How to Design a Zero Trust Strategy for Remote Workers
By Federico Charosky, Founder and CEO, Quorum Cyber
The modern workforce expects to work from anywhere, on any device. Supporting that requires investment in a security program that reaches beyond the network. Identity is the new security perimeter, complemented by intelligently managed devices, the applications they run and the data they access.
To answer the question of how to design a secure solution for remote workers we need to set some context. First, what is zero trust? It rests on three principles, explained below, which can be summed up as: the network itself carries little trust. The idea of coming into an office and plugging into a network port or joining the WiFi to receive full access to an organization's resources is fast receding. The network has too large an attack surface, too many hidden doors, and is stretched to breaking point (VPN, anyone?) to serve as a reliable security perimeter. Instead of relying on the network, a zero-trust strategy implies:
- Authenticate. Always and often. Today this usually means a username and password plus a second factor; increasingly it should mean phishing-resistant, passwordless methods, with the session re-evaluated rather than trusted indefinitely after a single logon.
- Time it. Do you really need Global Admin rights all the time? No account should hold elevated rights permanently. Every account is a standard user, and when a task requires more, the user activates the specific role for a fixed time window, after which the rights expire automatically.
- Assume breach. The question is not whether you will be attacked, but when. So invest in detection and response alongside prevention, to limit the blast radius when a breach does occur.
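The "Time it" principle above, as an added example that is not code from the original article: a just-in-time elevation service in which accounts hold no standing privilege, a role is activated only for a bounded window, and every decision is written to an audit trail. The ElevationService API, the role and user names, the ticket reference and the four-hour ceiling are all hypothetical; in a real estate the identity provider's privileged-access feature (Entra ID PIM, for example) enforces this rather than application code.

```python
"""Just-in-time privilege elevation with a fixed expiry (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_ACTIVATION = timedelta(hours=4)  # assumed policy ceiling on any single activation


@dataclass
class Grant:
    user: str
    role: str
    expires_at: datetime
    justification: str


@dataclass
class ElevationService:
    # Roles each user is *eligible* to activate; assumed to be provisioned by an
    # administrator out of band. Eligibility on its own grants nothing.
    eligible: dict
    active: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def activate(self, user: str, role: str, minutes: int,
                 justification: str, now: datetime) -> Optional[Grant]:
        """Turn an eligible role on for a bounded window; returns None if refused."""
        if role not in self.eligible.get(user, set()):
            self.audit.append(f"DENY {user} {role}: not eligible")
            return None
        if not justification.strip():
            self.audit.append(f"DENY {user} {role}: justification required")
            return None
        duration = min(timedelta(minutes=minutes), MAX_ACTIVATION)  # cap, never extend
        grant = Grant(user, role, now + duration, justification)
        self.active.append(grant)
        self.audit.append(
            f"ACTIVATE {user} {role} until {grant.expires_at.isoformat()}: {justification}")
        return grant

    def has_role(self, user: str, role: str, now: datetime) -> bool:
        """True only while an activation is inside its window; expired grants are pruned."""
        still_live = [g for g in self.active if g.expires_at > now]
        for g in self.active:
            if g not in still_live:
                self.audit.append(f"EXPIRE {g.user} {g.role} at {g.expires_at.isoformat()}")
        self.active = still_live
        return any(g.user == user and g.role == role for g in self.active)


def demo() -> dict:
    """Constructed scenario: alice is eligible for Global Admin, bob is not."""
    t0 = datetime(2024, 6, 15, 9, 0, tzinfo=timezone.utc)
    svc = ElevationService(eligible={"alice": {"GlobalAdmin"}, "bob": set()})
    first = svc.activate("alice", "GlobalAdmin", 60, "ticket INC-1234 (hypothetical): MFA policy change", t0)
    capped = svc.activate("alice", "GlobalAdmin", 600, "long-running migration", t0)  # capped to 4h
    return {
        "bob_refused": svc.activate("bob", "GlobalAdmin", 60, "just want it", t0) is None,
        "live_at_30min": svc.has_role("alice", "GlobalAdmin", t0 + timedelta(minutes=30)),
        "gone_after_5h": svc.has_role("alice", "GlobalAdmin", t0 + timedelta(hours=5)),
        "first_expires": first.expires_at,
        "capped_expires": capped.expires_at,
        "audit": svc.audit,
    }


if __name__ == "__main__":
    for line in demo()["audit"]:
        print(line)
```

The point of the audit trail is the "assume breach" principle: when an elevation is abused, the activation record, its justification and its expiry are what an incident responder reconstructs the timeline from.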
Secondly, for remote workers we treat their network as irrelevant (it cannot be trusted), so the remote employee may connect by any means: broadband, mobile, local WiFi, even low-earth-orbit satellite. The key question is which device they will use to reach resources. Will the organization allow any device to access every resource, only corporately issued devices, or a hybrid that depends on the data being accessed? It might require a fully patched corporate laptop to access and pay invoices, for example, while allowing personal iPads to read email. Policies can be written to cover the many possible combinations of personally owned, corporately owned and corporately issued devices.
The design process follows four key steps:
- Identity. The most important factor in a remote-access strategy. How will your employees authenticate? Traditionally this was against on-premises services such as Microsoft Active Directory; more recently it is against cloud identity providers such as Microsoft Entra ID. Many organizations have already deployed multi-factor authentication (MFA), which cuts down identity attacks by over 99%, but that is now the baseline rather than the goal. The next step is to remove passwords entirely (the biggest single compromise risk) in favor of modern, phishing-resistant methods such as passkeys.
- Device. Monitor and enforce device health across every platform you intend to manage, including Bring Your Own Device (BYOD), smartphones and even Internet of Things (IoT) devices.
- Applications. An application policy dictates, for example, which email clients may connect to the mail service. It can also surface shadow IT, enforce Software-as-a-Service (SaaS) usage policies and apply different access permissions depending on the device type.
- Data. Discover, classify, label, encrypt and restrict access according to policy. This includes detecting unusual data movement and mass-storage events that could indicate data leaving via USB storage devices, through ransomware, or through any of various cloud storage services.
The biggest change for enterprises is the move to an identity-based perimeter in which nothing is trusted by default: zero trust. Companies will need a wide-scale data security program to identify sensitive data and control access to it under a least-privilege model. To succeed, they will also need staff with the skills to design, develop and deploy every element of the strategy.
About the Author
Federico Charosky is a risk and cyber security expert with a career spanning more than 20 years. He currently leads Quorum Cyber as its Founder and CEO. Quorum Cyber, a UK-based cyber security firm, serves a global clientele across diverse sectors, helping customers win in complex and hostile digital environments. Federico has held several high-ranking positions across the globe. He served as the Head of Security at a Middle East bank, took on the role of Company Director and Head of Consulting at a UK cyber security firm, and acted as a Senior Advisor for numerous prestigious blue chip and FTSE 100 companies. His breadth of experience covers the Americas, Europe, and the Middle East. Federico can be reached online at [email protected], https://www.linkedin.com/in/federicocharosky/ and at https://www.quorumcyber.com.
June 15, 2024