A Zero Trust Approach to Modernize the Common Office Environment (COE)

August 4, 2022


What is a Zero Trust COE?

A Common Office Environment (COE) is a term used by information technology (IT) pros and facility administrators to encompass the common features, technology, consumables, and security present in an office environment. A COE can include desks, staplers, printers, cameras, paper, pens, computers, software, and more. The COE asset inventory varies across verticals and from company to company to achieve a desired mission for the business and ensure success for employees and their roles. This is all based on standardized and consistent tooling for purchasing, finance, security, maintenance, and auditing.

In recent years, work-from-home (WFH) and work-from-anywhere (WFA) initiatives, together with accelerated digital transformation journeys, have radically impacted traditional COEs. Organizations must adapt their COE security controls to home networks, and even to public WiFi in a retail establishment, a public location, or an apartment building's shared network. Moreover, security for a modern COE should adhere to the foundational principles of zero trust, shifting away from perimeter and network security controls as the primary method used to secure resources.

Read on to explore how the modern COE should evolve to reflect a zero trust and identity-centric posture.

The Modern Common Office Environment Embraces the Cloud

Today, the office is often not the sole, or even the primary, place where work is conducted. The era of work-from-anywhere and hybrid work changes the traditional COE of desktops, laptops, tablets, printers, and external monitors; the monitor itself may now be a tablet with screen-sharing functionality.

Public, private, and governmental organizations alike have embraced mobile devices as the computing technology of choice to support this next generation of COE. The security and operational software has changed even more markedly, driven by the ability to stay "nearly" always connected and the reality that trusted work and workloads now operate outside the traditional office perimeter. Thus, the traditional first lines of defense, such as firewalls, intrusion prevention, network segmentation, and wired network security, no longer represent the primary methods of safeguarding technology in a COE.

Organizations must clearly adapt their security controls to home networks and even public WiFi. So, how does this affect the COE?

First, consider the best way to provide technology management for users in the new COE. The pandemic compelled organizations to shift management technologies to the cloud to facilitate always-on management of devices. This eliminates the need to route every remote employee through a VPN (virtual private network), and with it the need to redesign security management solutions so they can be exposed in a DMZ, or to rely on high-risk, Internet-exposed services such as remote access.

How Do You Make a Modern COE Work? – Zero Trust

A modern COE should embrace the cloud for device and identity management—regardless of location. But how do we make it actually work?

For starters, consider the seven primary tenets of zero trust (according to NIST SP 800-207):

  1. All data sources and computing services are considered 'resources' (assets), regardless of location.
  2. All communication is secured, whether internal or external.
  3. Access to individual resources is granted per session and is ephemeral in nature.
  4. Access is determined by a dynamic, risk-based policy.
  5. All devices should be kept in the most secure state possible and continuously monitored for inappropriate behavior and actions.
  6. Dynamic authentication and authorization are strictly enforced before access to any resource is granted.
  7. As much information as possible about assets, infrastructure, and activity, including logs, is collected and used to drive dynamic policy and behavioral monitoring decisions.

In our new COE, this translates into a few characteristics our new endpoint technology management model should facilitate:

  • We have a broad new category called ‘resources.’ All technology is logically grouped underneath. This follows an ITIL and Asset Management approach by classifying hardware, software, applications, and other technology into appropriate logical groups that can be managed and measured for risk. This hierarchy is important since the risk to software impacts the device and, therefore, impacts any user operating the device. Risk calculations needed for other portions of zero trust honor this inheritance model.
  • Regardless of their location, all communication is always secured and encrypted. The model for communications and appropriate network security should always exist in a high security state and not change based on location or network.
  • Access to any other resource is granted per session. There is no persistent access—even if previous connections had been made by the requestor to the asset. Session access is continuously evaluated to ensure appropriate intent and context.
  • Devices are hardened, patched, and verified to be in a constant secure state to resist attacks. Changes in security posture or missing security patches should influence the risk model used for authentication.
  • Authentication and authorization are continuously assessed. Changes in characteristics should dynamically alter policy, and even session activity, if the results are considered undesirable.
  • To make appropriate decisions for each of the cases above, data from accounts, applications, the environment, device, etc. all should be collected and analyzed to help calculate a risk score used for authentication and appropriate behavior. This collection and modeling should be done as instantaneously as possible to minimize a threat.

Zero trust is the natural model for a next-generation COE whose technology and security management lives in the cloud. Because resources are managed from the cloud, some solutions, products, and even tools will fit this model better than others. For example, a cloud-based solution that does not use local agents on the endpoints will be harder to monitor for appropriate behavior and to hold to secure communications. Moreover, the ability of such an agentless solution to provide authorization at a granular level will fall short of an agent-based implementation that can extend functionality to meet the core zero trust principles. Agents can inherently go deeper into a resource than external APIs, but they require more maintenance and overhead to deploy. This is a tradeoff to weigh in your zero trust design and implementation, against the granularity you need to manage your assets successfully.

Finally, not all cloud solutions are built with security in mind. Weak communications security, log storage, or log forwarding can prevent them from meeting all the tenets. Therefore, measure every component against all the tenets of zero trust and ensure your environment has as much coverage as possible.

Key Benefits of Zero Trust Security for your COE

Zero trust environments deny access by default; this type of locked-down access is also known as a closed security model. Most end-user OSs today operate on an open security model. In a zero trust COE, authentication and authorization are dynamically provisioned based on many contextual triggers and data sources. Moreover, user access is granted only on a per-session basis, and any access granted is finite, not open-ended. Session activity is continuously monitored and analyzed, allowing suspicious behavior to be suspended or terminated abruptly.

Within a zero trust environment, trust is no longer binary; it requires input from multiple trust sources to make a grant or deny decision. Segmentation and microsegmentation are also applied to further restrict lateral movement and prevent data bleed from one resource into another.
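As an added illustration of the characteristics listed in the previous section and of the closed, per-session model described just above, here is a small policy decision point in Python. It is example code written for this page, not BeyondTrust product code and not text from NIST SP 800-207. The resource ACL, the risk weights, the 15-minute session TTL and the risk threshold of 50 are constructed assumptions chosen to make the decisions visible. The scenarios show default deny for an unknown resource, an entitlement check that runs before risk scoring, a grant that is revoked when the device's posture drifts mid-session, and expiry of a finite session.

```python
"""Added example: a minimal zero-trust policy decision point for a COE endpoint.
Not BeyondTrust code; ACL, weights, TTL and threshold are constructed assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Identity:
    user: str
    mfa: bool              # strong authentication completed for this request
    groups: frozenset[str]


@dataclass(frozen=True)
class Posture:
    patched: bool          # all required security patches installed
    disk_encrypted: bool
    edr_healthy: bool      # endpoint agent present, reporting and up to date
    network: str           # "corp", "home" or "public"


@dataclass
class Session:
    user: str
    resource: str
    expires_at: datetime
    risk: int
    revoked: bool = False
    reason: Optional[str] = None


# Closed model: a resource absent from this (assumed) ACL can never be granted.
RESOURCE_ACL = {"payroll-db": {"finance-admins"}, "git-server": {"engineering", "finance-admins"}}
SESSION_TTL = timedelta(minutes=15)   # every grant is finite (tenet 3)
MAX_RISK = 50                         # deny above this score (tenet 4)
NETWORK_RISK = {"corp": 0, "home": 10, "public": 25}


def risk_score(identity: Identity, posture: Posture) -> int:
    """Weighted sum of identity and device-posture signals (illustrative weights)."""
    signals = [(not identity.mfa, 40), (not posture.patched, 25),
               (not posture.disk_encrypted, 20), (not posture.edr_healthy, 30)]
    score = sum(weight for present, weight in signals if present)
    # An unrecognised network is scored as the riskiest case, not as "corp".
    return score + NETWORK_RISK.get(posture.network, 40)


def request_access(identity: Identity, posture: Posture, resource: str,
                   now: datetime) -> tuple[Optional[Session], str]:
    """Default deny: entitlement and risk are both checked on every request (tenet 6)."""
    allowed = RESOURCE_ACL.get(resource)
    if allowed is None:
        return None, "unknown resource"
    if not identity.groups & allowed:
        return None, "not entitled"
    score = risk_score(identity, posture)
    if score > MAX_RISK:
        return None, f"risk {score} exceeds {MAX_RISK}"
    return Session(identity.user, resource, now + SESSION_TTL, score), "granted"


def reevaluate(session: Session, identity: Identity, posture: Posture, now: datetime) -> Session:
    """Continuous evaluation: posture drift or expiry ends the session (tenets 5, 7)."""
    if session.revoked:
        return session
    if now >= session.expires_at:
        session.revoked, session.reason = True, "session expired"
    elif (score := risk_score(identity, posture)) > MAX_RISK:
        session.revoked, session.reason = True, f"risk rose to {score}"
    else:
        session.risk = score
    return session


def demo() -> dict[str, object]:
    """Run constructed scenarios and return each decision keyed by name."""
    now = datetime(2022, 8, 4, 9, 0, tzinfo=timezone.utc)
    alice = Identity("alice", mfa=True, groups=frozenset({"finance-admins"}))
    bob = Identity("bob", mfa=False, groups=frozenset({"engineering"}))
    home = Posture(patched=True, disk_encrypted=True, edr_healthy=True, network="home")
    office = Posture(patched=True, disk_encrypted=True, edr_healthy=True, network="corp")
    cafe = Posture(patched=True, disk_encrypted=True, edr_healthy=True, network="public")
    drifted = Posture(patched=False, disk_encrypted=True, edr_healthy=False, network="public")
    out: dict[str, object] = {}
    session, out["alice_payroll"] = request_access(alice, home, "payroll-db", now)
    out["alice_risk"] = session.risk
    _, out["alice_unknown"] = request_access(alice, home, "unknown-share", now)
    _, out["bob_payroll"] = request_access(bob, office, "payroll-db", now)      # not in ACL group
    _, out["bob_git_office"] = request_access(bob, office, "git-server", now)   # no MFA, risk 40
    _, out["bob_git_cafe"] = request_access(bob, cafe, "git-server", now)       # no MFA + public
    # Alice's laptop drifts mid-session: patch missing, EDR down, now on public WiFi.
    out["alice_after_drift"] = reevaluate(session, alice, drifted, now + timedelta(minutes=5)).reason
    fresh, _ = request_access(alice, home, "payroll-db", now)
    out["alice_expired"] = reevaluate(fresh, alice, home, now + timedelta(minutes=16)).reason
    return out
```

Calling demo() returns the decision for each scenario. The design point to notice is that request_access and reevaluate share one risk function fed by device posture, so a grant is never stronger than the posture data the endpoint can report; that is the agent-versus-agentless tradeoff the previous section raises, expressed as code.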

Thus, some important benefits conferred by a zero trust COE will include:

  • Enhanced remote access security to securely enable work-from-anywhere and BYOD-heavy environments.
  • Minimized attack surfaces and threat windows due to broad and granular enforcement of least privilege—restricting access by both amount and duration.
  • Reduced risk from ransomware, malware, insider threats, and other attack vectors by limiting privileges and access.
  • Attempted access into unknown resources is easier to identify and block since the behavior is new and the security model is fully closed by default.
  • Cleaner audit trails and an easier path to satisfying compliance and forensic requirements.

How BeyondTrust Meets Zero Trust Security Principles & Supports a Modern COE

BeyondTrust Privileged Access Management (PAM) and Cloud Security Management solutions can be deployed using a Zero Trust Architecture (ZTA) in the cloud or on-premises, and meet or exceed the seven core tenets of zero trust as summarized below.

  • (PPM) Privileged Password Management - Enables automated discovery and onboarding of all privileged accounts, secure access to privileged credentials and secrets, and auditing of all privileged activities.
  • (SRA) Secure Remote Access - Applies least privilege and robust audit controls to all remote access required by employees, vendors, and service desks.
  • (EPM) Endpoint Privilege Management - Combines privilege management and application control to efficiently manage admin rights on Windows, Mac, Unix, Linux, and network devices, without hindering productivity.
  • (CSM) Cloud Security Management – Pinpoints and mitigates risks associated with cloud access permissions and entitlements across cloud / multi-cloud environments.


Modernizing your COE with Zero Trust – Next Steps

A COE is a valuable model for establishing an operations baseline for an office environment and for employees working remotely. Over the past couple of years, the COE has changed significantly due to COVID, the increased proportion of remote workers, initiatives like digital transformation, and the need to qualify for cyber insurance and reduce premiums.

By establishing the cloud as the baseline for any new technology to be deployed, and adhering to zero trust principles, you are better able to securely accommodate remote and hybrid work across your enterprise. Privileged Access Management (PAM) is one of the most powerful and foundational technologies to lean into during this journey. PAM inherently supports zero trust and enables digital transformation across many use cases. BeyondTrust solutions can support users and workloads wherever they reside and help secure a modern COE according to zero trust principles.

Contact BeyondTrust today, to learn more about how we can support your zero trust journey and the modernization of your COE.



Morey J. Haber, Chief Security Officer, BeyondTrust

Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.
