Trust is a foundational element of society. When engaging in any social or commercial interaction, we need to be able to trust the people we deal with. And yet, one of today’s most intensely discussed IT security concepts is zero trust network architecture. It might seem like a paradox, but zero trust is the path to a more secure and a more employee-friendly way of interacting with corporate apps and data.
Think about how you get a taxicab ride. When you hail a cab, you do a quick inspection (and that’s all you can do) before you get in. Does it look like a taxi? Does it have the typical taxi sign? Does it have a registration number? Is the company name on the side of the car? Then, you need to have trust that the driver will get you to your destination without driving recklessly. There’s always uncertainty, but we deal with it.
Now think about an IT team, tasked with securing their company’s network. Employees’ endpoint devices are the “vehicles” they use to navigate the company’s data highways, and their user profile and the associated access password are their “taxi license”. And while companies used to be content with a quick inspection (are you an employee, do you have the right permissions, where are you located), today’s IT and network security teams cannot simply assume that these “vehicles” are safe and will be driven safely and responsibly – they must be certain.
There are two main drivers (no pun intended) for this change. First, practically all business processes depend on a reliable, secure IT infrastructure. The IT security team must look closely at who is using this infrastructure and how. Second, today’s user base is far more heterogeneous than it used to be. While 20 – or even only 10 – years ago, most users would probably access company resources by using company devices from within the company network, the current situation is vastly different, and much more complex.
Even before the COVID-19 pandemic, with its lockdowns and the boom in remote work scenarios, employees were increasingly accessing apps and data from anywhere – their home, a hotel on business travels, a train or plane, or their favorite café. They had long before started the BYOD trend of using privately-owned devices instead of company equipment.
Also, more of the apps and data they accessed weren’t just in the company datacenter, but in the cloud – and usually in a variety of public clouds. Today’s digital work is shaped by increasing mobility and flexibility, and recent Citrix surveys suggest that even after the current crisis subsides, this trend towards more flexible remote work will continue.
The challenge is to guarantee the required level of security in an increasingly complex environment. A zero-trust approach replaces the initial “at a glance” security control with the “never trust, always verify” rule. With zero trust network access (ZTNA), security software based on AI algorithms continuously monitors the behavior of users (more precisely, of user accounts) and of endpoint devices, checking for deviations from defined rules and from historical behavior patterns.
The first step in zero trust network access is to continually verify the user’s identity, ideally by applying multi-factor authentication via hardware tokens or soft-token apps. The second step is endpoint device monitoring, from the devices’ ownership status (company-owned, privately owned) to their patch level.
This always-on vigilance enables the ZTNA infrastructure to immediately react to suspicious activities. For example, if a login request comes from London, but one minute later the next request from the same user account comes from, say, Singapore, it is a clear sign of user account takeover. In this case, the ZTNA software can alert the security team or even, if permitted to do so, automatically block user access. In cases that are not quite as clear, the software might ask users to provide additional proof of their identity, perhaps by using a second authentication factor.
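The London-to-Singapore scenario above is what detection engineers call an “impossible travel” check. The following is an added illustration, not code from this post or from any Citrix product: it runs the check over a handful of constructed login events, using a haversine great-circle distance and an assumed speed threshold of 1000 km/h to decide which consecutive logins by the same account could not physically have happened.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumed threshold: roughly the cruising speed of an airliner

# Constructed sample login events (user, time, city, latitude, longitude); not real telemetry.
EVENTS = [
    ("alice", datetime(2020, 6, 1, 9, 0, 0), "London", 51.5074, -0.1278),
    ("alice", datetime(2020, 6, 1, 9, 1, 0), "Singapore", 1.3521, 103.8198),
    ("bob", datetime(2020, 6, 1, 9, 0, 0), "London", 51.5074, -0.1278),
    ("bob", datetime(2020, 6, 1, 10, 0, 0), "London", 51.5130, -0.0890),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points given in degrees."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, from_city, to_city, implied_kmh) for every pair of consecutive
    logins by the same account that would require travelling faster than max_kmh.
    Treat a hit as an indicator to corroborate (VPN or proxy egress can look the same)."""
    by_user = {}
    for ev in sorted(events, key=lambda e: (e[0], e[1])):
        by_user.setdefault(ev[0], []).append(ev)
    findings = []
    for user, logins in by_user.items():
        for prev, cur in zip(logins, logins[1:]):
            hours = (cur[1] - prev[1]).total_seconds() / 3600.0
            dist = haversine_km(prev[3], prev[4], cur[3], cur[4])
            if hours > 0:
                speed = dist / hours
            else:
                speed = float("inf") if dist > 0 else 0.0  # same-second logins from one place are fine
            if speed > max_kmh:
                findings.append((user, prev[2], cur[2], round(speed)))
    return findings


if __name__ == "__main__":
    for user, src, dst, kmh in impossible_travel(EVENTS):
        print(f"{user}: {src} -> {dst} would need about {kmh} km/h; review or step up authentication")
```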
For information security, users’ access to resources can also be limited to what they need to access in their respective roles. This is complemented by customizable rules that restrict user access based on their current context: user X is allowed to access any kind of app or data, from anywhere, with any device; user Y can only use email and the web remotely; and user Z may only access sensitive business intelligence data using two-factor authentication and a corporate device.
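The three context rules above can be expressed as an ordered policy set evaluated per request. The following is an added example, not code from this post or from any Citrix product; the rule format, the resource names and the assumption that user Y has full access from the corporate network are mine. It shows the three outcomes a ZTNA policy engine distinguishes: allow, ask for a second factor (step up), or deny.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    resource: str       # e.g. "email", "web", "erp", "bi_data"
    location: str       # "corporate" network or "remote"
    device: str         # "corporate" or "byod"
    mfa_verified: bool  # second factor already completed in this session


# Constructed policy set mirroring users X, Y and Z from the text (rule format is an assumption).
# Rules are evaluated in order; the first rule whose context matches and whose resource set
# contains the requested resource decides. No matching rule means deny.
POLICIES = {
    "x": [{"location": "*", "device": "*", "resources": "*", "mfa": False}],
    "y": [{"location": "corporate", "device": "*", "resources": "*", "mfa": False},  # assumed: full access on-site
          {"location": "remote", "device": "*", "resources": {"email", "web"}, "mfa": False}],
    "z": [{"location": "*", "device": "corporate", "resources": {"bi_data"}, "mfa": True},
          {"location": "*", "device": "*", "resources": {"email", "web", "erp"}, "mfa": False}],
}


def _matches(rule, req):
    ctx_ok = rule["location"] in ("*", req.location) and rule["device"] in ("*", req.device)
    res_ok = rule["resources"] == "*" or req.resource in rule["resources"]
    return ctx_ok and res_ok


def decide(req, policies=POLICIES):
    """Return 'allow', 'step_up' (challenge for a second factor) or 'deny'."""
    for rule in policies.get(req.user, []):
        if _matches(rule, req):
            if rule["mfa"] and not req.mfa_verified:
                return "step_up"
            return "allow"
    return "deny"


if __name__ == "__main__":
    print(decide(Request("z", "bi_data", "remote", "corporate", False)))  # step_up
    print(decide(Request("y", "erp", "remote", "byod", True)))            # deny
```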
It is important to note that when implementing zero trust network access, organizations need to focus on employee experience. Access policies should give users all the flexibility they need in their usual working day. Once this set of policies is established, the software uses AI to determine a baseline of regular behavior and will only intervene if there is a reason to be suspicious.
This means that, most of the time, users won’t notice the AI algorithms working in the background at all. This makes zero-trust networking more employee-friendly than traditional IT security solutions. It strikes a perfect balance between resilient security and hassle-free usability, so employees can work without distractions or interruptions but with the knowledge their digital workspace is secure.
In other words, a zero-trust network architecture – either as an integrated component of a digital workspace environment or as a stand-alone solution – will always keep a close watch on the taxi driver, throughout the entire trip. Zero trust gives employees a safe journey through today’s complex hybrid multi-cloud world and continuously establishes the trust needed for an efficient, secure work environment with a great employee experience.