Tiempo Implements Zero Trust Network and Quickly Migrates All Agile Developers to Home Offices

No Loss in Productivity or Data Security for Leading Nearshore Developer

To deliver outstanding client outcomes, every sprint counts. So, when Covid-19 mandated social distancing, it was no surprise that Tiempo, which is in the business of developing and managing distributed teams, was able to mobilize and meet the challenge. Critically important to Tiempo’s workforce migration was the security of their clients’ data. “Conventional security models operate on the outdated assumption that everything on the inside of an organization’s network can be trusted, but with the increased sophistication of attacks, that simply isn’t true,” stated Carlos Vega, Director of IT at Tiempo.

Traditional security models are designed to protect the perimeter, leaving threats already inside the network invisible, uninspected and free to morph, move and extract valuable business data. Zero Trust, rooted in the principle of “never trust, always verify,” is designed to address lateral threat movement within the network by leveraging micro-segmentation and granular perimeter enforcement based on user, data and location. Lateral movement refers to the various techniques attackers use to move through a network in search of data.

According to Vega, “the main premise is not trusting anything inside or outside a network’s perimeter. It’s important that you verify anything and everything trying to connect, before granting access.”

In this article, we will cover the concepts, prerequisites, risks and controls that drove the successful implementation of a Zero Trust network at Tiempo.

In 2019, Gartner published the Market Guide for Zero Trust Network Access, which stated: “Zero trust network access replaces traditional technologies, which require companies to extend excessive trust to employees and partners to connect and collaborate. Security and risk management leaders should plan pilot ZTNA projects for employee/partner-facing applications.”

Zero Trust Network Relies on Three Critical Concepts

When Tiempo Development moved to Zero Trust, there were three critical concepts for the company to follow.

Concept No. 1: Ensure all resources are accessed securely regardless of location.

Zero Trust assumes that all traffic is a threat until determined otherwise. Traffic must be verified, authorized, inspected, and secured, even when sessions are confined to internal (trusted) networks. Only devices with the right status and settings can access corporate resources.

Concept No. 2: Adopt a least privilege strategy and strictly enforce access control.

When access control is properly implemented and enforced, it removes by default the human temptation to reach for restricted resources. Zero Trust is built on minimal privileges and strict access control. The number of employees with administrative access to sensitive applications and systems must be reduced, and that access monitored and controlled through privileged identity management.

Concept No. 3: Inspect and log all traffic.

Instead of trusting users to do the right thing, we verify that they are doing the right thing. Zero Trust advocates two methods of gaining network traffic visibility: inspection and logging.

Meeting Prerequisites Around Data

Prior to creating the Zero Trust network, Tiempo Development was using a hybrid architecture that interconnected on-premises services, cloud services and SaaS solutions. Moving to a Zero Trust architecture required a set of prerequisites to define the future mode of operation.

  • Identify Critical Data: Tiempo took a comprehensive inventory of data assets, where they reside, who uses them and their level of sensitivity.
  • Identify Movement of Data: Tiempo mapped how sensitive data moves across the network, gaining an understanding of how information flows between users, applications, and resources.
  • Define Governing Access: Tiempo wrote a set of strict rules based on “least privilege” or “need to know”, restricting access based on the job requirements and clearance levels of users.

Understanding how data flows across the network, and how users and applications currently access sensitive information, helped Tiempo determine how the network should be segmented. Protection and access controls were positioned, using virtual mechanisms and/or physical devices, at the borders between network segments.

Risks to Consider and Address

There are a variety of risks that Tiempo considered when architecting its Zero Trust network:

  • Insider Threats: Employees can intentionally or unintentionally harm the organization by stealing intellectual property, causing system outages or deleting/modifying sensitive documents. Losses could be enormous if trade secrets, patents, intellectual capital and other corporate-sensitive data are stolen.
  • Compromised Accounts: Individuals who obtain an employee’s corporate credentials can use them to gain access to the cloud services that the employee is authorized to use. The size of this risk depends on the role and privileges of the stolen credentials.
  • Stolen Device: Because mobile devices are used heavily at Tiempo, a stolen mobile device is a high risk, both for the information stored on it and for the information it can access.
  • Disruption to Business: Any disruption to the cloud environment would have a direct impact on the overall business. Such disruptions can result in significant loss of revenue, customers and partners.
  • Brand Damage: Brand damage occurs when news of a breach or loss of sensitive data is publicized and customers lose trust.

At Tiempo, as in most companies, the highest risk came from users in strategic roles, including executives, sales and strategy teams. Most business data was located in SaaS applications, collaboration tools, email, internal repositories and end-user devices, including mobile devices.

Applying Controls is Essential for a Zero Trust Network

Tiempo applied the following controls to its Zero Trust environment:

Identity and Access Management

User authorization and validation are supported by Active Directory. Verification is enhanced with multi-factor authentication based on hardware or software tokens. Single sign-on was implemented so that users use their Active Directory credentials (username and password) to access corporate resources, such as local machines, Office 365, and SaaS applications for accounting, sales, marketing and HR. Roles and profiles were implemented based on the segregation-of-duties concept, and users were given access to resources based on their role and position.

Conditional Access

Tiempo uses tools to enforce organizational policies: when a user wants to access a resource, the request must satisfy conditions that ensure only authorized devices and users are allowed. For example, if a user connects to one of the SaaS applications from a public computer, they will not be allowed to copy, print or download company files.

Information Protection

A set of policies to classify, label, and protect data based on its sensitivity was written. Which actions can be executed on a piece of data depends on its classification.
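To make the Conditional Access and Information Protection controls above concrete, here is a small policy evaluator written for this article (it is not Tiempo’s code or the product it uses). The labels, roles and the "unmanaged device may view but not export" rule are constructed assumptions; every decision, allowed or denied, is appended to an audit list, matching the "inspect and log all traffic" concept.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone

# Classification labels, least to most sensitive (constructed for this example).
LABELS = ("public", "internal", "confidential", "highly_confidential")
# Actions that move data off the service; blocked on unmanaged (e.g. public) devices.
EXPORT_ACTIONS = frozenset({"copy", "print", "download"})

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    mfa_verified: bool        # second factor presented in this session
    device_managed: bool      # corporate-enrolled, compliant device (False = public PC)
    action: str               # "view", "copy", "print" or "download"
    label: str                # classification label on the resource
    allowed_roles: frozenset  # roles explicitly granted on the resource

def evaluate(req: Request) -> tuple[bool, str]:
    """Apply every check; the first failure denies. Returns (allowed, reason)."""
    if req.label not in LABELS:
        return False, "unknown classification label"
    if not req.mfa_verified:
        return False, "multi-factor authentication required"
    # Least privilege: access requires an explicit role grant on the resource.
    if req.role not in req.allowed_roles:
        return False, f"role {req.role!r} not granted on this resource"
    # Conditional access: an unmanaged device may view but never export files.
    if not req.device_managed and req.action in EXPORT_ACTIONS:
        return False, f"{req.action} blocked on unmanaged device"
    # Information protection: the most sensitive label is never printed or copied.
    if req.label == "highly_confidential" and req.action in {"print", "copy"}:
        return False, f"{req.action} blocked for {req.label} data"
    return True, "allowed"

def evaluate_and_log(req: Request, audit: list) -> bool:
    """Decide and record every request, allowed or denied."""
    allowed, reason = evaluate(req)
    audit.append({"ts": datetime.now(timezone.utc).isoformat(), "user": req.user,
                  "action": req.action, "label": req.label,
                  "device_managed": req.device_managed, "allowed": allowed,
                  "reason": reason})
    return allowed

if __name__ == "__main__":
    log: list = []
    grant = frozenset({"finance"})  # constructed: only the finance role is granted
    for managed in (True, False):   # same user and file, managed PC vs. public PC
        r = Request("ana", "finance", True, managed, "download", "confidential", grant)
        print("managed" if managed else "public", evaluate_and_log(r, log), log[-1]["reason"])
```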

Cloud Access Security Broker (CASB)

A security policy enforcement point was put in place between cloud service consumers and cloud service providers. This allows Tiempo to apply enterprise security policies as cloud-based resources are accessed. The main benefits of a CASB solution are:

  • Visibility into cloud service usage
  • Consolidated view of all cloud services being used and the users who access them
  • Controlled access to cloud services
  • Organizational compliance with all relevant regulations and standards
  • Enforcement of security policies on cloud usage and corporate data
  • Application of security policies through audit, alert, block, quarantine and delete actions
  • Ability to encrypt or tokenize data stored in the cloud
  • Data loss prevention (DLP) capabilities
  • Controls to prevent unauthorized employees, devices or applications from using cloud services
  • Threat prevention methods such as behavioral analytics, anti-malware scanning and threat intelligence
  • Forwarding of all security logs to a centralized SIEM
  • Security monitoring and traffic inspection between zones to identify anomalies

According to Vega, “by implementing Zero Trust at Tiempo, we now have the visibility and IT controls needed to secure, manage and monitor every device, user, app and network being used to access business data.”

If Tiempo can help you ensure that your remote work environments are safe and optimized, please contact your Tiempo account manager today.