Cloud apps and services don't just change the way you work; they also change the way you need to approach data security. In this blog post, we'll discuss "zero-trust" security, how it differs from traditional approaches to workplace data security, and how you can adopt zero-trust security practices without giving yourself a headache.
According to Adam Rosenzweig, program manager for nonprofit success at Okta, traditional IT data security revolved around the notion of network access. That meant that if someone had access to your organization's network, you assumed that this person could be trusted to access your computer systems, your file servers, your printers, and so on. This applied whether the person was in the office or accessed the network via a virtual private network (VPN) connection.
In addition, other security practices, such as firewalls and restrictions on the devices that could connect to a network, could add another layer of data security. You knew, to a reasonable degree, which devices were connecting to your network, who possessed those devices, and where they were. And since everything was within one network, you could keep a little tighter control over things.
Cloud applications and services change things a bit. While cloud apps and services allow for more flexibility and collaboration, they generally don't exist within an internal network that you can tightly control. You can't control which devices can access those apps and services — and the data stored in them — quite as readily. As Rosenzweig puts it, with the cloud, "there is no perimeter."
At its core, according to Rosenzweig, a zero-trust approach to security is exactly what its name implies. "Never trust anything unless you can verify someone is who they say [they are]," Rosenzweig says, regardless of whether someone has access to an app or network.
But there is no one way to do zero-trust. "Zero-trust is just a mindset," Rosenzweig says, and so there are different ways to approach it. But one common example of a zero-trust security practice is two-factor authentication.
With two-factor authentication, you need to provide an additional piece of information alongside your username and password in order to log in. Most often, this is a one-time code, usually six digits, that is either sent to your phone via text message or generated by an authenticator app that you install on your device. A code from an authenticator app (or a hardware security key) is the stronger choice: a code sent by text message can be intercepted or redirected by someone who takes over your phone number, and it is just as easy to type into a fake login page as your password was.
The idea here is that the system doesn't automatically trust you just because you know a username and password. Usernames can be guessed. Passwords can be stolen. And since you can't physically control access to most cloud apps, a password alone isn't enough to ensure that the person who's trying to log in to an app is who they say they are.
In theory, zero-trust is a simple concept. In practice, things can get messy. For example, while two-factor authentication adds an extra level of trust and security, it's yet another step to logging in. This is fine when you have just one login to manage, but it can be a hassle when you have several accounts to sort out.
In addition, not all cloud apps require two-factor authentication. You may even encounter some that don't offer it as an option, which results in inconsistent levels of security from one app to the next.
Multiple user accounts across multiple apps and services present other challenges. For example, when you're working across a variety of cloud apps and services, you may forget to disable some accounts for an employee who is no longer with your organization. This in turn can leave your data more vulnerable to theft. It can also cost you more money if you're paying for a cloud service on a per-user basis.
Fortunately, there is a solution to the madness of multiple accounts across multiple platforms.
With single sign-on, each member of your staff signs in once, with one username and password (plus a second factor) held by a central identity provider, and that single login is accepted by all the apps and services you use, from email to document storage to productivity apps. The apps no longer keep their own passwords for your staff; they trust the identity provider's word that the user has already been verified. Think of it as a modern spin on traditional one-network-to-rule-them-all approaches, except it's built to support multiple cloud apps and solutions.
"So often in the security world, it feels like security makes life harder," Rosenzweig says. But single sign-on is one case where security can actually make life a little easier.
In addition to simplifying things for your staff members, single sign-on can simplify things for your IT department. With Okta's Universal Directory, for example, your IT staff can easily provision and deprovision accounts for staff members and ensure that they can access the apps that they need to access — and nothing else.
If an employee leaves your organization or if an account is compromised, your IT staff can revoke access to your cloud services in one step. There is no need for them to disable accounts across several different cloud providers. And you can set consistent security rules across all accounts. You can set minimum requirements for passwords, for example, or require all your staff to use two-factor authentication.
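The two paragraphs above (one login accepted everywhere, and revoking access in one step) rest on the same mechanism: the identity provider signs a short-lived token saying who the user is, and each app verifies that token instead of holding its own password. The following is an added illustration, not code from the original post or from Okta, of both halves in simplified form. Real products use SAML or OpenID Connect with public-key signatures; this toy uses an HMAC-signed JWT-shaped token, a hypothetical issuer name, a constructed two-user directory and constructed per-app keys so it runs offline.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

IDP_ISSUER = "https://idp.example.org"          # hypothetical identity provider name
TOKEN_TTL = 300                                 # seconds; bounds how long a revoked user keeps access

# Constructed directory: the single place where accounts are provisioned and deprovisioned.
DIRECTORY = {
    "alice@example.org": {"active": True, "apps": {"mail", "docs"}},
    "bob@example.org": {"active": True, "apps": {"mail"}},
}
# Constructed per-app keys, shared only between the IdP and the app that trusts it.
APP_KEYS = {"mail": b"mail-app-shared-key", "docs": b"docs-app-shared-key"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user: str, app: str, now: int) -> Optional[str]:
    """IdP side: issue a token only for an active user who is entitled to this app."""
    entry = DIRECTORY.get(user)
    if entry is None or not entry["active"] or app not in entry["apps"]:
        return None
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = _b64url(json.dumps(
        {"iss": IDP_ISSUER, "sub": user, "aud": app, "iat": now, "exp": now + TOKEN_TTL},
        separators=(",", ":")).encode())
    sig = hmac.new(APP_KEYS[app], f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64url(sig)}"


def accept_token(token: str, app: str, now: int) -> Optional[str]:
    """App side: return the user only if signature, issuer, audience and expiry all hold."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":        # the token must not get to pick "none" or another alg
        return None
    expected = hmac.new(APP_KEYS[app], f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != IDP_ISSUER or claims.get("aud") != app:
        return None                          # issued by someone else, or for a different app
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None                          # expired
    return claims.get("sub")


def deprovision(user: str) -> None:
    """One step in the directory: the IdP stops issuing tokens for every app at once."""
    if user in DIRECTORY:
        DIRECTORY[user]["active"] = False


def tamper_subject(token: str, new_sub: str) -> str:
    """Attacker helper for the demo: rewrite the sub claim without re-signing."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(claims_b64))
    claims["sub"] = new_sub
    return f"{header_b64}.{_b64url(json.dumps(claims, separators=(',', ':')).encode())}.{sig_b64}"
```

The design choice worth noticing is TOKEN_TTL. Deprovisioning stops new tokens immediately, but a token already in a user's browser stays valid until it expires, so the shorter the lifetime (or the more often the app re-checks with the identity provider), the smaller the window after an employee leaves or an account is compromised.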
In other words, single sign-on gives you back a perimeter, but it is drawn around identity rather than around the network: every cloud app you use trusts one login that you control, and that login can be checked, and revoked, in one place.
Not every cloud service supports single sign-on, but many popular ones do. For example, Okta works with popular services like Office 365, Google Workspace, and AWS, to name a few.
Okta is a TechSoup partner, and TechSoup member organizations can get up to 25 free Okta licenses thanks to its Okta for Good program, with special discounts on additional licenses. To learn more about Okta, visit the Okta for Good website.