Zero Trust is one of the biggest trends in cybersecurity today, with analyst firm Gartner predicting that by next year, 60% of organizations will have moved toward a “Zero Trust” security model. The US federal government has also embraced Zero Trust; President Joe Biden signed an executive order in May 2021 mandating that the “Federal Government must adopt security best practices [and] advance toward Zero Trust Architecture.”
But what exactly is Zero Trust? It’s a broad concept encompassing a vast range of security technologies, which can make it difficult to define. The term was first coined by Forrester analyst John Kindervag in 2010, and the movement toward Zero Trust has exploded in popularity in recent years, driven by the exponential increase the world has seen in data breaches and identity-related threats.
As one of the world’s biggest technology platforms, Google Cloud has been a driving force for Zero Trust adoption. To find out more about how Google Cloud is defining and embracing Zero Trust, Expert Insights interviewed Tim Knudsen, the Director of Product Management for Zero Trust at Google Cloud.
Knudsen is the chief product lead for Zero Trust for Google Cloud, which includes responsibilities for Google Cloud’s BeyondCorp Enterprise product and overall Zero Trust portfolio, as well as other platform, solution and GTM initiatives that are part of Google Cloud’s Zero Trust strategy. Prior to joining Google in 2021, he led the Zero Trust portfolio at Akamai Technologies.
Our interview covered how Google defines the concept of Zero Trust, how Google Cloud is evolving Zero Trust principles, and Knudsen’s advice for how organizations should move toward a Zero Trust future.
How does Google define the concept of Zero Trust, and how does BeyondCorp Enterprise fit into what is quickly becoming a crowded marketplace of solutions claiming the Zero Trust mantle?
When we think about the concept of Zero Trust, at its core it’s simple – trust nothing, verify everything. The idea is that implicit trust in any single component of a complex, interconnected system creates significant, existential security risks. Instead, trust needs to be established via multiple mechanisms and then continuously verified.
In terms of our product and the market, you are very right that it is an incredibly crowded space; it seems like everyone is claiming they can “do” Zero Trust. But I think an important nuance here is that Zero Trust is a set of principles – not a product itself. Of course, products can help enable the principles and Google has applied a Zero Trust approach to most aspects of our operations.
Early on in our security journey, we understood that despite our best efforts, user credentials would periodically fall into the hands of malicious actors. We needed additional layers of defense against unauthorized access that would not impede user productivity. This is why we implemented our BeyondCorp framework and delivered BeyondCorp Enterprise.
Our product is differentiated for two reasons: one, the ease of deployment, especially given our delivery through the Chrome browser, so we can support managed and unmanaged devices, and two, our integrated threat and data protection capabilities so that we can protect a range of users and devices across the workforce.
What are the big challenges your customers are facing today in terms of authenticating and securing users, and how can these Zero Trust principles help mitigate against them?
When it comes to securing users, organizations today struggle to protect their extended workforce (contractors, vendors, temporary and seasonal workers, partners, etc.). Not surprisingly, we’ve seen a surge of security incidents recently targeting end users and their devices (such as ransomware) and many breaches frequently occur due to giving too much privileged access to third parties.
Third parties and the extended workforce are, unfortunately, often more vulnerable to attacks and more susceptible to leaking corporate information, and many organizations don’t properly assess the security practices of third parties before granting them access to sensitive and confidential data. Not to mention, many times these groups of workers are using personal or unmanaged devices and the primary organization is unable to control or enforce certain security measures (or it is too cost-prohibitive to do so).
By taking a Zero Trust approach, organizations are able to shift access controls from the network perimeter to individual users and devices, thereby allowing the entire workforce to work more securely from any location and limiting access to only the apps and resources workers need, rather than granting them full access to the network. A Zero Trust approach also ensures requests for access are evaluated in real-time, at a per request level, against access policies to ensure users are — and remain — authorized.
The ability to dynamically craft access policies means this approach can also evolve to protect against new threats in the future. The BeyondCorp Enterprise solution offers a browser-based mode that enables users and the extended workforce to securely access corporate resources from unmanaged devices (without the need for a VPN).
In addition, with Chrome browser, BeyondCorp Enterprise protects users against malware and other threats, including preventing leakage of sensitive data and corporate information. It also gives administrators visibility into risky activities and behaviors, even when users are on unmanaged devices, making it an ideal solution for protecting all types of employees.
Is the concept of Zero Trust here to stay, and how does Google Cloud plan on continuing to evolve on these principles to improve user security?
While both the threats and the technology are constantly evolving, I do believe that the core Zero Trust principles are here to stay. At Google, we’ve been adhering to this approach for over a decade, which is a long time in the tech world.
Of course, our products will grow and change to support the latest landscape, but the fundamental tenets of Zero Trust should prevail. Furthermore, I think if we look at the work the current Administration [in the United States] is doing to mandate Zero Trust, we can see this approach will set the strategy for years to come.
At Google, we’ve already started to evolve this approach to production workload environments, encompassing the way software is conceived, produced, managed, and interacts with other software. While end-user access is a domain to which the Zero Trust model can be applied to gain significant security improvements, it can just as readily be applied to domains such as the end-to-end process of running production systems and protecting workloads on cloud-native infrastructure.
Just as a user’s credentials can be captured by bad actors, software that interacts with the larger world needs protection on many levels. At Google, we call this approach “BeyondProd.” We don’t have a productized version, but we published a white paper to explain how we protect our cloud-native architecture and how organizations can learn to apply the security principles that we established internally.
Finally, what is your advice to organizations struggling with the challenges around managing authentication and access management who want to move towards a Zero Trust approach?
It’s no secret that Zero Trust can be a journey and there is no magic switch to “turn it on” overnight. That being said, we recommend customers build a thoughtful plan before getting started with their Zero Trust approach.
Planning is paramount. If you’re going to run a marathon, you need a training plan – it’s not just about how many miles you’re going to run, but you need to be thoughtful with your nutrition, your stretching, your recovery and sleep, etc.
Similarly, implementing Zero Trust is not just about a product roadmap; it’s also about identifying use cases and prioritizing your deployment. For instance, we recommend customers first take stock of what is currently being accessed so they can identify what needs to be secured most urgently.
This way, you can choose and prioritize sets of user groups and applications. Once you have this list, you can deploy sequentially – there is no need to try and boil the ocean at once. A phased approach like this – specific sets of users and applications across your core use cases – can also help you break down the change management aspect that is crucial to any large-scale IT project.
You can find out more about Google Cloud BeyondCorp Enterprise here: https://cloud.google.com/beyondcorp