What It Takes to Implement Zero Trust With Employees Working From Home

The pandemic has changed the focus for zero trust to locking down endpoints, wherever they may be. Cloud-based services can help.

Security concerns

With cyberthreats continuing to grow at the same time enterprises are undergoing digital transformations that increase reliance on digital technology, more of these businesses are opting for a zero-trust approach to security – often using service providers to help.

As the name implies, “zero trust” basically assumes every user or device that wants to connect to a corporate network or resources is untrustworthy until proven otherwise. It means all users and devices must be authenticated and authorized before accessing whatever resources they are after.

Traditionally, the way IT dealt with ensuring identity was by forcing users to access the network via a virtual private network (VPN). However, with the global pandemic forcing many users to work from home, VPNs quickly proved to be unscalable and caused performance issues.

At the same time, the heavy use of cloud-based services eroded what was once the network perimeter, creating additional challenges in implementing zero trust.

Focus on endpoints

Today, implementing zero trust means focusing on user devices, says Ian Pratt, Global Head of Security for Personal Systems at HP. “Seventy percent of breaches start with an endpoint compromise,” he says. “A user clicks on something that lets a hacker take control of the machine and use it as a beachhead. Their goal is to get to a machine of someone who has privilege, then log into high-value services.”

To thwart such attacks, organizations need to focus on enabling security at the lowest level of a device and build up trust from there. For example, every HP computer has an embedded security controller that validates all code signatures in the firmware, BIOS, and elsewhere before it lets the main CPU start executing code, Pratt says. The idea is to validate the machine hasn’t been tampered with and is booting in a secure state.

Isolation technology keeps malware in check

Once the machine is up and running, HP makes use of isolation technology to further protect the machine and the network to which it’s connected. Whenever a user opens any file ­– including email attachments – or a new browser tab, it is opened inside a micro-virtual machine (VM) container. The container is isolated from the rest of the machine so that even if the file contained malicious code, the malware is confined to that micro-VM and cannot infect the rest of the machine. Once the user closes the file, the micro-VM is erased – along with the malicious code. (There is an option to retain the micro-VM for forensics.)

“The most dangerous thing you can do today is open a Microsoft Word document received via email,” Pratt says, because of the threat of launching malware. With isolation technology, “it’s as though I’m reading the Word document in a demilitarized zone. There’s no ability to connect to other machines.”

If all high-risk activities such as opening email attachments and browsing the internet happen in isolated micro-VMs, you can opt to prevent the underlying operating system from accessing the internet at all, he says.

“You’re disconnecting your host OS from the internet,” Pratt says. “All external accesses are taking place in the virtual machine.”

Zero trust as a service

Perhaps best of all, this technology is available as part of HP’s Security Services.

To learn more about what it takes to implement a true zero-trust environment that covers endpoints even for employees working from home, explore HP’s Sure Click Enterprise resources page.


Copyright © 2021 IDG Communications, Inc.