At face value, one might not associate words like “flexibility” and “seamless” with the term zero-trust architecture, which implies that no one and nothing is trusted.
There’s truth to that, but there’s more to the story. “A properly integrated zero-trust approach allows for maximum flexibility and maneuverability with security as a foundation, not an afterthought,” Marsden said.
For many organizations, the rapid shift to a distributed workforce in recent years accelerated zero-trust practices. “This was the ideal use case as agencies struggled to implement bring-your-own-device policies, expand beyond already constrained VPNs [virtual private networks] and maintain continuity of operations outside the perimeter,” Marsden said.
As the workforce continues to become more mobile, access to data and secure resources must move outside the office walls and beyond the VPN. “This approach gives agencies the flexibility needed to support a distributed workforce while offering continuity of operations and access to resources,” he said.
Minimizing Disruptions
Any change — regardless of scale — can feel disruptive. But when users are properly managed and devices correctly profiled, applying dynamic policies to manage access will be seamless.
“In practice, there will be times when a user is delayed in accessing department data while their device is patched, or they are prevented from accessing a critical application while compliance policies are updated, but this should be minimal,” Marsden said. “Reducing configuration drift and improving real-time cyber hygiene is the key to minimizing disruption.”
The 5 Pillars of Zero Trust
To wrap your head around what zero trust entails, it helps to break it down into five pillars offered by the Cybersecurity and Infrastructure Security Agency (CISA): identity, devices, network, applications and data.
User authentication, for example, is an important piece of the puzzle. But just as critical is the endpoint. A user may be legitimate, but what about the device they’re using? Has it been compromised without their knowledge?
Organizations need to have confidence that these endpoints haven’t been hijacked due to poor IT hygiene. That’s the value that Tanium’s Endpoint Identity offering brings to the zero-trust discussion.
Tanium works in the background to continually monitor device health and configuration drift, checking whether each device is patched, secure, compliant and managed. When users authenticate to log on to a network, Tanium simultaneously checks their endpoints, so that the whole process is seamless for the end user.
“The key to successful implementation is architecting and executing change in a way that does not disrupt operations,” Marsden said. “Change should be iterative; prioritized, tested and deployed in a way that aligns with business objectives. Education of the workforce is also a key component to a zero-trust approach. People need to understand their role in supporting the security of an organization and recognize that at times there may be a tradeoff of convenience for protection.”
This article is an excerpt from GovLoop’s guide “Why (Zero) Trust Matters at Work: And How to Foster It.”