One of consumers’ main concerns when buying and using products is security. Product managers need a strategic approach to cybersecurity that secures both the organization and the consumer. So, how do product managers ensure security? This week, Product Talk host and PayPal Head of Cybersecurity, Dimitry Shvartsman, interviews Google Cloud Director of Product Tim Knudsen, who shares insights on how Zero Trust Security helps protect your product.

On Building Products at Scale

Scaling is about ensuring that your product is robust enough to survive and then thrive in the market. The abilities to reach scale and to operate at scale are both extremely important. It is critical for product managers to understand what “demand at scale” will look like at every stage of the product. Scaling involves several things: scaling the technology, the fundamentals of getting it rolled out and carrying out a transformation at scale, and thinking through how the product operates on a day-to-day basis. Google offers a number of different zero-trust solutions to scale. Here is what you need to know about scale:

“There is scaling of the technology. But there are also the fundamentals of getting it rolled out and being able to do a transformation at scale. Where you have 10s of 1000s of end-users moving from an old way of doing their work, to a new way of doing work.”

“And then being able to think about that in terms of how it is going to be operated on a day-to-day basis. There can be any number of issues that an end-user might encounter because of the way that policies have been set up.”

“The ability to communicate, leveraging the outcoming, and getting people to understand what they need to contribute to do that are key elements I’ve found necessary to do it at scale.”

On How to Define Zero Trust

Zero trust means exactly what it implies – trust nobody. It is the practice of assuming that everyone and everything is a threat. The zero trust model states that every user and device attempting to access the network must be verified. Zero trust is a strategic approach that eliminates implicit trust and validates at every stage of the digital interaction. The principles of zero trust can be used to ensure security for your product. This is Tim’s definition of zero trust:

“It’s a set of principles that gets you to the outcome of being able to provide very restrictive, least-privileged access for an identity and a device. You can easily swap it out from device to device, machine to machine, or microservice to microservice.”

“It’s default-deny, authorize only on a least-privilege basis using a set of contextual attributes. It can be user identity, machine identity, geolocation, etc.” 

“Zero trust is the driver behind what your architecture needs to look like because your architecture needs to enable that. There are a bunch of products called zero-trust. But you can’t have a zero-trust product, you have a product that enables a zero-trust architecture to achieve the principles.”

On How to Create Balance Between Communication and Zero Trust Security

Zero Trust ensures the privacy of the organization and the end-user. And it’s important to know exactly what that protection looks like. There has to be clear communication about the user, the device, the resource route, and the restrictions. Zero trust policies can be complex, and there can be a number of complications related to making zero trust work in the customer’s existing environment. Remember the following things when setting up zero trust security:

“It’s important to ground the conversation and use cases. Starting with, who’s the user? What’s the device? What’s the resource route they want to access? And how do you want to restrict them?” 

“This is not one where you can leave it at a high level because zero trust is complicated in terms of the policies you’re talking about. And oftentimes [there] can be a number of complications related to making it work within the customer’s existing environment.” 

“Being able to move from use case down to the depth of what that means to actually implement it at a flow level, at a policy level, at a rollout level is another critical factor.”    
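As an added illustration (not from the interview and not any vendor's product code), the four questions above, user, device, resource route and restriction, can be written down as a default-deny policy check over contextual attributes. The rule names, groups, countries and paths are constructed sample values, and the resource path is assumed to be already normalized.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    user_groups: frozenset   # who is the user?
    device_managed: bool     # what is the device?
    country: str             # contextual attribute: geolocation
    resource: str            # what resource route? (assumed normalized)
    action: str

@dataclass(frozen=True)
class Rule:
    name: str
    groups: frozenset
    require_managed: bool
    countries: frozenset
    resource_prefix: str
    actions: frozenset       # how is access restricted?

    def unmet(self, req):
        """Return the conditions this request fails; an empty list is a match."""
        checks = {
            "group": bool(req.user_groups & self.groups),
            "managed-device": req.device_managed or not self.require_managed,
            "country": req.country in self.countries,
            "action": req.action in self.actions,
        }
        return [name for name, ok in checks.items() if not ok]

# Constructed sample policy: least privilege, one narrow grant per rule.
RULES = [
    Rule("finance-read", frozenset({"finance"}), True, frozenset({"US", "DE"}),
         "/ledger/", frozenset({"GET"})),
    Rule("wiki-any-device", frozenset({"staff", "finance"}), False,
         frozenset({"US", "DE", "IN"}), "/wiki/", frozenset({"GET", "POST"})),
]

def evaluate(req, rules=RULES):
    """Default-deny: allow only when every condition of some rule holds."""
    reasons = []
    for rule in rules:
        if not req.resource.startswith(rule.resource_prefix):
            continue                      # rule does not cover this resource
        unmet = rule.unmet(req)
        if not unmet:
            return True, rule.name        # explicit, attributable grant
        reasons.append(f"{rule.name}: {', '.join(unmet)}")
    # Nothing matched: deny, and say why so support can help the end-user.
    return False, "; ".join(reasons) or "no rule covers this resource"
```

Returning the unmet conditions with each denial gives the operations team something concrete when an end-user is blocked by the way a policy was set up.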

On How to Account for the Complexities of Zero Trust

Product development is complicated as is, but when you loop in cybersecurity, the complexities can become overwhelming. And consumer needs are always evolving. So, it is important to make sure that you have roadmaps and strategies that take into account those incidents and complexities. Sometimes, the best way to prevent a disaster is to prepare for it. Try out Tim’s method for preparing for the complexities of zero trust:

“This is going to be constantly evolving. So you need to make sure everything you do is extensible for what you may need to accommodate for in the future.”

“I have found it to be very useful to go through your own internal, and go through threat profiling exercises and model out the threats. So, this will help you determine where you have strengths and where you have weaknesses. And you can correlate that against what the market’s really looking for in terms of depths.”

“You already have that corpus of work done to explain why the product was built the way it was and how it’s designed to defend against that class of threats. So it becomes both beneficial on the inbound side and on the outbound side.”

About the speaker
Tim Knudsen, Google Cloud, Director of Product Management
About the host
Dimitry Shvartsman, PayPal, Director, Head of Security Product Management