Sarah Armstrong Smith - Securing the Future of Remote Working with Zero Trust

‍

We've been tuning in to all the fantastic tech talks at the AtlanTec Festival this week.

Given the increasing use of technology by companies as a result of the pandemic, focus is turning to cloud computing to drive their digital transformation in order to adapt to the new business landscape. AtlanTec 2021 is exploring this increased digitisation and work environment through the hosting of multiple events including discussions with leading names in cybersecurity. An international line-up will cover topics ranging from the future of work to wellness, in hopes of easing the transition into an increasingly digitised work space.

One of the first speakers at the 2021 AtlanTec Festival, Sarah Armstrong Smith spoke about securing the future of remote working through the principles of zero trust. Speaking as the Chief Security Advisor at Microsoft and all-round influential women in cybersecurity, Sarah provides fantastic insight into the future of working from home and its security repercussions. She explains how the remote working landscape provides new opportunities for cybercriminals to access information and to attack networks and advises a continuous and conscious evaluation of risk to combat cyber attacks.

Working from home presents a whole range of different challenges for businesses, ranging from increased distraction from others in the home, to individuals having more responsibility for the security of their devices. The changing risk model means that businesses have to reevaluate their security strategies and move forward with a ‘zero trust’ system. This system would compel employees to assess the risk of situations constantly, and ask themselves how much risk am I willing to take? This constant awareness would allow them to understand the behaviour of users and devices, as well as their environments, and to more easily identify anomalies should they arise.

To describe the concept of zero trust in more detail, Sarah explains the principles on which it is based. She stresses the importance of verifying explicitly every aspect of security. This includes verifying that a user is using the right credentials, and verifying that a user is logging in from an approved device. She also speaks about the concept of least privilege. Least privilege provides that individuals only have access to what they absolutely need to in order to limit the potential risk of an attack or accidental error. Building on these principles, she emphasises the importance of identity and data which when properly handled, help to secure the perimeter of your company by limiting access and effectively managing your cloud environment. The use of Multi-Factor Authentication is a great tool in achieving this.

In addition to user behaviour, zero trust also concerns device health. Devices should also be monitored and updated to ensure they are using the right operating systems and have not been infected by any malware. Security policies need to extend to every aspect of devices, including applications, and users need to be made aware of how these policies affect them and their devices. A standard also needs to be devised in case a device does become compromised in order to form an effective and rapid mitigation strategy.

Sarah uses the Microsoft Exchange Server hack to demonstrate the importance of having controls in place. Due to a lack of segmentation in the network, attackers were able to access the server through some unpatched infrastructure. Control is important to prevent this type of attack from happening, and to be able to react to events efficiently. Thus, she explains that we are not just talking about preventive cyber security but also crisis management and incident response should an attack occur.

The bottom line of this discussion was that people need to be educated on how their actions influence data. In addition to access control, users need to be guided on how to handle data, for example, by reaffirming why are we asking you not to perform a certain activity, why are we asking you to double check the recipient of the data, and why are we asking you not to share credit card information when you're talking in a Teams chat. Reinforcing this behaviour and looking at consistent awareness training will help to maintain a security embedded culture within the organisation as well as ongoing compliance.

According to Sarah, adopting a zero trust approach will ultimately benefit everyone, including employees and customers. By increasing security and reducing the vulnerabilities, potential blind spots are removed and people are empowered to take an active role in protecting their organisations - an interesting stance to keep in mind!