Listen to this podcast interview between ScaleFT CTO and co-founder Paul Querna and industry expert Derrick Harris of ARCHITECHT to learn about the importance of the end-user experience when implementing security across an organization, and how ScaleFT helps companies achieve an outcome similar to Google’s BeyondCorp with as few implementation challenges as possible.
In today’s highly competitive enterprise landscape, where delivering continuous innovation is required to stay ahead, companies are doing all they can to enable their employees to work faster. The rise of cloud services and automation tools has given developers a streamlined environment to ship applications faster and more effectively. Similarly, enterprise SaaS applications have given knowledge workers across every department the means to be more productive from any location at any time.
One cost of the speedy enterprise to date, however, has been security. The attack surface of a global workforce using a wide range of cloud services and SaaS apps is much wider than that of the traditional office network on lockdown. Until now, companies have spent a significant amount of time setting up VPNs to attempt to preserve the feeling of a locked-down, privileged network, but that has proven to be ineffective on its own, as the network is simply a poor determinant of trust. Every week we read about a new high-profile breach where the network was compromised by insiders or by outsiders masquerading as insiders. Something needs to change.
The same way IT Operations teams have had to step up to the plate with automated tooling, IT Security teams need to step up to the plate with a more effective security framework that doesn’t get in the way of people doing their job. The DevOps movement has been about breaking down organizational silos to craft streamlined, resilient automated environments. IT Security is on the verge of a similar transformation, with Zero Trust leading the way as the right framework to follow.
“Traditionally, CSOs spend a lot of money on a lot of products, and a decent portion of those products (A) just sit on the shelf because they’re hard to deploy, or (B) if they cause pain for their users, those users will work around those products.” - Paul Querna
Google Got It Right With BeyondCorp
To understand Zero Trust, we first have to look back to Google’s BeyondCorp, an internal initiative meant to redesign their corporate security architecture from the ground up. The initiative was the result of a 2009 nation-state attack called Operation Aurora that hit a number of large enterprises: Google, Rackspace, Symantec, Yahoo, and Morgan Stanley, to name a few. The common response by those affected was to bolster their perimeter security by buying more firewalls and VPNs, which did not result in a better security outcome. Google, on the other hand, recognized that the perimeter was no longer an effective security measure on its own, and designed a system that enables Google employees to work securely from any location without the need for a VPN.
What Google got right with BeyondCorp was implementing effective security controls across the organization that the employees actually loved. The design of the system is just as important as the human element, which the team carefully thought through during the entire initiative. The mandate from the top when the project was getting started was that the new system had to work and that the users had to love it. No easy task, but Google pulled it off.
“When you have the user on your side, when you’re helping them be successful, it makes the security more effective.” - Paul Querna
Google Security for Everyone Else
While looking at a Zero Trust system purely through the lens of Google may appear daunting, companies can learn from their experiences to come up with their own achievable path. It’s our mission at ScaleFT to offer Zero Trust access management as a platform, simplifying the shift to a BeyondCorp-like architecture. You can learn more by getting in touch with us, or by starting a free trial of the platform.