A new approach to security – Shifting Zero Trust to improve employee wellbeing

By Spencer Pitts, EMEA Chief Digital Workspace Technologist, VMware.

  • 1 year ago Posted in

As people are now working more and more distributed and or in a hybrid workplace, new and existing threats, such as social engineering phishing attacks and ransomware, continue to develop and target people working this way. To protect themselves, organisations must remain vigilant and maintain a healthy security posture of course, but has there been an unintended impact on businesses and their people? Have security practices moved on over the last few years to enable greater worker freedom or have they reverted to a ‘lock down everything’ approach of old but under a new name… ‘Zero Trust’?

Businesses have needed to question the most established security practices to maintain flexibility, especially now in the norm of hybrid. A ‘Zero Trust security’ methodology has emerged as the desired approach to protecting the businesses and the way they operate today. At the core of the Zero Trust principle from a user access perspective is that they, and their devices, are treated as hostile at first until verification and authentication, proves otherwise (and continuously) – thereby establishing trust. This is also known as ‘never trust always verify’ or the ‘least privilege’ concept. In theory then we can apply this in a way that means we can cater for people accessing information and applications regardless of location, in or outside the office. The question though is, are we doing it right?

Zero Trust in practice can feel like a ‘one-size-fits-all’ approach and can now be a source of friction – particularly when not implemented with employee behaviour in mind too.

What’s wrong with Zero Trust then?

It is important to note that the Zero Trust model is not the issue but instead it is in how many organisations have approached the model in relation to their workforces. Locking everything down to start with is the correct approach but it can’t stop there.

The Zero Trust approach was meant to help organisations adopt a granular, risk-based approach to security, and thus provide increased flexibility for the workforce, whilst balancing the security posture needs. For example, by allowing more access to lower-risk applications and data to employees on personal devices, or only allowing access to more sensitive things only via very secured methods, such as fully managed corporate devices on known networks.

In reality, what tends to happen is the model is implemented in a way that organisations often impose the same rigid rules on all employees but maybe this time round they filter to ‘outside the of the office’ – whether they’re regularly accessing sensitive corporate data or not. Many don’t take individual job functions into account when mapping the risk and, therefore, it doesn’t trust anyone. This can be

productivity limiting for those performing considerably “safer or less risky” roles. For instance, does it make sense in holding the person delivering your parcels to the exact same corporate security standards as an office-based VP of a business, especially if that process for access is time consuming?

Zero Trust done badly can mean putting security above all other aspects of the business, including individual job functions and the organisation’s overall need to focus on user experience, agility and innovation.

On a much more day-to-day level, the more draconian organisations are with their implementation of Zero Trust, the more backlash they may face from employees. Understandably, if an employee’s job functions are being disrupted by tight security controls, they’re going to find ways around it – which can create a whole host of new security issues.

Then there’s the term ‘Zero Trust’ itself. Hopefully the explanation of the term and methodology makes sense but if we put ourselves in the shoes of an employee who may not have heard of this ‘IT language’ before and hears that the business is implementing a ‘Zero Trust’ initiative for all employees, this can suggest negative connotations in their eyes about how they are ‘trusted’ to do their job. There’s a lesson here for all IT to think about the naming of projects and think how the very project name may sound from the people who will be the recipients of it.

Shifting Zero Trust to ‘Tailored Trust’

With all this in mind then what can be the right way to embrace the principles of Zero Trust whilst balancing the needs of the people doing their work under its umbrella? Organisations should look to adopt a bespoke or tailored approach to Zero Trust, leverage Zero Trust principles but combine this with risk profiling, treating users and devices with the scrutiny reflective of their job function plus the data they need to access. It’s a ‘persona-driven’ approach which places the individual – rather than just the organisation – at the heart of the process, to provide a more flexible experience, without compromising security.

There are several key elements to consider with this approach. The first step is understanding the job function and then the associated risk in relation to the apps and data the required to be accessed as part of that persons working day. These risks might be location, the data sensitivity, the device being used etc. The Zero Trust model has five main pillars of risk context and context is important here.

The other important part of the Zero Trust thinking is the concept I mentioned earlier, which is always verify. This part done badly can have a massive impact on the experience received. Imagine going to a restaurant for a meal, you’ve booked under your name and get asked for I.D at the front desk when you arrive. That sounds reasonable of course, now imagine that every five minutes the waiting staff

ask you again to show your I.D. I’m thinking that eating experience might live long in the memory and not for the right reasons.

So, would we want the same then for our employees simply trying to do their jobs but constantly asked for authentication? There must be a balance, an appropriate level applied based on risk and importantly if that risk changes. Up until recently how you collect information, the timeliness of and then apply context in terms of risk has been difficult. Technology has advanced here and the rise of Machine Learning in this area means we can make decisions on risk more quickly and this will help make the ‘always verify’ part of Zero Trust succeed. Back to our restaurant example, we can think of this as the staff only ask someone to show ID again if they notice they look completely different to the people who came in. In other words, look for changes, things out of place, we are verifying but in a way that does not impact the end person.

A great customer example who are working on this Zero Trust approach is Rentokil Initial, a leading pest control and commercial hygiene services provider with 36,000 employees working across 80 countries. Its security teams use an intelligence platform to help identify vulnerabilities and risks based on user behaviour – which can help with profiling.

Finally, as an extension of Tailored Trust, businesses’ approach to security training should reflect their overall security posture. Just as with any other form of training, security training ideally should be personalised to a specific job function or level. I wouldn’t be surprised if employees switch off after hours of security training that isn’t relevant to them, which creates further problems for IT teams down the line. At Rentokil Initial, the company splits its workforce into different personas based on their existing knowledge of cyber security, helping to identify which workers need which type of training. Ultimately then, like with most things in life, there has to be a balance. Our recent Digital Floorplan report found that anywhere work led to a higher number of cybersecurity breaches in 2022, compared to 2021 across EMEA. However, something’s not right if it’s being prioritised above all else, especially not over your employees’ ability to get their jobs done. There needs to be an evolution on the part of businesses to enable employees to do their best job without compromising the security of the online environment. Choosing to take a Zero Trust approach isn’t a bad decision, but it can be the wrong one if not done correctly.

Nadir Izrael, Co-Founder and CTO at Armis discusses the importance of critical infrastructure...
By Darren Thomson, Field CTO EMEAI at Commvault.
By Asher Benbenisty, Director of Product Marketing at AlgoSec.
By Steve Purser, former Head of Core Operations at the EU Agency for Cybersecurity, and Zivver’s...
By Graham Jarvis, Freelance Business and Technology Journalist, Lead Journalist, Business and...
By Graham Jarvis, Freelance Business and Technology Journalist, Lead Journalist, Business and...
By Graham Jarvis, Freelance Business and Technology Journalist, Lead Journalist – Business and...