... There was no pain other than, instead of everyone being in one building we were dealing with issues like internet speeds aren't what people think when they're actually working from home. But the thing worked really well because we were geared up to one hundred percent cloud from the very start... We more than doubled in size during the pandemic."

On the other end of the scale is Bucks County, Pennsylvania, where John Regula is the CIO.

"As a government service agency, we still had many services that had to be conducted in-house: our emergency services, our correctional facilities, our skilled nursing facilities still had to operate throughout the pandemic... We were forced to ramp up education as far as what security tools and measures had to be used.

"We got to deploy 1,800 new laptops between 2020 and 2021, and we were just rolling out MFA at the time, so to get both of those delivered we had to do it in stages... We were not at the security posture we wanted to be, but we grew there pragmatically and quickly."

'Convenient' doesn't mean 'easy'

Working from home is a big draw when employees are looking for a new role, but their convenience can mean headaches for IT and business leaders, who have to deal with issues around onboarding, education and culture.

"Onboarding users [is our biggest challenge]," said Nick, describing Goodlord's habit of not using email internally - all internal communication is done via instant messaging and video calls, which can be a culture shift for new joiners. "We've definitely evolved the process... We've moved in-person onboarding to Google Meet and sharing screens, and it works just as well."

For John, the issue is around education. His biggest headache of recent years is "trying to help people through navigating their own home environment to communicate with the County."

"Many of our employees either borrowed internet, did not have sufficient internet or did not have a sufficient home environment to properly conduct County work. Putting up guidelines and protocols for them to follow, and even having them ask the right questions of their ISP [was helpful]... It's really an 'off my network' concern, but it really was a concern to try and help all of our employees sustain at home what we're asking them to do. So really, navigating protocols for home environment use from an employee perspective was the largest challenge."

The Church of England, meanwhile, has streamlined its onboarding process:

"We reimagined the [laptop rollout] process from start to finish," said Terry. "We're primarily a Microsoft stack, so we use Autopilot. We ship laptops directly to end-users and we email them a PDF that says, 'Here are the three steps you go through', and that device sets it up in their home...

"The non-technical parts, the logistical and administrative parts, were probably the biggest challenge."

Zeroing in on security holes

Of course, security remains an ongoing challenge, and hybrid working has exposed new vulnerabilities on corporate networks around the world.

Zero trust is an increasingly popular approach to address these issues in the remote working era. Under zero trust, people only have access to the systems they need to do their job, rather than unrestricted access to every file and folder on the network.

"When you look at somebody 10, 15, 20 years ago, when you logged in you got all of your network access and rights," said John. "You would connect and have access to the network, and you could move about freely, both vertically and horizontally. Now, we're tying access requests to a specific resource."

Goodlord adopted zero trust in 2021, helped by the fact that the business operates on Chrome Enterprise. Zero trust is built into Chrome, where it's known as Context-Aware Access.

"Basically even if you have a username, password and two-factor [authentication], you still can't log in," explained Nick. "Your device still has to be approved, plus loads of other conditions have to be met as well. It meant we could actually trust who was using what, rather than just sending out credentials and seeing various devices in the logs and wondering who owned what. Now unless we approve the device, it doesn't hit the system."

Even the Church of England, which many might think of as a legacy institution, has taken on a form of zero trust, buying an off-the-shelf product last year.

"We're also tying in a multi-layer approach," said Terry. "We're primarily a Microsoft stack so we use conditional access and set rules around that. When people log in we direct them to the asset they need, in a very similar way to John. We have a solution that allows us to do that.

"We still have a small amount of infrastructure sitting in a datacentre, so that allows us to have a line directly into the datacentre, but outside of that it gives us this shield of trust from the internet, which is multi-layered and conditional access and other Microsoft technologies underneath, protecting the end-user."
