Zero Trust: Securing the Future of Flexible Work

The future of work is quickly evolving to prioritize flexible work environments, whether that’s fully remote, hybrid, or shared in-person workspaces. Yet with this heightened demand for flexibility comes added security risks across your virtual and physical organization.

While “zero trust” might be the hot new marketing buzzword, the framework behind it is anything but.

Picture this: You have a new employee starting in five days and they’re fully remote. You send their new laptop out to their address, arriving two days before their start date. The laptop arrives, but it’s snagged by a porch pirate.

That’s fine, though. You have a zero trust framework in place, meaning that the thief essentially nabbed themselves an expensive brick. While the business may be out the cost of the shipping and that laptop, it’s a small price to pay to know that your data remains secure.

While many experts define how zero trust applies in their own organization slightly differently, the foundation remains the same: zero trust is a framework that builds a more secure architecture by ensuring that all access to applications and data (whether in the cloud or on-premises) is constantly validated, tracked, re-assessed, and protected.

At its core, zero trust abandons the “trust but verify” methodology and instead operates on the assumption that, until verified, everything is a threat to the security of your organization and must be validated to earn access. This thinking is especially critical as more organizations find themselves pivoting to fully remote or hybrid workspaces, rendering physical security useless and opening up more opportunities for cyberattacks. Essentially, it limits the “blast radius” should a breach occur.

A zero trust framework is a great option for employers looking to evolve their current policies and procedures to accommodate users across their evolving workforce—whether they’re in office, at home, or on a boat—and regardless of status or title.

At Businessolver, we use this framework to scale security across our organization and ensure that employees, regardless of location or title, only have access to what’s necessary for their role and job function. As a health and benefits company, our zero trust framework is essential to our global compliance efforts as we’re responsible for handling our clients’ and their members’ data in a secure, HIPAA-compliant manner.

Here’s what security teams should keep top of mind as they use zero trust to build out more workplace flexibility across their organizations.

In a virtual world, no network is “safe.”

Trust nothing. Validate everything. This is a core tenet of the zero trust framework, a methodology designed to build a deep moat of security around your organization’s data and IP. As more organizations build in remote-first workplace models, the security risks grow exponentially.

No network is truly safe, not even the one you and your team have spent countless hours securing in the home office. Everything—and everyone—is subject to security threats, cyber and otherwise.

By baking this assumption into your security protocols, your tech organization can ensure security across the board, regardless of whether a user is logging in through your office network or a VPN abroad.

At Businessolver, we’re rolling out network access controls, building in added assurance and validation that each employee only has access to the data they need for their job. Similar to role-based access, our zero trust framework doesn’t continuously assume that the user accessing the network is actually that user; instead, our network is constantly validating through multi-factor authentication and our teams are regularly reviewing access permissions to ensure right person, right access.

All users are subject to the zero trust framework.

Zero trust means zero trust (until validated).

If you got an email from your CEO asking you to wire over half-a-million dollars, the first thing you’d do would be to validate that it’s actually coming from your CEO. The second thing you’d do (if it really was your CEO) is send them through proper channels for that request.

Now scale that concept to everything in your organization:

  • How can we ensure that the user requesting access is actually that user?
  • Does our multi-factor authentication process align with a zero trust framework?
  • How are we building scalable frameworks to manage and monitor user verification?
  • How are we educating our users on the concept of zero trust and helping them become better security ambassadors across the organization?

Continuous validation is critical.

Just because the credentials were validated the first time doesn’t mean successive logins or access sessions inherit that validity.

“It’s me, I swear!”

Is it, though?

Alongside your multi-factor authentication protocols, a zero trust framework also leverages continuous verification, be that per session or at set intervals, for each user, access point, and network. Think of it as asking a few critical questions over and over and over again:

  • Who are you?
  • Why do you need access? Is it necessary for your job?
  • How long will you need access to this?

Your organization should also build in regular audits to ensure that all of those virtual doors remain closed and locked. Just because someone requested access doesn’t mean they need that access all the time, so why leave that door open?
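As an added illustration of the continuous-validation and regular-audit points above (and of the MFA-plus-access-review approach described earlier), here is a small Python policy check; it is not code from the original article or from Businessolver, and the role map, time limits, resource names and users are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

REVERIFY_AFTER = timedelta(minutes=30)  # constructed policy value: how long a passed MFA check stays fresh
IDLE_AFTER = timedelta(days=30)         # constructed policy value: unused grants older than this get flagged
ROLE_RESOURCES = {"benefits_analyst": {"claims_db"}, "hr": {"payroll"}}  # hypothetical role-to-resource map
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)                    # constructed clock for the demo

@dataclass
class Grant:
    resource: str
    expires_at: datetime            # "How long will you need access to this?"
    last_used: "datetime | None" = None

@dataclass
class Session:
    user: str
    role: str                       # "Why do you need access? Is it necessary for your job?"
    mfa_verified_at: datetime       # "Who are you?" - time of the last passed MFA challenge
    grants: list = field(default_factory=list)

def evaluate(session, resource, now):  # decide one request; run on every request, not once at login
    if resource not in ROLE_RESOURCES.get(session.role, set()):
        return "DENY"               # not needed for the role, so the door is never opened
    grant = next((g for g in session.grants if g.resource == resource), None)
    if grant is None or grant.expires_at <= now:
        return "DENY"               # no grant, or the time-boxed grant has lapsed
    if now - session.mfa_verified_at > REVERIFY_AFTER:
        return "STEP_UP"            # earlier validation does not carry over; re-prove identity
    grant.last_used = now
    return "ALLOW"

def audit(sessions, now):  # periodic review: grants that are expired or idle and should be revoked
    findings = []
    for s in sessions:
        for g in s.grants:
            if g.expires_at <= now:
                findings.append((s.user, g.resource, "expired"))
            elif g.last_used is None or now - g.last_used > IDLE_AFTER:
                findings.append((s.user, g.resource, "idle"))
    return findings

def demo():  # constructed scenario: two users evaluated over a day, then audited
    alice = Session("alice", "benefits_analyst", T0 - timedelta(minutes=5),
                    [Grant("claims_db", T0 + timedelta(hours=8))])
    bob = Session("bob", "hr", T0, [Grant("payroll", T0 - timedelta(days=1)),
                                   Grant("payroll_reports", T0 + timedelta(days=90))])
    decisions = [evaluate(alice, "claims_db", T0), evaluate(alice, "payroll", T0),  # ALLOW, DENY (role)
                 evaluate(alice, "claims_db", T0 + timedelta(hours=1)),             # STEP_UP (MFA stale)
                 evaluate(alice, "claims_db", T0 + timedelta(hours=9))]             # DENY (grant lapsed)
    return decisions, audit([alice, bob], T0 + timedelta(hours=9))
```

The audit deliberately flags grants that were requested but never used, which is the "why leave that door open?" case: a grant that is still valid on paper but idle is a candidate for revocation at the next review.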

Your framework is only as good as your policies.

For zero trust to be effective, you need a vehicle to distribute that framework and ensure consistency across the organization. Workplace security policies ensure that you have user-facing documentation and agreements in place.

Key policies to consider include:

  • Acceptable use
  • Bring your own device
  • Access control
  • Third-party security
  • Risk management

Building out policies is also a great opportunity to work with your partners across the organization, like HR, compliance, legal, and operations, to ensure that you’re communicating these policies effectively across the organization and that you have consistency from the top down.

Additionally, information security awareness shouldn’t just be a part of your annual process review. At Businessolver, we engage our team members on a monthly basis through newsletters, simulated phishing exercises, and an open line of communication between employees and the security teams.

Make sure your services and vendors support your zero trust framework.

As the future of workplace flexibility continues to scale into remote and hybrid environments, the need for additional technology and virtual solutions grows, bringing with it added security concerns.

Security teams can get ahead of this with both policy and a “smart shopping” approach to ensure that you’re curating a vendor roster of trusted, effective, and secure services and partners for your organization.

This might look like:

  • Working with your compliance and contracting teams to build in specific language into your vendor and service agreements to ensure adherence to your organization’s security policies and frameworks.
  • Continuously re-evaluating that roster, looking at both the need and the effectiveness of the services and solutions they provide for the organization.
  • Monitoring the security of those services against CIS benchmarks.

I hope these tips are helpful as you and your organization scale your security efforts. As a remote-first organization, we have found great success in applying these methods as we scale our benefits technology and infrastructure. As more and more employers adopt similar employment models, it’s important that security teams have the structures, policies, and awareness in place to manage access and data security.

Greg Tatum is Chief Information Security Officer at Businessolver, a provider of SaaS-based benefits technology and services.