With millions of people working from home at present, and likely into the future, the enterprise perimeter has all but dissolved. In the process, organizations are struggling to ensure security in this "zero-trust" and remote era. The concept of zero trust was introduced by Forrester in 2014, demonstrating that forward-thinking organizations shifed to a zero-trust framework well before the pandemic. Now, with vulnerabilities laid bare for nearly every business with a dispersed workforce, operating under the assumption that one’s network is already comprised is imperative. And it's understandable considering the increase in BOTs, fake social media accounts and the impersonation of privilege accounts, not to mention the fact that employee access and connections have become increasingly dynamic.

Today's enterprise touchpoints include a wide range of SaaS and cloud services, all of which provide opportunities for nefarious actors to take advantage of the network. That's why a holistic strategy should include a "never trust, always verify" approach that requires validation of devices, users, apps and networks, as well as a process for detecting and remediates threats—before access is granted.

At EPAM, where more than 36,000 employees work across 30 countries, our identification strategy includes well-defined policies spanning network and computer security, access and separation control, archiving, awareness and training and sensitive information protection. At the border, for example, a firewall protects local area networks (LANs) and various demilitarized zones (DMZs) such as Wi-Fi access and project VLANs, etc., with policies on the firewall restricting access to internal resources. Further, an intrusion detection system (IDS) is used in each EPAM office, and all network devices are configured to mirror internal and external traffic to IDS servers.

Sensitive data is transmitted via secure protocols (HTTPS, SFTP, IPSec), with a classification framework defining the appropriate security levels and protection controls applied to sensitive information access during the following:

  • Handling
  • Storing
  • Accessing
  • Transmitting
  • Speaking
  • Screen monitoring
  • Archiving
  • Destroying
  • Physical securement

For event management, we use a centralized log management center. The IT security team is dedicated to continuous monitoring of the IDS logs and applies the following industry best practices and recommendations for enhancing the protection of its systems:

  • Standard software images are implemented by local IT
  • To ensure only authorized software is installed, OS patching is performed in a managed fashion
  • Software is scanned regularly
  • Windows firewall is enabled
  • Centrally managed antivirus software is installed on all Windows-based workstations and servers. When a newer version is available, the scanning engine and virus definition files are updated immediately
  • Virus scanning is performed in real time, with new updates forced to all computers
  • Session time-out is 10 minutes
  • The computer names are generated according to company resource naming convention


To ensure separation control, every project has its own repository in the version control system (SVN, Git) to store and control program sources, documents and such. With this arrangement, the data of each project is separated, qne only the project team possesses access to the repository. This feature is based on an internal system granting data access according to project participation. EPAM also has an active IT Security Awareness Training Program, which each employee must complete on an annual basis. It is the responsibility of management to continuously follow up on the status of such training.

When it comes to physical access control, EPAM takes stringent measures to prevent unauthorized access to data processing systems. For instance, our data center is accessible only to authorized persons, according to their job duties, with multi-factor authentication (MFA), such as a proxy card and PIN code, required before access is granted. These access rights are reviewed by the management on a monthly basis and are revoked immediately if an employee is dismissed or his/her position changes. Information access is shared with users on the "minimum necessary" and "need-to-know" basis.

Today, enterprises must think across an entire ecosystem, including employees, customers, partners, vendors and supply chains. Deploying MFA is an important component to securing and managing identities, but it's essential to make the process user friendly. Help employees understand its value, to them and the enterprise. As much as possible, simplify and modernize systems and applications to unify them rather than just layer and abstract and assume everything will work out in the long term. Finally, nothing replaces a well-defined governance program, one that’s flexible enough to evolve with the enterprise, as well as challenges of the day. Above all, ensure that your employees are educated and supported. Many are under the impression they’re operating on their own. When they feel both connected and protected, it's a win or everyone—except the bad actors.