With the current rise in remote working there has been increasing discussion on the potential mechanisms that can be used to secure resources needed by the remote workers.

Of course, remote working is far from new. Until now it has been a gradual shift; it is the current enforced revolution (as opposed to the previously gradual evolution) that is bringing this to the forefront of discussion.

The question itself is ultimately very simple: how do you allow safe, secure, easy access to systems that the workforce need to perform their jobs?

Two key models exist for this today: secure perimeter and zero trust.

  • Secure perimeter is the long-established corporate IT network, resources existing within a walled garden of security. A virtual private network (VPN) is then used to extend the garden to a different ‘location’ (via a ‘tunnel’ of sorts).
  • Zero trust is the stand-alone scenario, each resource taking and enforcing its own security policies.

Secure perimeter vs zero trust/amusement park vs fairground

At this point an analogy might be useful to both understand the differences and the challenges brought by remote workers. Although not perfect, let’s consider an amusement park and a fairground.

The amusement park is our secure perimeter example. Strong walls all around the park and a controlled entrance. Sure, there might be long queues there, and you typically pay a large sum to get in, but once you’ve got your entrance ticket all rides are open access. There might be some gating: for example, as a junior you get a green entrance ticket, so you can go on any green ride, and as an adult you get a yellow ticket. But once you are in, you are in.

The fairground is the zero trust example. Each ride is independent. It doesn’t matter what other rides you might have been on. You pay for the ride you want; the operator checks you are suitable based on the ride’s individual safety restrictions; takes your money and you get access to that one ride. Each ride in the fairground has its own queue, rules, and payment.

Now, forgive me whilst I stretch this analogy a little. You want to access a ride from home. For the amusement park (secure perimeter) this would mean extending their boundary onto your driveway (VPN). That is a complex operation and, given that you already have others using your driveway (with or, maybe, without your knowledge!), it represents an increased risk to the park as a whole – once you are in, you are in.

For the fairground (zero trust), they could bring the ride to you and enforce their rules and charges, and you could access it from your driveway the same as you would from the fairground. (Your neighbours might not be so impressed, but you get the idea.)

A zero trust system, by its very definition, does not rely on any other information. The system will enforce its own checks, policies, controls and provide resource access accordingly.
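
The two access decisions can be put side by side in a short sketch. This is an added example, not code from the original article or from any Ubisecure product; the address range, resource names, groups, and the MFA and device attributes are assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Assumed corporate range; VPN clients are handed addresses inside it.
CORPORATE_NET = ipaddress.ip_network("10.0.0.0/8")

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    mfa: bool             # did the user pass multi-factor authentication?
    device_managed: bool  # is the device enrolled and in a known state?
    source_ip: str
    resource: str

def perimeter_allows(req: Request) -> bool:
    """Amusement park: one check at the gate. Anything arriving from inside
    the walls (office LAN or VPN tunnel) can reach every resource."""
    return ipaddress.ip_address(req.source_ip) in CORPORATE_NET

# Fairground: every resource carries its own policy (hypothetical rules).
POLICIES = {
    "payroll": lambda r: "finance" in r.groups and r.mfa and r.device_managed,
    "wiki": lambda r: "staff" in r.groups,
}

def zero_trust_allows(req: Request) -> bool:
    """Each request is judged by the target resource's own policy. Network
    location is never consulted, and unknown resources are denied."""
    policy = POLICIES.get(req.resource)
    return bool(policy and policy(req))

# Constructed requests: a shared home PC on the VPN, and a finance user
# on a managed laptop connecting directly from a home network.
vpn_unmanaged = Request("alice", frozenset({"staff"}), False, False,
                        "10.8.0.23", "payroll")
home_finance = Request("bob", frozenset({"staff", "finance"}), True, True,
                       "203.0.113.7", "payroll")

if __name__ == "__main__":
    for req in (vpn_unmanaged, home_finance):
        print(req.user, req.resource,
              "perimeter:", perimeter_allows(req),
              "zero trust:", zero_trust_allows(req))
```

The perimeter check admits the unmanaged VPN device to payroll and turns away the legitimate finance user at home; the per-resource policies reverse both outcomes.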

Remote working and security

We see more and more organisations providing direct access to their systems for external parties, customers, partners and suppliers. These interactions need to be as secure, as controlled as any interaction, and the techniques used to enable them can effectively support employees just as well. We’ve spoken before on the blurring of lines between internal and external users – the current step change in operating practices is critically accelerating that blurring and driving organisations to adapt.

A word of caution though when dealing with IT security – we are already living in a world of increased security incidents, breaches being an almost daily news story. Changes in IT security should not be undertaken lightly. Sure, companies might be looking to fast track access programmes, but due consideration is critical.

At Ubisecure we’ve been providing systems to mediate identity and enable zero trust systems for 20 years. If you would like to continue this conversation and understand more about the due consideration that should be in place, please get in touch.