Cyberattacks are rampant in the wake of the pandemic, with ransomware attacks and social engineering risks increasing by 53%. And naïve and underprepared employees are proving to be the biggest cybersecurity risk for businesses.

With the rise of hybrid working models, employees are becoming more accustomed to working from anywhere, on any device, at any time. Some are even inadvisably (and against corporate edict) attempting to connect to corporate resources via unsecured networks or using non-approved, shadow apps to stay productive. The result? 90% of security leaders believe their organisations are falling short when it comes to their cybersecurity posture.

It doesn’t help that attacks are increasing in sophistication and frequency, says Elton Chew, Senior Director, Networking, Security, and Automation, APJ of VMware. “Organisations are struggling to keep pace with adversaries in a distributed world as alerts from siloed, disparate systems lack context and hence delay remediation time. The market is still filled with too many point solutions and too little well-rounded, full security stacks that provide end-to-end protection.”

Minimising risks through zero trust

A zero-trust security posture is critical to mitigating the risks that come with hybrid working and the influx of devices, because it is built on the assumption that no user, device, application, or transaction can—or should—be trusted by default without explicit verification. Joe Baguley, Vice President & Chief Technology Officer, EMEA of VMware, went as far as to say that anyone not looking at the world with a zero-trust lens right now needs to wake up.

Unlike most security approaches, a zero-trust strategy can deliver multi-layered protection against threats, because every access request is treated as potentially fraudulent, with trust needing to be verified at every step. To gain access to the network, requests are typically validated against the five pillars that make up a typical zero-trust architecture:

  • Device trust: Made up of features such as device management, device inventory, device compliance, and device authentication, this allows businesses to minimise the risk of unauthorised access to any device.
  • User trust: This comprises identity management, such as password authentication, multi-factor authentication, conditional access, and dynamic scoring, which can validate a request as coming from an authorised user.
  • Transport or session trust: This limits users’ access rights, granting them only the minimum permissions necessary to perform their tasks.
  • Application trust: Ensuring that only valid applications can access corporate resources, through capabilities such as single sign-on and app isolation combined with ‘any device’ access.
  • Data trust: This includes capabilities protecting data at rest via encryption or immutability, data integrity and data loss prevention tools, and data classification.
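
The five checks above can be combined into a single deny-by-default access decision. The following Python is an added example, not code from the article or from VMware; the field names, risk threshold, role map, app allow-list and classification levels are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical least-privilege map for the session pillar: role -> allowed actions.
ROLE_PERMISSIONS = {"finance-analyst": {"read"}, "finance-admin": {"read", "write"}}
APPROVED_APPS = {"erp-web"}  # constructed allow-list for the application pillar
CLEARANCE = {"public": 0, "internal": 1, "restricted": 2}  # constructed data classes

@dataclass
class AccessRequest:  # every field name here is an assumption
    device_managed: bool
    device_compliant: bool
    mfa_passed: bool
    risk_score: int  # dynamic score, 0 (low risk) to 100 (high risk)
    role: str
    action: str
    app: str
    data_class: str
    user_clearance: str

def evaluate(req: AccessRequest, max_risk: int = 40) -> tuple[bool, list[str]]:
    """Return (allowed, failed_pillars); a single failed pillar denies the request."""
    checks = {
        "device": req.device_managed and req.device_compliant,
        "user": req.mfa_passed and req.risk_score <= max_risk,
        # Unknown roles get an empty permission set, so they are denied.
        "session": req.action in ROLE_PERMISSIONS.get(req.role, set()),
        "application": req.app in APPROVED_APPS,
        # Unlabelled data or an unknown clearance fails closed.
        "data": CLEARANCE.get(req.user_clearance, -1) >= CLEARANCE.get(req.data_class, 99),
    }
    failed = [pillar for pillar, ok in checks.items() if not ok]
    return (not failed, failed)

# Constructed sample requests: a managed laptop in the office, and an
# unmanaged device on public Wi-Fi using a non-approved app.
OFFICE = AccessRequest(True, True, True, 10, "finance-analyst", "read",
                       "erp-web", "internal", "internal")
CAFE = AccessRequest(False, False, True, 65, "finance-analyst", "write",
                     "notes-sync", "restricted", "internal")

if __name__ == "__main__":
    for name, req in (("office", OFFICE), ("cafe", CAFE)):
        print(name, evaluate(req))
```

Returning the list of failed pillars, rather than a bare allow or deny, gives the help desk and the detection pipeline the context needed to explain or investigate a refusal.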

Securing the future of hybrid working

Even as more organisations implement zero-trust architectures to secure their hybrid working models, challenges still lie ahead. Firstly, a piecemeal approach to zero-trust can result in silos and increased operational complexity: it is vital that businesses ensure their departments, processes, and technology are aligned. A zero-trust architecture also needs continuous maintenance, a requirement many organisations often struggle to grasp.

At the same time, users may resist efforts to deploy zero-trust security, for fear that it will interrupt workflows and interfere with their jobs. This is typically the result of security teams deploying new security protocols without understanding how they can affect other users and failing to communicate widely and transparently with stakeholders.

Consider the following when implementing your zero-trust strategies:

1. How can you improve communication across teams? 
Think about how to better convey the needs and benefits of a zero-trust security environment while easing the onboarding of new users.

2. Have you considered new automation technologies such as compliance engines and real-time policy enforcement? 
As cybersecurity threats continue to grow exponentially, both in number and sophistication, manual provisioning, patching, and remediation of risks can no longer keep up.

3. When designing your security policies, did you keep in mind the end-user experience and employee use cases?
It’s crucial to unify security, experience, visibility, and management, so as to deliver the appropriate policies and security postures.

4. Is your zero-trust security a collaborative activity? 
Your security and IT teams (along with other non-traditional stakeholders) should work closely together to better align their security goals through zero trust.

5. Are you scaling your security response based on data from zero-trust practices? 
Tap into these insights to monitor network patterns and improve your trust and access decisions.

Hybrid working will only continue creating new entry points for attackers to exploit. Chew highlighted that “the move towards multi-cloud also means a stretched perimeter and an expanding attack surface.” Having a zero-trust-based security architecture—one that is easy to manage—is key to addressing the different control points effectively.

Yet it is equally important to update businesses’ understanding of what is possible with technology.

“Cybersecurity has already evolved to catch up with the threat landscape. It is people’s perception of what they can achieve with technology that remains dated. Conversations with customers highlighted that they don’t understand what SD-WAN and SASE are, and how these can redefine their idea of hybrid working. It’s the same with zero-trust. The faster people realise what’s possible, the faster they can leverage it to start evolving their hybrid work models,” explains Baguley.
