Don’t Leave it to Your Apps: Why Security Needs to be a Shared Responsibility

Originally published by Lookout.

Written by Hank Schless, Senior Manager, Security Solutions, Lookout.

Here’s a scenario that was unlikely just two years ago: permanently telecommuting from Honolulu to your financial job on Wall Street. Fast forward to today, the world has accepted that productivity is just as feasible from the beach as it is from a skyscraper. In fact, according to Upwork, nearly 5 million people in the U.S. have moved because of remote work since 2020 with another 19 million planning to do so.

Before the pandemic, it was relatively straightforward to create access policies as your users’ locations were usually fixed. For example, let’s say everyone is expected to work out of your office in New York and a connection request comes through from a coffee shop in Hawaii. The decision is easy — simply deny access.

However, with remote and hybrid work becoming standard, your users could be anywhere and a policy like this would get in the way of productivity. This begs the question: as office-based perimeters are no longer relevant, how do you protect your data while supporting your work-from-anywhere employees?

Zero Trust: in who or what do we trust?

Many organizations realize that security needs to adapt to support work-from-anywhere initiatives. The question then becomes: how?

It’s easy to get behind a popular framework like Zero Trust, i.e., that no entity should be granted access until its risk level is verified and accepted, but there’s no clear roadmap on how to achieve it.

The National Institute of Standards and Technology (NIST) defines Zero Trust as the evolving set of paradigms that move cybersecurity from static, network-based parameters to focus on users, assets and resources. This means, to properly assess risk, you need to keep track of not just the user and their endpoints, but also the location and networks used as well as the data and apps they seek to access.

Security needs to be a team effort: the shared responsibility model

In a remote or hybrid environment, it's almost impossible to anticipate what security incident is around the corner. Zero Trust offers an elegant solution to solving this dilemma by assuming that no entity is trustworthy in the first place.

To fully implement this framework, you need to look beyond a user’s ID and credentials to analyze a wide array of contextual data. To gather the large amount of telemetry data needed for conducting this deep analysis, organizations cannot rely on data from just the cloud provider alone.

This creates a “shared responsibility” model, where, for example, your mobile security solution provides context into whether the mobile endpoint is compromised or connected to a risky network. You could also have a Cloud Access Security Broker (CASB) that looks into the end user’s behavior or what types of data is being handled.

Taking a more holistic security approach

With your employees accessing cloud apps from just about any device to stay productive, your network-based legacy tools cannot provide the visibility and control you need to protect corporate data.

Whether you’re building your footprint on-premises, on the cloud or on a hybrid architecture, security needs to be a converged effort, where the cloud app works in lockstep with other solutions. To achieve Zero Trust, you need telemetry from all your apps, users and endpoints, ensuring access decisions protect your data while at the same time enabling productivity.