
Zero Trust Security at Utmost


At Utmost, the world’s first extended workforce management system, we are strong believers in our approach as industry disruptors, always changing the status quo to do things better for our customers. As such, we’re proud to announce another milestone in our security posture with Zero Trust networking for Middleware, Infrastructure, and now the Application for our customers.

This, along with our recent SOC 2 Type II attestation and our ISO 27001 certification, demonstrates Utmost’s core commitment to security and data privacy as core values of our business.

What is Zero Trust Networking?

First, let's take a quick history detour for some context. 

To oversimplify traditional network security architecture, networks are divided into zones such as DMZ, Trusted, and PCI (to name a few), with one or more firewalls between the zones granting each a level of protection and an implied level of trust.

This older model does not hold up today. It leads organisations to inherently trust anything inside a zone, which gives a false sense of security: once an attacker or a compromised host is inside a "trusted" zone, lateral movement to its neighbours is rarely challenged. For this reason, the zero-trust model is far better suited. Think of it as a methodology, which we will touch on a bit later.

The zero-trust model turns the previous model inside out by not assigning different levels of trust to the various networks. It assumes that all networks are hostile and that threats exist on the network at all times. Thus, in a zero-trust network, every packet needs to be analysed and authorised on a continuous basis, based on the identity of the workload or user and the policy that applies to it, not on the network segment it arrived from.

Why is this important?

Keeping up with the news on the latest security breaches shows how some of these traditional models have failed in the modern age of cybersecurity. For a business that has experienced such a crisis, exposing data and losing customers' trust is a downward slope no business can afford.

A common theme in this article is that you don't know where an attack, leak, or breach is going to come from. Maybe your "trusted" office network, a third-party integration, your ISP, your cloud provider; the list goes on. The point is, you don't know, and with new and creative ways to breach your company's network appearing all the time, it is just not worth the risk. Adopting a zero-trust methodology to question, analyse, validate, and authorise everything, with no expectation or assumption of trust, is the most secure approach.

When evaluating a partner or integrator, it is important to ensure it will not undermine your existing security posture, and this is true no matter what business or industry you are in.

How we achieved Zero Trust Networking

Our focus here is zero-trust networking within our Kubernetes ecosystem, keeping in mind that most of our infrastructure is containerised. We opted to replace our existing CNI (Container Network Interface) plugin with Cilium to take advantage of eBPF (extended Berkeley Packet Filter), which is built into the Linux kernel. In short, eBPF makes the kernel programmable: you write small BPF programs that the kernel verifies and then runs in-kernel, rather than pushing changes upstream into the kernel code base or loading kernel modules.

Cilium itself is a high-level abstraction over eBPF that addresses networking, security, and visibility for container workloads. This is critical if you are running Kubernetes in production, because by default a cluster is open: any pod can talk to any other pod, and Kubernetes NetworkPolicy objects only take effect when the CNI plugin enforces them. Cilium enforces them, and its own CiliumNetworkPolicy resources extend them with identity-based rules and layer-7 filtering (for example, by HTTP method and path).

To give some numbers from our Kubernetes infrastructure, we are processing 1207 flows per second, each getting validated against a multitude of network policies to approve or deny access.
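As an added illustration (these are not Utmost's own policies), here is what the move from an open cluster to default-deny looks like in Cilium's policy language. The namespace `prod`, the labels `app: frontend` and `app: api`, and port 8080 are assumed for the example. The first object puts every endpoint in the namespace into default-deny for both directions; the second re-allows only DNS egress to kube-dns, a caveat that bites almost everyone who applies default-deny egress, because name resolution silently stops working; the third allows the frontend to reach the API, and only for GET requests under /v1/, enforced at layer 7 by Cilium's proxy.

```yaml
# Added example, not from the original post. Namespace, labels and port are assumed.
# 1. Default-deny: selecting every endpoint in the namespace with empty
#    ingress/egress rules puts them into enforcement mode without allowing anything.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: default-deny-all
  namespace: prod
spec:
  endpointSelector: {}
  ingress:
  - {}
  egress:
  - {}
---
# 2. Re-allow DNS to kube-dns only. Without this, default-deny egress breaks
#    name resolution for every pod in the namespace. The DNS L7 rule also lets
#    Cilium observe the names being resolved (useful for later toFQDNs rules).
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: prod
spec:
  endpointSelector: {}
  egress:
  - toEndpoints:
    - matchLabels:
        "k8s:io.kubernetes.pod.namespace": kube-system
        k8s-app: kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: UDP
      - port: "53"
        protocol: TCP
      rules:
        dns:
        - matchPattern: "*"
---
# 3. Allow frontend -> api, and only GET /v1/... over TCP 8080.
#    The rule is based on workload identity (labels), not on IP addresses,
#    so it keeps working as pods are rescheduled and their IPs change.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: api-allow-frontend-get-v1
  namespace: prod
spec:
  endpointSelector:
    matchLabels:
      app: api
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: frontend
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      rules:
        http:
        - method: "GET"
          path: "/v1/.*"
```

Apply the file with `kubectl apply -f` and confirm the objects are accepted with `kubectl get cnp -n prod`. With Hubble enabled, `hubble observe --namespace prod --verdict DROPPED` shows exactly which flows the new policy is rejecting; running it in a staging namespace first is the quickest way to find the traffic you forgot to allow before default-deny reaches production.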

Lastly, we cannot do enough justice to Cilium and eBPF in this short article, so please refer to the Cilium and eBPF project documentation to find out more.

How can your organisation move toward this approach?

While this short article focuses on the major milestone of zero-trust networking, practising only one aspect is not enough. Zero Trust as a whole is not something you can buy as a single product or have a contractor implement. It must be an organisation-wide approach that is not limited to IT teams.

Zero Trust is a methodology, a way of thinking that must be applied to all aspects of your technology ecosystem for it to be implemented successfully. Take identity management as an example: even though a user has successfully authenticated, can you fully trust that account, and will your network security prevent it from accessing resources it has no need to access? Or do you trust the account to move around freely simply because it is in the trusted zone?

Security should be layered. Each layer should implement a zero-trust approach. Just because you got through the front door shouldn’t mean you have access.

In the end, this benefits us all.

About Utmost

Utmost Extended Workforce System is the talent-focused, next evolution of vendor management software. With Utmost, enterprises gain full visibility into their extended workforce. This enables data-driven talent decisions across HR, Procurement, Finance, and IT. The software enhances the productivity of workers, hiring managers, HR partners, and staffing firms while ensuring compliance. Utmost was founded in 2018 by industry leaders Annrai O’Toole, Dan Beck, and Paddy Benson, and is backed by Greylock Partners, Workday Ventures, and Mosaic Ventures.
