Why is Zero Trust security so hard to implement?

With Google’s recent announcement of the general availability of BeyondCorp Enterprise, Zero Trust (ZT) security has taken another important step toward mainstream market awareness. With the continued support of leading cybersecurity standards bodies like NIST, analyst firms such as Forrester, and global technology vendors including Google and Microsoft, it’s clear that Zero Trust is the way forward to modernize information security.

If that’s the case, then why do so few organizations have ZT security production deployments? Why is Zero Trust so hard?

Like any digital transformation project, successfully implementing ZT security requires an integrated approach. If your company is all-in with Google Cloud, then adopting Google’s ZT architecture (BeyondCorp) is realistic. But what if, like most organizations, your IT suite is an amalgamation of offerings from different vendors (productivity suite from Microsoft, CRM from Salesforce, collaboration from Slack and Zoom, etc.)? This all-too-common reality breaks Google’s cloud-native platform approach to ZT.

Because our own zero trust journey at Google has been ongoing for a decade, we realize customers can’t merely flip a switch to make zero trust a reality in their own organizations, especially given varying resources and computing environments that might look different than ours. Nonetheless, these enterprises understand the zero trust journey is an imperative.

This leads to the other extreme – a do-it-yourself (DiY) model based on best-of-breed point solutions from numerous vendors. With this approach, organizations generally build out their ZT architecture from a beachhead solution, for example, a Cloud Access Security Broker (CASB) or a Mobile Device Management (MDM) product. This design often produces a solution that is imbalanced, protecting certain types of applications and scenarios but leaving others vulnerable (CASB protects SaaS apps but not mobile ones, MDM protects mobile apps but not ones that run on the desktop). Even a server-based computing approach (VDI, DaaS, etc.), where most of an organization’s apps are centralized on a hosted desktop or server, leaves security gaps and, most importantly, penalizes the end user and their experience.

So what’s the answer? Here at OS33, we have taken an integrated approach to protecting business applications and data from the start. We designed Workplace as a holistic solution that addresses user identity, device compliance, and application, data, and network containerization/segmentation. The team has become intimately familiar with the limitations of RDS/VDI solutions after spending decades hosting these technologies for hundreds of financial services customers. As a result, we intentionally built Workplace using a completely different approach and architecture. That’s not to say that server-based solutions don’t still have a place; we primarily leverage them as a fallback in the event that we can’t securely deliver a particular application locally to a user’s devices.

As we start to share more of our approach to Zero Trust security, we encourage you to learn more about Workplace and what it can do for your business.
