The massive and rapid move to remote workforces triggered by the global pandemic created unique challenges for CISOs and their security teams. They need to keep remote workers productive without compromising on enterprise-grade security. The challenge is made even more difficult by the changing threat landscape and the increasing complexity of systems.
CSO Magazine has launched a podcast called “Strengthen and streamline your security” to explore this topic in more detail. Featuring insights and tips from Microsoft executives and leading industry security experts including 10Pearls CSO Peter Hesse, this podcast is exploring modern security strategies focused on helping leading companies balance security and productivity.
The first episode of the podcast focused on “Zero Trust” – a concept first developed by Forrester in 2009, which many security experts see as the best hope for stopping security breaches. Zero Trust is a strategy that can be simply stated as “never trust, always verify.”
Balancing Security and Productivity
The traditional thinking of focusing only on strong perimeter defenses is out of date. Modern application architectures include internet-based software as a service (SaaS) solutions. Forcing all remote workforces to connect to a corporate VPN to get work done is impractical. If our security solutions make it difficult for users to be productive, they will find ways around them and potentially expose the network.
Instead, balancing security and productivity starts by considering identity as the new perimeter. Understanding the identity of the person, device, or application making a request is a critical first step. Wherever possible, we should strengthen our understanding of identity by using other data points, such as multifactor authentication, location, and user behavior.
Once the identity is understood, it can be used for access control decisions both inside and outside the network. This is the “always verify” portion of the Zero Trust strategy. By default, no access should be granted. Requests will only be fulfilled after positive identity verification. This way, even if your internal network has been breached, only trusted identities can access sensitive data.
The Zero Trust approach allows leading companies to prioritize their security efforts. Starting with their most sensitive information and systems, they can build in additional layers of access control and protection based on identity. They can take a risk-based priority approach to extend these controls and protections to additional systems based on the availability of their applications, security, and infrastructure teams.
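The default-deny, identity-based decision described above can be expressed as a small policy check. The following Python example is added here for illustration and is not from the podcast or from 10Pearls; the resource names, sensitivity tiers, and signal names are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed tiers: more sensitive resources require more identity signals.
REQUIRED_SIGNALS = {
    "low": {"authenticated"},
    "high": {"authenticated", "mfa", "known_location", "normal_behavior"},
}

# Constructed policy: resource -> (sensitivity tier, entitled identities).
POLICY = {
    "payroll-db": ("high", {"alice"}),
    "wiki": ("low", {"alice", "build-agent"}),
}


@dataclass(frozen=True)
class Request:
    subject: str               # person, device, or application identity
    resource: str
    signals: frozenset         # identity signals that were positively verified
    on_internal_network: bool  # recorded for logging; never used to grant access


def decide(req):
    """Return (allowed, reason). Anything not explicitly verified is denied."""
    entry = POLICY.get(req.resource)
    if entry is None:
        return False, "no policy for resource (default deny)"
    tier, entitled = entry
    if req.subject not in entitled:
        return False, "identity not entitled to resource"
    missing = REQUIRED_SIGNALS[tier] - req.signals
    if missing:
        return False, "missing signals: " + ", ".join(sorted(missing))
    return True, "identity verified for tier " + tier


if __name__ == "__main__":
    full = frozenset(REQUIRED_SIGNALS["high"])
    samples = [
        # Inside the network, password only: network location earns no trust.
        Request("alice", "payroll-db", frozenset({"authenticated"}), True),
        # Remote, but every required signal verified.
        Request("alice", "payroll-db", full, False),
        # Resource with no policy entry.
        Request("alice", "hr-share", full, True),
    ]
    for r in samples:
        print(r.subject, r.resource, decide(r))
```

Extending protection to more systems then means adding entries to the policy table, starting with the most sensitive resources.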
Security must be a business enabler, rather than be seen as something that introduces friction to the employee experience. Leading companies are balancing security and productivity by ensuring their applications work in a Zero Trust model with identity as the perimeter.
If this topic is of interest to you, we would love to hear from you. We are helping businesses with all things digital, including cyber security, and are always seeking great talent.