Cybersecurity Challenges in Hybrid Work
Hybrid work presents unique security challenges, one of which is that a dispersed workforce multiplies the number of endpoints that agencies need to secure. In other words, hybrid work expands an organization’s attack surface, and without the right security posture, vital data and systems have never been more vulnerable.
This is particularly true in a hybrid environment, where employees use devices both on- and off-premises. Devices may be more easily compromised off-premises, and agencies can face major breaches if those devices are then connected to their networks. The proliferation of smart devices at home only exacerbates the issue, as Glenn Johnstone, Vodafone New Zealand’s head of information and communications technology practices, pointed out at a recent CIO roundtable.
“The sheer number of smart devices in our lives means we are more vulnerable than we think. We’re connected through our phones, the printer, our cars, fridges, fish tanks — and any connection can be an issue. It means we need security across all devices in the office, at home, anywhere and everywhere your people are connected,” Johnstone said.
Hybrid work also means more reliance on cloud-based applications, which provide a much larger attack surface for bad actors if not properly secured.
What Zero Trust Can Do for a Hybrid Workplace
A zero-trust security posture is designed to provide added security in modern networks, which have cloud-based assets and remote users. As the General Services Administration explains, zero trust shifts focus away from protecting the network perimeter and prohibits access until the access request, identification of the requestor and requested resource are validated. After a request is granted for accessing a zero-trust network, security teams continuously monitor how the organization uses and distributes the data.
As the name suggests, there’s no implicit trust in a zero-trust environment; access to data and resources is granted on a per-session basis, with no exceptions. The rigorous enforcement of authentication and authorization makes zero trust a natural fit for hybrid work.
Preparing for Zero-Trust Deployment in a Hybrid Environment
Before adopting zero trust, agencies need to take steps to analyze their environment and ensure they have the proper policies and processes in place to make deployment successful. According to the GSA, the first step is to identify a “protect surface,” which contains the agency’s most valuable data, assets, applications and services. The protect surface should be smaller than the entire attack surface because only critical assets are included.
“In zero trust, by defining a protect surface, we can move controls as close as possible to that protect surface to define a micro-perimeter. With our next-gen technology functioning as a segmentation gateway, we can segment networks,” wrote John Kindervag, a cybersecurity expert known for creating the zero-trust model, in a Palo Alto Networks blog post.
The GSA also points out the importance of subject provisioning, an identity and access management process in which users are given appropriate rights and permissions to access an organization’s resources. The GSA recommends that strong subject provisioning and authentication policies be in place before moving to a zero trust–aligned deployment. This means agencies need to implement comprehensive security practices for a zero-trust approach to be effective.
“When balanced with existing cybersecurity policies and guidance, identity and access management, continuous monitoring and best practices, a ZTA can protect against common threats and improve an organization’s security posture by using a managed risk approach,” the National Institute of Standards and Technology noted.
NIST points out that there don’t need to be wholesale changes in an agency’s cybersecurity posture, considering many organizations already have these elements in their enterprise infrastructure.
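The per-session, default-deny access decision described above, combined with a protect surface and provisioned roles, can be sketched as a small policy decision function. This is an added example, not code from the GSA, NIST or any vendor; the resource names, roles, device attributes and 15-minute session lifetime are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed policy: resource -> provisioned roles that may access it.
POLICY = {"payroll-db": {"hr-analyst"}, "wiki": {"hr-analyst", "contractor"}}
# Constructed protect surface: resources that also require a healthy device.
PROTECT_SURFACE = {"payroll-db"}
SESSION_TTL = 900  # seconds; assumed lifetime of a single-session grant

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    mfa_verified: bool
    device_managed: bool
    device_patched: bool
    on_premises: bool  # recorded, but never used as a reason to allow
    resource: str
    session_id: str

@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    session_id: str = ""
    expires_at: float = 0.0

def decide(req: Request, now: float) -> Decision:
    """Default deny: request, requestor and resource must all validate."""
    if req.resource not in POLICY:
        return Decision(False, "unknown resource")
    if not req.mfa_verified:
        return Decision(False, "requestor identity not validated")
    if req.role not in POLICY[req.resource]:
        return Decision(False, "role not authorized for resource")
    healthy = req.device_managed and req.device_patched
    if req.resource in PROTECT_SURFACE and not healthy:
        return Decision(False, "device posture insufficient for protect surface")
    return Decision(True, "validated", req.session_id, now + SESSION_TTL)

def is_valid(grant: Decision, session_id: str, now: float) -> bool:
    """A grant is honored only for the session it was issued to, until expiry."""
    return grant.allow and grant.session_id == session_id and now < grant.expires_at
```

Note that `on_premises` never appears in `decide`: an office network location earns no access on its own, and a grant issued to one session cannot be reused by another.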