The importance of a zero-trust model for hybrid working

A close up of a keyboard with graphics overlaid to represent cyber security and hacking
(Image credit: Getty Images)

Hybrid working is here to stay. The new flexible practices that have been adopted in the wake of the pandemic offer many benefits to workers and employers alike, promising a new work-life balance and a realignment to an outcomes-based model where results are prioritised over where and how the work gets done.

Okta’s The New Workplace Report found that 42% of workers want a mix of home- and office-based working, while 17% want to work from home permanently. 60% of workers also said that they would like to work in an asynchronous environment, where they are able to determine their preferred schedule too. The benefits of flexible working are clear to workers, and employers who want to remain competitive have to take these pressures into account, putting paid to any idea that we might all return to 9-to-5 office work.

But hybrid working brings challenges as well as benefits, and one of the most prominent is the impact that it has on security. Dispersed workforces have put new pressures on IT teams and security professionals, who can no longer exercise the same levels of rigid control and oversight they may have been used to when everyone worked from the office.

Fortunately, new zero-trust principles and identity and access management (IAM) technologies, offered by security specialists like Okta, are powering the shift to a new control plane that can protect your critical systems no matter where or how employees are accessing them.

Beyond the perimeter

Traditional office-based working models favoured a network-centric approach to security. With the majority of employees working on premises, the focus was on protecting the perimeter to prevent access to your network by cyber criminals. On-premises endpoints could conceivably be tracked and monitored, and if there were any issues or configuration problems, IT teams and other workers would likely be based in the same building, enabling easy communication and access to devices.

Hybrid working has changed all that. When the first lockdowns hit, suddenly entire workplaces were emptied, with employees having to access systems remotely through their own personal networks, whose security (or lack thereof) falls outside the control of IT teams. Bring-your-own-device (BYOD) practices, whether official or unsanctioned, meant that some devices were likely to be unsecured, too, and made it much more difficult to keep track of endpoints. With the cementing of hybrid working, these challenges will persist indefinitely.

With the perimeter fraying so drastically, it becomes much easier for cyber criminals to find ways to access business networks. Cyber attacks have boomed since the beginning of the pandemic, and the adage ‘it’s not a matter of if, but when’ applies more firmly than ever. For all these reasons, we are seeing a shift in focus from preventing cyber criminals from accessing networks to limiting what they are able to do once they get inside.

When it comes to accessing mission-critical apps and services, credential theft has become a focus of cyber criminals. The 2021 Verizon Data Breach Investigations Report found that stolen credentials were involved in 61% of breaches, with credentials compromised through various methods including brute force and also phishing attacks, the latter of which have continued to boom in recent years. The report found that 85% of social engineering breaches compromise at least some credentials as part of the attack. In systems with potentially hundreds or thousands of unsecured logins with access to critical data and applications, these are ripe for abuse by cyber criminals.

In this new environment, where endpoints are more difficult to secure, we need to shift away from a network-centric approach to security to a place where identity is the new control plane and criminals are prevented from leveraging credentials and trusted paths within our networks. But how can this be managed?

Identity-based solutions

Zero trust is a framework by which access to systems and resources is carefully monitored and controlled. Gartner defines zero-trust security as “never trust, always verify” – in other words, no one has blanket, permanent access that can be taken advantage of if their login credentials are compromised. Users are given the right access for the right length of time, so that IT teams can identify who is accessing what, and can be sure that bad actors are not able to lurk anonymously and indefinitely in these systems to steal data or in any other way compromise them.

As the importance of identity as a new control plane becomes clearer, solutions are emerging to help organisations enshrine zero trust in their operations. For instance, Okta’s IAM solution offers a centralised control plane where identity is a key component – while also focusing on keeping friction to a minimum. This is key – identity solutions that snarl up your day-to-day processes can end up replacing one issue with another. These will not be welcomed by your workforce, no matter how much they improve overall security, and can lead some workers to adopt counterproductive workarounds.

Okta’s IAM keeps the burden on IT teams to a minimum by centralising operations and oversight, and automating processes. It allows permissions to be granted for a set amount of time, tackling the risk of unsecured logins that could potentially end up granting unfettered access to cyber criminals. For users, it provides single sign-on and adaptive multi-factor authentication that makes the processing of requesting permissions and logging in as simple and secure as possible.

Remote working has put serious pressure on our endpoint security measures. With zero-trust solutions, organisations are able to empower their employees to work anytime, anywhere and from any device while remaining confident that access to critical systems is fully controlled and monitored.

Okta supports thousands of organisations to reduce IT admin, work faster and keep employees secure. Learn how leading companies have transitioned to a new workplace with Okta


ITPro is a global business technology website providing the latest news, analysis, and business insight for IT decision-makers. Whether it's cyber security, cloud computing, IT infrastructure, or business strategy, we aim to equip leaders with the data they need to make informed IT investments.

For regular updates delivered to your inbox and social feeds, be sure to sign up to our daily newsletter and follow on us LinkedIn and Twitter.