Moving to a Zero Trust approach does not have to be overly complex. Organizations can start by implementing MFA, closing unnecessary ports, and a few other simple steps.
After reading this article you will be able to:
Zero Trust is a security approach built on the assumption that threats are already present within an organization. In a Zero Trust approach, no user, device, or application is automatically "trusted" — instead, strict identity verification is applied to every request anywhere in a corporate network, even for users and devices already connected to that network.
A Zero Trust security architecture is constructed on the following principles:
To learn more about these principles and how they combine and reinforce each other, see What is a Zero Trust network?
Implementing comprehensive Zero Trust security can take some time and requires quite a bit of cross-team collaboration. The more complex an organization's digital environment is — i.e. the wider the variety of applications, users, offices, clouds, and data centers it has to protect — the more effort will be required to enforce Zero Trust principles for every request moving between those points.
For this reason, the most successful Zero Trust implementations begin with simpler steps that require less effort and buy-in. By taking these steps, organizations can significantly reduce their exposure to a variety of threats and build buy-in for larger, more systemic improvements.
Here are five such steps:
Multi-factor authentication (MFA) requires two or more authentication factors from users who log in to an application, instead of just one (like a username and password). MFA is significantly more secure than single-factor authentication, due to the difficulty, from the attackers' perspective, of stealing two factors that belong together.
Rolling out MFA is a good way to start tightening security for crucial services, in addition to gently introducing users to a more stringent security approach.
Zero Trust considers device activity and posture in addition to identity. Putting Zero Trust policies in front of all applications is the end goal, but the first step is to do so in front of mission-critical applications.
There are several ways to put a Zero Trust policy between device and application, including via encrypted tunnel, proxy, or single sign-on (SSO) provider. This article has more details on configuration.
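The policy that sits between the device and a mission-critical application has to combine an identity signal (who, in which group, with MFA completed) with device posture (managed, encrypted, patched). The following is an added example, not Cloudflare's policy engine or configuration format: a small per-application policy evaluator with default deny for any application that has no policy, returning every failing check so a denial can be logged and explained. Application names and thresholds are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset            # identity: group memberships from the IdP
    mfa_verified: bool           # identity: second factor completed this session
    device_managed: bool         # posture: device enrolled in management
    disk_encrypted: bool         # posture: full-disk encryption reported on
    os_patch_age_days: int       # posture: days since the last OS update
    application: str


@dataclass(frozen=True)
class AppPolicy:
    required_groups: frozenset = frozenset()  # membership in any one group satisfies
    require_mfa: bool = True
    require_managed_device: bool = False
    require_disk_encryption: bool = False
    max_patch_age_days: int = 90


# Constructed per-application policies (hypothetical app names).
POLICIES = {
    "payroll": AppPolicy(required_groups=frozenset({"finance", "hr"}), require_mfa=True,
                         require_managed_device=True, require_disk_encryption=True,
                         max_patch_age_days=14),
    "wiki": AppPolicy(),  # MFA only; any device within the default patch window
}


def evaluate(req: AccessRequest) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Applications without a policy are denied by default."""
    policy = POLICIES.get(req.application)
    if policy is None:
        return False, [f"no policy defined for '{req.application}': default deny"]
    failures = []
    if policy.required_groups and not (req.groups & policy.required_groups):
        failures.append("user not in an authorized group")
    if policy.require_mfa and not req.mfa_verified:
        failures.append("MFA not completed")
    if policy.require_managed_device and not req.device_managed:
        failures.append("device not managed")
    if policy.require_disk_encryption and not req.disk_encrypted:
        failures.append("disk not encrypted")
    if req.os_patch_age_days > policy.max_patch_age_days:
        failures.append(f"OS patches older than {policy.max_patch_age_days} days")
    return (not failures), failures


if __name__ == "__main__":
    req = AccessRequest("alice", frozenset({"finance"}), True, False, True, 3, "payroll")
    print(evaluate(req))  # denied: device not managed
```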
Email is a major attack vector. Malicious emails can come even from trusted sources (via account takeover or email spoofing), so applying an email security solution is a huge step towards Zero Trust.
Users today check email via traditional self-hosted email applications, browser-based web applications, mobile device applications, and more. For this reason, email security and phishing detection are more effective when cloud-hosted — the service can then easily filter emails from any source and for any destination, without tromboning email traffic.
In networking, a port is a virtual point where a computer can receive inbound traffic. Open ports are like unlocked doors that attackers can use to get inside a network. There are thousands of ports, but most are not used regularly. Organizations can close unnecessary ports in order to protect themselves from malicious web traffic.
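Before closing ports, an organization needs to know which ones are actually open on a host and reachable from the network. The following added example (not from the article or Cloudflare) audits a constructed sample of Linux `ss -Hltn` output against a per-host allowlist of expected ports. Listeners bound only to loopback are reported separately, since they are not reachable from the network and usually do not need a firewall rule; the allowlist and sample lines are assumptions for the example.

```python
# Constructed sample of `ss -Hltn` output (header suppressed); not captured from a real host.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 *:443 *:*
LISTEN 0 4096 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 0.0.0.0:3389 0.0.0.0:*
LISTEN 0 128 [::]:8080 [::]:*
LISTEN 0 128 [::1]:6379 [::]:*
"""

# Ports this (hypothetical) server is expected to expose: SSH and HTTPS only.
ALLOWED_PORTS = {22, 443}

# Address prefixes that mean "loopback only" in ss output (IPv4 127/8 and IPv6 ::1).
LOOPBACK_PREFIXES = ("127.", "[::1]", "::1")


def parse_listeners(text: str) -> list[tuple[str, int]]:
    """Extract (local_address, port) from each LISTEN line; the address is field 4 (0-based 3)."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)  # rsplit copes with bracketed IPv6 addresses
        listeners.append((addr, int(port)))
    return listeners


def is_loopback(addr: str) -> bool:
    return addr.startswith(LOOPBACK_PREFIXES)


def audit_listeners(text: str, allowed_ports: set[int]) -> tuple[list[tuple[str, int]], list[tuple[str, int]]]:
    """Return (exposed_unexpected, local_only): network-reachable listeners whose port is not on
    the allowlist, and listeners bound to loopback that are not reachable from the network."""
    exposed, local_only = [], []
    for addr, port in parse_listeners(text):
        if is_loopback(addr):
            local_only.append((addr, port))
        elif port not in allowed_ports:
            exposed.append((addr, port))
    return exposed, local_only


if __name__ == "__main__":
    exposed, local_only = audit_listeners(SAMPLE_SS_OUTPUT, ALLOWED_PORTS)
    for addr, port in exposed:
        print(f"unexpected network listener: {addr}:{port} (close the service or block the port)")
    for addr, port in local_only:
        print(f"loopback only, not exposed: {addr}:{port}")
```

Running the audit from a scheduled job and alerting on any new entry in the exposed list turns a one-off clean-up into an ongoing control.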
From phishing websites to drive-by downloads, insecure web applications are a major source of threats. DNS filtering is a method for preventing untrusted websites from resolving to an IP address — which means anyone behind the filter cannot connect to such websites at all.
These five steps will get an organization well on its way to a full Zero Trust security framework. Cloudflare offers a white paper that breaks down these steps in more detail. Download: "A Roadmap to Zero Trust Architecture."