“Zero Trust” is everywhere in the cybersecurity world. While it’s fair to say that the term is a bit over-used by over-zealous marketers, the security paradigm it describes is real. Broad categories of security exploits can be significantly reduced – if not eliminated – by implementing a zero trust security model that continuously validates user identity, device posture, and resource access. One area that’s often overlooked in zero trust implementations is the last mile: extending the principle of least privilege all the way to end-users of information systems.
To understand the last mile of zero trust, let’s first review the first mile. A user wants to access a protected resource, such as a customer record stored in their SaaS CRM platform. The user’s identity is verified against the enterprise identity provider (IdP), the security posture of her laptop is validated to conform with enterprise standards, and her access privileges for the CRM platform are verified. Once this level of trust is established, a secure connection is established between her laptop and the CRM platform and the customer record is displayed. In an ideal scenario, everything just mentioned happens in milliseconds and is transparent to the user.
At this point in our scenario, a customer record is displayed on screen. Now let’s consider the last mile: what can the user do with that data?
This deeper level of granularity in data protection is critically important – but it’s left largely unaddressed by legacy ZTNA vendors. The principle of least privilege is a foundational tenet of zero trust: a user should be given only those privileges necessary to complete their job. Returning to the example above, her job requires access to customer records from the SaaS CRM platform; her job does not require her to make new copies (printed or digital), move customer data to a personal email, or share customer records to a Zoom meeting. Most of the time, she doesn’t need to view credit card data, but there are some exceptions when she needs that information to resolve a customer issue.
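To make the last-mile idea concrete, here is a small policy decision point written for this article as an added example; it is not Island’s code and does not describe how the Enterprise Browser implements its controls. It models the scenario above: a support agent may view CRM records but not copy, print, download or screen-share them, may only send them to corporate mail domains, and sees card numbers masked unless a documented exception ticket is present. The role names, mail domain, ticket format and record fields are all constructed for the example.

```python
"""Toy last-mile, least-privilege policy decision point (example code, not Island's).

Anything not explicitly granted to a role is denied; sensitive fields are
masked on view unless a break-glass exception ticket is supplied.
All names, domains and formats below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional, FrozenSet
import re

CORPORATE_MAIL_DOMAINS = {"example-corp.com"}        # constructed
SENSITIVE_FIELDS = frozenset({"card_number"})        # masked by default on view
TICKET_RE = re.compile(r"^INC-\d{6}$")               # constructed exception-ticket format

# Per-role allow list. Least privilege: an action absent from the set is denied.
ROLE_ACTIONS = {
    "support_agent": {"view", "email"},
    "fraud_analyst": {"view", "email", "download"},
}


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    action: str                         # view | copy | print | download | screen_share | email
    resource: str                       # e.g. "crm:customer_record"
    target_domain: Optional[str] = None  # only meaningful for action == "email"
    exception_ticket: Optional[str] = None  # justification for seeing sensitive fields


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    mask_fields: FrozenSet[str] = frozenset()


def decide(req: Request) -> Decision:
    """Evaluate one last-mile action against the role's allow list."""
    if req.action not in ROLE_ACTIONS.get(req.role, set()):
        return Decision(False, f"{req.action} is not permitted for role {req.role}")

    if req.action == "email":
        # Data may leave the app only toward a corporate mailbox, never a personal one.
        if req.target_domain not in CORPORATE_MAIL_DOMAINS:
            return Decision(False, f"mail to {req.target_domain} is outside corporate domains")
        return Decision(True, f"mail to {req.target_domain} permitted")

    if req.action == "view":
        # Viewing is allowed, but card data stays masked unless an exception is on file.
        if req.exception_ticket and TICKET_RE.match(req.exception_ticket):
            return Decision(True, f"unmasked view under exception {req.exception_ticket}")
        return Decision(True, "view with sensitive fields masked", SENSITIVE_FIELDS)

    return Decision(True, f"{req.action} permitted for role {req.role}")


def mask_pan(pan: str) -> str:
    """Keep only the last four digits of a card number; other characters are dropped."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) <= 4:
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + digits[-4:]


def render_record(record: dict, decision: Decision) -> dict:
    """Apply the decision's masking to a record before it is shown to the user."""
    shown = {}
    for key, value in record.items():
        if key in decision.mask_fields:
            shown[key] = mask_pan(value) if key == "card_number" else "****"
        else:
            shown[key] = value
    return shown


if __name__ == "__main__":
    record = {"name": "Customer A", "card_number": "4111 1111 1111 1111"}  # constructed
    for req in (
        Request("agent1", "support_agent", "view", "crm:customer_record"),
        Request("agent1", "support_agent", "view", "crm:customer_record",
                exception_ticket="INC-000123"),
        Request("agent1", "support_agent", "copy", "crm:customer_record"),
        Request("agent1", "support_agent", "email", "crm:customer_record",
                target_domain="personal-mail.example"),
    ):
        d = decide(req)
        print(req.action, "->", d.allowed, "|", d.reason)
        if d.allowed and req.action == "view":
            print("   ", render_record(record, d))
```

The point of the structure is that the deny is the default: a new action such as “paste into an AI assistant” is refused until someone deliberately adds it to a role, and the masking decision travels with the record rather than being left to each application’s screen.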
An ideal last-mile security policy would look like this:
This vision for embracing zero trust principles for end-to-end security of modern web apps and data inspired the development of Island, The Enterprise Browser. It’s the browser that’s designed for the enterprise that makes work fluid, frictionless, and fundamentally secure. Instead of layering security tools on top of a consumer-focused browser, Island applies security controls within the browser itself. It’s the perfect on-ramp for putting zero trust principles into practice, both at the network layer and at the last mile. Because it’s built around Chromium technology, users enjoy the fast, familiar experience they expect. It’s work as it was meant to be, where security is native to all users, applications, and the data between them.
Tad Johnson is the product marketing manager at Island and joined in 2022. He previously led product marketing and product management groups at Jamf, building the leading Apple Enterprise Management platform.