After teleworking, are we heading towards a democratization of flex office?

While telework developed widely in organizations in 2020 because of the Covid-19 pandemic, flex office now appears as the next logical step in the reorganization of workspaces. Regular teleworking (for example one or two days a week) encourages a reorganization of offices: for the same number of employees, fewer workstations are needed on the organization's premises.

What is the flex office?

The flex office concept means that no employee has a dedicated office. When they are on their organization's premises, employees settle wherever they want or can, depending on the space available and the program of their day. Flex office also covers the concepts of mobility and teleworking. The objective is to break down all geographical barriers, both outside the company (working from home, on a train, in a co-working space, etc.) and within the company itself, by abolishing the boundaries between departments of the same company.

Why introduce this concept?

The first argument is economic and pragmatic: the average occupancy rate of a permanent office is between 50 and 60%, and with the democratization of teleworking this rate is going to decrease even further. As a result, and given the cost per square meter of office space, many organizations see flex office as a way to reduce their fixed costs without giving up a geographical location that could affect some of their employees.

However, the economic aspect is not the only one; flex office is beneficial on several levels:

- It promotes exchanges: by opening up physical spaces, sales representatives can work next to developers, or an IT manager next to the Digital Workplace Manager. Their exchanges provide a better understanding of each person's constraints and challenges and thus promote solutions that take these aspects into account.
- It provides flexibility: employees can work wherever they want, according to their program, their constraints and the people they want to work with during the day, in spaces that sometimes favor a studious atmosphere, other times a collaborative one.
- It increases productivity: thanks to this greater flexibility and to teleworking, which reduces stress and fatigue, employees become more efficient and are less often absent. Occasional teleworking reduces employee absenteeism by a factor of three.

Zero Trust in the light of this new paradigm

Mobile employees access their applications from anywhere, from controlled or uncontrolled networks, and even at the office, intra-organizational mobility is a potential risk insofar as employees do not necessarily know the people around them, who may in some cases represent a cybersecurity threat. The flex office system must therefore be accompanied by a Zero Trust policy. In this flex office context, several links of the Zero Trust chain of trust are particularly important to implement:

- Authentication: consider where the user is located when accessing applications so that, depending on this context, authentication can be strengthened via different MFA mechanisms (multi-factor authentication, which consists of authenticating with at least two distinct proofs of identity) such as OTP (for example a One-Time Password sent by SMS), smart cards or question-and-answer mechanisms.

  Authentication (primary or secondary) allows a user to prove his or her identity before accessing a resource or service. Primary authentication gives the user access to the workstation (Windows login). Several authentication modes can be made available to users: login and password, smart or contactless cards, biometrics, mobile, etc. To classify an authentication mode it is enough to rely on the three factors: "What do I have?", "What do I know?", "Who am I?". The answers to these questions make it possible to say, for a given authentication method, whether it is single- or double-factor. Secondary authentication is the access of a user to an application from a session already open on a workstation. The application can be of any type: web, client-server, local to the workstation or external.

- Network access to the application: eliminate the "VPN risk", since a VPN gives access to a complete network and does not allow control, within that access, of what the user connects to. ZTNA allows selective access to applications rather than global network access, covering access from controlled or uncontrolled networks in a telework/mobility situation.

  VPN (Virtual Private Network): a technology that simulates a local area network between two trusted networks. In practice it allows two elements (workstations, servers, printers, etc.) to communicate with each other even though they are not physically located in the same computer network. Since communication between these two networks passes through a public network in most cases, VPNs incorporate security mechanisms so that the communication cannot be intercepted by a third party, ensuring confidentiality. This technology is very practical for companies spread over several sites that need to share computer resources such as file shares. For ease of use, IT departments have also adopted it for teleworking, treating the remote user's workstation as an extension of the company's network even though that workstation is not part of a trusted network.

  ZTNA (Zero Trust Network Access): a name describing products that apply a "Zero Trust", or least privilege, policy to external access. The objective is to give an external user strictly the access indispensable to carry out the tasks required by his work, without granting superfluous rights or access that could put the security of the information system at risk. Access policies are defined according to the identity of the user, possibly reinforced by two-factor authentication mechanisms, and his connection conditions, such as the connection location or the health of the terminal used. ZTNA makes it possible to grant very fine and granular access to the information system, differentiated according to the user, whether an internal teleworker or a service provider. This approach strongly limits the risks of intrusion into or infection of the information system.

- Guaranteeing identity in real time: counter the risk induced by the flex office system. Unlike an organization with permanent offices, where every new person present on a floor is immediately identified, in a flex office situation, and particularly in large companies, it is common not to know your office neighbor. If a malicious person has managed to get past the physical boundaries of the organization, this person can potentially take over the workstation of an employee who is temporarily absent and did not lock his session. Deploying a continuous authentication mechanism eliminates this risk by automatically locking the session, asking the person to re-authenticate, or alerting the supervisor if there is any doubt about the identity of the person behind the screen.
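As an added illustration (not the article's own code nor any product's API), the following Python models the chain of trust described above: classifying an authentication mode by the three factors, context-dependent step-up to MFA, and ZTNA-style per-application decisions contrasted with the whole-network grant of a VPN. The application names, network labels and policy are constructed assumptions.

```python
"""Toy Zero Trust access model for a flex office (constructed example)."""
from dataclasses import dataclass

# Factor category proven by each mode: "What do I have / know?", "Who am I?"
FACTOR_OF = {
    "password": "know",
    "smart_card": "have",
    "contactless_card": "have",
    "sms_otp": "have",  # the phone receiving the OTP is something you have
    "fingerprint": "are",
}

def factor_count(modes):
    """Distinct factor categories proven: 1 = single factor, 2+ = multi-factor."""
    return len({FACTOR_OF[m] for m in modes})

@dataclass
class Context:
    user: str
    modes: tuple          # authentication modes already presented this session
    network: str          # "office", "home" or "public" (constructed labels)
    device_healthy: bool  # result of the terminal posture check

# ZTNA-style policy: one rule per application (hypothetical names) giving the
# minimum factor count, the networks tolerated and whether posture is required.
POLICY = {
    "intranet":   {"min_factors": 1, "networks": {"office", "home", "public"}},
    "crm":        {"min_factors": 2, "networks": {"office", "home"}},
    "hr_payroll": {"min_factors": 2, "networks": {"office"}, "healthy_only": True},
}

def decide(app, ctx):
    """Return 'allow', 'step_up' (MFA must be added) or 'deny' for one app."""
    rule = POLICY.get(app)
    if rule is None or ctx.network not in rule["networks"]:
        return "deny"
    if rule.get("healthy_only") and not ctx.device_healthy:
        return "deny"
    if factor_count(ctx.modes) < rule["min_factors"]:
        return "step_up"  # strengthen authentication according to context
    return "allow"

def ztna_grants(ctx):
    """Per-application decisions: only what this user, here, now, may reach."""
    return {app: decide(app, ctx) for app in POLICY}

def vpn_grants(ctx):
    """Contrast: once the tunnel is up, a VPN exposes every application alike."""
    return {app: "allow" for app in POLICY}
```

Note that two "have" proofs (smart card plus SMS OTP) still count as a single factor, which is exactly the classification the three questions are meant to make explicit.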