Sponsored: A new approach to security – shifting zero trust to improve employee wellbeing

By Lorna Hardie - SSA Regional Senior Director, VMware

01 February 2024

Lorna Hardie, VMware.

Companies must remain vigilant and maintain a healthy security posture, but has there been an unintended impact on businesses? Have security practices moved on over the last few years to enable greater worker freedom, or have they reverted to the ‘lock down everything’ approach of old under a new name: ‘Zero Trust’?

Businesses have needed to question the most established security practices to maintain flexibility. A ‘Zero Trust security’ methodology has emerged as the desired approach to protecting the business. At the core of the Zero Trust principle, from a user-access perspective, is that users and their devices are treated as hostile until verification and authentication prove otherwise, and are then re-verified continuously, thereby establishing trust.

This is also known as ‘never trust, always verify’ or the ‘least privilege’ concept. In theory, then, this can be applied so that people can access information and applications regardless of location. The question is, are we doing it right?

Zero Trust in practice can feel like a ‘one-size-fits-all’ approach and become a source of friction, particularly when not implemented with employee behaviour in mind too.

It’s important to note that the Zero Trust model is not the issue but, instead, it is in how many organisations have approached the model in relation to their workforces. Locking everything down to start with is the correct approach, but it can’t stop there.

Zero Trust was meant to help organisations adopt a granular, risk-based approach to security, and thus provide increased flexibility for the workforce while balancing the needs of the security posture. For example, by allowing employees broader access to lower-risk applications and data from personal devices, while permitting access to more sensitive assets only via strongly secured methods. In reality, the model tends to be implemented in a way that imposes the same rigid rules on all employees.

Zero Trust done badly can mean putting security above all other aspects of the business, including individual job functions and the organisation’s overall need to focus on user experience, agility and innovation.

‘Tailored Trust’

Basically, the more draconian organisations are with their implementation of Zero Trust, the more backlash they may face from employees. If an employee’s job functions are being disrupted by tight security controls, they’re going to find ways around it – which can create a whole host of new security issues.

So what is the right way to embrace the principles of Zero Trust while balancing the needs of the people doing their work under its umbrella? Organisations should look to adopt a bespoke or tailored approach to Zero Trust: apply Zero Trust principles, but combine them with risk profiling, treating users and devices with a level of scrutiny that reflects their job function and the data they need to access. It’s a ‘persona-driven’ approach that places the individual – rather than just the organisation – at the heart of the process, to provide a more flexible experience without compromising security.

There are several key elements to consider with this approach. The first step is understanding the job function, and then the associated risk of the apps and data that person needs to access as part of their working day. These risks might relate to location, data sensitivity, the device being used, and so on. The Zero Trust model has five main pillars of risk context, and context is important here. The other important part of Zero Trust thinking is the concept of verification. Done badly, this part can have a massive impact on the experience received. There must be a balance: an appropriate level of verification applied based on risk and, importantly, re-applied if that risk changes.

The rise of Machine Learning means we can make decisions on risk more quickly, and this will help make the ‘always verify’ part of Zero Trust succeed. In other words, look for changes and things out of place, and verify, but in a way that does not impact the end user.
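The persona-driven policy described above, as an added illustration that is not code from the article or from any VMware product: the personas, sensitivity tiers, scoring weights and thresholds are invented for the example. It contrasts the rigid ‘same rule for everyone’ policy with a tailored one that derives a verification level from job function, data sensitivity, device, location and a behavioural anomaly signal, and re-evaluates when that context changes.

```python
from dataclasses import dataclass, replace

# Constructed sensitivity tiers (higher = more sensitive)
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Constructed personas: the data classes each job function needs in a working day
PERSONA_SCOPE = {
    "field-technician": {"public", "internal"},
    "finance-analyst": {"public", "internal", "confidential", "restricted"},
}


@dataclass(frozen=True)
class Context:
    persona: str           # job function, key of PERSONA_SCOPE
    data_class: str        # key of SENSITIVITY
    managed_device: bool   # corporate-managed device vs personal device
    known_location: bool   # usual working region vs an unexpected one
    anomaly_score: float   # 0..1 behavioural signal (e.g. from an ML model)


def uniform_policy(ctx: Context) -> str:
    """The 'lock everything down' rule: identical for every persona and data class."""
    return "mfa" if ctx.managed_device else "deny"


def tailored_policy(ctx: Context) -> str:
    """Risk-based decision: 'allow', 'mfa' (step-up verification) or 'deny'."""
    # 1. Least privilege: data outside the job function is never granted.
    if ctx.data_class not in PERSONA_SCOPE.get(ctx.persona, set()):
        return "deny"
    # 2. The most sensitive data is reachable only via a secured (managed) device.
    if SENSITIVITY[ctx.data_class] >= 3 and not ctx.managed_device:
        return "deny"
    # 3. Score contextual risk: sensitivity, device, location, behaviour.
    risk = SENSITIVITY[ctx.data_class]
    risk += 0 if ctx.managed_device else 1
    risk += 0 if ctx.known_location else 1
    risk += 2 if ctx.anomaly_score >= 0.7 else 0
    # 4. Verification proportionate to risk: no friction when risk is low.
    if risk <= 2:
        return "allow"
    return "mfa" if risk <= 4 else "deny"


def reevaluate(ctx: Context, **changed) -> str:
    """Continuous verification: re-decide after part of the context changes."""
    return tailored_policy(replace(ctx, **changed))
```

For a field technician reading internal data on a personal device from a usual location the tailored policy returns `allow` where the uniform one returns `deny`; moving to an unexpected location steps the same session up to `mfa`, and a high anomaly score denies it.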

Security posture

A great example of utilising a good Zero Trust approach is Rentokil Initial, a leading pest control and commercial hygiene services provider with 36 000 employees working across 80 countries. Its security teams use an intelligence platform to help identify vulnerabilities and risks based on user behaviour – which can help with profiling.

Finally, as an extension of Tailored Trust, a business’ approach to security training should reflect its overall security posture. Just as with any other form of training, security training ideally should be personalised to a specific job function or level. I wouldn’t be surprised if employees switch off after hours of security training that isn’t relevant to them, which creates further problems for IT teams down the line. At Rentokil Initial, the company splits its workforce into different personas based on their existing knowledge of cybersecurity, helping to identify which workers need which type of training.

Ultimately then, like with most things in life, there has to be a balance. Our recent Digital Floorplan report found that ‘anywhere work’ led to a higher number of cybersecurity breaches across EMEA in 2022 compared to 2021. However, something is not right if security is being prioritised above all else, especially over your employees’ ability to get their jobs done. Businesses need to evolve so that employees can do their best work without compromising the security of the online environment. Choosing to take a Zero Trust approach isn’t a bad decision, but it can be the wrong one if not done correctly.