Move On Up: Applying Zero Trust Design to the Office
Moving to a new home is listed as one of the main stressors in life. When organizations switch offices to accommodate business needs, moving can also be a major stressor for IT teams — but it doesn’t need to be.
Not too long ago we moved our Boston office to a new location, one of our major engineering hubs, where many of our engineers and IT members work. That said, you might be surprised to learn that we made this move relatively quickly without needing to install a corporate network — the kind many organizations have, where users sitting on that network are given privileged access to corporate resources.
While this may sound uneventful, it was actually years in the making and a natural next step. Rather than rely on access management tools or virtual private networks (VPNs), we have implemented our own Secure Access Service Edge (SASE) solution to monitor and enforce policies across our users, devices, apps, and data.
I did a Q&A about the Lookout SASE journey where I talked about how implementing SASE is a journey. But from a broader perspective, the real journey organizations are undertaking is zero trust, the framework by which only entities with acceptable risk postures are given access, and SASE is one tool for achieving that.
For this blog, I want to describe how we’ve traversed our path towards zero trust and how we evolved our IT infrastructure to accommodate a work-from-anywhere model, even before SASE. These are the steps we took:
Implement zero trust in the early days
For as long as I’ve worked in IT, I’ve always prioritized purchasing solutions that would provide centralized insights. The model for centralizing has changed along with the technology we use to work and the overall workplace culture.
When I started at Lookout in 2016, much like everyone else, we were able to achieve this by having everything reside within the perimeter of our San Francisco headquarters.
Over time, our business scaled and we opened offices in Boston, Toronto and Amsterdam, and started onboarding a remote workforce across Europe and India along the way. These new changes, along with the continued onboarding of SaaS apps, forced us to bring our security approach back to the drawing board.
Unlike when all activities occurred within a defined space, I now had to do all my monitoring of cloud services from the cloud services themselves. Let’s not forget that bring your own device (BYOD) also became increasingly popular, which meant I had even less visibility into how Lookout data was being handled. To see my Google Workspace logs, for example, I needed to log in to Google Workspace manually.
In theory, much of the telemetry data I needed existed, but it was scattered across all the different services that were now in use. This created competing priorities for my team’s time and resources: we had to split time between building tools that automated monitoring and consolidated reports, and improving the end-user experience for employees.
Advantages of a single-platform approach
When we incorporated our SASE solution within our Lookout Cloud Security Platform, this all changed. I now have a single, cloud-delivered platform that provides the visibility and control I need to support our work-from-anywhere users in a way that protects our sensitive data.
With everything I needed in one spot, it was no longer necessary to spend my team’s time building tools for monitoring my apps. Once I put an app behind a component of our SASE platform, I have one set of logs and one set of policies that protects all my data in one place. And even better, once I write one policy, it can automatically apply to any new apps I onboard.
This not only cuts down on the workload for the security team but also enables the entire business. No matter where employees are sitting, they can access data securely across our SaaS apps, infrastructure as a service (IaaS) instances, on-premises, and on the internet. SASE ensures that I can empower users to do their job remotely without losing any visibility into our cloud environments.
The workplace of the future does not have a corporate network
Securing data while supporting work from anywhere requires zero trust. If implemented properly, you don’t need any “privileged” networks. In fact, you shouldn’t have a corporate network, because no trust should be given to any entity without continuous verification of its risk level. We still have “corporate” Wi-Fi and Guest Wi-Fi in our Boston office, but neither sits in a privileged location in the overall Lookout environment.
In a nutshell, SASE grants you visibility and control in an environment that is no longer your environment. Providing access is something that’s already been solved. What organizations need is a holistic picture of their users, endpoints and apps so that their sensitive data is protected.
By combining endpoint and cloud security posture into a single, cloud-native platform, you are equipped to be more granular and intentional with who and what you grant access to and automatically determine the appropriate level of access for the lifeblood of your business — your data.
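To make the two ideas above concrete (one policy that covers every app, including newly onboarded ones, and access decided by identity and device posture rather than by which network the request comes from), here is an added illustrative policy evaluator. It is not Lookout's code or the platform's API; the app catalogue, posture fields and decision names are constructed for the example.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class DevicePosture:
    managed: bool     # enrolled in endpoint management
    os_patched: bool  # OS at the required patch level
    risk: str         # "low" | "medium" | "high", as reported by endpoint telemetry


@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_verified: bool
    device: DevicePosture
    app: str
    source_network: str  # kept for logging only; the policy never reads it


# Constructed app catalogue: sensitivity of the data each app holds.
APP_SENSITIVITY = {"wiki": "low", "payroll": "high"}


def evaluate(req: AccessRequest) -> tuple[str, str]:
    """One policy applied to every app. Returns (decision, reason).

    Decisions: "allow", "allow-readonly" (reduced access), "deny".
    Apps missing from the catalogue are treated as high sensitivity, so a
    newly onboarded app is covered without writing a new policy.
    """
    sensitivity = APP_SENSITIVITY.get(req.app, "high")
    if not req.mfa_verified:
        return "deny", "identity not verified"
    if req.device.risk == "high":
        return "deny", "device risk is high"
    if sensitivity == "low":
        return "allow", "low-sensitivity app; identity and device acceptable"
    trusted = req.device.managed and req.device.os_patched and req.device.risk == "low"
    if trusted:
        return "allow", "high-sensitivity app; device posture fully acceptable"
    return "allow-readonly", "high-sensitivity app; device posture only partly acceptable"


def reevaluate(req: AccessRequest, new_posture: DevicePosture) -> tuple[str, str]:
    """Continuous verification: re-run the same policy when endpoint telemetry changes,
    so an existing session loses access as soon as the device's risk rises."""
    return evaluate(replace(req, device=new_posture))
```

Two requests that differ only in `source_network` always get the same decision, which is the property that lets office Wi-Fi be just another network.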