informa
Commentary

Zero Trust Shouldn’t Mean Zero Trust in Employees

Some think zero trust means you cannot or should not trust employees, an approach that misses the mark and sets up everyone for failure.

After the last two years of breach events, it's no wonder the hype around zero trust is reaching fever pitch right now. Human error continues to be the leading cause of data breaches, and Tessian has found that 2 million malicious emails bypassed secure email defenses in a 12-month period.

Zero trust assumes that every user and every device that wants to access applications and data is untrustworthy until proven otherwise. The idea of locking down access and removing all levels of trust is appealing, but it's possible to go too far. Some people hear "zero trust" and think it means that you simply cannot or should not establish trust in employees. This approach really misses the mark and sets up everyone involved for failure.

As an industry, we need to recognize that trusting and empowering employees within well-defined boundaries is not only possible, it’s necessary. We must start extending trust beyond IT security teams if we are going to provide effective outcomes for the business, such as enabling hybrid work.

Here are a few effective places to start.

Push Security Up to Apps and Down to Devices
Zero trust relies on pushing security up to the application layer and down to client endpoints, such as laptops and mobile devices.

Network-based security solutions still matter. But today they're more of a luxury than something that can be expected to be always "on." This is because remote work, bring-your-own-device policies, and protocol-level advancements prevent traditional network security solutions from working.

At my last organization, my team was able to deliver a zero-trust architecture that provided employees with consistent authentication and access experiences across on-premises, private cloud, and software-as-a-service applications while ensuring that our security controls and policies were enforced at each and every access event.

We accomplished this by choosing technology solutions that enabled us to combine endpoint and application layer controls, ensuring that the user and device accessing an application met the necessary policy, configuration, and hygiene requirements. This further enabled our team to provide granular policy requirements for our applications. 

Zero Trust: More an Experience Than Just Architecture
An effective zero trust experience works for and empowers the employee. To them, everything feels the same — whether they're accessing their email, a billing platform, or the HR app.

In the background, they don't have broad access to apps and data that they don't need. This comes down to building a well-defined and measurable "circle of trust" that is granted to an employee based on their role and team. With these guardrails in place, you're removing the friction and providing a good user experience while establishing more effective security.

Security teams must be able to clearly and reliably enforce a trust boundary that's extended to employees based on what they need to get their jobs done. From there, zero trust is about building out those guardrails so that the trust boundary is maintained. No more, no less.

Implement Across the HR Life Cycle
Zero trust should be implemented across the entire HR life cycle, especially when staffing shortages and the Great Resignation have caused hiring and turnover fluctuations. Onboarding presents the first opportunity to get effective role-based access control in place and offboarding is even more important, especially to ensure that things like personal devices usage is accounted for. A report from Tessian found that 40% of employees plan to work from personal devices in a hybrid work environment. This can make it much more challenging for an organization to ensure employees aren’t walking away with sensitive data when they leave the company.

If the proper protocols are in place for onboarding, offboarding, and role changes within an organization, these necessary HR processes can happen without disrupting either employee trust or security.

More Trust, Not Zero Trust
As an industry, we need to get comfortable with the idea that trust must be extended beyond the IT and security team to include the actual constituents we are trying to support.

We also need to be comfortable with the fact that employees are going to open files in the emails they receive or click links in instant messages whether they are safe or not. Why? Because opening files and links sent by strangers is often part of their jobs, especially in roles like recruiting, sales, and customer success.

Ultimately, and perhaps ironically, zero-trust methodology should result in increased trust because it’s about establishing healthy boundaries. Employees trust that they are empowered and protected, without security being in the way, and security teams can be more comfortable with reducing friction because of trust in the boundaries. When done right, this is a win-win situation.

Recommended Reading: