Overcoming obstacles to introduce zero-trust security in established systems
In this Help Net Security interview, Michal Cizek, CEO at GoodAccess, discusses the crucial balance between leveraging distributed resources and maintaining top-notch security measures. With the growing remote work trend, Cizek highlights the importance of implementing a zero-trust security model, emphasizing the complexities and challenges of such an endeavor.
How can organizations make the most of distributed IT resources while simultaneously keeping them secure?
It has become a standard that an organization runs only a small portion of their IT services and infrastructure locally and the rest is offloaded to cloud and SaaS providers. Some go even further, and companies with no local network are not uncommon, something that was unimaginable few years back.
There are several good reasons for that – cost optimization, scalability, reducing management and maintenance complexity, lack of skilled IT professionals. But it also adds complexity to IT security because no matter where the services your employees access are located, you are always responsible for protecting your data in transit and safeguarding access.
Zero-trust is a modern approach that allows you to enjoy the benefits of distributed IT without compromising security. It ensures secure access to resources from anywhere, no matter where they are located. Moreover, it replaces the outdated principle of trusted perimeter with a “zero-trust” approach that allows granular access control so users can access only the resources they need for their work and not the entire network.
What are the complexities of implementing a zero-trust security model for small organizations?
Implementing zero-trust security often means redesigning the access policy from the start. Existing processes need to change, both for the IT security admin and the users.
Zero-trust security works on the principle of least privilege, which presumes the ability to assign access privileges on a very granular basis. This requires an identity and access management (IAM) solution or at least SSO for central management of user accounts, and zero-trust access controls to grant access to individual systems.
All of this can be expensive and may require effort and expertise that small organizations often lack. This can be remedied by adopting SaaS zero-trust security solutions that offer granular access controls and user management at a reduced cost and, generally, with less complexity.
Equally important is employee education. Employees can resist new changes, and organizations should take due care to explain why the new policies have been put in place; i.e. not to make the employees’ lives difficult but to increase security – both the company’s and their own.
Resistance to change can also be encountered from the management. When the new zero-trust security tools don’t fit in with existing security measures, IT admins may have to argue for their replacement. For example, a legacy hardware VPN, formerly used for secure remote access, will be rendered obsolete by a zero-trust security solution, even though it’s worked “perfectly fine” until now.
How can companies balance the need for flexibility with the need for security when managing a remote workforce?
Even small and midsize enterprises have undergone significant changes in recent years. To become more flexible, they embraced trends like remote work, BYOD, decentralized IT, and moved their operations to the cloud. It is not an exception that a business has no private network but naturally still has systems, apps, data and employees that need protection from still growing online threats.
When balancing the security of this new reality with the needs of remote workforce, it is not only about the technology, which should be easy to use, reliable and not disturbing to the user, but also about employee education. Employees should be trained in new policies so that they don’t resist the new security procedures, but actively contribute to them. To give an example, multifactor authentication should not be seen as a nuisance but a standard part of logging in and second nature to all employees. Regular phishing drills should be conducted to train workers in spotting and reporting them.
Can you explain the key features of GoodAccess that make it a reliable cybersecurity platform for businesses?
We are re-designing the traditional perception of VPNs as a traffic encryption tool that can provide static IP addresses if needed. GoodAccess is a comprehensive zero-trust network access platform that allows granular access control alongside additional measures that elevate business security such as SSO, DNS filtering, access logs and online threat protection.
We have a global cloud infrastructure so the customer just subscribes to the service, does basic configuration, invites employees to the platform and that’s it. There are no hitches or added complexity and everything works across different platforms. GoodAccess covers several use cases such as remote access, site-to-site connectivity, and access rights control under one roof.
All of this is affordable for small and medium enterprises which are the customers we focus on.
What sets GoodAccess apart from other cybersecurity solutions in the market?
Apart from the feature set that goes far beyond traditional VPN capabilities, we build GoodAccess to be extremely easy to deploy, manage, and use. Basically any company, even without a dedicated expert, can safeguard remote access to its business systems, clouds, and data in 10 minutes.
Moreover, we provide VPN with “a human touch”. We are not an anonymous corporation delivering cold services, there are real people behind GoodAccess who are always keen to help. So if anyone needs assistance, there is always someone from the team who helps to sort things out. This is why our support gets great feedback from customers and ranks high on review platforms.
You’ve recently been accepted into the Google for Startups Growth Academy for Cybersecurity. What do you expect from this opportunity?
Google’s Growth Academy is a great opportunity to connect with top-notch cybersec companies in our region, to share experience and potentially find synergic technological partnership. So, we take it as an opportunity for networking with similar businesses as GoodAccess.
Another thing is mentoring around global go-to-market strategies. For a company in our growth stage, it is important to learn from the best people in the industry and Startups Growth Academy is surely the right place for us.