Bobby Varma, Nov 8, 2021 2:43:54 PM

Extend zero-trust principles beyond the local network into the home

It wouldn’t take long for someone scanning job posts on LinkedIn, Indeed or ZipRecruiter to find a role that was either fully remote or hybrid. A recent study found that about 62 percent of working adults ages 22 to 65 claim to work remotely at least occasionally. Working from home is convenient for the employee, but maintaining a strong security posture can be difficult for the employer. The greatest challenge in this era of disrupted workforces is that employees must access customers’ sensitive data to complete work. But how are they to do this securely? Businesses turned to the zero-trust model, otherwise known as the principle of “never trust, always verify.” By always confirming that the person accessing the network is who they say they are, companies can protect against data breaches and prevent exposing their customers’ sensitive data.

Nevertheless, how can a business extend those zero-trust practices beyond the local network and into the physical world, right to the remote employee’s chair? In other words, how can an organization prevent unauthorized people from looking over its remote employees’ shoulders? When sensitive data such as personally identifiable information (PII), protected health information (PHI), or any form of financial information is accessed in the home environment rather than an office, there is a possibility that someone could see the employee’s screen and the displayed information, compromising the client’s data.



Identity confirmation solution


Unauthorized people could be anyone, from the plumber and the babysitter to the housekeeper and children carelessly filming a video for social media. These people are much harder to control as they are physically separate from any security protocols built into a network. Perhaps the best solution to this challenge is a method that adds a new layer of zero-trust to the home environment by confirming that the person in front of the computer is an authorized user. By utilizing an identity confirmation solution that combines biometrics, object recognition, and AI, businesses will ensure only approved employees view sensitive data.

An identity confirmation solution conveniently adds a layer of verification on top of an existing virtual desktop infrastructure, leveraging biometrics, dedicated hardware and workforce process capabilities to extend zero-trust to remote environments. The solution seamlessly verifies the employee’s identity via face biometrics and deep learning algorithms. If the system detects an anomaly, it will use a camera to take photos of the employee’s workplace and then have the images processed by an AI proctor. Examples of suspicious behavior include unknown people in the camera view area, no one in the camera view area, multiple persons in the camera view area, or a phone in the camera view area. Should the AI notice any misconduct in the images, it would take a snapshot of the situation and alert a panel of human operators to evaluate the situation further and take appropriate action.

If the identity confirmation solution detects a concerning irregularity, it will automatically lock the user’s session, preventing unauthorized people from viewing sensitive data on the employee’s screen. Moreover, should the user commit the violation, it is best practice for the system to restrict access to the corporate infrastructure, block attempts at screen sharing or taking screenshots and inhibit access to USB and data storage. These solutions also allow for real-time email notifications and can be integrated with third-party monitoring systems.


How is this not Big Brother?

A valid criticism some might levy against these identity confirmation security systems is that they violate the employee’s privacy. Although this is a very reasonable concern, it assumes that the solution is always watching like Big Brother when, in fact, the system is only operating when it must. These solutions leverage an advanced algorithm that is only active when the user accesses confidential information. Additionally, it only takes pictures when a violation or security risk occurs. Likewise, the system won’t be “on” all the time, so employees do not have to worry about their computer watching them outside of work hours. Think of it as a watchdog who only perks up his ears when someone enters a certain room – otherwise, he is asleep when the person is walking about the rest of the house.

These zero-trust security systems never get installed without the employee’s knowledge. The solution wouldn’t even work without the employee’s consent as it requires the user to enroll a facial scan into the system. This identification information is not collected surreptitiously as the whole purpose of the technology is security, not surveillance. Consider that it is not a human watching the employee but an algorithm designed to flag irregularities when the user accesses the customer’s sensitive information. Furthermore, similar security practices already exist. Numerous organizations that handle private customer information forbid their employees from screen-sharing or taking photos in their offices. Some might even prevent employees from bringing their phones into certain rooms, meetings or buildings for various security and privacy purposes.


Preparing for a volatile future

By mitigating the risk of having sensitive data viewed or accessed by the wrong people in the home or remote setting, businesses can gain a greater level of flexibility with their workforce and better peace of mind as well. Though previously unfeasible, industries like healthcare, insurance and financial services can have their employees work remotely. Having the security infrastructure to allow employees to work from home will be an essential recruitment tool for today and in the future, as even more people seek the freedom to work remotely or in hybrid models. Similarly, companies need the resiliency to have all their staff work from anywhere because there is always the possibility of a natural disaster, another lockdown or any unforeseen emergency disrupting business.

Reproduced from an article in:

Cybersecurity in a Remote Work World

by BORIS KHAZIN AND BOBBY S. VARMA · NOVEMBER 4, 2021

How identity confirmation solutions can extend zero-trust principles beyond the local network and into the home

Bobby Varma is the CEO of Princeton Identity.