Making the transition to a Zero Trust security strategy can be similar to adopting a new ERP solution. Just about every aspect of how you operate your business must be considered and evaluated. How do you close out the accounting books? What about the supply chain? Does IT have enough infrastructure to support the new system? These are just a few of the questions you will face.
To overcome this, massive waterfall projects are spun up. Executive buy-in is critical. Committees are formed. Budgets are created and allocated. Communications fly in and out of the project team like bees in and out of the ERP hive. Zero Trust, because it touches similar aspects of a business, is usually given the same macroscale treatment: a large, sustained, top-down endeavor run like Operation Overlord, culminating in a modern-day cyber D-Day landing. After nine months we achieve breakout; we have Zero Trust! This approach requires significant resources of time, technology, and treasure. Must it be this way? Are there alternate approaches to achieving Zero Trust?
The challenge with the waterfall, top-down approach, beyond the time, resources, and effort required, is this: the modern enterprise's attention span is too short. Unless there are outsized benefits to the business to be gained, a large project that opens no new avenues to revenue and does not increase sales will be scrutinized often and may land on the chopping block once times get hard. But it does not have to be this way.
A better approach is to leverage small teams that can focus on key problems and provide the business with the outsized gains it craves. How can this be done? I recently did a talk at the Evanta Global CISO conference with Alex Green. Alex is the CISO at DeltaDental. He recommended a different approach. Run your Zero Trust project through the eyes of the employee. Put the user experience first and foremost. Alex provided details on three areas where you can win.
Start Small with ZTNA
The first step is to find use cases that are achievable and provide those outsized gains. For example, is it a security risk to place third-party users directly on your network via remote access VPN when they only need a handful of applications? The answer is clearly yes: a VPN grants network-level reachability, so the contractor can see far more than the applications they were hired to use. A better approach is an agentless ZTNA solution. Proxy the contractor or external developer through a Security Service Edge (SSE) platform and grant least-privileged access. Allow the contractor only the applications they need to perform their role, nothing more and nothing less.
SSE uses a global network of Points of Presence (PoPs) to secure and accelerate traffic according to business policy. It gives you time-based rules and location restrictions, and, better still, visibility into the traffic crossing the network and granular telemetry about what is being requested. No more complex VPNs fronted by a chain of pizza-box point security products that don't integrate. In their place you can offer a software-as-a-service platform that lowers complexity and improves the user experience. Once you have results, communicate them in detail to leadership and move on to the next project, perhaps replacing the entire remote access system for your employees.
Eliminate Authentication Fatigue
Whether it's multiple VPN gateways, inconsistent MFA, or, worse, several separate authentication solutions, your employees prefer a frictionless experience. Anything you can do to simplify their day while raising the security posture is moving the ball in the right direction.
Dive deep into the employee experience. Reach out to them. Launch a survey and ask what could be improved. When the results come back, look for quick wins. For remote access, move to ZTNA. If you have multiple gateways, consolidate onto one with SSE. For authentication, put identity at the core of your program and seek out passwordless methods. If multiple IdPs are required, or you need breathing room while you consolidate, this is another area where SSE can help: many solutions on the market let you connect several IdPs and choose which one fronts each application.
Start at the Beginning
The last area Alex mentioned was onboarding. That first day on a new job sets the tone for many of us. Starting on "day one" and being handed a laptop, only to find that the Operations team must first work through a long, complex list of security-driven tasks, puts a damper on an employee's excitement. The new employee is energized and wants to contribute. The last thing you want is for them to sit in a cube, or at home, wondering when they will get access to applications X, Y, and Z.
This is another way ZTNA and SSE can help. By moving to a common network and security platform, onboarding becomes significantly simpler: add the new hire to their group, grant access only to the applications that group requires in a least-privileged manner, and by day one they are ready to go. The reverse is also true. ZTNA and SSE make offboarding an employee (which I used to call "a reset to customer") just as simple, since removing the group membership removes every application entitlement that came with it. Again, this is an area where the user experience can be leveraged to help you win on your journey to Zero Trust with SSE.
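To make the mechanics concrete, here is a small policy engine added for illustration; it is not code from the article, from Alex Green, or from any SSE vendor's product. It models the per-application, least-privileged access described in the ZTNA section (group entitlement, location restriction, time-of-day window, default deny) and the onboarding and offboarding flow from this section, where adding or removing a group membership is the whole provisioning step. The user names, group names, application names, and country codes are constructed sample data.

```python
"""Toy ZTNA per-application policy engine (illustrative, not any vendor's product)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, Optional, Set, Tuple


@dataclass(frozen=True)
class AppPolicy:
    """Entitlement for one application. Applications without a policy are denied."""
    app: str
    allowed_groups: FrozenSet[str]
    allowed_countries: Optional[FrozenSet[str]] = None  # None means no location rule
    hours_utc: Optional[Tuple[int, int]] = None          # (start, end) hour window; None means any time


class Directory:
    """Minimal stand-in for the identity provider's group membership."""

    def __init__(self, memberships: Dict[str, Set[str]]):
        self.memberships = {user: set(groups) for user, groups in memberships.items()}

    def groups_of(self, user: str) -> Set[str]:
        return self.memberships.get(user, set())

    def onboard(self, user: str, groups: Set[str]) -> None:
        # Day-one onboarding: group membership alone unlocks every app the group is entitled to.
        self.memberships[user] = set(groups)

    def offboard(self, user: str) -> None:
        # Offboarding ("reset to customer"): drop all memberships, so every app is denied.
        self.memberships.pop(user, None)


@dataclass(frozen=True)
class AccessRequest:
    user: str
    app: str
    country: str   # country code the proxy resolved from the client address
    at: datetime   # request time, UTC


def decide(directory: Directory, policies: Dict[str, AppPolicy],
           req: AccessRequest) -> Tuple[bool, str]:
    """Return (allowed, reason). Every check must pass; the first failing check is the reason."""
    policy = policies.get(req.app)
    if policy is None:
        return False, "no policy for application (default deny)"
    if not (directory.groups_of(req.user) & policy.allowed_groups):
        return False, "user is not in an entitled group"
    if policy.allowed_countries is not None and req.country not in policy.allowed_countries:
        return False, f"location {req.country} not permitted"
    if policy.hours_utc is not None:
        start, end = policy.hours_utc
        if not (start <= req.at.hour < end):
            return False, f"outside permitted hours {start:02d}:00-{end:02d}:00 UTC"
    return True, "allowed"


# Constructed sample data (hypothetical names, not from the article).
POLICIES = {
    "payroll-portal": AppPolicy("payroll-portal", frozenset({"contractor-payroll"}),
                                allowed_countries=frozenset({"US"}), hours_utc=(13, 22)),
    "hr-system": AppPolicy("hr-system", frozenset({"employees"})),
    "wiki": AppPolicy("wiki", frozenset({"employees", "contractor-payroll"})),
}
DIRECTORY = Directory({
    "ext.contractor": {"contractor-payroll"},
    "alice": {"employees"},
})


def run_scenarios() -> Dict[str, bool]:
    """Walk through the contractor, onboarding and offboarding cases; return each decision."""
    d = Directory(DIRECTORY.memberships)  # private copy so the module data stays untouched
    in_hours = datetime(2023, 10, 18, 15, 0, tzinfo=timezone.utc)
    after_hours = datetime(2023, 10, 18, 23, 0, tzinfo=timezone.utc)
    results: Dict[str, bool] = {}
    # Contractor: exactly the one application they need, nothing more.
    results["contractor_payroll"] = decide(d, POLICIES, AccessRequest("ext.contractor", "payroll-portal", "US", in_hours))[0]
    results["contractor_hr"] = decide(d, POLICIES, AccessRequest("ext.contractor", "hr-system", "US", in_hours))[0]
    results["contractor_after_hours"] = decide(d, POLICIES, AccessRequest("ext.contractor", "payroll-portal", "US", after_hours))[0]
    results["contractor_abroad"] = decide(d, POLICIES, AccessRequest("ext.contractor", "payroll-portal", "DE", in_hours))[0]
    # Day-one onboarding: adding the new hire to a group is the whole provisioning step.
    results["newhire_before"] = decide(d, POLICIES, AccessRequest("bob", "wiki", "US", in_hours))[0]
    d.onboard("bob", {"employees"})
    results["newhire_after"] = decide(d, POLICIES, AccessRequest("bob", "wiki", "US", in_hours))[0]
    # Offboarding: removing the memberships closes every application at once.
    d.offboard("alice")
    results["offboarded"] = decide(d, POLICIES, AccessRequest("alice", "hr-system", "US", in_hours))[0]
    return results


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name:24s} {'ALLOW' if allowed else 'DENY'}")
```

The point worth noticing is that the contractor never receives a network route at all: the only thing the engine ever grants is a single application, and each deny carries a reason that can be logged as telemetry. Because entitlements hang off group membership rather than off the person, day-one onboarding and offboarding each reduce to one directory change.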
As you start your journey to Zero Trust, always keep a pulse on the needs of your customers, the employees of the company you serve. Their challenges and feedback are critical. See the experience through their eyes. Doing so will uncover multiple "cheat codes" to accelerate your journey. It will also create internal champions for your security program and increase the productivity of your company. At the end of the day, merging the employee experience with security will produce one of those outsized gains leadership is searching for.
Good luck on your journey!
- Cheat Codes for accelerating your Zero Trust Journey with SSE and ZTNA - October 18, 2023