Implementing Zero Trust may seem daunting, but the good news is that you are probably farther along than you think. In this blog series, Broadcom Software will look at the key factors to consider when implementing a Zero Trust framework.
From the user's perspective, the ability to use applications – and the security to protect them – should be transparent. They should just work. A poor user experience may encourage employees to subvert established security procedures, create shadow IT and, in the long run, put the company at greater risk for cyberattacks.
For example, when users first pivoted to remote work, there was a surge in interest in using Virtual Private Networks (VPNs) to secure workflows. Employees didn’t like the added security step; they were used to the ease of accessing office suite applications such as Microsoft Office, Outlook and other productivity tools without a VPN. Today, eliminating the use of VPNs is one of the biggest corporate drivers for Zero Trust.
Zero Trust (“never trust, always verify”) is not a solution. Instead, it’s a modern paradigm for securing all interactions, starting with those between users and a set of resources, assets, or servers. By taking the right steps, organizations can successfully implement Zero Trust while maintaining a quality user experience.
Maintain a Quality (and Secure) User Experience
User experience matters. But what is “quality” user experience? Organizations need to define their “quality” user experience – including performance – and be able to measure it before, during, and after Zero Trust implementation to ensure there is no user experience degradation. Most organizations have already established a baseline for the performance they're used to delivering. Poor performance can result in a measurable drop in productivity as users try to troubleshoot the issue.
Embrace Least Privilege to Create Granular Access
Access is at the heart of Zero Trust. The primary entry point to Zero Trust is to control or manage access to private applications that are necessary to an organization’s business. “Least privilege” management enables organizations to create and enforce security controls to ensure that users only get access to the resources they need; no more and no less. With Zero Trust, users are not granted continuous, guaranteed access forever. Organizations should have in place a governance policy that supports automatic access management so employees can be quickly added or removed as needed.
These granular rules enable you to audit your least privilege security policy and other policies more carefully since there's only one entry into the application and you have a consistent framework to validate the user, the device, and the access policy at that time.
Extend Visibility Across All Environments, including Hybrid and Multi-Cloud
To ensure a quality user experience, visibility is key for a successful Zero Trust implementation. Traditional network monitoring tools only provide visibility inside an enterprise. While critical assets remain on-prem, the integration of hybrid and multi-cloud environments spreads resources out over networks that organizations don't have the ability to directly monitor with traditional tools. Modern network monitoring solutions like AppNeta by Broadcom can extend visibility into the end-user experience of any application. This visibility is particularly important in multi-cloud environments because now you're trying to monitor and gain an in-depth understanding of infrastructure that you don't own.
Network monitoring helps to ensure that everything is running the way it should be. When you start to monitor, look at utilization, sessions, volumes, and transactions to make sure that the network is robust and security controls are not interfering with user access and productivity. As we will discuss in the next article in this series, network monitoring can also play a critical role in identity verification.
A scenario CISOs never want to hear: "We just got breached and lost 10 million records, but our end user had a pretty good experience. They had a really simple login and good performance." Throughout your Zero Trust journey, be sure to take steps to maintain quality user performance – with the important caveat that it should not replace security as your top priority.
In terms of Zero Trust adoption, the good news is that most organizations are farther along than expected. Many organizations have been piloting Zero Trust implementations for some time. Organizations with a very complicated network or more regulatory compliance requirements have a longer adoption time. Other organizations that deliver services or do other functions that don't have such a high backend data processing stack are able to adopt Zero Trust much more quickly.
Unsure where you are in your own Zero Trust journey? Zero Trust doesn’t have a finish line – as business conditions change, Zero Trust requirements change.
Let Broadcom Software be a trusted software partner to help you navigate this process and your Zero Trust journey.