From Zero Trust to Zero Touch IT: Management Reality?
Last week I wrote about how the environment created by the COVID-19 crisis was forcing CIOs and CISOs to embrace Zero Trust when the entire workforce is suddenly remote. The flip side of Zero Trust is what I call “Zero Touch IT.” Few organizations have it. Most of them would benefit from it. And now we have the impetus to put the pieces in place to make it happen and make it stick.
The IT Status Quo Is Physical, Manual
Consider the average laptop purchase by a large or mid-sized corporation. Most likely, it comes from one of their two preferred resellers. An order goes to the reseller, who drop-ships the item to the corporation's procurement receiving team. That team scans the relevant identifiers for the laptop (serial number, MAC address, etc.) and enters them, probably manually, into their IT Asset Management (ITAM) system.
The laptop is then shipped to an IT desk member's cube or another receiving member for imaging of the drive and installation of the software agents needed for compliance, security and device management. (Or it may sit in a closet for a while, depending on the backlog.) The IT asset management team member then manually enters the information from the imaging process into the ITAM. If the IT department is on top of it, the imaged machine is then shipped to the end user's desk with peripherals. (Those may or may not be scanned and entered, depending on the sophistication of the IT team.)
The user then pulls the laptop out of the box, connects it to a monitor or fires it up, and starts adding software that they feel they need to use which the IT team did not add. They also start subscribing to SaaS services which may or may not be in the accepted catalog. Or they may be in the catalog but the user wants to have both a personal instance (of online storage, for example) and a company instance on the same machine.
Hours, Errors and Risk
In this process, hours of time are spent, multiple manual steps are undertaken, and opportunities for error and risk are everywhere. When humans set up machines, things are much more likely to go wrong: the process is complicated and repetitive, yet it has to be personalized for each user while staying standardized across the fleet. You can also assume a high likelihood of data errors, since people make minor mistakes when keying in serial numbers and MAC addresses, and a wrong identifier in the ITAM means the device can no longer be matched to what is actually running on it.
This is consistent with where the biggest security and compliance risks have come from to date: not from zero-days or attackers breaking through the network perimeter, but from social engineering and attacks like phishing, spearphishing and drive-by downloads, which succeed when a person lets their guard down or a machine is left running an unpatched browser because nobody was tracking it. And it hints at how both enterprises and their employees might gain as a side effect of dealing with the ongoing pandemic.
The Zero Touch IT Future
I am surely not the first person to paint this picture, but the best way to create an IT management system that works no matter what is to design it to be nearly Zero Touch. By that I mean that from the moment the PO is placed until the first time the employee logs on, no human being other than the employee touches the laptop's configuration. It is an entirely closed process. Here's how it might work.
The company purchasing department and IT department are both linked to the laptop reseller (or even better, the laptop maker). When a PO is filed, it is immediately mapped to a specific serial number and MAC address (or MAC addresses, depending on the type of machine). With that PO also comes a disk image and an order for which agents should be installed. The IT team should be able to remotely verify that the proper image was applied, the right agents were installed and any additional software the employee needs is pre-configured on the device. This would include access to all the SaaS products the employee needs, ideally through single sign-on against the company's identity provider rather than passwords seeded into the device, so that no shared secret has to travel with the box.
The box arrives at the employee's desk or house and they receive a text message with a link to the company's scanning app, which installs in its own container on Android and iOS devices. With the scanning app installed, the employee photographs the serial number and MAC addresses on the bottom of the device (where the sticker is affixed at the factory). When they fire up the machine, it generates a QR code encoding a hash of that machine's disk image and the preconfigured software and SaaS set. The app compares that hash against the one recorded when the PO was fulfilled, verifying that the device in hand and the device that was ordered and imaged are one and the same.
When the laptop goes live, it automatically connects to the corporate network via VPN and transmits verification information that the image is correct, agents are running and software is installed. For employees, this would be a radically improved experience. For IT staff, it would remove drudgery and errors. For things like SOC 2 compliance, which today depend on employees attesting that agents are installed on their machines, Zero Touch IT would simplify and improve the process, and make it continuous rather than a snapshot in time.
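To make the verification step concrete, here is an added example (mine, not code from the original post or from any product) of the exchange described above. The PO system records, per serial number and MAC address, the expected disk-image hash, the agents that must be present and a per-device enrollment key delivered out of band; at first boot the device hashes what it actually finds, authenticates the report with that key (this tag is what the QR code would encode), and the server checks the tag before comparing the report field by field against the record. Every name, record field and sample value below is constructed for the example.

```python
"""Added example: enrollment check for a Zero Touch provisioning flow.

Device side builds and tags a report of its image and agents; server side
verifies the tag and diffs the report against the PO's enrollment record.
All identifiers, keys and sample data are constructed, not real."""
import hashlib
import hmac
import json

# Constructed enrollment record, as the PO/ITAM integration would write it
# when the reseller fulfils the order (one record per device).
ENROLLMENT = {
    "serial": "EX1234567",
    "mac": "00:11:22:33:44:55",
    "image_sha256": hashlib.sha256(b"constructed-golden-image").hexdigest(),
    "required_agents": {"edr", "mdm", "vpn"},
    # Per-device secret delivered out of band (assumed: baked into the image
    # by the reseller). Assumption for this example, not a real mechanism.
    "enroll_key": b"per-device-secret-from-po",
}


def canonical(report: dict) -> bytes:
    """Serialise a report deterministically so both sides tag the same bytes."""
    return json.dumps(report, sort_keys=True, separators=(",", ":")).encode()


def device_report(serial, mac, image_bytes, running_agents, enroll_key):
    """Device side: hash the installed image, list running agents, tag the result.

    Returns (report, tag); the tag is what the QR code in the post would carry.
    """
    report = {
        "serial": serial,
        "mac": mac.lower(),
        "image_sha256": hashlib.sha256(image_bytes).hexdigest(),
        "agents": sorted(running_agents),
    }
    tag = hmac.new(enroll_key, canonical(report), hashlib.sha256).hexdigest()
    return report, tag


def verify_report(report, tag, record):
    """Server side: authenticate the report, then check it against the record.

    Returns (ok, findings). A bad tag is rejected before any field is trusted.
    """
    expected = hmac.new(record["enroll_key"], canonical(report),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False, ["report tag does not verify; rejected before reading fields"]

    findings = []
    if report["serial"] != record["serial"]:
        findings.append(f"serial mismatch: {report['serial']}")
    if report["mac"] != record["mac"].lower():
        findings.append(f"mac mismatch: {report['mac']}")
    if report["image_sha256"] != record["image_sha256"]:
        findings.append("disk image hash does not match the golden image")
    missing = record["required_agents"] - set(report["agents"])
    if missing:
        findings.append(f"missing agents: {sorted(missing)}")
    return not findings, findings


if __name__ == "__main__":
    key = ENROLLMENT["enroll_key"]
    # Healthy device: correct image, all agents up.
    good = device_report("EX1234567", "00:11:22:33:44:55",
                         b"constructed-golden-image", ["mdm", "edr", "vpn"], key)
    print("good device:", verify_report(*good, ENROLLMENT))
    # Tampered device: wrong image, two agents missing.
    bad = device_report("EX1234567", "00:11:22:33:44:55",
                        b"tampered-image", ["mdm"], key)
    print("bad device:", verify_report(*bad, ENROLLMENT))
```

The order of checks matters: the tag is verified with a constant-time comparison before any field is read, so a forged report cannot even produce a useful error message. The weak point in this sketch is the enrollment key itself. A secret stored on disk can be lifted by anyone with admin rights on the box and used to sign a flattering report, which is why a production version binds the report to a key held in the machine's TPM or equivalent hardware.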
This may sound like a pipe dream. But in reality, I'd estimate we are already 75% of the way there. Now, with what looks like an extended period of remote work that will likely be repeated with the next round of COVID-19 outbreaks, we have a golden opportunity to create a true Zero Touch IT experience that will make us more secure, more productive and more compliant. And probably happier. This scenario is also Zero Trust, because verification is automated, consistent and configurable. We could do nifty things like add additional authentication factors or "things you know" questions to make the process harder to spoof.
Best of all, while this would work in a remote work world, it would function just as well when we return to the old ways of face-to-face office time. Zero Touch. Zero Trust. Machines managing machines to make work better.
Arthur Lozinski, CEO