Zero Trust Evaluation Guide: Securing the Modern Workforce
We’ve released a new guide to help you understand the different criteria for a zero-trust security model that can secure your workforce - that is, both users and devices as they access your applications.
Here’s an excerpt from the introduction:
Why Zero Trust?
Today, the rise of a cloud-connected, mobile and remote workforce has moved visibility and control over users and devices outside of the enterprise. The perimeter has expanded beyond enterprise walls, making it more difficult for security and IT teams to verify user identities, and the trustworthiness of their devices, before granting either access to enterprise applications and data.
The new workforce model today requires an equally extended security model. The extended perimeter is now centered around user identity and their devices. The extended workforce security model must be able to establish device and user trust, no matter where the user is physically, and no matter what kind of network they're connecting from.
New Identity Perimeter Risk
Credentials are a prime target of attackers: once compromised through phishing, brute-force or other password attacks, they allow easy, unchallenged access.
In an analysis of simulated phishing campaigns, Duo's 2018 Trusted Access Report found that more than half (63 percent) successfully captured user credentials.
Zero trust treats every access attempt as if it originates from an untrusted network. A trust-centric model is focused on authenticating every user and device before granting access to any application.
A zero-trust approach doesn’t require a complete reinvention of your infrastructure. The most successful solutions should layer on top of and support a hybrid environment without entirely replacing existing investments.
Zero Trust: For the Workforce
The scope of this guide will focus on zero trust as it relates to securing your workforce - that is, users and the devices they use to access work applications. Users may include employees, partners, vendors, contractors and many others, making it more difficult to maintain control over their devices and access.
A zero-trust approach for the workforce should provide an organization the tools to be able to evaluate and make access decisions based on specific risk-based context.
For example - is the user verified using multi-factor authentication (MFA)? Are their devices trusted and/or managed? Do their devices meet your security requirements?
Security teams need to be able to answer these questions to establish trust in users and devices accessing an organization's assets. They also need to do it using an approach that balances security with usability.
This trust-centric security approach for the extended perimeter makes it much more difficult for attackers or unauthorized users to gain access to applications without meeting certain identity, device and application-based criteria.
What’s Inside the Guide
In this guide, you will learn how to evaluate a solution based on:
- User Trust - Can you verify your users are who they say they are? Are you using a scalable, frictionless MFA solution?
- Device Visibility - Do you have detailed insight into every type of device accessing your applications, across every platform?
- Device Trust - Can you check the security posture and trust of all user devices accessing your applications? Can you securely support all devices and BYOD (bring your own device) - both corporate and personally-owned devices?
- Adaptive Policies - Can you enforce granular, contextual policies based on user, device and location to protect access to specific applications?
- Access to All Apps - Can you give your users a secure and consistent login experience to both on-premises and cloud applications?
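The criteria above (user trust via MFA, device trust and posture, and adaptive per-application policy on location) can be combined into a single access decision. The following is an added illustration, not code from the guide or from Duo's product; the `AccessContext` fields, the `POLICIES` table and the application names are constructed for the example.

```python
from dataclasses import dataclass

# Constructed access-request context: what a zero-trust policy engine
# would see for one login attempt (hypothetical field names).
@dataclass(frozen=True)
class AccessContext:
    user: str
    mfa_verified: bool      # user trust: did the user complete MFA?
    device_managed: bool    # device trust: is the device enrolled/managed?
    os_version: tuple       # device posture, e.g. (13, 2) for version 13.2
    disk_encrypted: bool    # device posture: encryption enabled?
    country: str            # location context for adaptive policy
    app: str                # the application being requested

# Hypothetical per-application policy table (constructed for this example).
POLICIES = {
    "payroll": {"require_managed": True, "min_os": (13, 0),
                "allowed_countries": {"US", "CA"}},
    "wiki":    {"require_managed": False, "min_os": (12, 0),
                "allowed_countries": None},   # None = any location
}

def evaluate(ctx: AccessContext) -> tuple[str, list[str]]:
    """Return ('allow' | 'deny', reasons). Every request is treated as
    untrusted: each check must pass, and reasons records every failure
    so the decision can be logged and explained to the user."""
    policy = POLICIES.get(ctx.app)
    if policy is None:
        return "deny", ["unknown application"]
    reasons = []
    if not ctx.mfa_verified:
        reasons.append("user not verified with MFA")
    if policy["require_managed"] and not ctx.device_managed:
        reasons.append("unmanaged device not permitted for this app")
    if ctx.os_version < policy["min_os"]:
        reasons.append(f"OS {ctx.os_version} below minimum {policy['min_os']}")
    if not ctx.disk_encrypted:
        reasons.append("disk encryption not enabled")
    allowed = policy["allowed_countries"]
    if allowed is not None and ctx.country not in allowed:
        reasons.append(f"access from {ctx.country} not allowed")
    return ("allow" if not reasons else "deny"), reasons

if __name__ == "__main__":
    ok = AccessContext("alice", True, True, (13, 2), True, "US", "payroll")
    bad = AccessContext("bob", True, False, (12, 6), False, "DE", "payroll")
    print(evaluate(ok))   # ('allow', [])
    print(evaluate(bad))  # ('deny', [...four posture/location failures...])
```

The same request that is denied for `payroll` may still be allowed for a lower-risk app such as `wiki`, which is the point of per-application, context-based policy.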
You’ll also learn why all of these components are key to securing against threats such as phishing, stolen credentials and out-of-date devices that may be vulnerable to known exploits and malware.
We’ll also break down Duo’s zero-trust security solution for the workforce and how it can help secure user and device access to your work applications.