Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:00 AM
Dan Blum
Dan Blum
Connect Directly
E-Mail vvv

Is Zero Trust the Best Answer to the COVID-19 Lockdown?

Enterprises need to recognize that remote access and other pandemic-related security challenges cannot be fixed with buzzwords or silver-bullet security tools.

As businesses operate under the COVID-19 shutdown, they undergo forced digitalization. Many people are teleworking, exponentially expanding remote access loads. Organizations also experience disruption to the supply chain, business continuity/disaster recovery (BC/DR) issues, and ramped-up cyberattacks. How well they are able to navigate the new abnormal depends on where they fall in the network security continuum between a relatively closed or relatively open "zero-trust" environment.

Figure 1 above illustrates three network security scenarios:

  • Relatively closed prepandemic IT environment with main security zones of trust. Users may be strongly authenticated by the VPN, but internally to the network both users and services tend to be trusted with minimal (e.g., password-based only) authentication.
  • Relatively open IT environment with no VPN and minimal perimeter layers. All access to applications and services gets strongly authenticated via services such as Google Authenticator or cryptographic mechanisms.
  • Hybrid environment including elements of both the relatively open and relatively closed models.

Expanding Remote Access
Businesses that had robust remote access and/or cloud security strategies before COVID-19 have found it relatively easy to ramp up teleworking. They can run many business applications as is and open up access rapidly to many others. During one of the interviews I conducted for my 
upcoming book, Rational Cybersecurity for Business — after the COVID-19 shutdown — a chief information security officer (CISO) from an asset management firm told me:

We'd done a tabletop exercise two and a half years ago to uncover weaknesses in remote working and fix them. This exercise was focused on the potential requirement to evacuate offices and keep the business running in the event of an active shooter scenario. We needed to define:

  • How do we communicate?
  • What critical systems would we need?
  • Would team members have the equipment required to work at home? (We even looked at seemingly minor issues, such as whether users have headsets.)

Architecturally, we had to make security decisions about which systems, or security zones, to keep behind the VPN and which to make accessible through the Internet. We implemented a zero-trust architecture and started to move some applications to the cloud. That really helped reduce the load on the VPN.

Although COVID-19 has been a completely different scenario, the remote access challenges are similar. Being prepared in advance has made the disruption much less painful for us.

It's Never Too Late, but…
Other businesses, whose time to prepare in advance has passed, must set themselves realistic expectations. If staff predominantly worked from the office on desktops before the lockdown, organizations may lack the budget and infrastructure capacity to swiftly roll out notebook computers to everyone. Such businesses will need to start, formalize, or expand a bring-your-own-device (BYOD) program as well as a remote access expansion project. Otherwise, they'll be opening up business applications to potentially compromised home devices. It's also important to adapt network architecture to this new way of working.

Look at the use cases below to determine which systems can be exposed to BYOD, remote access, and Web access. 

Zero Trust Is Not Always the Answer
In its most simple description, the zero-trust security architecture holds that all network access should be appropriately authenticated and that the access must never be granted based on device network location alone (i.e., being inside a "trusted zone"). With a capability for strong authentication in place, one can — in theory — safely take down some of the perimeter layers in the relatively closed scenario from Figure 1.

However, zero trust isn't suitable for use cases where staff are working on home computers absent an effective BYOD program that may include endpoint health checks, user awareness training, corporate-provided endpoint security software, and legal agreements. It isn't appropriate when the target applications or systems cannot defend against cyberattackers attempting to exploit direct access. When applications haven't been hardened or isolated commensurate to the risk they create, exposing them to direct Internet access is unwise.

By analyzing use cases similarly to what we see in Figure 2 rather than attempting to force-fit VPNs, zero trust, or any other one-size-fits-all approach, a company could do the following:

  • Start to get its feet wet with zero-trust access to lower risk assets
  • Use selected groups of staff members to pilot BYOD solutions in return for higher levels of access to employee intranet informational applications
  • Load up the VPN only with applications, such as the call center, that pose more risk
  • Augment or replace the VPN with solutions better suited to the highest risk use cases, such as privileged account management (PAM) tools

Although the zero-trust principles may seem suited to the challenges of our time, proceed with caution. Even Google's BeyondCorp initiative — a poster child for zero trust — took two to three years and a major investment to accomplish. Enterprises just starting now need to recognize that remote access and other COVID-19 security challenges cannot be fixed with buzzwords or silver-bullet security tools. Instead, they demand a risk-based focus and careful attention to network security and identity and access management (IAM) architecture.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Biometrics in the Great Beyond."

Dan Blum is an internationally recognized strategist in cybersecurity and risk management. Dan was a Golden Quill award winning vice president and distinguished analyst at Gartner, Inc. He has served as the security leader for several startups and consulting companies and has ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Strategist
5/25/2020 | 12:08:25 AM
Nice Insight
COVID-19 surely has pushed many company for teleworking. And as this article point out, it can cause system security problem. While zero trust do show promise but company must also understand the challenges that can be arise in its implementation. 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Latest Comment: Exactly
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-21
Affected versions of Atlassian Jira Service Desk Server and Data Center allow remote attackers authenticated as a non-administrator user to view Project Request-Types and Descriptions, via an Information Disclosure vulnerability in the editform request-type-fields resource. The affected versions are...
PUBLISHED: 2020-09-21
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Regex-based Denial of Service (DoS) vulnerability in JQL version searching. The affected versions are before version 7.13.16; from version 7.14.0 before 8.5.7; from versio...
PUBLISHED: 2020-09-21
Affected versions of Atlassian Jira Server and Data Center allow remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the /secure/QueryComponent!Default.jspa endpoint. The affected versions are before version 8.5.8, and from...
PUBLISHED: 2020-09-19
An issue was discovered in Tiny Tiny RSS (aka tt-rss) before 2020-09-16. The cached_url feature mishandles JavaScript inside an SVG document.
PUBLISHED: 2020-09-19
** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because "admins are considered trustworthy"; however, the behavior "contradicts our secu...