With Zero Trust as a significant marketing motion in the industry, everyone’s fighting for your budget. Everyone’s pitching hard to get you to buy into their solution. Before you start buying anything, let’s get down to what’s truly important: where we see the business value of Zero Trust.
In my previous post, I discussed some of the concepts which help define the often-nebulous world of Zero Trust. We started with the basics of “Don’t talk to strangers!” and delved into how that applies to resources and network infrastructure.
Let’s talk about four critical concepts to unlocking the business value of Zero Trust for your organization.
User Experience
Users are the hardest to convince, and often the last ones to have input and the first to experience the pain. We feel that the user experience is vital to a successful Zero Trust architecture. Making the experience simple, intuitive, and consistent continues to be crucial, and this is what we’re hearing from users regarding security and access, especially now in the New Normal.
Simplifying the user experience leads to greater adoption, less confusion, and far better control over what resources are accessible and how they are accessed. We all know that there is a careful balance to be maintained between security and usability, and Zero Trust removes much of the noise of user security in exchange for clear policy and effective access control.
Focusing on the user as the edge “device” of zero trust-based architectures means potentially fewer disparate inspection points, which can reduce your overall spend, free up resources, and lower the volume of support calls into your IT team. Spend time with your users and get to know what they’re expecting so you don’t lose them on your journey to Zero Trust!
Identity and Policy
Identity is the new perimeter. It’s essential to understand who your users are, to empathize with their daily experience, and how to best to work with them to maintain a level of identity assurance. The complexities of identity often include such components as single sign-on, multi-factor authentication, certificates, device fingerprinting, and even biometrics where available. Matched with the additional information of time-of-day, location, and which other resources they may be accessing, the resulting identity can help to validate that your users are whom you believe them to be.
Policy is the other key element. Policy without identity is just a set of unapplied rules. Identity isn’t an actionable element of the network without policy. Associating the two creates a powerful network edge experience. Traditionally, Network Access Control (NAC) has been about a port-based authentication point for devices and users. VPNs have been about aggregating those connections and applying policy at that aggregation point. Now that both users and resources no longer reside strictly within the confines of the enterprise environment, identity and policy need to move even closer to the user instead of at a single infrastructure edge.
Architecting with Identity and Policy as key drivers will free your users to connect from anywhere, and to have a consistent experience, no matter what infrastructure may be in place. Your infrastructure will become more efficient; you can leverage tools designed for a cloud world and remove the overhead of trying to port policies and rules designed for the infrastructure edge to each user, simplifying your policy design. Your network will be more focused on service delivery for your users, the main goal of zero trust architectures.
Auditing
If you’ve ever been a part of compliance auditing, you know just how terrifying surprises can be. Identifying data assets and strictly managing access from the user to the resource simplifies compliance auditing. Having full control over that access and the ability to visualize the connection and validate the user identity makes auditing a much clearer, far less invasive experience.
Digitally accompany the user or IoT device on its journey through your network to and from a resource is vital to maintaining that trust. You can only reap the benefits of proper identity management if you understand your users and their relationship to your data gravity and critical data assets. While data gravity isn’t explicitly Zero Trust, understanding it and where it lies within your centres of data is a vital component of your path to Zero Trust. Mapping your centres of data and associating them with your user Identity and policy will give you the start and endpoint of your zero trust segments. Those segments are going to be the key to your auditing process.
Auditing what is secured by nature is more manageable than auditing what isn’t. When the assumption is that everything else is noise, you can make easier decisions concerning how your secured data meets different compliance frameworks, which simplifies the process, lowers cost, and increases your reputational currency with your customers.
Visibility
Zero Trust requires a new paradigm of visibility for the network. Accepting that the user experience is vital, users’ identity and policy connect them with resources, and auditable frameworks and encryption protect that communication, then visualizing network traffic as flows of packets throughout the network doesn’t provide much value.
Permit me an analogy here: a 5,000-foot view of a city will show you traffic patterns and congestion points. What it won’t show you is the full context of the user’s journey. The journey provides more in-depth insight into how to provide services more effectively. With Zero Trust-enabled visibility, seeing the context of the user’s experience from anywhere to anywhere changes the nature of how you deliver services. A business has a more significant opportunity to optimize for service delivery than a city, so taking advantage of that context and visibility will increase the value of your investment.
We believe that enabling our customers to see where and how users gain access to applications changes the game. Without that visibility, it becomes a daunting task to trace user connections to services, to identify where drift has impacted your security and access policies, and to audit your application and service delivery.
Visibility provides context, and context is key to optimizing your investment and your service delivery and, ultimately, Zero Trust – with all its security and architectural components – is about service delivery.
Take a Deep Breath
It’s important to understand how Zero Trust impacts your business. Letting hype carry the day, drain your budget, and infuriate your users will not deliver the type of value you need. Spend the time up front to filter your needs, clearly understand your users and your data, and to be sure of what you’re buying before making an investment.