Zero Trust Security for Remote Work: A Primer

Securing digital resources is a constantly moving target that organizations may struggle to meet.  There are arguably more threats to your data than ever before, especially with the shift to a mainly remote workforce.  Organizations have also shifted to digital tools and connectivity solutions that extend the boundaries and blur the lines of on-premises vs. external.  

A traditional security stance is no longer adequate for protecting business-critical data.  As a result, one framework for safeguarding valuable business systems and securing critical data access – the Zero Trust security model – has become incredibly relevant.  So, what is the Zero Trust security model, and why is it critically important today?  How has the shift to a primarily distributed workforce brought this into focus?

Zero Trust – The modern security model

If you think back over the past few decades of traditional infrastructure and security design, most corporate networks treated anything external to the corporate network as untrusted and anything inside the corporate network as trusted.  For years, the traditional corporate firewall has been the “be-all and end-all” of security for the entire internal network.  It is supposed to keep the bad guys out and protect the internal, trusted network.  However, as new threats such as ransomware use new types of attacks to make their way past firewall technologies and into the internal network, this traditional security model is no longer sufficient.  How are threats getting past the perimeter?

No matter how good a perimeter firewall is, it cannot stop 100% of the threats today.  There are too many types of malicious code vectors, zero-day attacks, and other threats to prevent them all.  Also, attackers use crafty ways of infecting internal workstations with malware and other malicious code through phishing scams, drive-by website attacks, etc.  

Once cybercriminals infect an internal client, the threats now come from inside the perimeter network.  After the attacker is inside a traditional network perimeter, the safeguards and security boundaries no longer apply.  They can generally move laterally across the internal network, exfiltrating data and compromising other internal systems with little resistance.  The new attack vectors in use today are increasingly making the traditional “protect the perimeter” approach obsolete.

Below is a very simplistic overview of a traditional network design.  Workstations and servers are all found on the internal trusted corporate network.  On the other side of the firewall is the Wide Area Network (WAN) connection to the Internet.  In traditional network design, this is the untrusted network.  All workstations and servers on the trusted corporate network can communicate with one another without any restriction on either the type of traffic or the internal source.

Figure: Traditional network design trusts all traffic on the internal corporate network

With the threats mentioned above becoming widespread, organizations are undergoing a paradigm shift in how they approach security both externally and internally.  It is no longer safe to view internal resources as trusted and secure when granting access to business-critical data and services.  The Zero Trust security model is not tied to a specific technology or architecture.  Instead, it is a holistic security approach built on the principle that no internal or external resource should be trusted by default, and that every request should be validated regardless of the requesting entity’s location.  With the Zero Trust security model, there is no longer a trusted internal network where all nodes trust one another by default.

How Zero Trust has evolved

In the early days of Zero Trust, it was all about micro-segmentation.  With micro-segmentation, nodes can only “see” and communicate with the nodes they are explicitly allowed to communicate with, even if these reside on the same internal network.  Early Zero Trust models were made possible by software-defined networking solutions that made it possible to create fine-grained security boundaries between nodes.

Below is an example of traditional micro-segmentation in establishing Zero Trust policies for network communications.  Virtual machines are only allowed to communicate with specific VMs.  In the conventional 3-tier application, which includes web, app, and DB tiers, only the VMs in each respective tier and logical workflow can communicate.  

Figure: Zero Trust architecture including micro-segmentation

The Zero Trust security model has evolved past simple micro-segmentation.  Zero Trust has transitioned to include identity as one of the primary components in determining how and when communication is allowed from a client to an internal resource.  Identity is becoming much more critical in allowing or denying access to specific resources.  Based on the particular user, access can be granted to specific resources and denied for others.  This dynamic approach is based on verifying the identity of the requesting user or node.

The Zero Trust security model generally works hand-in-hand with other security best practices, such as the least privilege access model.  Users and systems only have access to the resources and types of network communication they require, no more and no less.  To successfully establish a Zero Trust security model, organizations must implement solutions that can confirm the identity of the entity requesting a resource and then validate that the entity is authorized to access that resource.
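To make the micro-segmentation and identity-based, least-privilege rules above concrete, here is an added example (not code from the original article or from any vendor) of a default-deny policy check for the 3-tier web/app/DB design.  The subnets, tier names, service identities and allowed flows are constructed assumptions; the identity verification itself is assumed to have been done upstream, and the check only consumes its result.

```python
"""Added example: a minimal default-deny policy decision for a 3-tier app.

A request is allowed only if (1) the caller's identity was verified,
(2) the source-tier -> destination-tier:port flow is explicitly permitted,
and (3) the verified identity is granted access to the destination tier.
Being on the "internal" network by itself never grants access.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed sample topology: which subnet belongs to which tier.
TIERS = {
    "web": [ip_network("10.0.1.0/24")],
    "app": [ip_network("10.0.2.0/24")],
    "db": [ip_network("10.0.3.0/24")],
}
# Constructed allow-list of flows (source tier, destination tier, port).
# Anything not listed here is denied, including traffic within one tier.
FLOWS = {("web", "app", 8080), ("app", "db", 5432)}
# Constructed identity grants: verified identity -> tiers it may reach.
IDENTITY_GRANTS = {"svc-web": {"app"}, "svc-app": {"db"}}


def tier_of(addr: str) -> Optional[str]:
    """Map an IP address to its tier name, or None if it is in no known tier."""
    ip = ip_address(addr)
    for name, nets in TIERS.items():
        if any(ip in net for net in nets):
            return name
    return None


@dataclass
class Request:
    identity: str            # identity presented by the caller
    identity_verified: bool  # outcome of authentication, assumed done upstream
    src: str                 # source IP address
    dst: str                 # destination IP address
    port: int                # destination port


def decide(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Every failing check denies; default is deny."""
    if not req.identity_verified:
        return False, "identity not verified"
    src_tier, dst_tier = tier_of(req.src), tier_of(req.dst)
    if src_tier is None or dst_tier is None:
        return False, "source or destination is in no known tier"
    if (src_tier, dst_tier, req.port) not in FLOWS:
        return False, f"flow {src_tier}->{dst_tier}:{req.port} not permitted"
    if dst_tier not in IDENTITY_GRANTS.get(req.identity, set()):
        return False, f"identity {req.identity} not authorized for {dst_tier} tier"
    return True, "allow"
```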

Why is the Zero Trust security model more crucial than ever before?

Aside from the tremendous number of security threats facing organizations today and the ransomware epidemic that has been growing wildly for the past few years, organizations have faced a global pandemic since the beginning of 2020 that has required most businesses to shift to a remote work model.  The vital question essentially becomes this – where is the network perimeter?  In reality, there is no longer a network perimeter.

Today’s hybrid architecture and network topologies blur the lines between on-premises and external resources.  Businesses are increasingly making use of modern applications that may have components running in any number of locations.  Now, more than ever, companies must establish a Zero Trust security posture for access to any business-critical resources.

Zero Trust for remote work is essential

The Zero Trust access model is not limited to on-premises resources accessed by on-premises or external hosts.  Organizations must provide proper security for resources accessed by legitimate remote end-user clients.  When the global pandemic began, many businesses shifted to remote workers using traditional remote access technologies such as VPN to access files and applications.  VPN has many security concerns inherent in the classic “perimeter” network model used for decades.  With a traditional VPN, it is generally assumed that remote VPN clients are trusted.

However, if a malware-compromised remote client connects to the corporate network via VPN, the malware is now directly connected to your corporate network.  Other remote access solutions such as Remote Desktop Session Hosts exposed to the Internet are generally under a constant barrage of brute force login attacks from the outside.  By default, RDS technologies assume that connections from any external source should be allowed for connectivity purposes.
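As a defender-side illustration of the brute force problem described above, here is an added example (not from the original article) that flags source addresses with a burst of failed Remote Desktop logons.  The log lines are constructed, in the shape of Windows failed-logon audit events (event ID 4625 with logon type 10, RemoteInteractive); the threshold and window are assumed values.

```python
"""Added example: detect brute-force RDP logon attempts in failed-logon records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real data: timestamp, event ID,
# logon type, source address, account name. 4625 = failed logon,
# 4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2021-03-01T08:00:01 4625 10 203.0.113.7 administrator
2021-03-01T08:00:03 4625 10 203.0.113.7 admin
2021-03-01T08:00:05 4625 10 203.0.113.7 root
2021-03-01T08:00:07 4625 10 203.0.113.7 user1
2021-03-01T08:00:09 4625 10 203.0.113.7 guest
2021-03-01T08:00:11 4625 10 203.0.113.7 test
2021-03-01T09:15:00 4625 10 198.51.100.4 jsmith
2021-03-01T09:20:00 4624 10 198.51.100.4 jsmith
"""


def parse(text):
    """Split the constructed records into (timestamp, event id, logon type, src, user)."""
    events = []
    for line in text.splitlines():
        ts, eid, ltype, src, user = line.split()
        events.append((datetime.fromisoformat(ts), int(eid), int(ltype), src, user))
    return events


def brute_force_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Return source IPs with at least `threshold` failed RDP logons within `window`."""
    failures = defaultdict(list)
    for ts, eid, ltype, src, _ in events:
        if eid == 4625 and ltype == 10:
            failures[src].append(ts)
    flagged = set()
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # slide the window start forward until it spans at most `window`
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return flagged
```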

These types of traditional remote access technologies assume trust as part of their basic architecture.  When organizations need Zero Trust access to business-critical applications, virtual app delivery solutions like Cameyo allow businesses to provide secure access based on validated identity.  Cameyo’s virtual app delivery platform provides a Zero Trust model that allows only validated users to have network-level access to Cameyo virtual app hosts.

Cameyo helps you ensure that security is designed into the core of your digital workspace by using unique technologies such as Cameyo’s RDP and HTTP/S Port Shield to protect business-critical applications in a Zero Trust solution.  Using this approach, your organization gets the benefit of protection from both brute force attacks and zero-day exploits.  Also, it ensures an identity-based trust model where only those connections from validated identities are allowed for access – the core principle of the modern Zero Trust security model. 

Once validated, end-users only have access to the applications and not to the core low-level infrastructure, ensuring data is protected from data leaks and other threats.

Figure: Cameyo RDP and HTTP/S Port Shield technology

Final Thoughts

Security is one of the core pillars on which organizations build their digital assets.  As threats and new threat vectors have evolved, new security best practices help ensure data is secure from modern threats.  The traditional perimeter security approach is no longer effective against modern malware and other threats.  A Zero Trust model assumes there is no trust between any node, even if it exists on the trusted corporate network.  Businesses must extend the Zero Trust model to secure remote employees distributed across many different geographic locations. Cameyo’s next-generation approach to securing remote applications assumes a Zero Trust posture for remote workers that prevents access unless identity has been validated.