People often talk about zero-trust security in severe terms: “The perimeter is gone,” “Trust no one and no device,” “Accept that passwords are useless,” and so on. But zero trust is a lot less scary than you might think.
In a recent interview, Brandon Shopp, Group Vice President of Product Management at SolarWinds, talked about some of the myths or misperceptions surrounding zero trust.
Myth: Zero Trust Makes It More Difficult to Get on a Network
People who are shifting to a hybrid work environment would say otherwise.
For years, employees working outside the office have put up with problems with virtual private networks: dropped connections, traffic congestion, and misconfigurations. Zero trust provides one simple way to access the network no matter where employees are working.
“It’s really about convenience,” Shopp said. “They can access what they need to do their job no matter where they are, without having to have any special configurations or having to ping the IT team.”
Myth: Multi-Factor Authentication (MFA) Will Be a Pain
In principle, it sounds annoying to sign on to applications using not just a password but also a PIN code from a phone app or some sort of token. But even if your agency hasn’t adopted MFA yet, you’ve probably come across it in your personal life, using online banking or other services.
Though it’s awkward at first, over time, it just becomes part of your normal routine, Shopp said.
Myth: Zero Trust Is an All-or-Nothing Proposition
In an ideal environment, an agency would apply zero trust across the enterprise. But practically speaking, this isn’t likely to happen in many agencies — at least not for a while.
Shopp recommends agencies begin the journey to zero trust by getting a better understanding of their environment. Where are they most vulnerable? What resources are most valuable? What pain points need to be addressed?
For example, an agency might prioritize taking a zero-trust approach with sensitive information that is a likely target for ransomware. Or it might prioritize a handful of widely used applications that are creating performance problems on the VPN.
A Case in Point
For SolarWinds, which helps organizations manage their networks and IT infrastructure, the security of its source code is of paramount importance. With this in mind, the company has applied zero-trust security to its development environment.
From the security team’s perspective, a zero-trust approach dramatically reduces the environment’s attack surface, making it difficult for a malicious actor to get into the environment or to move from one part of the environment to another.
But there are real benefits from a developer’s perspective as well, Shopp said. One of the tenets of zero trust is that people should have access only to the resources they need to do their job. In practice, this makes it easier to streamline and automate work processes, he said.
This article is an excerpt from GovLoop’s guide “Why Zero Trust Matters at Work (and How to Foster It).”