How Do You Implement Zero Trust?
Implementing zero trust is about enacting secure transformation. Today, more organizations know why they should pursue a zero trust architecture, but many still aren’t sure where to start—and every security provider seems to have their own definition of zero trust security. True zero trust doesn’t happen in an instant. It’s a journey that begins with empowering and securing your workforce.
Zero trust is a security framework that asserts that no user or application should be trusted by default. A zero trust architecture enforces least-privileged access controls, which establish trust based on context (e.g., user identity and location, the security posture of the endpoint, the app or service being requested) with policy checks at each step. Access requests—even from known individuals—are never granted until they pass strict authentication.
What Are the Basic Principles of Zero Trust?
“Never trust, always verify” is a key maxim of the zero trust security model. To understand why, let’s look at the long-established model of firewall-based network security.
Traditional firewall approaches to cybersecurity assume that access requests from outside the network perimeter aren’t inherently trustworthy, but anything from inside is. This further assumes firewalls can effectively block external threats and that none are already inside the network’s defenses, which is simply not the case.
Cybercriminals take advantage of assumed trust to circumvent defenses and deliver ransomware and other advanced malware, exfiltrate sensitive data, and more. Zero trust counteracts the risk of assumed trust by recognizing that anyone could be compromised. At the core of the model are three tenets:
Terminate every connection. Traditional firewalls use a “passthrough” approach, inspecting files as they’re delivered. A true zero trust solution terminates every connection so an inline proxy architecture can inspect all traffic, including encrypted traffic, before it reaches its destination.
Protect data with granular context-based policies. Zero trust policies verify access requests and rights based on the full context of the request—including identity, device, location, content, and more. Policies are adaptive, so user access privileges are continually reassessed as context changes.
Reduce risk by eliminating the attack surface. With a true zero trust approach, users and entities connect directly to apps and resources, never to networks (see ZTNA), unlike with a VPN. This eliminates the risk of lateral movement, and because users and apps are invisible to the internet, they can’t be discovered or attacked.
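The three tenets above describe a policy model rather than a product. As an added example that is not part of the original page or Zscaler's code, the following hypothetical Python policy engine shows what "never trust, always verify" looks like in practice: every request is denied unless an explicit rule for that one application is satisfied by the full context (identity, MFA state, device posture, location), and the same evaluation is re-run whenever the context changes mid-session. The rules, groups, countries and posture signals are constructed for illustration.

```python
# Added illustration, not Zscaler code: a hypothetical default-deny policy engine that
# decides on full request context, grants per application, and re-evaluates on change.
from dataclasses import dataclass, replace
@dataclass(frozen=True)
class Context:
    """Constructed request context: who, on which device, from where, to what."""
    user: str
    groups: frozenset
    mfa_verified: bool
    device_managed: bool
    disk_encrypted: bool
    os_patched: bool
    country: str
    app: str

@dataclass(frozen=True)
class Rule:
    """Grants one application to one group, subject to location and posture."""
    app: str
    group: str
    allowed_countries: frozenset
    require_managed: bool = True

# Hypothetical policy: each rule names a single application, never a network.
POLICY = (
    Rule("payroll", "finance", frozenset({"US", "CA"})),
    Rule("wiki", "employees", frozenset({"US", "CA", "DE", "GB"}), require_managed=False),
)

def evaluate(ctx: Context, policy=POLICY) -> tuple:
    """Return ("allow" | "deny", reason). Nothing is trusted by default: access is
    granted only when a rule's app, group, location and posture conditions all hold."""
    if not ctx.mfa_verified:
        return "deny", "authentication incomplete"
    reason = f"{ctx.app}: no rule grants access (default deny)"
    for rule in policy:
        if rule.app != ctx.app or rule.group not in ctx.groups:
            continue
        posture_ok = ctx.device_managed and ctx.disk_encrypted and ctx.os_patched
        if ctx.country not in rule.allowed_countries:
            reason = f"{ctx.app}: location {ctx.country} not permitted"
        elif rule.require_managed and not posture_ok:
            reason = f"{ctx.app}: device posture insufficient"
        else:
            return "allow", f"{ctx.app}: rule for group {rule.group} satisfied"
    return "deny", reason

def reassess(ctx: Context, **changes) -> tuple:
    """Continuous verification: re-run the policy after a mid-session context change."""
    return evaluate(replace(ctx, **changes))
```

Note that an allow decision names one application only; a user whose device later fails a posture check loses that grant on the next reassessment without any network-level trust to fall back on.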
What’s the Difference Between Zero Trust Architecture (ZTA) and Zero Trust Network Access (ZTNA)?
Before we look further into implementing zero trust, let's distinguish between two terms:
A zero trust architecture (ZTA) is a design that supports airtight access management, authentication, and segmentation. It’s distinct from, and in many ways designed to replace, a “castle and moat” architecture, which trusts anything inside by default.
Zero trust network access (ZTNA) is a zero trust use case that offers users secure access to apps and data when the users, workloads, or data may not be inside a traditional perimeter, which is common in the age of the cloud and hybrid work.
Put another way, a zero trust architecture provides the foundation organizations need to deliver ZTNA and make their resources accessible from anywhere, at any time, and from any device. ZTNA is a more agile and responsive security approach, better suited to multicloud configurations and remote work.
Challenges in Implementing Zero Trust
In the face of remote work trends, the rise of IoT devices, and cloud adoption, the task of forming a zero trust strategy can seem overwhelming. Let’s look at some typical hurdles and what you can do to overcome them.
Not Knowing Where to Start
To begin your zero trust journey, try to identify a specific pain point in your ecosystem. Maybe it's a security risk, such as an exposed attack surface or overprivileged access. It could be poor user experience or the costs of technical debt, infrastructure, or connectivity. Starting small gives you a foundation from which to tackle more difficult problems.
Being Tied to Legacy Investments
It’s hard to look beyond past investments, even if they’re not serving your needs anymore. The lead-up to refreshes and renewals is a great time to take a critical look at whether your legacy tools and technologies are still supporting your current business objectives, meeting capex and opex requirements, and keeping you truly secure amid ongoing cloud, mobility, and IoT trends.
Needing Stakeholder Buy-In
Zero trust can touch every corner of your organization, which means getting a lot of stakeholders on board. Be open with them about the benefits and sticking points of a zero trust transformation. Understand their drivers and concerns, including those they may be unaware of (e.g., legal or compliance risks). Pinpoint key use cases. Socializing your small starting use cases can also help with early buy-in.
How to Implement Zero Trust
Zero trust transformation takes time, but for today’s organizations to survive and thrive, it’s a necessity—and successful transformation has three core elements:
Knowledge and conviction—understanding the new, better ways you can use technology to reduce costs, cut complexity, and advance your objectives.
Disruptive technologies—moving on from legacy solutions that don’t hold up after all the ways the internet, threats, and workforces have changed in the last three decades.
Cultural and mindset change—driving success by bringing your teams along. When IT professionals understand the benefits of zero trust, they start driving it, too.
It’s important to recognize that change can be uncomfortable, especially if your architecture and workflows are deeply entrenched. Working in phases helps to overcome this, which is why Zscaler breaks down the journey to zero trust into four steps:
Empower and secure your workforce
Protect your data in cloud workloads
Modernize your IoT/OT security
Engage your customers and suppliers securely
By reaching each of these goals one by one—transforming your network and security along the way—you’ll attain a zero trust architecture that securely connects users, devices, and applications over any network, wherever they are.
Zero Trust Best Practices
Zero trust is more than configuring microsegmentation, multifactor authentication (MFA), permissions, and rethinking your on-premises security. It’s about meeting the realities of today’s networks, workforces, and threats to make your operations safer, more agile, and more competitive.
When it comes to zero trust implementation best practices, there’s more to it than the technical necessities. You must, of course, secure your endpoints, apply the principle of least privilege, and leverage AI, ML, and automation. But before you can do any of that effectively, you need to approach the challenges of implementing your new security strategy with a plan:
Take action to find a starting point. Whether you begin with a risk, a user experience issue, a cost concern, or something else, use that as your springboard. Introduce zero trust gradually instead of trying to “boil the ocean.”
Re-evaluate legacy investments. Look for deficiencies in your network and cloud security, user experience, and vendor relationships across your organization and identify places where zero trust could make the biggest difference.
Get key stakeholders on board. Start by getting a firm grasp of the priorities and needs of key teams. This will surface use cases that can both help you secure buy-in and guide you toward that crucial starting point.
Don’t feel the need to do it alone. Your team may not have the necessary expertise to fully execute on zero trust. Take advantage of expert help such as proven professional services and managed security service providers.
Consider a mutual delivery plan (MDP). This agreement between your organization and your vendor will paint a clear, organized picture of what you need to accomplish and the individual steps you’ll take.
Need Professional Assistance? Zscaler Can Help
Zscaler delivers zero trust with the cloud native Zscaler Zero Trust Exchange™ platform. Built on a proxy architecture, the platform securely connects users, devices, and applications using business policies over any network. The platform does this in four steps:
Terminate every connection and conduct deep, real-time data and threat inspection on all traffic, including encrypted traffic.
Determine identity and device, and verify access rights using business policies based on context, including user, device, application, and content.
Enforce policies to provide user-to-application segmentation through encrypted, one-to-one tunnels.
Directly connect users to applications via the Zero Trust Exchange over the internet without going through your network.
Benefits of the Zero Trust Exchange
Prevents lateral movement of threats: Users connect to apps directly, without network access, ensuring threats can’t move laterally to infect other devices or applications.
Eliminates the internet attack surface: Applications sit behind the exchange, invisible to the internet, eliminating their attack surface and preventing targeted cyberattacks.
Delivers a great user experience: Users enjoy intelligently managed, optimized direct connections to cloud apps, with policies enforced at the edge in 150+ data centers worldwide.
Reduces cost and complexity: Management and deployment are simple, with no need for VPNs, complex firewalls, or any additional hardware.
Scales as your business grows: The platform’s cloud native, multitenant design is fully distributed across 150+ global data centers to give you the secure connectivity you need.
Legacy security models that rely on assumed trust can leave your network and users dangerously exposed as cyberthreats continue to evolve to take advantage of trusted relationships. The zero trust model enforces strict authentication for all requests, no matter who or where they come from, offering more comprehensive protection.
Why Is Zero Trust Important for Business?
Traditional cybersecurity models leave applications exposed to the internet. Today, with applications and data increasingly residing in the cloud, these models make network attack surfaces broader than ever. A true zero trust model connects users directly to resources, not your network, keeping your sensitive traffic invisible to the internet.
Is Zero Trust Replacing VPN?
The modern cyberthreat landscape has exposed the need to replace legacy VPN technology. With a traditional VPN, users are authenticated once, and then placed on the network. With zero trust, users and devices are continuously validated and only granted access to specific, authorized applications.
How Do I Choose a Zero Trust Provider?
Match a zero trust provider to your needs based on the vendor’s track record, comprehensive offerings, and level of tailored support. The right zero trust provider will understand your environment and be able to make targeted recommendations to secure your data and empower your workforce.
Where Do I Start with Zero Trust?
The best way to start with zero trust is to start small. For instance, find an issue related to risk, cost, or user experience and apply a zero trust strategy there. You can point to these small-scale successes when seeking stakeholder buy-in, budget, and future-looking plans. Don’t think you have to do it alone. If your team lacks the expertise to implement zero trust, consider a service provider you can work with as a trusted partner.
How Long Does It Take to Implement Zero Trust?
Successful zero trust transformation takes time, but to ensure long-term success, it’s critical to build your team’s knowledge; understand the ways you can use technology to reduce costs, cut complexity, and advance your objectives; and foster a cultural and mindset change toward zero trust across your organization.
How Do I Create a Zero Trust Network?
The steps to create a zero trust network include:
Define your attack surface: Understand which applications are exposed to threats and will need to be protected.
Implement controls around network traffic: Understand how traffic moves through your network so you can design and implement the right controls.
Architect your zero trust network: Design an architecture based on the nature of your network and traffic flows.
Create a zero trust policy: Author policies to determine the who, what, when, where, why, and how of people and systems that request connections to areas of your network.