23 mei 2024

What is zero trust? The new normal in cybersecurity

We explore the main features and benefits of this increasingly popular and effective security approach.

  • Manage systems and machines
  • Not so long ago, the typical office worker would just go to the office, find a workstation, log in, and get everything they needed with on-premises servers. But as digitalization and cloud adoption increased, the way they accessed their IT resources changed. 

    In a post-COVID world of remote, hybrid, and bring-your-own-device (BYOD) work environments, cybersecurity teams need to do more than support work for anyone from anywhere: They have to ensure that every connection is always secure. One way of boosting their security systems is with a zero trust model.

    What is zero trust?

    According to Forbes, zero trust “is the idea that all entities, whether internal or external, need to be regularly authenticated and validated before they are given access.”

    But to understand what this concept — sometimes also called ‘trust no one’ — really means, we should distinguish it from earlier security frameworks.

    Conventional perimeter-based security frameworks assume that all services, devices, and users within one’s own network are trustworthy. Traffic and access from “outside” the network, on the other hand, are considered potentially dangerous and must be analyzed and restricted. 

    This means that once someone has penetrated the company network, there are hardly any security measures left to prevent dangerous activities, e.g., an attacker trying to gain administrator rights throughout the network environment.  

    Taking a zero trust approach, by contrast, means you stop bad actors long before they get in. Good for your team, your devices, and your company’s digital transformation.

    The good old times behind the firewall

    Emails with malicious attachments and links, so-called phishing emails, are a great example of how traditional, perimeter-based IT security works.

    In the past, an employee would only ever receive, open, and read emails on their computer inside an office. This computer was part of the company network and connected to the email server, which was connected to the internet and protected by a firewall. 

    This firewall had, and still has, basically the same purpose as the physical fire walls and fire doors of any building. Its purpose is to protect the people ‘inside’ from harm coming from 'outside,’ or the other way around.

    The ‘outside’ in this example is the internet and mail coming in from other servers around the world. The ‘inside’ is the company network and the physical servers that used to be in the basement. For this reason, data was only ever checked for malicious attachments or other malware when email entered the network.

    As I will now show, things have grown quite a bit more complex in recent years.

    Zero trust is not distrust

    With the advent of company-issued laptops and smartphones, things began to change quite dramatically. In today’s digital and connected cloud computing environments and post-COVID remote work world there is simply no more ‘inside’ or ‘outside’.

    Anybody can work from anywhere with multiple devices. Anybody can access IoT (Internet of Things) devices, machines, and robots in smart factories or warehouses remotely. This increase in device diversity creates new and bigger opportunities for attacks.

    Today, it doesn’t matter that much from which location somebody accesses the company network. It matters more who that user or device is. 

    When people are not working in the office anymore and we cannot physically see them sitting at their workstations, we have to verify the connections from, to, and within our networks by other means. 

    This is particularly challenging, if not impossible, given the number of devices and connections nowadays. As a result, a new concept must be introduced: trust no one or simply zero trust.

    The zero trust model stands for a change in thinking compared to traditional concepts as it treats all devices, services, and users as equally untrustworthy. In a digitalized work environment, it says that the interpersonal concept of human trust is not a valid principle of cybersecurity anymore — if it ever was.

    Under the zero trust model, each action a user performs via the network is verified against a set of rules, enabling the detection of unexpected patterns. Consider this example: Monica usually works from an office in Berlin. One day, she tries to access the network from a Moscow IP address at 3 am CET. This action either triggers an alarm or leads to her access being blocked at once until the identity of the user can be verified.

    This fundamental change has a significant impact on IT security architecture. Rather than only protecting them at the boundaries, systems must now be protected throughout the global network and at each step in between. 

    It’s important to say, zero trust doesn’t mean we don't trust our employees or other users. It just means that — because we can’t verify them by physical presence — we have to protect our users and network by other means.

    How to get zero trust right

    Cybersecurity is like an offence-defense game. For the defending team, the cybersecurity experts, there is little room for mistakes. One vulnerability in the line of defense is enough to give the attacker, or hacker, a possibility to score. And that can be game over.

    For companies trying to go the zero-trust route, typically a significant investment is implied, especially if an infrastructure already exists. The first step is to get an overview of the status quo, find gaps, cluster them, and define a game plan. In most cases, a 'low-effort and high-impact action items first’ approach is adopted.

    While tackling 90% of the action items will put you in a safer place, the common belief is that attackers are lazy and go for the low-hanging fruits. This is only partially true. 

    Advanced attacks are sophisticated, strategically planned, and can take place over a long time. To make your protection bulletproof, you need a 360-degree view into your network and safe defaults.

    Learn more about cybersecurity best practices in this recent article by our Chief Information Security Officer, Robert Haist.

    Remote access and zero trust

    Take the example of remote access and control software. With this, an established remote connection can give a person control over a device in your network remotely. Can you trust the employee who is on the other end of the connection, or verify their identity? Is it the friendly IT guy or only someone pretending to help?

    The problem here is the so-called ‘human factor’. Users are often unaware of what they are doing, and some people actively want to harm you. 

    Together with unchecked IT environments or user rights, unpatched software, lack of network visibility, and unanticipated uses of software, this quickly becomes a slippery slope for IT security. Which is where zero trust comes in. 

    How conditional access in TeamViewer works

    With its Conditional Access feature, TeamViewer Tensor offers your company a convenient tool to introduce or strengthen zero trust principles and enhance your security setup. 

    Conditional access allows you to granularly manage who can access your network remotely. This means that instead of restricting what cannot be done, you decide what can be done. As a security expert, an IT manager or the person responsible for the infrastructure, you are in full control.

    By combining single sign-on (SSO) and fine granular controls within conditional access, you can thoroughly manage who connects to whom and to which device as well as when and how they are setting up those connections. 

    That way, even if a clever user works around other measures you have in place, the policy you have defined within conditional access will act as your best ally and your strongest safeguard. 

    And it goes even further: with Tensor, you also have the choice to activate multi-factor authentication for your accounts and incoming connections.

    It’s important to note also that TeamViewer features like Conditional Access follow strict European as well as national laws. We built our binaries with built-in security and privacy by design. This helps you to be on the safe side from a GDPR (General Data Protection Regulation) perspective. 

    TeamViewer is also HIPAA-certified. Many critical businesses around the world already use Tensor for these very reasons. And because TeamViewer connections are end-to-end encrypted nobody can see the content of your remote sessions — not even TeamViewer.

    Read our new IT remote eBook to learn more about how we can help you deliver the gold standard of IT support.

    Summary

    Embracing zero trust is not just a cybersecurity upgrade: it's a necessary evolution in our interconnected, digital-first world. With remote work now the norm and cyberattacks growing more sophisticated, the traditional ways of working just aren’t cutting it anymore. 

    Implementing zero trust with tools like TeamViewer's Conditional Access ensures robust, flexible security tailored to company's needs — protecting your data, your people, and your business operations. 

    It’s time to rethink security and make sure that your defenses are as dynamic and resilient as the environments they protect. Because with zero trust, you’re not just adapting: you’re staying ahead of the curve.

    Want to get enterprise-grade security for your team?

    The gold standard in secure remote connectivity, TeamViewer Tensor can support you to implement a zero-trust approach across your business.