Lessons Learned for a User-First Approach to Zero Trust

Author: Tim Knudsen, Director, Google Cloud Zero Trust Product Management

When I ask someone about identity, chances are good they’ll mention passwords (and the reasons to kill them) or authentication (and the merits for the different forms of it). Often, this evolves into a conversation about access and security. And then to no surprise, how zero trust fits into all of this. From there, in many cases, these conversations go directly to the question of how to put zero trust into practice.

If I have successfully kept your attention as far as the second paragraph, then you are likely one of the many looking at rolling out zero trust access. You may have even already passed through getting strategy and budget approval and possibly even made your vendor selection. And now you need to figure out how to deliver on the promise. So, for your benefit, here are five tips for implementing zero trust from lessons learned – some through good planning and others the hard way.

First, planning is key on multiple dimensions. Clearly, you need to have an end state goal measured in terms of the number of apps, users and environments to secure, as well as a step-by-step approach to get there. But it is also important to think about who you are planning for. Remember, for many users, a zero-trust access approach can feel like a big departure from that with which they are familiar. To this point, build time into your plan to account for how to thoughtfully bring users through the journey as the change may be significant.

As you consider these items, my second tip is to include key executives in your first adopters wave and use this to signal and reinforce the strategic importance of moving to zero trust. Plus, having this group of stakeholders “put their money where their mouth is” so to speak, also provides a top-down endorsement that they are fully onboard with any changes necessary in their own behaviors to adopt a new model.

Next, find a string of quick and easy wins to gain durable momentum. With some positive traction visible across an organization, it’s easier to get more users onboard and comfortable with the approach. When I think about myself and how our users at Google spend their day, the majority of our time is spent in the browser. Planning around how users already work is a great starting point for your zero-trust approach, so perhaps you’d consider securing key internal web apps and SaaS apps as a great place to begin.

However, I’d be remiss to acknowledge that any large-scale IT implementation won’t be without some challenges. In that case, my fourth tip is to prepare as best you can for issues and complaints. It will happen. Not only is it important to try to learn from your peers to anticipate any issues and proactively get in front of them, but it’s equally as important to make sure you understand any frustration expressed by your employees and take action to remediate those. After all, users need to be at the center of the experience.

Last but not least, over-communicate. Make sure your workforce is aware and engaged. Tell them the plan, but most importantly, tell them the why. Don’t be shy about spinning up the internal marketing machine. Publish your status against the plan. Highlight end-user quotes and success stories to amplify incremental success across key user groups, especially the heavy influencers. And also highlight the metrics that validate sustained user adoption by quantifying things such as of the users deployed, how many no longer feel the need to use legacy access methods like remote user VPN.

Why are exercises like this important? How will they help your users? Ideally, zero trust needs to be a good experience for ALL users. They want to see the value and know the worth, so it’s not something they associate with bogging down their day.

Our mission at Google is “to make the world’s information more accessible to all” and we strive every day to think about all users. Our team looks forward to sharing even more thoughts on how to provide a better user experience with a modern zero-trust approach during our sessions at the conference later month, so be sure to turn in. We look forward to engaging with you at Identiverse!