Digital transformation is the key to the future of business; it’s what every CIO is thinking about. We live in the information age and as advances in technology, communication channels and collaborations evolve, innovation and speed are critical. An effective digital transformation can significantly improve a company’s speed to market and improve user productivity.
From a technology point of view, this transformation has many potentially disruptive elements – be it moving to the cloud, adopting BYOD or introducing the use of the IoT. However, as organisations adopt these new cloud-based strategies, it’s important to consider that traditional security practices and technologies are no longer adequate or scalable enough to protect far-flung data and applications.
Gaps in security
As an organisation progresses its digital transformation, there is a lot of extant technology that needs moving into the new world. It’s inevitable that as migration to the cloud takes place, organisations are left with environments comprising legacy, cloud and third-party systems. Having an IT environment consisting of so many different systems can quickly increase a company’s vulnerability to security incidents. Legacy systems in particular can present a serious risk, particularly as many companies may stop focusing on them as they adopt new systems and continue to migrate towards the cloud.
Basic best practices such as software updates and patches, as well as user account management, can be made more complicated by the presence of different operating systems and applications, and errors can begin to creep in. For example, the add/remove process for granting access for new employees, and amending or removing it for movers and leavers, can easily end up overlooking certain systems, or even breaking down entirely – particularly with legacy systems. This scenario can lead to a major security incident, as forgotten user accounts can be commandeered by cyber attackers or even the former employees themselves.
Tracking potentially malicious logins through ageing legacy systems is made more difficult in today’s perimeter-less workplace. It has become standard practice in an increasing number of companies for users to log in remotely, and many even spend more time out of the office than in. Companies can address this risk to an extent by using automated processes that will disable accounts when a user leaves the company. However, they should also be investigating alternative strategies for verifying users and securing access.
How zero-trust can help keep control
One of the most effective strategies for maintaining security throughout the digital transformation process is to take on a zero-trust approach. Whereas enterprise security has traditionally afforded trust to anyone with the correct user credentials, zero-trust means that users also need to go through a number of other steps to verify their identity before they are granted access.
The zero-trust model has become increasingly popular as a solution to the growing trend for staff to work remotely. The strategy is an effective way of differentiating a cyber criminal trying to break into the network using stolen credentials and a legitimate user who just happens to be at an unfamiliar location or using a different device.
These same principles are also extremely beneficial for ensuring that all access points to the network are kept secure, even as the shape of the enterprise network grows and changes during the on-going digital transformation process.
By securing all of its applications with a zero-trust policy, an organisation effectively turns each application into a separate house with a single locked door as entry. This means that even if a user has the key to the network, they still need to unlock the door to the individual application as well, creating a multi-layered defence. When implemented correctly, the verification process should also be extremely quick and painless for users, establishing security without impacting workflow.
This agility and flexibility mean organisations can easily bring new applications on board, whether they are running in the cloud, in a local data centre or as a third-party application. No matter where the doors are, they can be open or shut from a central point based on a policy. This allows the business to more freely pursue new solutions as part of its business transformation strategy without security throwing up unnecessary barriers that hinder progress. Applying zero-trust as a universal policy across the company will guarantee that legacy systems enjoy the same level of security as new applications.
Making zero-trust work
A central tenet of a successful zero-trust strategy is making it as easy and painless as possible for legitimate users. The moment security begins hampering productivity, it starts to be seen as a burden by employees, rather than a benefit.
Users can prove their identities with measures such as two-factor authentication in addition to their normal login credentials, which will block imposters who are trying to access the system with stolen details. Organisations can also set a number of different conditions to confirm the endpoint device has not been compromised, such as the need to run on the most recent OS and be fully updated and patched, as well as proving it is free of malware.
One of the best ways to ensure the process remains user-friendly is to take a risk-based approach, with the level of verification required changing based on the importance of the assets being accessed, and external factors that can indicate higher risk, such as location, the status of the device being used (personal or corporate managed), etc. For example, accessing your company’s cafe menu yields a much lower threshold for verification than attempting to access a production environment from a previously unknown location, which would probably require using a well-patched, corporate managed device and additional authentication steps. Companies can also integrate the process with established single sign-on (SSO) capabilities, which will allow a user's rights to be identified without the need for any duplication of effort. It can also be presented through a browser-based gateway screen to provide a simple, secure single point of entry into each of the application doors.
With a well-managed and accessible zero-trust policy applied across the entire organisation, businesses can keep both new and legacy systems secured as they continue their digital transformation journey.
Richard Archdeacon, Advisory CISO, Duo Security
Image Credit: Chombosan / Shutterstock