- Remote work appears to be a permanent feature of the modern, post-COVID workplace, with many employees working 100% remote and others working on a hybrid schedule.
- Given the wide adoption of remote working and the inherent flaws of virtual private networks (VPNs), employees need a safer, more secure means of accessing their employer’s systems from outside the office while the company prevents bad actors from logging in and wreaking havoc.
- Zero trust networks take security a big step further than traditional VPNs—not just requiring a username and password perhaps with multi-factor authentication, but also restricting system access to certain devices, in known locations, and then assigning different levels of access to those devices once users are logged in.
In previous blogs, we’ve discussed how to set up your ETRM system hosting correctly, as well as an example of a robust monitoring tool to catch potential problems earlier. But what about enhancing the cybersecurity of your ETRM system?
Thanks to the COVID pandemic, more people are working remotely than ever before—from home, coffee shops, airports, and other locales. Some are on public WiFi. Some are using their own personal devices. What these people share in common is that they’re all outside the normal access modes for logging in to company systems, including ETRM systems.
Although some employees have started to venture back to the office, others will continue to work remotely for the foreseeable future. Or, their companies have adopted a hybrid schedule in which employees work on-site for a set number of days each week and work remotely on other days.
The prevalence of remote work means that companies rely heavily on virtual private networks (VPNs) to allow employees access to company files, data, and other critical information from wherever they’re located, which enables work to proceed uninterrupted. However, as many serious data breaches and cyberattacks have indicated, the widespread adoption of remote work has also exposed the flaws of VPNs and underscored their vulnerability to bad actors.
All a VPN really offers is a means of accessing a network using a private, supposedly secure connection. Typically, a user logs in to the VPN by simply entering a username and password. Once they’re logged in, they have access to everything on the network. As you can imagine, it’s not difficult for cybercriminals and other bad actors to circumvent these minimal security measures and cause a lot of damage for businesses.
Other times, employees’ devices could be infected with undetected malware, which can compromise company systems and cause major, costly problems.
The bottom line: Companies need a safer, more secure way for their employees to work remotely.
That’s why companies have started taking extra security precautions. For example, many companies have leveraged multi-factor authentication in which systems require users to provide additional information beyond usernames and passwords to verify their identity before allowing them to log in. Examples of multi-factor authentication could be system-generated codes sent to smartphones or other mobile devices, or even fingerprint scans.
Zero Trust: The Next Step Beyond VPNs
Zero trust has quickly gained momentum as the international standard for cybersecurity. It’s actively reshaping how IT departments consider approval of system access in the post-COVID workplace.
So, what is zero trust?
It’s an operational model in which no single user, device, or connection is trusted by default. They must first be verified and become known to the system.
Just because you have a username and password, you don’t necessarily have the right to access certain, much less all, company information.
Within the zero trust framework, you also need:
- A trusted device. IT personnel capture the unique identifier of each approved device—a serial number or Mac address, for instance—and place a certificate of trust on it. No other devices can be used to access company systems. So, a bad actor may be able to swipe a username or password, but they’d also have to possess the right device to obtain entry into an ETRM system.
- A registered, known location. Users can’t log in from just anywhere—they have to use an address or network that’s registered with the ETRM system. So, even if a device isn’t vetted, the virtual pathway into a company system is.
- Confirmation that a device isn’t compromised. Automated verification that current anti-malware software is installed on the device, and that any required security measures are in place.
- Ability to grant custom access permissions to certain users and/or devices. Once a user is logged in, they don’t have unfettered access to everything within the company system. In the event there’s a breach, the bad actor will be more limited in the damage they can cause.
By controlling access so robustly and thoroughly vetting users, devices, and connections, zero trust delivers multiple layers of security and represents a big step beyond multi-factor authentication. You could say it’s closing the gap between secure authentication and rigorous authorization.
Some cloud hosting providers, including Google and Microsoft, operate on zero trust 100%—and have for awhile.
For IT personnel, these controls offer greater peace of mind. Where the door to company systems used to be cracked open, now it’s almost closed.
As capSpire works with clients to set up their ETRM systems, our team can also help to evaluate security options and implement more enhanced security features. With our extensive knowledge of clients’ businesses and a think-outside-the-box mentality, we’ve proven to be a trustworthy resource for producing effective security solutions. If you have questions, we invite you to have a conversation with us.
How has the new culture of hybrid work affected your industry? What have you noticed in this space of remote work security? Share your thoughts with us at firstname.lastname@example.org.