This was made abundantly clear from the top at Google when the BeyondCorp project lead told the team it has to work and the users have to love it. In doing so, you can ensure you are delivering real value to those using your product.Ĭonsidering that the Zero Trust model is centered around an access model for corporate resources, the end user experience is crucial to get right. It’s a similar concept to creating user stories for various personas, but the idea is to do so in the context of the end user doing a job. As I often mention in this context, I’m a proponent of the Jobs To Be Done framework for product development, and believe that the principles apply here. We have one more exercise to perform to help define your policy framework. Creating Job Stories to Understand Behavioral Patterns It’s the role of the access policies to enable smarter decision making that factors in dynamic user and device conditions across ever changing landscapes. This model places extra emphasis on the authorization process as we’re no longer making a binary decision based on the network. With Zero Trust, every request must be fully authenticated, authorized, and encrypted, with trust being determined based on dynamic user and device conditions. We know that removing trust from the network eliminates common attack vectors, but one must be careful when deploying sensitive company applications and services to the public Internet. This was no easy task for them, but we can learn from their experience.īefore diving into the policies themselves, it’s a good idea to level set by focusing on the desired outcome - a more secure corporate architecture that doesn’t impact user productivity. To be effective, the policies have to be enforceable company-wide, cover a wide range of environments, and be easy to manage. In their BeyondCorp papers, Google talks extensively about the challenges they faced when forming their own policy framework.
This information will lead you to form the right access policy framework for your organization. From those exercises, you should have a concrete inventory of your users and their devices, a clear picture of your network architecture, and a good look into your traffic patterns.
Beyondcorp papers series#
My previous post in this series focused on the data you should be collecting to gain a better understanding of your current environment to put you in a better position to migrate towards Zero Trust. This is part 3 in a series of blog posts dedicated to helping companies learn what it takes to achieve a Zero Trust security architecture of their own much like Google’s BeyondCorp.
0 kommentar(er)
