
How Do You Implement Zero Trust?

Implementing zero trust is about enacting secure transformation. Today, more organizations know why they should pursue a zero trust architecture, but many still aren’t sure where to start—and every security provider seems to have their own definition of zero trust security. True zero trust doesn’t happen in an instant. It’s a journey that begins with empowering and securing your workforce.


What Is Zero Trust?

Zero trust is a security framework that asserts that no user or application should be trusted by default. A zero trust architecture enforces least-privileged access controls, which establish trust based on context (e.g., user identity and location, the security posture of the endpoint, the app or service being requested) with policy checks at each step. Access requests, even from known users on known devices, are never granted until they pass authentication and those policy checks, and the decision is revisited whenever the context changes.

What Are the Basic Principles of Zero Trust?

“Never trust, always verify” is a key maxim of the zero trust security model. To understand why, let’s look at the long-established model of firewall-based network security.

Traditional firewall approaches to cybersecurity assume that access requests from outside the network perimeter aren’t inherently trustworthy, but anything from inside is. This further assumes firewalls can effectively block external threats and that none are already inside the network’s defenses, which is simply not the case.

Cybercriminals take advantage of assumed trust to circumvent defenses and deliver ransomware and other advanced malware, exfiltrate sensitive data, and more. Zero trust counteracts the risk of assumed trust by recognizing that anyone could be compromised. At the core of the model are three tenets:

  1. Terminate every connection. Traditional firewalls use a “passthrough” approach: packets are inspected as they stream through, and a file may already have reached the endpoint before the device has seen enough of it to reach a verdict. A true zero trust solution terminates every connection so an inline proxy architecture can reassemble and inspect all traffic, including encrypted traffic, before it reaches its destination. Inspecting TLS traffic this way requires endpoints to trust the proxy’s certificate authority, and applications that pin certificates, as well as categories such as banking or health sites, typically need explicit bypass policies.
  2. Protect data with granular context-based policies. Zero trust policies verify access requests and rights based on the full context of the request—including identity, device, location, content, and more. Policies are adaptive, so user access privileges are continually reassessed as context changes, and a session that was allowed can be revoked when, for example, the device’s posture degrades.
  3. Reduce risk by eliminating the attack surface. With a true zero trust approach, users and entities connect directly to apps and resources, never to networks (see ZTNA), unlike with a VPN. Because a session grants reachability to a single application rather than to a network segment, a compromised endpoint has no routed path for lateral movement, and because apps are not exposed to the internet, they cannot be discovered by scanning or attacked directly.
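The second tenet above is easiest to see as a policy decision point. The following is an added example, not Zscaler’s code or any product’s policy engine: every request is evaluated against an ordered, default-deny rule set over its full context (identity, MFA state, device management and posture, location, the specific app and its data classification), and a granted session is re-evaluated whenever an attribute changes, with a deny revoking it. All attribute names, rule names, posture values and the sample requests are hypothetical.

```python
# Added example, not Zscaler's code: a minimal policy decision point (PDP)
# for context-based, continuously re-evaluated zero trust access decisions.
# Attribute names, rules, posture values and sample requests are hypothetical.
from dataclasses import dataclass, field, replace
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Context:
    user: str
    groups: frozenset        # group claims from the identity provider
    mfa: bool                # strong authentication completed this session
    device_managed: bool     # endpoint is enrolled in device management
    device_posture: str      # "healthy", "degraded" or "unknown" (hypothetical posture feed)
    country: str             # geolocation of the request
    app: str                 # the one application requested, never a network
    sensitivity: str         # classification of that app: "public", "internal" or "restricted"


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[Context], bool]
    allow: bool


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Ordered rule set: the first matching rule wins and no match means deny.
# Deny rules come first so a risky device or missing MFA can never be
# outranked by a broader allow rule further down the list.
RULES: List[Rule] = [
    Rule("unmanaged device may not reach restricted data",
         lambda c: c.sensitivity == "restricted" and not c.device_managed, allow=False),
    Rule("device posture must be healthy",
         lambda c: c.device_posture != "healthy", allow=False),
    Rule("MFA required for non-public apps",
         lambda c: c.sensitivity != "public" and not c.mfa, allow=False),
    Rule("finance group may use finance-erp from approved countries",
         lambda c: c.app == "finance-erp" and "finance" in c.groups
         and c.country in {"US", "GB"}, allow=True),
    Rule("any employee may use the wiki",
         lambda c: c.app == "wiki" and "employees" in c.groups, allow=True),
]


def decide(ctx: Context) -> Decision:
    """Evaluate one access request against the ordered rules; default deny."""
    for rule in RULES:
        if rule.matches(ctx):
            return Decision(rule.allow, rule.name)
    return Decision(False, "default deny: no rule matched")


@dataclass
class Session:
    ctx: Context
    active: bool = True
    log: List[Decision] = field(default_factory=list)


def open_session(ctx: Context) -> Optional[Session]:
    """Grant a per-application session only if the initial decision is allow."""
    first = decide(ctx)
    if not first.allowed:
        return None
    return Session(ctx=ctx, log=[first])


def reevaluate(session: Session, **changes) -> Decision:
    """Continuous evaluation: merge changed context attributes and re-run policy.
    A deny revokes the session; it is not silently re-granted when the context
    improves again, the user must open a new session (re-authenticating) instead."""
    if not session.active:
        return Decision(False, "session already revoked")
    session.ctx = replace(session.ctx, **changes)
    verdict = decide(session.ctx)
    session.log.append(verdict)
    if not verdict.allowed:
        session.active = False
    return verdict


# Constructed sample requests (hypothetical users, groups and apps).
ALICE_ERP = Context("alice", frozenset({"employees", "finance"}), mfa=True,
                    device_managed=True, device_posture="healthy",
                    country="US", app="finance-erp", sensitivity="restricted")
BOB_WIKI_NO_MFA = Context("bob", frozenset({"employees"}), mfa=False,
                          device_managed=True, device_posture="healthy",
                          country="DE", app="wiki", sensitivity="internal")


def demo() -> dict:
    """Run the sample requests and return the outcomes for inspection."""
    session = open_session(ALICE_ERP)
    assert session is not None
    # Alice's endpoint reports degraded posture mid-session: access is revoked.
    after_posture_change = reevaluate(session, device_posture="degraded")
    return {
        "alice_initial": decide(ALICE_ERP),
        "alice_after_posture_change": after_posture_change,
        "alice_session_active": session.active,
        "bob_wiki_without_mfa": decide(BOB_WIKI_NO_MFA),
        "alice_from_unapproved_country": decide(replace(ALICE_ERP, country="BR")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the ordering is that every deny rule is checked before any allow rule, so adding a generous allow rule later can never override a device or authentication failure; and because the decision is keyed to a single app rather than a network, revoking Alice’s finance-erp session has no effect on, and grants nothing toward, any other application.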

What’s the Difference Between Zero Trust Architecture (ZTA) and Zero Trust Network Access (ZTNA)?

Before we look further into implementing zero trust, let's distinguish between two terms:

  • A zero trust architecture (ZTA) is a design that supports airtight access management, authentication, and segmentation. It’s distinct from, and in many ways designed to replace, a “castle and moat” architecture, which trusts anything inside by default.
  • Zero trust network access (ZTNA) is a zero trust use case that offers users secure access to apps and data when the users, workloads, or data may not be inside a traditional perimeter, which is common in the age of the cloud and hybrid work.

Put another way, a zero trust architecture provides the foundation organizations need to deliver ZTNA and make their resources accessible from anywhere, at any time, and from any device. Compared with VPN-based remote access, ZTNA is a more agile and responsive security approach, better suited to multicloud configurations and remote work.

Challenges in Implementing Zero Trust

In the face of remote work trends, the rise of IoT devices, and cloud adoption, the task of forming a zero trust strategy can seem overwhelming. Let’s look at some typical hurdles and what you can do to overcome them.

Not Knowing Where to Start

To begin your zero trust journey, try to identify a specific pain point in your ecosystem. Maybe it's a security risk, such as an exposed attack surface or overprivileged access. It could be poor user experience or the costs of technical debt, infrastructure, or connectivity. Starting small gives you a foundation from which to tackle more difficult problems.

Being Tied to Legacy Investments

It’s hard to look beyond past investments, even if they’re not serving your needs anymore. The lead-up to refreshes and renewals is a great time to take a critical look at whether your legacy tools and technologies are still supporting your current business objectives, meeting capex and opex requirements, and keeping you truly secure amid ongoing cloud, mobility, and IoT trends.

Needing Stakeholder Buy-In

Zero trust can touch every corner of your organization, which means getting a lot of stakeholders on board. Be open with them about the benefits and sticking points of a zero trust transformation. Understand their drivers and concerns, including those they may be unaware of (e.g., legal or compliance risks). Pinpoint key use cases. Socializing your small starting use cases can also help with early buy-in.

How to Implement Zero Trust

Zero trust transformation takes time, but for today’s organizations to survive and thrive, it’s a necessity—and successful transformation has three core elements:

  • Knowledge and conviction—understanding the new, better ways you can use technology to reduce costs, cut complexity, and advance your objectives.
  • Disruptive technologies—moving on from legacy solutions that don’t hold up after all the ways the internet, threats, and workforces have changed in the last three decades.
  • Cultural and mindset change—driving success by bringing your teams along. When IT professionals understand the benefits of zero trust, they start driving it, too.

It’s important to recognize that change can be uncomfortable, especially if your architecture and workflows are deeply entrenched. Working in phases helps to overcome this, which is why Zscaler breaks down the journey to zero trust into four steps:

  1. Empower and secure your workforce
  2. Protect your data in cloud workloads
  3. Modernize your IoT/OT security
  4. Engage your customers and suppliers securely

By reaching each of these goals one by one—transforming your network and security along the way—you’ll attain a zero trust architecture that securely connects users, devices, and applications over any network, wherever they are.

Zero Trust Best Practices

Zero trust is more than configuring microsegmentation, multifactor authentication (MFA), and permissions, or rethinking your on-premises security. It’s about meeting the realities of today’s networks, workforces, and threats to make your operations safer, more agile, and more competitive.

When it comes to zero trust implementation best practices, there’s more to it than the technical necessities. You must, of course, secure your endpoints, apply the principle of least privilege, and leverage AI, ML, and automation. But before you can do any of that effectively, you need to approach the challenges of implementing your new security strategy with a plan:

  • Take action to find a starting point. Whether you begin with a risk, a user experience issue, a cost concern, or something else, use that as your springboard. Introduce zero trust gradually instead of trying to “boil the ocean.”
  • Re-evaluate legacy investments. Look for deficiencies in your network and cloud security, user experience, and vendor relationships across your organization and identify places where zero trust could make the biggest difference.
  • Get key stakeholders on board. Start by getting a firm grasp of the priorities and needs of key teams. This will surface use cases that can both help you secure buy-in and guide you toward that crucial starting point.
  • Don’t feel the need to do it alone. Your team may not have the necessary expertise to fully execute on zero trust. Take advantage of expert help such as proven professional services and managed security service providers.
  • Consider a mutual delivery plan (MDP). This agreement between your organization and your vendor will paint a clear, organized picture of what you need to accomplish and the individual steps you’ll take.

Need Professional Assistance? Zscaler Can Help

Zscaler delivers zero trust with the cloud native Zscaler Zero Trust Exchange™ platform. Built on a proxy architecture, the platform securely connects users, devices, and applications using business policies over any network. The platform does this in four steps:

  1. Terminate every connection and conduct deep, real-time data and threat inspection on all traffic, including encrypted traffic.
  2. Determine identity and device, and verify access rights using business policies based on context, including user, device, application, and content.
  3. Enforce policies to provide user-to-application segmentation through encrypted, one-to-one tunnels.
  4. Directly connect users to applications via the Zero Trust Exchange over the internet without going through your network.

Benefits of the Zero Trust Exchange

  • Prevents lateral movement of threats: Users connect to apps directly, without network access, so a compromised device or account has no network path to other devices or applications.
  • Eliminates the internet attack surface: Applications sit behind the exchange, invisible to the internet, eliminating their attack surface and preventing targeted cyberattacks.
  • Delivers a great user experience: Users enjoy intelligently managed, optimized direct connections to cloud apps, with policies enforced at the edge in 150+ data centers worldwide.
  • Reduces cost and complexity: Management and deployment are simple, with no need for VPNs, complex firewalls, or any additional hardware.
  • Scales as your business grows: The platform’s cloud native, multitenant design is fully distributed across 150+ global data centers to give you the secure connectivity you need.
