ZTNA: Zero Trust Network Access

How to Implement Zero Trust: 5 Steps and a Deployment Checklist

What is Zero Trust Implementation?

A zero trust security model can help enterprises improve security of data and IT resources while gaining extended visibility into their ecosystem. Zero trust implementation typically includes at least five steps, which include adding microsegmentation to the network, adding multi-factor authentication, and validating endpoint devices.

We’ll describe these implementation steps and provide key considerations for selecting your zero trust technology solutions. Finally, we’ll introduce challenges most organizations encounter when implementing zero trust and how to overcome them.

This is part of our series of articles about zero trust network access (ZTNA).

Implementing Zero Trust in 5 Steps

Here are several principles and technologies that can help you implement zero trust in your organization:

1. Deploy SASE

Secure access service edge (SASE) helps unify SD-WAN and network security point solutions into a centralized cloud native service. You can deploy SASE as part of your zero trust strategy. Here are some aspects to consider when considering a SASE solution:

  • Integration—ideally, the SASE solution you choose should seamlessly integrate with your existing network architecture. For example, organizations that operate critical infrastructure on-premises should opt for a SASE solution offering zero-trust components that can securely connect to cloud resources and legacy infrastructure.
  • Features—your SASE solution should provide capabilities that enable you to stop potential threats and limit the damage caused by a breach. For example, the solution should enable you to implement microsegmentation, patching, sandboxing, and use identity and access management.
  • Containment—nothing can truly guarantee that a breach will not occur. Ideally, your SASE solution of choice should help you ensure that any threat that breached the network is contained to reduce the overall impact.

SASE makes it much easier to implement the technologies below, because it packages all of them in one managed service.

2. Utilize Microsegmentation

Microsegmentation involves splitting security perimeters into smaller zones. It helps define separate access to certain parts of your network. This separation enables you to allow access to some users, applications, or services to certain relevant zones while restricting access to others.

Related content: Read our guide to zero trust network

3. Use Multi-Factor Authentication (MFA)

MFA requires users to input two or more authentication factors, including:

  • A knowledge factor—information only the user should know, such as a pattern, password, or PIN.
  • A possession factor—information or objects only the user has, such as a smart card, a mobile phone, or an ATM card.
  • An inherence factor—this factor relies on the biometric characteristics of a user, such as a retina scan, a face scan, or a fingerprint.

The system authenticates only if all factors are validated.

4. Implement the Principle of Least Privilege (PoLP)

PoLP involves limiting user access and permissions to the minimum that enables users to perform their work. For example, you can grant users the least permissions to execute, read, or write only the resources and files.

You can also apply the principle of least privilege to restricting access rights for non-human resources, such as systems, applications, devices, and processes. You can do this by granting these resources only the permissions needed to perform the activities they are authorized to do.

5. Validate All Endpoint Devices

Do not trust devices that have not been verified. Zero trust security can help you validate your endpoints and extend identity-centric controls to the endpoint level. It usually involves ensuring that devices are enrolled before gaining access to your resources. Enrolling devices makes it easier to identify and verify each device. By implementing device verification, you can determine whether the endpoint attempting to access your resources meets your security requirements.

Zero Trust Deployment Checklist

Here are several aspects to consider when implementing a zero-trust solution:

Ease of deployment Can you quickly get the system up and running? 

Does the vendor require you to modify your environment to align with the solution? For example, are you required to open ports in the firewall?

Multi-cloud support Does the solution support integration with multiple public cloud vendors easily and simply? 

Does the solution allow you to secure your workloads on multiple clouds effectively?

Scalability Is the zero trust architecture scalable? 

Does the offered scalability meet the demands of your workloads?

Security What are the security measures the solution provider enforces? 

Does the solution maintain a streamlined security cycle?

Does the solution deploy an intrusion detection system (IPS) and scan all traffic for malware?

Visibility Does the solution allow administrators to visualize current and historical access requests, from any user to any resource, in a central interface? 

Easy access to data about what was allowed and what was blocked is key to monitoring and compliance auditing.

Service and support Can the zero trust solution vendor help troubleshoot issues?
Value Does the solution offer additional value? 

How and where does the solution deliver value, features, and risk reduction measures that go beyond the value of your existing security tools?

Challenges of Implementing Zero Trust

As you implement zero trust in your organization, you will need to consider and overcome the following challenges.

Complex Infrastructure

Modern organizations typically have infrastructure consisting of proxies, servers, business applications, databases, and Software-as-a-Service (SaaS) solutions. Some infrastructure components may be running on-premises while others are in the cloud.

It can be difficult to secure each segment of the network while meeting the requirement of a hybrid environment, with a mix of legacy and new applications and hardware. This complex environment makes it hard for organizations to achieve complete zero-trust implementation.

Operationalizing Zero Trust with Multiple Tools

To support a zero trust model, organizations use a variety of tools including:

  • Zero trust network access (ZTNA) or software defined perimeter (SDP) tools
  • Secure access service edge (SASE) or VPN solutions
  • Microsegmentation tools
  • Multi-factor authentication (MFA)
  • Single sign-on (SSO) solutions
  • Device approval solutions
  • Intrusion prevention systems (IPS)

However, many of these tools are specific to operating systems, devices, and cloud providers. Many organizations do not support a homogenous set of devices. They run some services in on-premise data centers, others in one or more clouds, have users on Windows, Mac, and other network-connected devices, and might run servers on multiple Linux distributions and multiple Windows Server versions.

It is difficult to ensure zero trust tools operate consistently across all tools and environments, especially in a large organization.

Related content: Read our guide to zero trust architecture

Adjusting Mindsets

Creating a zero trust model in a large organization demands buy-in from stakeholders to ensure effective training, planning, and implementation. A zero trust project affects nearly everyone, so all leaders and managers should agree on the approach. Typically, organizations are slow to implement change. Workplace politics alone can threaten the effectiveness of the project.

Cost and Effort

Organizations need to invest time, human and financial resources to implement zero trust. A zero trust model requires defining who can access which areas of their network and create appropriate network segmentation—this requires careful planning and collaboration.

Organizations will need to hire or allocate personnel to implement network segmentation and maintain it on an ongoing basis. The better zero trust systems integrate with the environment, the easier this will become.


  • What is Zero Trust Network Access (ZTNA)?

    Zero Trust Network Access is a modern approach to securing access to applications and services. ZTNA denies everyone and everything access to a resource unless explicitly allowed. This approach enables tighter network security and micro-segmentation that can limit lateral movement if a breach occurs.

  • How is ZTNA different from software-defined perimeter (SDP)?

    SDP and ZTNA today are functionally the same. Both describe an architecture that denies everyone and everything access to a resource unless explicitly allowed.

  • Why is ZTNA important?

    ZTNA is not only more secure than legacy network solutions, but it’s designed for today’s business. Users work everywhere — not only in offices — and applications and data are increasingly moving to the cloud. Access solutions need to be able to reflect those changes. With ZTNA, application access can dynamically adjust based on user identity, location, device type, and more.

  • How does ZTNA work?

    ZTNA uses granular application-level access policies set to default-deny for all users and devices. A user connects to and authenticates against a Zero Trust controller, which implements the appropriate security policy and checks device attributes. Once the user and device meet the specified requirements, access is granted to specific applications and network resources based upon the user’s identity. The user’s and device’s status are continuously verified to maintain access.

  • How is ZTNA different from VPN?

    ZTNA uses an identity authentication approach whereby all users and devices are verified and authenticated before being granted access to any network-based asset. Users can only see and access the specific resources allowed to them by policy.

    A VPN is a private network connection based on a virtual secure tunnel between the user and a general terminus point in the network. Access is based on user credentials. Once users connects to the network, they can see all resources on the network with only passwords restricting access.

  • How can I implement ZTNA?

    In client-initiated ZTNA, an agent installed on an authorized device sends information about that device’s security context to a controller. The controller prompts the device’s user for authentication. After both the user and the device are authenticated, the controller provisions connectivity from the device through a gateway such as a next-generation firewall capable of enforcing multiple security policies. The user can only access applications that are explicitly allowed.
    In service-initiated ZTNA, a connector installed in the same network as the application establishes and maintains an outbound connection to the provider’s cloud. A user requesting access to the application is authenticated by a service in the cloud, followed by validation by an identity management product. Application traffic passes through the provider’s cloud, which provides isolation from direct access and attack via a proxy. No agent is needed on the user’s device.

  • Will ZTNA replace SASE?

    ZTNA is only a small part of SASE. Once users are authorized and connected to the network, there is still a need to protect against network-based threats. IT leaders still need the right infrastructure and optimization capabilities in place to protect the user experience. And they still need to manage their overall deployment.
    SASE addresses those challenges by bundling ZTNA with a complete suite of security services — NGFW, SWG, anti-malware, and MDR — and with network services such as SD-WAN, WAN optimization, and bandwidth aggregation.

  • What security capabilities does ZTNA lack?

    ZTNA addresses the need for secure network and application access but it doesn’t perform security functions such as checking for malware, detecting and remediating cyber threats, protecting web-surfing devices from infection, and enforcing company policies on all network traffic. That’s why the full suite of security services in SASE is a complement to ZTNA.

  • How do Zero Trust and SASE work together?

    With SASE, the ZT controller function becomes part of the SASE PoP and there’s no need for a separate connector. Devices connect to the SASE PoP, get validated and users are only given access to those applications (and sites) allowed by the security policy in the SASE Next-Generation Firewall (NGFW) and Secure Web Gateway (SWG).

    SASE addresses other security and networking needs by bundling ZTNA with a complete suite of security services — NGFW, SWG, anti-malware, and MDR — and with network services such as SD-WAN, WAN optimization, and bandwidth aggregation. Enterprises that leverage SASE receive the benefits of Zero Trust Network Access plus a full suite of network and security solutions, all converged together into a package that is simple to manage, optimized, and highly scalable.