Original technology cloud report.
Bruce Daisley, author of "The Joy of Work," once said: "Our work is undergoing an unprecedented transformation, and this transformation has just begun."
Under the repeated influence of the epidemic, many companies around the world have begun to actively embrace the "hybrid office" working model.
Twitter announced that employees can work remotely forever; Dropbox announced that centralized working office spaces will slowly "exit"; Microsoft, Apple, and Amazon are normalizing hybrid office. In China, Ctrip was the first to announce the launch of the "3+2" hybrid office model, which allows employees to choose their own office location two days a week. The results show that "working from home" improved employee performance by 13% and the turnover rate dropped by 50%.
For enterprises, the hybrid office model can reduce the operating costs of the enterprise on the one hand, and on the other hand it can also improve the happiness of employees and reduce the company's turnover rate.
As the "2022 Hybrid Office Security White Paper" (hereinafter referred to as the "White Paper") jointly released by Tencent Research Institute and Tencent Security points out, hybrid office is a new work model that has come in the future, and is a new corporate survival strategy and competitive strategy. . All companies committed to future competition will migrate to a hybrid office model, and first movers will enjoy first-mover advantages.
Side B of hybrid office: security is the core issue
Although hybrid office has become an unstoppable trend, hidden worries behind it have also surfaced.
The white paper survey data shows that under the hybrid office model, safety and efficiency have become the core issues of most concern. Respondents ranked security (68.3%) as the second most important element of hybrid working, behind efficiency (82.6%).
Image source: Tencent Research Institute, Tencent Security "2022 Hybrid Office Security White Paper"
Under the hybrid office model, remote access has become a must for corporate employees. Compared with the previous corporate intranets protected by various firewalls, remote access is equivalent to opening many doors in a solid castle for remote workers to enter and exit, and to retrieve various files, information, and data to meet work needs, which exposes them to risks. The mouth suddenly enlarged.
From a macro level, the scale of cyber attacks and the lowering of attack thresholds have made hybrid offices a new springboard for threats. In recent years, there have been numerous cases of external security attacks that threaten corporate security.
From a micro level, corporate employees have various security risk behaviors when working in mixed offices, such as: accessing WiFi in public places to work; failing to separate personal files from office files and encrypting important files; using the company for personal reasons equipment; failure to log out of the company system in time when ending hybrid office, etc., all bring new challenges to enterprises in facing security threats and security management.
But what is even more serious is that in the hybrid office model, corporate security awareness and protection are seriously insufficient.
The white paper survey data shows that 64.5% of the respondents’ companies have poor security in hybrid offices. 37.3% of the respondents said that their companies did not provide technical support and security for hybrid offices, and another 27.2% said that their companies did not provide technical support and security for hybrid offices. The interviewees expressed no understanding. This shows that most companies have not yet begun to promote or may not have any security measures in place.
Fortunately, the continuous evolution of security technology provides a feasible path for enterprises to better embrace hybrid office.
The white paper points out that for the hybrid office model to truly achieve long-term sustainable development, it is essential to achieve the five elements of hybrid office security "i-DEAN", including: identity security, data security, device security, application security and network security.
Among them, identity security is the core of hybrid office security. All hybrid office security needs to ensure that the user's identity is safe and reliable. Data is an asset, applications are a key carrier, equipment is an important entrance, and the network is a basic link. The same is true for hybrid office. Safety needs to be protected. It can be said that data security, device security, application security, and network security are different aspects and dimensions surrounding the core of identity security.
Image source: Tencent Research Institute, Tencent Security "2022 Hybrid Office Security White Paper"
Security Maturity for Hybrid Offices
In fact, the hybrid office model is still evolving, and many companies are not sure whether the hybrid office model they are implementing is efficient and safe. They are eager to use a more scientific method to evaluate the security maturity of their hybrid office model.
In response to this problem, Tencent Security took the lead in launching research on the security maturity of hybrid offices. In the white paper, a set of models for assessing the security maturity of hybrid offices is proposed. The model is divided into six areas: architecture design, business fit, rules and regulations, team configuration, technical tools, and operational iteration. Each field is divided into five levels from low to high, namely: original, starting, preliminary forming, post-forming development, and mature optimization.
Image source: Tencent Research Institute, Tencent Security "2022 Hybrid Office Security White Paper"
For example, a private enterprise with 30,000 employees has clarified the basic principles for starting a hybrid office model, and formulated detailed relevant rules and regulations, as well as a specific phased implementation plan. The company has transformed and implemented identity security and data security protection under hybrid office, connected the entire business process under hybrid office mode with the corresponding enterprise security system, and equipped with corresponding operation and maintenance personnel. At the same time, other departments have already followed the security Group docking plan.
Based on the evaluation score of the hybrid office security maturity model, the company's overall hybrid office security maturity is in the preliminary stage, that is, an effective hybrid office security system has been initially formed, and implementation details are available in most areas, but in the overall hybrid office There are still many immature details in the office security system.
For example: Enterprises are still weak in technical tools and operation and maintenance guarantees, and need to continue to focus on improving application security, equipment security, network security and other capabilities. In addition, the company is still in the preliminary stages of business fit and team configuration. In particular, business fit is the backbone of hybrid office security maturity. It also requires the company to further integrate all businesses with its hybrid office security system. .
When an enterprise organically combines its own hybrid office security maturity with the five elements of hybrid office security "i-DEAN", it can more clearly position its development level in the field of hybrid office security, as well as the direction of continued development and optimization.
Zero Trust: The “antidote” for hybrid office security
Hybrid office, which allows you to work anywhere, is precisely a model that places the highest demands on work scenarios. Behind it is the dual guarantee of safety and efficiency. So how should enterprises start the hybrid office security journey?
At present, the security concept represented by "zero trust" is becoming a master, integrating the five elements of "i-DEAN". As a comprehensive security model, zero trust covers all aspects of identity security, data security, application security, network security, device security, etc., and is committed to building an identity-centric policy model to achieve dynamic access control to protect key data or business processes.
With the rise of the hybrid office model, enterprise network boundaries have disappeared, and the security risks faced by people, devices, applications, and data in the enterprise have greatly increased. Zero trust is no longer based on the enterprise network boundary as the demarcation line of trust, and the default enterprise intranet access is trusted. Instead, any person, device, and application inside and outside the enterprise network need to be "continuously verified and never trusted" to ensure the security of enterprise office terminals. , link security and access control security. Because of this, zero trust has become an important technical means to solve hybrid office security issues.
Not only that, for enterprises and employees, the greatest value of zero trust is that it can achieve security and efficiency at the same time, which are also the two wheels that enterprises dream of driving company operations.
As an efficient tool, zero trust allows enterprises to quickly access identity account data, conduct unified and efficient security management of various terminal devices and identity information from an enterprise perspective, and help enterprises improve the efficiency of security management and operation and maintenance; at the same time, End users can also directly connect to networks and applications through a zero-trust client, which is easy and hassle-free to operate and quickly access the company's internal services.
In fact, it has been 12 years since Zero Trust was proposed by the research organization Forrester in 2010. It has gradually matured under the alternate verification of technology and market, and is actively embraced by more and more enterprises.
The white paper survey data shows that among the respondents who understand the concept of zero trust, 22.7% of the respondents’ enterprises have zero trust products in place, 40.2% of the respondents’ enterprises have zero trust projects in progress, and 22.3% of the respondents’ enterprises have zero trust products in place. The zero trust project of the enterprise where the reporter works has been planned.
Image source: Tencent Research Institute, Tencent Security "2022 Hybrid Office Security White Paper"
Zero trust, which has been gaining momentum for a long time, is becoming an antidote to the security and efficiency problems of hybrid offices.
Zero trust implementation presses the accelerator button
Although the concept of zero trust has been very popular in the technology circle in recent years, due to different market environments at home and abroad, zero trust has entered the stage of large-scale development in the United States, but its implementation in China is still not optimistic.
Yang Yubin, General Manager of Tencent Security Zero Trust Products, said in an interview that zero trust currently faces various difficulties in the implementation process: first, how to adapt to diverse terminals; second, how to ensure service stability and security in heterogeneous network environments. ; The third is how to collaborate and authenticate distributed identity accounts; the fourth is how to authorize and manage minimum permissions; and the fifth is how to achieve continuous threat protection. In addition, whether zero trust can form a linkage system with the existing security construction of enterprises to avoid information security islands is also a practical issue.
It is worth noting that the implementation of zero trust has never been achieved overnight. In 2011, Google began to implement zero trust internally, and it took six years to implement zero trust on the corporate network. In China, Tencent is one of the first large manufacturers to implement zero trust. In 2016, Tencent began to implement the overall zero trust system construction within the company. By 2019, Tencent exported its internal practices to the outside world to form a commercial version of iOA zero trust security management system. It also took 4 years.
But it can be seen with the naked eye that the pace of zero trust implementation is accelerating. Take Tencent's zero-trust iOA as an example. Within a few years of its launch, it has been widely used in hundreds of companies in ten major industries including finance, real estate, logistics, education, and industry. Just earlier this year, the number of deployed terminals of Tencent iOA exceeded 1 million, becoming the first zero-trust product in China to reach one million, proving the maturity and large-scale implementation of zero-trust in China from the market demand side.
The remote access scenario represented by hybrid office is the best entry point for the implementation of zero trust in China.
As the millionth customer of Tencent iOA, Gaodeng Technology found that during the 2020 epidemic, the traditional VPN they used could not support the surging demand for remote working, and high-risk vulnerabilities frequently occurred. After deploying Tencent iOA, Gaodeng Technology has integrated terminal security, enhanced compliance baseline detection and data security management and control capabilities, and ensured the stable and efficient conduct of the company's business.
Mo Xiaosheng, vice president and head of security at Gaodeng Technology, said in an interview that if you follow the traditional method, you need to deploy security products from multiple manufacturers, but Tencent iOA, as a comprehensive security platform, brings a complete set of anti-virus and terminal security With functions such as management and control, VPN transfer, and data leakage prevention, "one operation and maintenance personnel can manage multiple platforms and systems, and the protection effect is better than traditional deployment methods."
In fact, there are many government and enterprise institutions facing the same dilemma as Gaodeng Technology. Since the outbreak of the epidemic, hybrid office has become the norm in the business operations of domestic government and enterprise institutions, ushering in a new watershed in the development of zero trust.
In this process, Tencent Security has also been thinking about how to better implement zero trust.
Yang Yubin said that zero trust has entered the 2.0 era. No matter before, during or after the incident, it is necessary to continuously monitor and protect the accessed subjects, objects and the environment, and respond in real time based on risks in various dimensions to achieve continuous automatic control. Adapt to the risk and trust integration mechanism, that is, the "adaptive zero trust stage". Therefore, zero trust solutions need to be integrated at the levels of "access, prevention, management, and control."
In this context, Tencent Security has released a newly upgraded zero-trust security management system - Tencent Zero Trust iOA7. 0 version. It is understood that Tencent Zero Trust iOA7.0 has achieved new upgrades in the dimensions of trusted access, threat protection, security management, risk control and full platform coverage, improved access security and efficiency, and created a three-dimensional defense system , realizing full management and control of multi-platform terminals and full XDR linkage response.
In addition, Tencent Zero Trust iOA7. 0 also improves product adaptability in terms of platform coverage, effectively supporting enterprise equipment and BYOD. This also well solves another key problem in the implementation of zero trust, that is, the heterogeneous products of multiple manufacturers make it difficult for enterprises to link zero trust with existing security equipment and avoid the waste of enterprise IT investment.
To this end, Tencent has taken the lead in joining forces with ecological partners to jointly promote zero trust industry standardization. At present, the interface standards developed by Tencent's Zero Trust Standards Working Group have achieved integration with 18 industry security vendors. Interface standardization promotes the integration of enterprise security office systems, further optimizes the office experience, and makes the implementation of zero trust easier.
Conclusion
In the post-epidemic era, the hybrid office model has become a new source of competitiveness for enterprises. Security and efficiency, as essential capabilities under the hybrid office model, have posed new challenges to corporate IT construction. Zero trust is undoubtedly the solution to hybrid office security and The best antidote to efficiency problems. Today, Zero Trust is crossing the chasm into the mainstream.
[About Technology Cloud Report]
Experts focusing on original enterprise-level content - Technology Cloud Report. Founded in 2015, it is one of the top 10 media in the cutting-edge enterprise IT field. Authoritatively recognized by the Ministry of Industry and Information Technology, it is one of the official communication media for Trusted Cloud and Global Cloud Computing Conference. In-depth original reporting on cloud computing, big data, artificial intelligence, blockchain and other fields.