ZTNA: Zero Trust Network Access

How to Implement Zero Trust: 5 Steps and a Deployment Checklist

What is Zero Trust Implementation?

A zero trust security model can help enterprises improve security of data and IT resources while gaining extended visibility into their ecosystem. Zero trust implementation typically includes at least five steps, which include adding microsegmentation to the network, adding multi-factor authentication, and validating endpoint devices.

We’ll describe these implementation steps and provide key considerations for selecting your zero trust technology solutions. Finally, we’ll introduce challenges most organizations encounter when implementing zero trust and how to overcome them.

This is part of our series of articles about zero trust network access (ZTNA).

Implementing Zero Trust in 5 Steps

Here are several principles and technologies that can help you implement zero trust in your organization:

1. Deploy SASE

SASE (Secure access service edge) helps unify SD-WAN and network security point solutions into a centralized cloud native service. You can deploy SASE as part of your zero trust strategy. Here are some aspects to consider when considering a SASE solution:

  • Integration—ideally, the SASE solution you choose should seamlessly integrate with your existing network architecture. For example, organizations that operate critical infrastructure on-premises should opt for a SASE solution offering zero-trust components that can securely connect to cloud resources and legacy infrastructure.
  • Features—your SASE solution should provide capabilities that enable you to stop potential threats and limit the damage caused by a breach. For example, the solution should enable you to implement microsegmentation, patching, sandboxing, and use identity and access management.
  • Containment—nothing can truly guarantee that a breach will not occur. Ideally, your SASE solution of choice should help you ensure that any threat that breached the network is contained to reduce the overall impact.

SASE makes it much easier to implement the technologies below, because it packages all of them in one managed service.

2. Utilize Microsegmentation

Microsegmentation involves splitting security perimeters into smaller zones. It helps define separate access to certain parts of your network. This separation enables you to allow access to some users, applications, or services to certain relevant zones while restricting access to others.

3. Use Multi-Factor Authentication (MFA)

MFA requires users to input two or more authentication factors, including:

  • A knowledge factor—information only the user should know, such as a pattern, password, or PIN.
  • A possession factor—information or objects only the user has, such as a smart card, a mobile phone, or an ATM card.
  • An inherence factor—this factor relies on the biometric characteristics of a user, such as a retina scan, a face scan, or a fingerprint.

The system authenticates only if all factors are validated.

4. Implement the Principle of Least Privilege (PoLP)

PoLP involves limiting user access and permissions to the minimum that enables users to perform their work. For example, you can grant users the least permissions to execute, read, or write only the resources and files.

You can also apply the principle of least privilege to restricting access rights for non-human resources, such as systems, applications, devices, and processes. You can do this by granting these resources only the permissions needed to perform the activities they are authorized to do.

5. Validate All Endpoint Devices

Do not trust devices that have not been verified. Zero trust security can help you validate your endpoints and extend identity-centric controls to the endpoint level. It usually involves ensuring that devices are enrolled before gaining access to your resources. Enrolling devices makes it easier to identify and verify each device. By implementing device verification, you can determine whether the endpoint attempting to access your resources meets your security requirements.

Zero Trust Deployment Checklist

Here are several aspects to consider when implementing a zero-trust solution:

Ease of deployment Can you quickly get the system up and running? 

Does the vendor require you to modify your environment to align with the solution? For example, are you required to open ports in the firewall?

Multi-cloud support Does the solution support integration with multiple public cloud vendors easily and simply? 

Does the solution allow you to secure your workloads on multiple clouds effectively?

Scalability Is the zero trust architecture scalable? 

Does the offered scalability meet the demands of your workloads?

Security What are the security measures the solution provider enforces? 

Does the solution maintain a streamlined security cycle?

Does the solution deploy an intrusion detection system (IPS) and scan all traffic for malware?

Visibility Does the solution allow administrators to visualize current and historical access requests, from any user to any resource, in a central interface? 

Easy access to data about what was allowed and what was blocked is key to monitoring and compliance auditing.

Service and support Can the zero trust solution vendor help troubleshoot issues?
Value Does the solution offer additional value? 

How and where does the solution deliver value, features, and risk reduction measures that go beyond the value of your existing security tools?

Challenges of Implementing Zero Trust

As you implement zero trust in your organization, you will need to consider and overcome the following challenges.

Complex Infrastructure

Modern organizations typically have infrastructure consisting of proxies, servers, business applications, databases, and Software-as-a-Service (SaaS) solutions. Some infrastructure components may be running on-premises while others are in the cloud.

It can be difficult to secure each segment of the network while meeting the requirement of a hybrid environment, with a mix of legacy and new applications and hardware. This complex environment makes it hard for organizations to achieve complete zero-trust implementation.

Operationalizing Zero Trust with Multiple Tools

To support a zero trust model, organizations use a variety of tools including:

  • Zero trust network access (ZTNA) or software defined perimeter (SDP) tools
  • Secure access service edge (SASE) or VPN solutions
  • Microsegmentation tools
  • Multi-factor authentication (MFA)
  • Single sign-on (SSO) solutions
  • Device approval solutions
  • Intrusion prevention systems (IPS)

However, many of these tools are specific to operating systems, devices, and cloud providers. Many organizations do not support a homogenous set of devices. They run some services in on-premise data centers, others in one or more clouds, have users on Windows, Mac, and other network-connected devices, and might run servers on multiple Linux distributions and multiple Windows Server versions.

It is difficult to ensure zero trust tools operate consistently across all tools and environments, especially in a large organization.

Adjusting Mindsets

Creating a zero trust model in a large organization demands buy-in from stakeholders to ensure effective training, planning, and implementation. A zero trust project affects nearly everyone, so all leaders and managers should agree on the approach. Typically, organizations are slow to implement change. Workplace politics alone can threaten the effectiveness of the project.

Cost and Effort

Organizations need to invest time, human and financial resources to implement zero trust. A zero trust model requires defining who can access which areas of their network and create appropriate network segmentation—this requires careful planning and collaboration.

Organizations will need to hire or allocate personnel to implement network segmentation and maintain it on an ongoing basis. The better zero trust systems integrate with the environment, the easier this will become.