COE stands for Common Office Environment. For IT professionals and facility administrators, it is a term that governs the common features, technology, consumables, and security present in an office environment. This can include everything from desks, staplers, printers, cameras, paper, and pens to computers and software. The range of items will vary per company and vertical, but the term is very important as we continue to embark on digital transformations and work-from-home and work-from-anywhere initiatives.
When we consider that an office is not the only location to conduct work, we realize very quickly that our COE for desktops and monitors has changed. Many organizations have embraced laptops, notebooks, and tablets as the computing technology of choice to support a COE, but the security and operational software has seen a much more pronounced change. This is simply due to the ability to stay "nearly" always connected and the need for trusted work and workloads to operate outside of the traditional office perimeter. That is, our primary security controls of firewalls, intrusion prevention, network segmentation, and wired network security are no longer the primary method to manage technology in a COE. Organizations must adapt their security controls to home networks and even public WiFi. So how does this affect the COE? Probably in ways that you are only now considering as permanent changes.
First, what is the best way to provide technology management for users in our new COE? As COVID-19 continues to impact organizations, many have shifted management technologies to the cloud to facilitate the always-on management of devices. This eliminates the need for a VPN for every remote employee, for redesigning security management solutions to make them available via a DMZ, or for high-risk internet-exposed services like remote access. The simple fact is that our new COE has embraced the cloud for device and identity management, and that gives us our first step: management of any resource regardless of its location. A modern COE embraces the cloud and now leaves us with a second consideration: how do we make it actually work?
For starters, consider the seven primary tenets of Zero Trust:
- All data sources and computing services are considered as "resources" regardless of location
- All communication is secured (internal or external)
- All access is provided "per-session" and is ephemeral in nature
- Access is provided based on a dynamic risk-based policy
- All devices should be in the most secure state possible. They should be continuously monitored for inappropriate behavior and actions
- Dynamic authentication and authorization are strictly enforced before granting access to any resource
- All activity and environment data, including logs, is collected as often as possible and used for dynamic policy and behavioral monitoring decisions
In our new COE, this translates into a few characteristics our new technology management model should facilitate:
- We have a broad new category called resources; all technology is logically grouped underneath. This follows an ITIL and Asset Management approach by classifying hardware, software, applications, and other technology into appropriate logical groups that can be managed and measured for risk. This hierarchy is important since the risk to software impacts the device and therefore impacts any user operating the device. Risk calculations needed for other portions of Zero Trust honor this inheritance model.
- Regardless of their location, all communications are always secured and encrypted. The model for communications and appropriate networks should always be in a high-security state and not change based on location or network.
- Access to any other resource is granted per session and is not persistent just because it had connected previously. Session access is always continuously evaluated to ensure appropriate intent.
- Devices are hardened, patched, and verified to be in a persistent secure state to resist attacks. Changes in security posture or missing security patches should influence the risk model used for authentication.
- Authentication and authorization are continuously assessed and changes in characteristics should dynamically alter policy, and even session activity, if the results are considered undesirable.
- In order to make all the appropriate decisions above, data from accounts, applications, the environment, devices, etc. should all be collected and analyzed to help calculate a risk score used for authentication and appropriate behavior. This collection and modeling should be done as close to real time as possible to minimize a threat.
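The characteristics above can be combined into a single per-session decision loop. The following is an added sketch, not code from the article or from any product: the class names, the 0 to 100 risk scale, the thresholds, and the ten-points-per-missing-patch weighting are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed scale and thresholds; the article defines no numeric values.
ALLOW_BELOW, STEP_UP_BELOW = 40, 70

@dataclass
class Resource:
    """Any managed item: software, device, or user account."""
    name: str
    own_risk: int = 0                       # 0..100
    children: list = field(default_factory=list)

    def effective_risk(self) -> int:
        # Inheritance: a resource is at least as risky as anything beneath it,
        # so risky software raises the device, which raises the user.
        return max([self.own_risk] + [c.effective_risk() for c in self.children])

@dataclass
class Signals:
    """Telemetry snapshot collected for one evaluation of a session."""
    encrypted: bool
    missing_patches: int
    network: str                            # logged only; never relaxes policy

def decide(user: Resource, sig: Signals) -> str:
    if not sig.encrypted:                   # all communication must be secured
        return "deny"
    risk = min(100, user.effective_risk() + 10 * sig.missing_patches)
    if risk < ALLOW_BELOW:
        return "allow"
    return "step-up" if risk < STEP_UP_BELOW else "deny"

def run_session(user: Resource, snapshots) -> list:
    """Re-evaluate on every snapshot; stop at the first deny (access is not persistent)."""
    decisions = []
    for sig in snapshots:
        decisions.append(decide(user, sig))
        if decisions[-1] == "deny":
            break
    return decisions

def demo() -> list:
    browser = Resource("browser", own_risk=10)
    laptop = Resource("laptop", own_risk=5, children=[browser])
    user = Resource("alice", children=[laptop])
    return run_session(user, [
        Signals(True, 0, "office"),         # risk 10 -> allow
        Signals(True, 3, "home"),           # risk 40 -> step-up
        Signals(False, 0, "public-wifi"),   # unencrypted -> deny, session ends
        Signals(True, 0, "office"),         # never reached
    ])
```

The `network` field is deliberately ignored by `decide`, so the same posture yields the same outcome in the office, at home, or on public WiFi.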
Our new COE for technology (and security) management in the cloud is ideal to model after Zero Trust. And, based on the cloud technology and management of resources, some solutions, products, and even tools will adapt more easily than others to this model. For example, a cloud-based solution that does not use local agents on the endpoints will be more difficult to monitor for appropriate behavior, ensure secure communications, and provide authorization at a granular level, and will fall short compared to something implemented with agents that can extend functionality to cover the tenets of Zero Trust. In addition, not all cloud solutions are built with security in mind. Communications, log storage and forwarding, and even honoring least privilege can hinder their ability to meet all of the tenets, as well.
This includes the complete capability to operate on-premises, from the cloud, and support users and workloads wherever they may reside. This adheres to the foundational definition of Zero Trust to remove the perimeter and network security controls from being the primary method used to secure resources.
A COE is a valuable model to establish a baseline for the operations in an office environment and employees working remotely. In the last two years, the COE has changed significantly due to COVID-19 and initiatives like digital transformation. Establishing the cloud as a baseline for any new technology to be deployed is a sound decision that can accommodate workers operating anywhere. When coupled with Zero Trust, individual use cases and solutions can excel in security and the management paradigms they provide.