What is a Zero Trust COE?
A Common Office Environment (COE) is a term used by information technology (IT) pros and facility administrators to encompass the common features, technology, consumables, and security present in an office environment. A COE can include desks, staplers, printers, cameras, paper, pens, computers, software, and more. The COE asset inventory varies across verticals and from company to company to achieve a desired mission for the business and ensure success for employees and their roles. This is all based on standardized and consistent tooling for purchasing, finance, security, maintenance, and auditing.
In recent years, work-from-home (WFH) and work-from-anywhere (WFA) initiatives, and accelerated digital transformation journeys, have radically impacted traditional COEs. Organizations must adapt their COE security controls to home networks, and even public WiFi that could be in a retail establishment, public location, or provided by an apartment building for all residents. Moreover, security for a modern COE should adhere to the foundational principles of zero trust to affect a shift away from the perimeter and network security controls as being the primary method used to secure resources.
Read on to explore how the modern COE should evolve to reflect a zero trust and identity-centric posture.
The Modern Common Office Environment Embraces the Cloud
Today, an office is often not the sole – or even primary – place to conduct work for many enterprises. The era of work-from-anywhere and hybrid work environments changes the traditional COE for desktops, laptops, tablets, printers, and external monitors—they could even be tablets with shared screen functionality.
Public, private, and governmental organizations alike have embraced mobile devices as the computing technology of choice to support this next generation of COE. Yet, the security and operational software has experienced a more pronounced change due to the ability to stay “nearly” always connected and the reality that trusted work and workloads need to operate outside of the traditional office perimeter. Thus, the traditional first lines of security defense, such as firewalls, intrusion prevention, network segmentation, and wired network security are no longer represent the primary methods to safeguard technology in a COE.
Organizations must clearly adapt their security controls to home networks and even public WiFi. So, how does this affect the COE?
First, consider what is the best way to provide technology management for users in our new COE. The pandemic’s impact compelled organizations to shift management technologies to the cloud to better facilitate always-on management of devices. This eliminates the need to rely on VPN (virtual private networks) for every remote employee, and the accompanying redesign of security management solutions to make them available in the DMZ, or high-risk, Internet-exposed services like remote access.
How Do You Make a Modern COE Work? – Zero Trust
A modern COE should embrace the cloud for device and identity management—regardless of location. But how do we make it actually work?
For starters, consider the seven primary tenets of zero trust (according to NIST SP 800-207):
- All data sources and computing services are considered as ‘resources’ (assets) regardless of location.
- All communication is secured (internal or external).
- All access is provided ‘per-session’ and is ephemeral in nature.
- Access is provided based on a dynamic risk-based policy.
- All devices should be in the most secure state possible. They should be continuously monitored for inappropriate behavior and actions.
- Dynamic authentication and authorization is strictly enforced before granting access to any resource.
- All activity and environment data, including logs, is collected as often as possible and used for dynamic policy and behavioral monitoring decisions.
In our new COE, this translates into a few characteristics our new endpoint technology management model should facilitate:
- We have a broad new category called ‘resources.’ All technology is logically grouped underneath. This follows an ITIL and Asset Management approach by classifying hardware, software, applications, and other technology into appropriate logical groups that can be managed and measured for risk. This hierarchy is important since the risk to software impacts the device and, therefore, impacts any user operating the device. Risk calculations needed for other portions of zero trust honor this inheritance model.
- Regardless of their location, all communication is always secured and encrypted. The model for communications and appropriate network security should always exist in a high security state and not change based on location or network.
- Access to any other resource is granted per session. There is no persistent access—even if previous connections had been made by the requestor to the asset. Session access is continuously evaluated to ensure appropriate intent and context.
- Devices are hardened, patched, and verified to be in a constant secure state to resist attacks. Changes in security posture or missing security patches should influence the risk model used for authentication.
- Authentication and authorization are continuously assessed. Changes in characteristics should dynamically alter policy, and even session activity, if the results are considered undesirable.
- To make appropriate decisions for each of the cases above, data from accounts, applications, the environment, device, etc. all should be collected and analyzed to help calculate a risk score used for authentication and appropriate behavior. This collection and modeling should be done as instantaneously as possible to minimize a threat.
Our next-generation COE for technology (and security) management in the cloud is ideal to model after zero trust. And, based on the cloud technology and management of resources, some solutions, products, and even tools, will fit better with this model. For example, a cloud-based solution that does not use local agents on the endpoints will prove more challenging to monitor for appropriate behavior and ensure secure communications. Moreover, the ability of such an agentless to provide authorization at a granular level will fall short compared to something implemented with agents that can extend functionality to meet the core zero trust principles. As an example, agents can inherently go deeper into a resource than using external APIs, but agents require more maintenance and overhead to implement. This is a tradeoff when deciding on your zero trust design, implementation, and the granularity you need to successfully manage your assets.
Finally, not all cloud solutions are built with security in mind. Communications, log storage and forwarding, etc. can hinder their ability to meet all the tenets. Therefore, for all your components, measure them against all the tenets of zero trust and ensure your environment has as much coverage as possible.
Key Benefits of Zero Trust Security for your COE
Zero trust environments deny access by default--his type of locked down access is also what is known as a closed security model. Most end-user OS’s today operate on an open security model. In a Zero Trust COE, authentication and authorization are dynamically provisioned based on many contextual triggers and data sources. Moreover, user access is only given on a per session basis. Any access granted is finite--not open-ended. Session activity is continuously monitored and analyzed, allowing the abrupt suspension or termination of suspicious behaviors.
Within a zero trust environment, trust is no longer binary, but requires input from multiple trust sources to make a grant/or deny access determination. Segmentation and microsegmentation are also applied to further restrict lateral movement and prevent data bleed from one resource into another.
Thus, some important benefits conferred by a zero trust COE will include:
- Enhanced remote access security to securely enable work-from-anywhere and BYOD-heavy environments.
- Minimized attack surfaces and threat windows due to broad and granular enforcement of least privilege—restricting access by both amount and duration.
- Reduced risk from ransomware, malware, insider threats, and other attack vectors by limiting privileges and access.
- Attempted access into unknown resources is easier to identify and block since the behavior is new and the security model is fully closed by default.
- Cleaner audit trails and an easier path to satisfying compliance and forensic requirements.
How BeyondTrust Meets Zero Trust Security Principles & Supports a Modern COE
BeyondTrust Privileged Access Management (PAM) and Cloud Security Management solutions can be deployed using a Zero Trust Architecture (ZTA) in the cloud or on-premises and meet or exceed the seven core tenets of zero trust as shown in the table below.
- (PPM) Privileged Password Management - Enables automated discovery and onboarding of all privileged accounts, secure access to privileged credentials and secrets, and auditing of all privileged activities.
- (SRA) Secure Remote Access - Applies least privilege and robust audit controls to all remote access required by employees, vendors, and service desks.
- (EPM) Endpoint Privilege Management - Combines privilege management and application control to efficiently manage admin rights on Windows, Mac, Unix, Linux, and network devices, without hindering productivity.
- (CSM) Cloud Security Management – Pinpoints and mitigates risks associated with cloud access permissions and entitlements across cloud / multi-cloud environments.
| Zero Trust Tenets | Privileged Password Management | Endpoint Privilege Management | Secure Remote Access | Cloud Security Management |
|---|---|---|---|---|
| Resources | All accounts and assets are discovered and managed as resources | Managed devices and accounts are enumerated with inventory information classified as resources | All sessions, assets, and accounts are managed as a collection of resources | All users, entitlements, and roles, across supported cloud platforms are discovered and managed as resources |
| Secure Communications | All communications and sessions are encrypted regardless of location and secured for auditing | All management of policy and events is encrypted regardless of location | All session activity is encrypted, recorded for auditing, and monitored in real-time for appropriate behavior | All communication is secured regardless of source and destination locations |
| Session-based | All sessions are established based on policy | All privileged elevation is based on application sessions | All remote access sessions are established based on policy | All elevated permissions are ephemeral, just in time, and do not have standing privileges |
| Risk-based policy | Policy is dynamically evaluated based on risk for each session | Application elevation is based on dynamic policy and attribute evaluation | Remote access sessions are based on a risk policy model for authentication | Policies are dynamic-based attributes and follow models like zero trust |
| Secure State Devices | The security of the source and target can be used to evaluate session activity | The security posture of the asset can be used as an attribute to determine the health within the policy | The state of a target, in terms of security, is isolated from the source in case security has been compromised | Continuous assessments monitor all assets’ permissions and entitlements |
| Authentication & Authorization | Management credentials can follow the model of least privilege to enforce different roles for authentication and authorization | Authentication follows the model of least privilege and authorization allows the elevation of individual applications, not the user | Authentication and authorization are bound by roles within the configuration and sessions for the solution | Authentication and authorization are based on best practices for identity governance and applicable policies |
| Log & Event Monitoring | Detailed logging is available from the solution and API access allows for feedback into the solutions runtime and policy | All policy, application, and elevation events can be forwarded for complete visibility | All remote access sessions and configuration changes are logged and can be forwarded to a centralized monitoring solution | All privileged activity in the cloud is audited, indexed, and documented for auditors and change control |
Modernizing your COE with Zero Trust – Next Steps
A COE is a valuable model to establish an operations baseline for an office environment and employees working remote. Over the past couple years, the COE has changed significantly due to COVID, the increased proportion of remote workers, initiatives like digital transformation, and the need to qualify for cyber insurance and reduce premiums.
By establishing the cloud as a baseline for any new technology to be deployed, and adhering to zero trust principles, you are better able to securely accommodate remote and hybrid work across your enterprise. Privileged Access Management (PAM) is one of the most powerful and foundational technologies to lean into during this journey. PAM inherently supports zero trust and enables a digital transformation across many use cases. BeyondTrust solutions can support users and workloads wherever they may reside and helps secure a modern COE according to zero trust principles.
Contact BeyondTrust today, to learn more about how we can support your zero trust journey and the modernization of your COE.
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four books: Privileged Attack Vectors, Asset Attack Vectors, Identity Attack Vectors, and Cloud Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.
