The Matthew White column

Why your computers should not trust anything connecting to them

If you have a secure office or school network where you trust machines plugged into it, you need to change that now.

Just to be clear, the 1980s and 1990s way of securing a company or school’s computer systems was to have a network, put a firewall in front of it between the users and the internet, then scan anything going in or out of the firewall. That’s been described as the castle and moat strategy.

The idea with the moat is that anything outside is bad, and anything inside is good.

Then people started putting good files onto outside (bad) services like Dropbox, or reading outside emails from Hotmail/Yahoo/etc. (remember them?) from inside machines. The answer was simple and draconian – block everything outside, deny anything outside, keep outside and inside separate.

Then people started having things like iPhones that could access email from outside, while they sat inside. Using Facebook or web browsing on your phone while at work was a nightmare for HR departments, and therefore the IT departments that had to enforce their rules. I was a senior engineer at a bank in the ’90s and it was my job to enforce these policies… like approving or denying emails with baby photos but denying cat photos and jokes. So instead of call centre people wasting work time, the IT department staff were wasting that time instead. (Remember having to ask IT to release an email that was blocked?)

Time and IT kept marching on and people needed to work from home – outside so “bad”, but working on work files (good). Even if it was on a work laptop, it was still difficult as you needed a VPN installed. Forget using a home machine connecting to the work network.

Then you had to have people using a home machine to connect to the work network after all…!

Working remotely became a special, optional extra that cost more. Every time you had a system access the work network, you either had to make the moat bigger to include the remote machine (creating site-to-site VPNs with private networks for work laptops) or you had to punch a hole in the castle walls and put a bridge over the moat.

I remember reading about early security paradigms around 2010-2013 where people didn’t do castle and moat. In 2014 I was working in Sweden for Ericsson, helping them build an internal Amazon EC2 cloud and datacentre for their 60,000 global developers. We were building the next big thing, but still using the 1990s security model of castle and moat.

As a fairly senior enterprise architect on the project, I found the security team in Finland and designed a new security protocol for them. At the time, the description in the research articles was calling it “Security at Source”. The idea was that any machine was considered untrusted and coming from an untrusted network – basically any machine could connect from Starbucks, but the authentication happened at the application layer on the server. There was a combination of trusted machine and trusted user. The global security team liked it and wanted it implemented, but we couldn’t get traction in the division funding it – too many legacy applications to redesign it. This was 2014 and it was still a new idea at the time.
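The difference between the two models, as an added example that is not from the original column: the castle-and-moat check looks only at where a request comes from, while the application-layer check ignores the network and requires both a trusted user and a trusted machine. The network range, key, names and the HMAC "proofs" (standing in for real sign-in tokens and device certificates) are constructed assumptions.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample values (assumptions, not from the column).
OFFICE_NET = ipaddress.ip_network("10.0.0.0/8")
SERVER_KEY = b"constructed-demo-key"
ENROLLED_DEVICES = {"laptop-42"}   # machines registered as trusted
ACTIVE_USERS = {"alice"}           # accounts currently allowed to sign in


def sign(kind: str, name: str) -> str:
    """Server-side issuance of a credential for a user or a device."""
    msg = f"{kind}:{name}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def castle_and_moat(request: dict) -> bool:
    """1990s model: anything arriving from the inside network is trusted."""
    return ipaddress.ip_address(request["source_ip"]) in OFFICE_NET


def _valid(kind: str, name: str, proof, allowed: set) -> bool:
    # Known identity AND a proof that matches, compared in constant time.
    return name in allowed and hmac.compare_digest(sign(kind, name), proof or "")


def security_at_source(request: dict) -> bool:
    """Application-layer check: source_ip is never consulted.

    Access needs BOTH a trusted user and a trusted machine.
    """
    user_ok = _valid("user", request.get("user", ""),
                     request.get("user_proof"), ACTIVE_USERS)
    device_ok = _valid("device", request.get("device", ""),
                       request.get("device_proof"), ENROLLED_DEVICES)
    return user_ok and device_ok


# Constructed requests.
rogue_inside = {"source_ip": "10.1.2.3"}  # unknown box plugged into an office port
cafe_laptop = {
    "source_ip": "203.0.113.7",           # public Wi-Fi (documentation address)
    "user": "alice", "user_proof": sign("user", "alice"),
    "device": "laptop-42", "device_proof": sign("device", "laptop-42"),
}
# Valid user credential presented from a machine that was never enrolled.
stolen_password = dict(cafe_laptop, device="home-pc", device_proof="")
```

The unknown machine on the office network passes the first check and fails the second; the enrolled laptop on public Wi-Fi does the opposite.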

 

Fast forward to 2021 and the computing world is very different.

We now have a term for it – Zero Trust – and there are many, many applications and security solutions that allow you to plug it in and make it work.

But what is Zero Trust and why should you do it?

If you do it right, from the ground up, you can have remote working by default. Your whole school or business can work from anywhere, any time.

You don’t need to give people work or school laptops or phones – they can use any machine… remember that old acronym BYOD (bring your own device)? That comes by default.

If you go a bit further than just Zero Trust, you can have complete protection from ransomware, full backups automatically, virus and malware protection, all without needing a corporate IT department.

Here are two links talking about Zero Trust: the first is from Google, with their version of it called “BeyondCorp”; the second is from a Wired article describing what it is and how it works.

In short, if you still think you have a secure business or school network, you don’t. I’ve done too many security audits where I’ve shown their owners their trusted network is Swiss cheese to trust any. Secondly, if you want to work remotely, or use any cloud services like MS Office 365/Google/Dropbox/etc., then you need to protect your network from the 2020s, not from the 1990s. If all you have is a firewall, that’s not enough any more.

If you are doing either of these, then you need to speak with one of our consultants for a security review now.