Zero trust: The new normal in cybersecurity and remote access

In the not-too-distant past, the typical office worker would enter a building, go to a workstation, log in, and access everything they needed via on-premise servers. But as digitalization and cloud adoption increased, the way in which users accessed their IT resources changed, too. And in a post-COVID world of remote, hybrid, and bring-your-own-device (BYOD) work environments cybersecurity teams need to do more than enable work for anyone from anywhere: they must ensure that every connection is always fully secure. Therefore, organizations are strengthening their security systems by adopting a Zero Trust model. [by Romain Pradelle]

According to Forbes, Zero Trust “is especially important in today’s world of work in which employees do their job on the go: at home, in coffee shops, at conferences, on laptops, iPads, and iPhones, and in and out of VPNs.” But to understand what this concept – sometimes also called “trust no one” – really means, we must look at how it developed from earlier security frameworks.

Conventional perimeter-based security frameworks assume that all services, devices, and users within one’s own network are trustworthy. Traffic and access from “outside” the network, on the other hand, are considered potentially dangerous and must be analysed and restricted. But this means that once someone has penetrated the company network, there are hardly any security measures left to prevent dangerous activities, e.g., an attacker trying to gain administrator rights throughout the network environment.

The Good Old Times behind the Firewall

Emails with malicious attachments and links, so-called phishing emails, are a great example of how traditional, perimeter-based IT security works: In the good old days some twenty-five years ago, the only place where an employee would receive, open, and read his emails was at his desktop computer inside an office. The computer was part of the company network and connected to the email server, which was connected to the internet and protected by a firewall. This firewall had, and still has, basically the same purpose as the physical fire walls and fire doors of any building: Protect the people “inside” from harm that is coming from “outside” or the other way around.

The outside in this example is the internet and mails coming in from other servers around the world. The inside is the company network and the physical servers that used to be in the basement. Hence, the only time when data had to be checked for malicious attachments or other malware was when the email was entering the network.

Zero Trust Is Not Distrust

With the advent of company issued laptops and smartphones things began to change quite dramatically. And in today’s digital and connected cloud computing environments and post-COVID remote work world there is no more “inside” or “outside” whatsoever. Anybody can work from anywhere with multiple devices. Anybody can access IoT devices, machines, and robots in smart factories or warehouses remotely. This is creating new and bigger opportunities for attacks.

Today, it doesn’t matter that much from which location somebody accesses the company network. It matters more who that user or device is. When people are not working in the office any more and we cannot physically see the familiar faces sitting at their workstations, we must check if the connections from, to, and within our networks are trustworthy by other means. And because this is very challenging, if not impossible, given the number of devices and connections nowadays, a new concept must be introduced: Trust no one or simply Zero Trust.

The Zero Trust model stands for a change in thinking compared to traditional concepts as it treats all devices, services, and users as equally untrustworthy. The basic assumption is that in a digitalized work environment, the interpersonal concept of human trust is not a valid principle of cybersecurity any more – if it ever was.

Under the Zero Trust model each action a user performs via the network is verified against a set of rules, enabling the detection of unexpected patterns. Consider this example: Monica usually works from an office in Berlin. One day, she tries to access the network from a Moscow IP address at 3am CET. This action either triggers an alarm or leads to her access being blocked immediately until the identity of the user can be verified.

This fundamental change has a significant impact on IT security architecture as systems must no longer only be protected at the boundaries but throughout the entire global network and at each step in between. Therefore, Zero Trust doesn’t mean we distrust our employees or other users, but that we must protect them and our network not based on physical presence but by other means.

How to Get Zero Trust Right

Cybersecurity is like an offence-defence game: For the defending team, the cybersecurity experts, there is little room for mistakes as one vulnerability in the line of defence is enough to give the attacker, or hacker, a possibility to score – game over.

For companies trying to go the Zero Trust route, typically a significant investment is implied, especially if an infrastructure already exists. The first step is to get an overview of the status quo, find gaps, cluster them, and define a game plan. In most cases, a “low-effort and high-impact action items first” approach is adopted.

While tackling 90% of the action items will put you in a safer place, the common belief is that attackers are lazy and go for the low-hanging fruits. This is only partially true. Advanced attacks are sophisticated, strategically planned, and can take place over a long period of time. To make your protection bulletproof, you need a 360-degree view into your network and safe defaults.

Remote Access as a Field of Application for Zero Trust

Take the example of remote access and control software: An established remote connection can give a person control over a device in your network remotely. Can you trust the employee who is on the other end of the connection, or verify their identity? Is it the friendly IT guy or only somebody pretending to help you?

The problem here is the so-called “human factor”: Users are often unaware of what they are doing and some people actively want to harm you. Together with unchecked IT environments or user rights, unpatched software, lack of network visibility, and not anticipated use cases of a software this quickly becomes a slippery slope for IT security.

How Conditional Access in TeamViewer Works

With its Conditional Access feature TeamViewer Tensor offers your company a convenient tool to introduce or strengthen Zero Trust principles and enhance your security setup. Conditional Access allows you to granularly manage who can access your network remotely. This means that instead of restricting what cannot be done, you decide what can be done. As a security expert, an IT manager or the person responsible for the infrastructure you are therefore now in full control.

By combining Single sign-on (SSO) and fine granular controls within Conditional Access, you can thoroughly manage who connects to whom and to which device as well as when and how they are establishing those connections. That way, even if a clever user works around other measures you have in place, the policy you have defined within Conditional Access will act as your best ally and your strongest safeguard.

And it goes even further: with Tensor, you also have the option to activate multi-factor authentication for your accounts and incoming connections.

German-Engineered IT Security with End-To-End Encryption

TeamViewer features like Conditional Access must follow strict European as well as national laws. We built our binaries with built-in security and privacy by design. This helps you to be on the safe side from a GDPR (General Data Protection Regulation) perspective. TeamViewer is also HIPAA-certified. Many critical businesses around the world already use Tensor for these reasons. And because TeamViewer connections are end-to-end encrypted nobody can see the content of your remote sessions – not even TeamViewer.

Learn more about the concept of Zero Trust in this short video with our expert on cybersecurity, Romain Pradelle.