Zero trust is addressing hybrid working challenges

IT leaders from legacy institutions and startups are all moving towards least-privilege

Tom Allen
clock • 5 min read
Zero trust is addressing hybrid working challenges

Nearly three years on from the COVID-19 pandemic forcing swathes of the global workforce out of the office and into semi-permanent remote working environments, many firms still face the question of how to optimise the employee experience without compromising on vital security features.

While each panellist at Computing's Deskflix: Identity & Access Management event this week approached hybrid security differently, they all agreed that the challenge was not in the initial move, but in ongoing support.

"We've transitioned completely to a laptop environment," said Terry Willis, Director of Technology at the Church of England, "and we use different technologies to make that happen and secure those devices remotely. Our world was predicated on a single corporate network [pre-pandemic], and now it's made up of diverse endpoints that could be anywhere from Australia to Amersham."

The Church found it very easy to shift to remote working, as it regularly ran remote days and staff already had laptops. It was even easier for Nick Ioannou, Information Security Officer at Goodlord, an eight-year-old startup that was already completely cloud based.

"All we had was laptops, no infrastructure whatsoever... There was no pain other than, instead of everyone being in one building we were dealing with issues like internet speeds aren't what people think when they're actually working from home. But the thing worked really well because we were geared up to one hundred percent cloud from the very start... We more than doubled in size during the pandemic."

On the other end of the scale is Bucks County, Pennsylvania, where John Regula is the CIO.

"As a government service agency, we still had many services that had to be conducted in-house: our emergency services, our correctional facilities, our skilled nursing facilities still had to operate throughout the pandemic... We were forced to ramp up education as far as what security tools and measures had to be used.

"We got to deploy 1,800 new laptops between 2020 and 2021, and we were just rolling out MFA at the time, so to get both of those delivered we had to do it in stages... We were not at the security posture we wanted to be, but we grew there pragmatically and quickly."

'Convenient' doesn't mean ‘easy'

Working from home is a big draw when employees are looking for a new role, but their convenience can mean headaches for IT and business leaders, who have to deal with issues around onboarding, education and culture.

"Onboarding users [is our biggest challenge]," said Nick, describing Goodlord's habit of not using email internally - all internal communication is done via instant messaging and video calls, which can be a culture shift for new joiners. "We've definitely evolved the process... We've moved in-person onboarding to Google Meet and sharing screens, and it works just as well."

For John, the issue is around education. His biggest headache of recent years is "trying to help people through navigating their own home environment to communicate with the County."

"Many of our employees either borrowed internet, did not have sufficient internet or did not have a sufficient home environment to properly conduct County work. Putting up guidelines and protocols for them to follow, and even having them ask the right questions of their ISP [was helpful]... It's really an ‘off my network' concern, but it really was a concern to try and help all of our employees sustain at home what we're asking them to do. So really, navigating protocols for home environment use from an employee perspective was the largest challenge."

The Church of England, meanwhile, has streamlined its onboarding process:

"We reimagined the [laptop rollout] process from start to finish," said Terry. "We're primarily a Microsoft stack, so we use Autopilot. We ship laptops directly to end-users and we email them a PDF that says, ‘Here are the three steps you go through', and that device sets it up in their home...

"The non-technical parts, the logistical and administrative parts, were probably the biggest challenge."

Zeroing in on security holes

Of course, security remains an ongoing challenge, and hybrid working has exposed new vulnerabilities on corporate networks around the world.

Zero trust is an increasingly popular approach to address these issues in the remote working era. Under zero trust, people only have access to the systems they need to do their job, rather than unrestricted access to every file and folder on the network.

"When you look at somebody 10, 15, 20 years ago, when you logged in you got all of your network access and rights," said John. "You would connect and have access to the network, and you could move about freely, both vertically and horizontally. Now, we're tying access requests to a specific resource."

Goodlord adopted zero trust in 2021, helped by the fact that the business operates on Chrome Enterprise. Zero trust is built into Chrome, where it's known as Context-Aware Access.

"Basically even if you have a username, password and two-factor [authentication], you still can't log in," explained Nick. "Your device still has to be approved, plus loads of other conditions have to met as well. It meant we could actually trust who was using what, rather than just sending out credentials and seeing various devices in the logs and wondering who owned what. Now unless we approve the device, it doesn't hit the system."

Even the Church of England, which many might think of as a legacy institution, has taken on a form of zero trust, buying an off-the-shelf product last year.

"We're also tying in a multi-layer approach," said Terry. "We're primarily a Microsoft stack so we use conditional access and set rules around that. When people log in we direct them to the asset they need, in a very similar way to John. We have a solution that allows us to do that.

"We still have a small amount of infrastructure sitting in a datacentre, so that allows us to have a line directly into the datacentre, but outside of that it gives us this shield of trust from the internet, which is multi-layered and conditional access and other Microsoft technologies underneath, protecting the end-user."

You may also like
How fractional working could add up for individuals and employers

Skills

Closing the skills gap and boosting representation in a single swoop

clock 15 February 2024 • 5 min read
Meta to close major London office

Corporate

Social media giant is to close its London HQ at One Rathbone Square

clock 08 January 2024 • 3 min read
SonicWall snaps up zero-trust firm Banyan

Mergers and Acquisitions

Second acquisition for SonicWall in two months

clock 03 January 2024 • 1 min read

More on Security

Law enforcement takes down LockBit - updated

Law enforcement takes down LockBit - updated

NCA among the groups under 'Operation Cronos'

Tom Allen
clock 20 February 2024 • 2 min read
Microsoft's chief security advisor joins Cybersecurity Festival 2024

Microsoft's chief security advisor joins Cybersecurity Festival 2024

Sarah Armstrong-Smith will talk AI in security

Tom Allen
clock 19 February 2024 • 1 min read
Microsoft announces critical zero-day Exchange bug

Microsoft announces critical zero-day Exchange bug

Enables remote control of Exchange Server

Vikki Davies
clock 16 February 2024 • 1 min read