Prioritizing Distributed Work
There are many benefits that come with working with distributed teams. To start with, they accelerate the creation of high-quality software, and they also lower team attrition, helping create a better working experience.
At the same time, security often arises as a concern with this methodology. But contrary to popular belief, I consider that even better security standards can be achieved by prioritizing distributed teams. This, in combination with zero-trust authentication, can ultimately harden organizations against security threats.
Choosing distributed teams
There are many benefits for both employees and employers who successfully implement distributed teams within their organizations, but rarely is security considered to be one of them. It is usually considered to be a potential red flag, and with good reason: using the free wifi at a local Starbucks is often hailed as a prime example of what not to do if you are concerned about securing your data in transit.
I would argue that this is really the only good example in which the employee may be putting the company at risk by using remote access, assuming the company has a device policy in place and is following best practices for multi-factor authentication, the principle of least privilege and auditing, amongst others. I would also argue that if I wanted to hack a company, the last place I would start would be monitoring random traffic at my local Starbucks. After all, it is so much easier to just walk in the front door.
This is not to minimize the importance of using secure, encrypted networks while working remotely. This is a very solvable problem. But good security is not based on limiting what employees can and cannot do; rather, it assumes that people will ultimately make mistakes. As this article points out, once someone gains access to both a personal email and a device, all bets are off, and that includes privileged access to any information assets.
Why zero-trust authentication can help
This is why zero-trust authentication takes the principle of least privilege even further: not only do I allow access only to the requested information, but the manner in which I perform the access is also very granular and specific to a context. The concept of zero trust assumes that every time a resource receives an access request, it is coming from an untrusted source.
A characteristic of the open Internet and the IP address system of identification is that it is intentionally “weak” – its value depends upon free-flowing access to and distribution of information. Zero trust does not depend on having an IP address as an identifier, but rather a combination of device and authentication variables. Depending upon how this is implemented, this could even mean access from devices that are not managed directly by an IT organization. For example, Google’s BeyondCorp is based on a service-initiated architecture that does not require an agent running on a particular device.
Software-defined perimeters are at the heart of zero-trust authentication, which was first introduced at the Cloud Security Alliance Summit in 2014. This was originally for web-based applications only, but the principles have since been applied to any network or scenario in which a user must gain access to a network resource. Another zero-trust vendor is Cloudflare, and a good summary of the concept can be found on their website.
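As an added illustration (not code from this article or from any vendor it names), here is a minimal per-request access decision in Python that never consults the network location and relies only on device and authentication variables. All users, devices, resources and thresholds are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    action: str
    source_ip: str          # recorded for audit only, never used to grant access
    device_id: str
    device_compliant: bool  # e.g. disk encryption and patch level verified
    mfa_age_seconds: int    # time since the last multi-factor check

# Constructed sample policy: least-privilege grants per (user, resource).
GRANTS = {("ana", "payroll-db"): {"read"}, ("ana", "wiki"): {"read", "write"}}
# Constructed device inventory: which device is enrolled for which user.
ENROLLED = {"laptop-17": "ana"}
# Context-specific requirement: sensitive resources need a fresher MFA check.
MAX_MFA_AGE = {"payroll-db": 900, "wiki": 8 * 3600}

def decide(req: AccessRequest) -> tuple[bool, str]:
    """Evaluate one request from scratch; no network location is trusted."""
    if ENROLLED.get(req.device_id) != req.user:
        return False, "device not enrolled for user"
    if not req.device_compliant:
        return False, "device fails posture check"
    if req.action not in GRANTS.get((req.user, req.resource), set()):
        return False, "action not granted (least privilege)"
    if req.mfa_age_seconds > MAX_MFA_AGE.get(req.resource, 0):
        return False, "MFA too old for this resource"
    return True, "allowed"

def audit(requests):
    """Return one audit record per request, including the source IP."""
    return [(r.user, r.resource, r.action, r.source_ip, *decide(r)) for r in requests]

# Constructed requests: the network location differs, the decision logic does not.
CAFE = AccessRequest("ana", "payroll-db", "read", "203.0.113.7", "laptop-17", True, 300)
OFFICE_BAD_DEVICE = AccessRequest("ana", "payroll-db", "read", "10.0.0.5", "laptop-17", False, 300)
OFFICE_WRITE = AccessRequest("ana", "payroll-db", "write", "10.0.0.5", "laptop-17", True, 300)
STALE_MFA = AccessRequest("ana", "payroll-db", "read", "10.0.0.5", "laptop-17", True, 3600)

if __name__ == "__main__":
    for record in audit([CAFE, OFFICE_BAD_DEVICE, OFFICE_WRITE, STALE_MFA]):
        print(record)
```

The request from a public address is allowed because device and authentication checks pass, while requests from an internal address are denied when posture, privilege or MFA freshness fail.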
Tools Will Continue to Evolve
The arsenal of tools available to secure company information assets continues to grow, just as the communication technology enabling fluid team collaboration continues to evolve, and I do not think we will see any reversal of these trends in the near future. Combining the best security with the best collaboration practices for teams can bring productivity gains, faster time to market and a more enjoyable working life without incurring risk.
BairesDev is a pioneer and leader in creating highly skilled and effective distributed teams, delivering top-notch and effective results.