Zero Trust as a security strategy
Beyond the Patch
Even if you don't want to hear it, European IT is not necessarily known for being hyper-innovative – for a variety of reasons. Successful startups, for example, are far less likely to be launched in Europe than in the US, not because the east side of the Atlantic lacks bright minds with smart ideas, but because of the structures of the industry itself. The much-quoted bon mot "we've always done things this way" contains more than a shred of truth. Anyone who has ever experienced a European IT company from the inside will know what I mean when I say that the impression is more of an archeological excavation site than a technology company.
Wrapped up in this dilemma is the enterprise devotion to endpoint security in a local network, which runs into problems when administering clients outside that network and necessarily feeds the VPN revenue stream. However, rebuilding your infrastructure to implement a zero trust concept will pay off in the long run with less complexity and higher effectiveness, especially for employees outside the local network, who, in today's environment, can easily be the majority of a workforce.
Standards from the Last Century
One area in which this can be seen more clearly than in almost any other is security. Partners from the US or Israel who regularly work with large German corporations (my milieu) are amazed at the standards of security and compliance that are still commonplace in this country.
Stating that access to your own email on a smartphone is supposed to be linked to a mobile VPN "because of security" often leads to bewilderment among observers. Likewise, the fact that many large European corporations still force employees to change their passwords on a regular basis raises eyebrows. This confusion is understandable, because it has long been shown that users simply change their existing password by just one character if worst comes to worst.
Supposedly progressive companies have started the next round in the fight against such passwords and check the password against a dictionary or for certain character strings. For example, although "2021" is not allowed in a password and the password manager will protest, it will still accept "2o21" as an entry without any complaints. External observers will start looking for the candid camera when they see all these security measures from the last millennium and realize that two-factor authentication is not mandatory.
We Have Always Done It This Way
Many security and compliance measures in today's companies are more apparent than real. This phenomenon can be seen, for example, in the idea of the "secure local network," which continues to be used unwaveringly by many corporations up and down the continent – even if the representative of an insurance company at the customer's location cannot issue a contract because the software that communicates with the central systems in the enterprise cannot establish a VPN connection. VPN connections don't need thick wires, but they do need reliable ones. You can't win a pot of gold with a connection hampered by poor Enhanced Data rates for GSM Evolution (EDGE) coverage or by a completely overloaded 4G network.
Nevertheless, many companies are forcing their employees to use these and other technical measures of dubious benefit. As if things weren't bad enough, some managers are not afraid to cite data protection blatantly as the cause of the malaise. In the given context, it is not uncommon to hear that the European Union General Data Protection Regulation (GDPR) is to blame because it mandates secure communication in line with "state-of-the-art principles" and "especially because of COVID." Even before COVID and long before the GDPR, it was simply ignored if 2,500 colleagues had to make their way through the same, way too narrow VPN gateway. The nonsense that is sometimes heard in the corporate security context would often be euphemistically described as "discouraging."
Endpoint as the Central Building Block
While reading this article, you might be wondering what the rant about large corporations and their sometimes absurd security theater has to do with endpoint security. The answer to this question may be somewhat surprising to some, because it is very relevant. Consistently and correctly implemented security on end devices is a huge building block on the way to a modern security architecture in your company.
However, for endpoint security to work effectively, it needs various other factors. Anyone who considers endpoint security to be the only factor in the fight against attackers, and follows the maxim that the most secure client possible is the last word in wisdom, is fatally mistaken. To explain this in more detail, however, I need to briefly digress into the subject of secure networks and explain why this concept has long since become obsolete.