Hybrid work models are here to stay. According to recent Citrix research, more than one-third of Australians prefer a flexible approach to hybrid work, where they can choose when they work at home, in the office or somewhere in between. However, while hybrid work gives employees more flexibility, the resulting security complexities are creating a new set of challenges for IT managers, writes Martin Creighan of Citrix.
With employees working from anywhere – in some cases using personal devices to access cloud applications and corporate resources – the attack surface is larger than it has ever been. Many organisations are struggling to defend it. More than 40 per cent of IT leaders globally called out ransomware attacks as the highest risk exposed by hybrid work. On top of this, the Australian Cyber Security Centre reported nearly 500 ransomware reports during the 2020-21 financial year; an increase of 15 per cent on the previous year.
Out with the old
Network-centric security worked well when employees still came to the office. But today’s users are working from many different locations and devices. Research from the Australian Bureau of Statistics shows that 70 per cent of businesses enable bring-your-own-device (BYOD).
This adds up to serious security vulnerabilities – just one session from an unmanaged device infected with malware can put the entire network at risk. Once an unauthorised user gets through, the door to lateral movement is wide open.
To combat these new threats, IT teams need to rethink their approach to security. When it comes to protecting a workforce that cycles in and out of the office, IT must be able to continuously evaluate risk factors in a contextual way and when suspicious activity is detected, automatically apply granular security controls to keep things safe.
In with the new
Traditional solutions like virtual private networks (VPN) can’t provide the level of visibility or control that IT leaders need to enhance their organisation’s security posture. Enter zero trust network access (ZTNA), an IT security framework founded on the principle of never trust, always verify.
Though zero-trust architectures vary, each can be broken down into three main principles based on the tenets of the NIST Cybersecurity Framework:
- Explicit and continuous verification: authentication and authorisation should be enforced before access and driven by dynamic policy before and during a session, based on behavioural and environmental properties.
- Least privileged access: grant access to IT resources on a per-session basis, limited by just-enough-access policies that minimise risk without impeding productivity. Micro-segmentation of access becomes an integral part of the architecture for mitigating lateral movement, and it underpins the growing role of privileged access management (PAM). With such an approach, IT teams can prevent unauthorised access, remove privileges as needed, and manage remote access appropriately.
- Minimise blast radius: segmentation extends the rule of least privilege to the network and hosts by defining security zones that limit unwanted access to sensitive applications and data, reducing lateral movement and shrinking the attack surface so that a breach is contained. In an optimal world, an organisation would encrypt traffic end-to-end but still retain insight into all resources, networks, and communications to improve threat detection and response.
Working on the edge
IT teams also need to rethink where they protect and learn to live on the edge. Networks today are defined by the individual and the device, not physical boundaries.
Security controls need to be placed close to applications and end users so that protection is continuous, no matter where employees work or what devices they use. ZTNA architecture represents a shift from the old “handing over the keys to the castle” approach of VPNs to requiring all users to earn trust incrementally over time.
Unlike VPN and single sign-on (SSO), which authenticate at login only, ZTNA solutions continuously evaluate risk factors throughout each session. When suspicious activity is detected, granular security controls automatically kick in to change how users are authorised to interact with applications.
Striking a balance
Australian employees must be able to work when, where and how they want using the applications and devices of their choice. IT teams need to empower employees to do exactly that, in a secure and reliable manner. This is a delicate balance, but it can be struck.
With the right ZTNA solutions, IT teams can provide seamless access to the applications employees need to get work done, wherever it needs to get done, and apply security policies and controls in a transparent way to preserve their experience.
For example, employees might encounter watermarking when using a BYOD device, or be prevented from downloading documents when accessing the company network from an unknown network. But in most scenarios, they won’t notice a thing and will continue work as usual, as adaptive authentication and access control policies work in the background.
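As an added illustration (not code from Citrix or this article), the following Python models the continuous, per-request policy evaluation and adaptive controls described above: a watermark on unmanaged BYOD devices, downloads blocked from unknown networks, step-up authentication when risk rises mid-session, and termination when it crosses a block threshold. The context fields, thresholds and control names are assumptions chosen for the example.

```python
from dataclasses import dataclass, field

# Constructed session snapshot; field names and meanings are assumptions.
@dataclass
class SessionContext:
    user: str
    device_managed: bool   # enrolled in corporate device management (not BYOD)?
    network_known: bool    # request arrives from a known corporate egress?
    risk_score: int        # 0-100 behavioural/environmental score from the risk engine
    mfa_age_min: int       # minutes since the last strong authentication

@dataclass
class Decision:
    allow: bool
    controls: list = field(default_factory=list)
    reason: str = ""

# Assumed policy thresholds.
RISK_BLOCK = 80        # at or above: terminate the session
RISK_STEP_UP = 50      # at or above: require re-authentication
MFA_MAX_AGE_MIN = 60   # strong auth older than this must be refreshed

def evaluate(ctx: SessionContext) -> Decision:
    """Policy decision for one request. Unlike a VPN/SSO login check, this is
    re-run on every request so controls change as the context changes."""
    if ctx.risk_score >= RISK_BLOCK:
        return Decision(False, ["terminate_session"], "risk above block threshold")
    controls = []
    if ctx.mfa_age_min > MFA_MAX_AGE_MIN or ctx.risk_score >= RISK_STEP_UP:
        controls.append("reauthenticate")     # adaptive step-up authentication
    if not ctx.device_managed:
        controls.append("watermark")          # BYOD: watermark rendered content
    if not ctx.network_known:
        controls.append("block_download")     # unknown network: no local copies
    return Decision(True, controls, "allowed with adaptive controls")

def run_session(snapshots):
    """Evaluate a sequence of context snapshots for one session; stop at the
    first denial, since a terminated session handles no further requests."""
    decisions = []
    for ctx in snapshots:
        decision = evaluate(ctx)
        decisions.append(decision)
        if not decision.allow:
            break
    return decisions
```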
Looking ahead: Keep it simple
Hybrid work has no doubt complicated network and application security. But ZTNA will simplify things. Now is the time for IT teams to ensure they have zero-trust principles in place to provide consistent access to the applications employees need to get work done, from anywhere.
Martin Creighan is the managing director at Citrix Australia and New Zealand.