While the concept of Zero Trust security has been around for over a decade, it’s more recently started to gain traction in the face of widespread remote work, BYOD policies, and decentralized IT networks. In the last few years, big-name companies like Google and Amazon Web Services implemented a Zero Trust model, and more businesses are following suit, paving the way for Zero Trust to become a business standard and demonstrating its necessity in digital workspaces. In this article, we’ll cover the basics of Zero Trust, how the rise of the digital workspace spurred its growth, why it’s well-suited to remote and hybrid work environments, and how to implement it in your organization.
Perimeter-Based Security and the Origins of Zero Trust
Zero Trust is an approach to security that was developed as a response to an older, perimeter-based security model that used to reign supreme and is still quite common today. With the conventional perimeter model, IT organizations would create a layered security perimeter around their network, like a fortress with a drawbridge and a moat. Inside the perimeter, the core network hosted the company’s most critical assets and, in theory, the defense in-depth approach made it difficult for hackers to get to them. Generally, IT organizations thought of the layers as network, application, data, endpoint, and identity at the core.
This security approach posed two critical problems:
- It implicitly places trust not only in the perimeter layers, but also in the users who operate inside the perimeter. Depending on the organization’s setup, this typically includes most employees and can extend to contractors, vendors, and other parties.
- It assumes a central on-prem network and applies security on the basis of a centralized physical infrastructure. This fails to account for cloud-based infrastructure and digital workspaces, which are becoming increasingly popular.
As workplaces became more digital and workers more mobile, emerging trends and increasing security incidents made it clear that layered security perimeters and the users inside them couldn’t be blindly trusted.
For one, the security tactics themselves weren’t quite as impenetrable as many believed. Hackers work quickly — often, their development cycles are shorter than those of the businesses they target — and have developed methods for penetrating these layers. For example, 73% of hackers say traditional perimeter firewalls and antivirus are ineffective and obsolete.
Compounding this risk, well-meaning users are often more damaging than bad actors: human error accounts for 88% of data breaches. This human risk stems from poor password practices (and unrealistic password expectations placed on the user), a lack of security awareness, low supervision in remote environments, insufficient security tooling, and other factors common in digital workspaces.
Additionally, the idea of the security perimeter began to break down as the physical perimeters surrounding company networks and resources did. Digital solutions started replacing the building blocks of the physical perimeter, from the walls surrounding physical office spaces to the Ethernet cords holding computer desktops in place and physical firewall appliances protecting company servers in an office server room.
The Basis of Zero Trust
Zero Trust security emerged as the diametric opposite of the perimeter-based approach, built to address the changing nature of the workplace and the risks that came with it.
Zero Trust security acknowledges that, in modern environments, there is no physical perimeter. Instead, it replaces the wired, brick-and-mortar perimeter with an elastic, dynamic, software-based one, applying layered security methods that never trust a user or device without verification. In a sense, the “perimeter” in the Zero Trust model is the users themselves, and the layers extend out from them via their identity, device, and network when they access an IT resource.
Zero Trust makes no exceptions for internal users or devices; it regards all sources of network traffic, both external and internal, as potential attack vectors. Therefore, every user and IT resource must be verified before access is granted, system data must be collected and analyzed, and network access must be limited and monitored.
Why Zero Trust Is Critical to the Digital Workspace
Although Zero Trust rose in popularity recently, the concept was developed by John Kindervag and Forrester Research Inc. in 2009. It took so long for businesses to adopt it because most weren’t operating remotely or thinking about remote security until recently. For many businesses, the shift to cloud computing and remote work during the coronavirus pandemic was the wake-up call they needed to adopt this more robust security approach that was better suited to the modern business environment.
With the mass shift to the cloud that took place over the last decade or so, businesses started moving critical data, applications, and resources from their on-prem network architecture to the public internet, creating new vectors for bad actors to exploit. In-office setups became more spread out and open as mobile-friendly layouts emerged to accommodate hybrid-remote workspaces, increasing offices’ use of WiFi over wired Ethernet. Remote employees needed to access all their resources from different locations, and the pathways businesses created to enable this are often the same pathways hackers seek out and exploit.
In short, the nature of the workplace changed significantly, moving from wired offices with a brick-and-mortar perimeter to disparate networks with no physical boundaries. To neglect to adjust security measures to this new environment would be like sticking with outdated line infantry tactics when facing guerrilla warfare.
Businesses soon realized this need for a change in security measures when cyber attacks zeroed in on identity and climbed exponentially. In fact, 2020 saw a 435% increase in ransomware and a 358% increase in malware from 2019. In the U.S., social engineering, system intrusion, and basic web application attacks accounted for 92% of breaches last year. Most incidents focused on compromising credentials or personal data.
In 2021, JumpCloud® surveyed over 400 IT professionals to learn about their experience with Zero Trust, remote work, and other factors influencing the IT climate today. We found that 24% of IT professionals surveyed have already adopted it at their organization, and 33% more plan to implement it by the end of 2021, demonstrating its swift rise in the digital workplace.
Zero Trust Security in Practice
In practice, Zero Trust security relies on a strong identity and access management (IAM) posture that includes device and network management. An organization must be able to establish trusted identities, trusted devices, and trusted networks, and users must be able to demonstrate their association with those trusted identities, devices, and networks to access their resources. This is the basis of Zero Trust: each access transaction must be scrutinized and verified to be safe and secure.
The simplest, yet most powerful, way to confirm identity is to leverage multi-factor authentication (MFA). Requiring a second factor removes a large share of the risk by ensuring that compromised credentials alone are not enough to gain access. Of course, MFA alone is not sufficient in a Zero Trust model, but it is a key pillar.
Zero Trust and Multi-Factor Authentication
Multi-factor authentication (MFA) is a critical component of Zero Trust security. With MFA, users are challenged to prove their identity with an additional factor, each factor proving their association with one of three trusted entities (identity, device, or network). Successful MFA input authenticates the user so they can access their allocated resources.
When you fortify MFA with strong passwords, SSH keys, and good internet hygiene (i.e., using HTTPS/TLS and only visiting credible sites), you further reduce the chances of a breach. By requiring meaningful step-ups in authentication, together with a keen policy of internet vigilance, IT organizations can adopt a Zero Trust security model and apply it to identity management.
Easing Friction with SSO and Conditional Access
While MFA and Zero Trust significantly ramp up security, they sometimes do so at the expense of the user experience (not many people love finding a code on their phone and typing it into the computer). And when employees are asked to do it over and over, it can eat away at productivity. Conditional access and single sign-on (SSO) are highly effective ways to reduce friction in the authentication experience without compromising security.
Note: In addition to the solutions below, some new MFA solutions drastically improve ease of use, like push notifications that only require a tap of a button. Explore MFA factors by accessibility in our blog.
Conditional access policies are authorization policies that allow security teams to either step-up or step-down security measures based on given criteria. For example, if an employee inputs their correct credentials on their assigned device and over a trusted network, IT could choose to let them bypass the MFA step. This helps maintain a balance between security and the user experience.
On the other hand, conditional access can tighten restrictions as well. For example, IT could configure a policy that requires additional security steps or denies access altogether for login attempts that come through on an unrecognized device or over a public network.
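The step-down and step-up rules described above, written out as a small policy evaluator. This is an added example, not code from the original post or from JumpCloud; the trusted networks, managed-device list, and the rule that an unrecognized device on an untrusted network is denied outright are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"              # step-down: correct password is enough
    REQUIRE_MFA = "require_mfa"  # normal path: password plus a second factor
    DENY = "deny"                # step-up all the way to refusing the login


# Constructed sample data (hypothetical values, not from the original post).
# Trusted networks would normally be office ranges or a corporate VPN egress.
TRUSTED_NETWORKS = [ip_network("10.20.0.0/16"), ip_network("203.0.113.0/24")]
# Device IDs assumed to come from a managed-device certificate presented at
# login, not from anything the user can type in.
MANAGED_DEVICES = {"alice": {"dev-alice-laptop"}, "bob": {"dev-bob-desktop"}}


@dataclass
class LoginAttempt:
    user: str
    password_ok: bool            # result of the primary credential check
    device_id: Optional[str]     # None when no managed-device identity is present
    source_ip: str


def evaluate(attempt: LoginAttempt) -> Decision:
    """Apply the conditional access policy to one login attempt."""
    if not attempt.password_ok:
        return Decision.DENY     # primary factor failed; never reach MFA

    device_trusted = attempt.device_id in MANAGED_DEVICES.get(attempt.user, set())
    addr = ip_address(attempt.source_ip)
    network_trusted = any(addr in net for net in TRUSTED_NETWORKS)

    if device_trusted and network_trusted:
        return Decision.ALLOW          # assigned device on a trusted network
    if not device_trusted and not network_trusted:
        return Decision.DENY           # unknown device from a public network
    return Decision.REQUIRE_MFA        # one signal missing: step up to MFA
```

Because the device signal is bound to a certificate rather than a self-reported value, an attacker holding only the password cannot talk their way into the step-down path.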
With single sign-on (SSO), users use one set of secure credentials to log into all of their resources. (This single set of credentials can — and should — be fortified with MFA). This presents a few key benefits to both the user experience and security:
- It reduces friction by drastically lowering the number of times users have to input their credentials.
- It prevents password misuse by only requiring employees to remember one password (rather than different ones for the average 170 websites users have to log into).
- It streamlines onboarding and offboarding, preventing IT from having to manually provision and deprovision access and reducing the risk of accidentally allowing employees to maintain access after leaving the company.
SSO is accomplished through a central directory that manages employee roles/data and access permissions and can facilitate authentication and authorization to all company resources they have permission to access. With a robust SSO solution implemented with a multi-protocol cloud directory service, this can include web applications via protocols like SAML; networks and VPNs via RADIUS; files and NAS via Samba, LDAP, and other protocols; and many other resources and protocols.
Zero Trust Security and Network Access
Network security is critical for remote and hybrid workspaces. RADIUS can help manage both in-office and remote network access by uniquely authenticating users accessing the network.
As most in-office employees now tend to use WiFi instead of wired Ethernet connections, using RADIUS is a more secure way to enforce WiFi access than the shared SSID and passphrase that circulates around the office (and often outside the office as well, as guests, clients, and office neighbors get ahold of the credentials).
RADIUS for VPNs functions similarly for remote employees, ensuring only trusted employees can access the central network from a VPN. Some directory service solutions integrate RADIUS, and it can pair with MFA as well.
Additionally, consider implementing VLAN tagging on your network to support a strong Zero Trust posture. VLAN tagging enables micro-segmentation of the network, allowing for more granular permission controls and easier network quarantining in the event of a compromise. The result is that when users connect to the network they are dynamically placed in the correct VLAN based on their permissions and attributes.
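Dynamic VLAN placement works by having the RADIUS server return tunnel attributes (RFC 2868, as profiled for VLANs in RFC 3580) in its Access-Accept, which the switch or access point then applies to the port or session. The following is an added example, not JumpCloud's code, that picks a VLAN from a user's roles and device compliance state and encodes the three attributes by hand; the role-to-VLAN table and quarantine VLAN are constructed values.

```python
import struct
from typing import Dict, List

# RFC 2868 attribute types and the RFC 3580 values used for VLAN assignment.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type = IEEE-802

# Constructed policy (hypothetical VLAN IDs, not from the original post).
ROLE_VLANS: Dict[str, int] = {"engineering": 110, "finance": 120, "contractor": 300}
QUARANTINE_VLAN = 999          # non-compliant or unmapped sessions land here


def tagged_int(attr_type: int, value: int, tag: int = 1) -> bytes:
    """Tagged integer attribute: Type, Length=6, Tag, 3-byte big-endian value."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def tagged_str(attr_type: int, value: str, tag: int = 1) -> bytes:
    """Tagged string attribute: Type, Length, Tag, then the string bytes."""
    data = value.encode()
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data


def choose_vlan(roles: List[str], device_compliant: bool) -> int:
    """Fail closed: anything that is not an unambiguous, compliant match is quarantined."""
    if not device_compliant:
        return QUARANTINE_VLAN
    mapped = sorted({ROLE_VLANS[r] for r in roles if r in ROLE_VLANS})
    if len(mapped) != 1:          # no mapped role, or conflicting roles
        return QUARANTINE_VLAN
    return mapped[0]


def vlan_attributes(vlan: int) -> bytes:
    """Attribute bytes a RADIUS server would place in the Access-Accept."""
    return (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
            + tagged_str(TUNNEL_PRIVATE_GROUP_ID, str(vlan)))


def access_accept_vlan(roles: List[str], device_compliant: bool) -> bytes:
    return vlan_attributes(choose_vlan(roles, device_compliant))
```

A switch that receives these attributes moves the authenticated session onto the named VLAN, so a compromised or unmanaged endpoint never reaches the segments holding critical systems even though it passed authentication.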
Getting Started with Zero Trust
Digital workspaces create disparate networks and wider attack surfaces. This means that the foundational tools implementing Zero Trust authentication and authorization must be able to do so securely for resources on and off the central network, including devices, SaaS apps, cloud infrastructure, network-attached storage, VPNs, and other resources. Users must be able to authenticate using Zero Trust tactics from anywhere.
Unfortunately, many tools that exist today handle only part of this initiative — like some MFA solutions or on-prem directories. Companies that use these solutions end up with a fragmented web of applications that sometimes create more security issues than they solve.
The best way to implement Zero Trust in a digital workspace is with one centralized user management system that can accomplish user management, device management, MFA, network access, and multi-protocol authentication. This way, all authentication processes source the same core directory information from the same identity provider (IdP) without cumbersome add-ons. Ideally, the directory should offer conditional access policy configuration and SSO as well to streamline the user and admin experience while bolstering security.
Start with the Right Directory
JumpCloud is the world’s first cloud directory service. JumpCloud uses a multi-protocol authentication and authorization approach to authenticate identities and authorize their secure access to virtually all IT resources, whether they are tied to the on-prem network or in the cloud. JumpCloud takes a Zero Trust approach to security and offers the tools you need to implement Zero Trust in your organization, including MFA, conditional access policies, SSO, RADIUS, VLAN tagging, and more.
To dive deeper into Zero Trust in the digital workspace, download the free whitepaper on simplifying Zero Trust security in the cloud.