7 steps for implementing zero trust, with real-life examples
More than a decade since the term's inception, zero-trust security is still much easier said than done. Here's how to get started.
Evidence suggests zero-trust security far outstrips traditional perimeter-based security in its ability to protect enterprises' sensitive data. Organizations with the best cybersecurity outcomes are 137% more likely to have adopted a zero-trust approach than their less successful peers, according to Nemertes' "Secure Cloud Access and Policy Enforcement 2020-2021" study. But while its benefits are clear, implementing zero trust remains complicated.
Zero-trust security is a guilty-until-proven-innocent approach to network security that John Kindervag -- formerly an analyst at Forrester Research and now senior vice president at ON2IT Cybersecurity -- first articulated in 2010. The model assumes active threats exist both inside and outside a network's perimeter, with on-site and remote users alike required to meet stringent authentication and authorization requirements before gaining access to a given resource. Identity-driven, context-based policies predetermine which network entities can communicate and under what conditions. Every user is granted the least amount of access possible, on a strict need-to-know basis, thus limiting the damage a threat actor can accomplish via lateral movement once inside a network.
To illustrate the difference between legacy and zero-trust architectures, independent analyst John Fruehe pointed to the airport security model. Travelers must show their personal identification to gain access to departure areas inside a well-defined perimeter. As in traditional network environments, once they've received authentication, they can put away their credentials and are free to roam the restricted zone. "Ninety-nine-point-nine-nine percent of the time, that model is fine," Fruehe said.
The zero-trust security model, however, tries to account for the calamitous .01% of instances by continually querying traffic both outside and within the network. In the airport scenario, imagine travelers present their IDs and boarding passes at the Transportation Security Administration (TSA) perimeter-based checkpoints as usual, Fruehe said. After this initial authentication, however, they encounter continuous additional screenings as they make their way through the concourse, in and out of shops and restaurants, toward their respective gates and onto their aircrafts.
"The zero-trust model says that, even though you passed through security, I'm not going to assume [TSA] did its job right or that you necessarily deserve another level of clearance," Fruehe said. "I'm still going to stop you and say, 'Hey, do you need to be here? Show me your ID.'"
While the concept is relatively straightforward, figuring out how to implement zero trust is anything but.
"Philosophically, everybody wants to do zero trust," said Tony Velleca, CISO at digital services company UST Global, which began implementing a zero-trust approach to better protect clients' sensitive data. "But, practically, it is very challenging to enable."
Before tackling a zero-trust implementation, get your house in order
John Burke, CTO at Nemertes, said he has seen "a solid uptick" in conversations around the zero-trust approach in the past several years, with many enterprises planning to move in that direction. He added, though, that most organizations have yet to position themselves for such a challenging and substantive transition.
"Zero trust is based on the idea of being able to say in advance who gets to talk to whom," Burke said. "If you don't have that knowledge -- a longstanding problem in IT security planning, generally -- you wind up making your policies very liberal, defeating the purpose of zero trust in the first place."
Velleca agreed, adding that in his experience implementing zero trust on the ground, "good internal housekeeping" is more than half the battle.
"The fundamentals include getting a good handle on your user -- authentication, roles, access, etc.," he said. "Some of it requires a set of tools, but a lot of it is just administration, making sure you're giving people the minimum amount of access required to do their jobs. That goes a long way toward implementing zero trust. It's the foundation."
For organizations wondering where to start, cybersecurity consultant Michael Cobb suggested beginning with a comprehensive data discovery effort.
"At the end of the day, that's what you're trying to protect," he said. "And, if you don't know where the data is, you can't protect it." Don't underestimate the demands of this process, which can prove surprisingly long and painful, Cobb added.
How to start implementing zero trust in 7 steps
Many experts say most -- if not all -- organizations should be exploring how to implement zero trust in their environments as part of their long-term network security strategies. According to Burke, any entity with a data center or substantial operations running on IaaS should start evolving toward a zero-trust security environment if it hasn't already.
But figuring out how to best put zero-trust principles into practice in a legacy environment takes time and patience, Burke said. "You can't buy zero trust out of a box," he added. "There is no zero-trust product. It's an approach, and it isn't easy or quick if you start from a traditional infrastructure."
He also cautioned that while vendors now market a plethora of products and services as "zero trust," organizations should regard that label with a healthy degree of skepticism.
"Many of them are perfectly solid security tools; they're just not related to zero trust," Burke said. "If it doesn't do zero trust -- let you say in advance who gets to talk to who, on either the policy or enforcement side -- then it's not zero trust."
To begin the critical yet complex process of implementing zero trust, experts suggested starting with the following seven steps.
Step 1. Form a dedicated zero-trust team
Zero trust is one of the most important initiatives an enterprise can undertake. Rather than making "move to zero trust" a task that ranks below everyone's top to-do lists, dedicate a small team tasked with planning and implementing the zero-trust migration.
This team should include members from the following three areas, which represent the easiest on-ramps to zero trust:
- application and data security;
- network and infrastructure security; and
- user and device security.
The team should also include members from security operations -- particularly the security operations center -- and risk management.
Step 2. Choose a zero-trust implementation on-ramp
Zero-trust security has three main on-ramps, each with its own technology path. While an enterprise will ultimately connect zero trust to all three on-ramps, starting with the optimal one -- based on the current environment and anticipated zero-trust strategy -- will be key to success.
On-ramp option 1: User and device identity. The user and device identity on-ramp may be most attractive to organizations with a large population of remote users accessing cloud-based applications.
For the user and device identity on-ramp, consider the following practices and technologies:
- Biometrics. Biometrics can serve as a user credential, validating users and tying them to a trust profile. Requiring biometrics as part of the authentication process makes it easier to implement zero trust based on user identity.
- Multifactor authentication. MFA is another way to tie the user to the device to extend trust.
- Identity and access management. IAM provides a platform for single-credential and single-login authentication across multiple cloud platforms and possibly internal systems.
- Device certification. Device certification extends trust to devices based on the configuration of the device. Organizations need to check whether applications and OSes are up to date and properly patched and whether all applications are part of the enterprise's portfolio.
- Zero-trust network access. ZTNA technology integrates with IAM and MFA to control access to applications based on user identity; context clues, such as geographic location and device security posture; and enterprise security policies. ZTNA technology is available in standalone services and as part of broader Secure Access Service Edge (SASE) and security service edge platforms.
Technologists who take a user- and device-centric approach to zero trust will grant access to resources based on who the user is (biometrics and MFA), whether the device poses a threat (certification and context) and the overall IAM policy. They also can monitor user behavior using complementary technologies, such as user and entity behavioral analytics and behavioral threat analytics, which involve revoking user permissions if users or endpoint devices are behaving in a way that constitutes a threat.
On-ramp option 2: Applications and data. An environment heavily focused on applications and data protection -- particularly a cloud environment -- may lend itself to starting from the applications and data on-ramp.
For the applications and data on-ramp, consider the following practices and technologies:
- Data classification. Data classification is the practice of associating security levels with specific types of data, regardless of where that data resides: cloud, endpoints, data centers, etc. Classification provides the critical underpinning for controlling access for zero trust.
- Data loss prevention. DLP refers to tools that track and log access to data, whether cloud-based or on premises. It can provide control points for implementing zero-trust policies.
- Authentication and authorization of microservices. Microservices authentication is foundational for many advanced security initiatives, particularly zero-trust security. It refers to technologies such as Red Hat's Keycloak or others that follow an advanced authentication framework, such as the OAuth framework.
- Container security. Container security provides an automated way to manage and secure groups of containers needed to deliver a service, including orchestration, tracking, launching and shutting down containers, and implementing policy across containers.
- Cross-system integration via APIs. This refers to integrating various components of a cybersecurity infrastructure. It is foundational for many advanced security initiatives, particularly zero-trust security.
Enterprises that choose the applications and data on-ramp to get to zero-trust security should focus on implementing a mix of initiatives (data classification, API integration, microservices authorization) and critical technologies (DLP, container security) that enable securing applications and data at the most granular possible level.
On-ramp option 3: The network. The network on-ramp for zero trust is a good match for enterprises that rely heavily on an established internal network with network-based controls and a substantial number of workloads still processed in an on-premises data center. Also, if the network is the current cybersecurity platform, then upgrading network-based controls to zero trust makes sense.
For the network on-ramp, consider the following practices and technologies:
- Automation. Automating network controls makes them dynamic so it's possible to revoke authorization midsession -- a key principle of zero trust. Technologists can automate network controls by writing their own scripts or by selecting management tools that include embedded automation.
- Microsegmentation. Microsegmentation is foundational for many advanced security initiatives, particularly for zero trust. The concept refers to the approval of data flows based on user and type of resource instead of port, IP address and traffic type. For example, an approved list can determine that accounting can only have access to system X, regardless of where it is located or its current IP address. Most advanced network vendors are now implementing microsegmentation.
- Stateful session management. Stateful session management is the ability to manage sessions individually, tracking them by current state. Like microsegmentation, it's typically a capability found in equipment from advanced network vendors.
- Network encryption and secure routing. These are security capabilities provided by networking devices. In these devices, routing should be controlled and validated, and network sessions should be encrypted.
- Network virtualization, cloud-based firewalls and centrally managed firewalls. While they aren't inherently linked to zero trust, network virtualization, cloud-based firewalls and centrally managed firewalls make the implementation and management of zero-trust processes much easier. If network components are virtualized or cloud-based, automating controls is simpler, faster and easier than if they were to require physical or hands-on management. That, in turn, makes it faster and easier to deploy zero-trust policies, particularly those that are dynamic. Centralized firewall management enables security teams to manage and configure all firewalls in the organization, regardless of where they're located or whether they are physical or virtual.
- Software-defined WAN and SASE. Technologies such as SD-WAN and SASE can help enable network-based zero trust by providing network endpoints where zero-trust policies can be instantiated.
Step 3. Assess the environment
Understanding the controls across the environment will make deploying a zero-trust strategy more straightforward. Ask the following questions:
- Where are the security controls? In a network environment, these controls include firewalls, web application gateways and the like. In a user/identity environment, the controls might be endpoint security -- endpoint detection and response or extended detection and response -- and IAM. In an applications and data environment, these include container security, DLP, microservices authorization and similar controls.
- To what extent do these controls provide dynamic, granular, end-to-end trust frameworks that don't depend on preexisting classifications? For example, firewalls typically aren't granular, end-to-end or dynamic and rely on the simplistic classifications of "outside = bad" and "inside = good."
- What are the knowledge gaps? It's impossible to provide granular access to data if you don't understand the security classification of that data. Unclassified data represents a knowledge gap that will need to be addressed in a zero-trust strategy.
Step 4. Review the available technology
Either at the same time as or following the assessment, review emerging technologies for your zero-trust initiative's on-ramp. Next-generation networking equipment includes capabilities -- such as microsegmentation, virtual routing and stateful session management -- that can turn these devices into key components of a zero-trust architecture. IAM capabilities are quickly becoming more granular and dynamic.
Step 5. Launch key zero-trust initiatives
Compare the results of your technology review with the technologies you need. The comparison informs how to develop, prioritize and launch initiatives, such as upgrading existing network infrastructure to equipment capable of microsegmentation or deploying microservices authentication.
Step 6. Define operational changes
Zero-trust strategies can fundamentally change security operations. For example, as tasks are automated, corresponding manual tasks might need to be modified or automated to keep pace and prevent gaps in security.
Step 7. Implement, rinse and repeat
As your organization deploys new technologies, assess their value according to security KPIs. This includes the mean total time to contain incidents, which should decrease dramatically the closer an organization moves to zero trust.
Easing users into a zero-trust implementation
Transitioning from a legacy perimeter-based architecture to a zero-trust security model can mean significant business interruptions, experts have warned.
"Returning to the airport analogy, you have to add checkpoints throughout the airport -- at every restaurant, store, lounge and gate -- with hundreds of employees constantly asking to see IDs," Fruehe said. Moving to such a framework can initially prove cumbersome for both a network's staff and its "travelers," or end users.
In his experience implementing zero trust at UST Global, Velleca found the on-the-ground realities of the new security approach can indeed make it a tough sell with users. "You end up with a lot of pushback because it slows down the business," he said. "Digital organizations that want to be nimble really struggle with some of those controls."
To minimize user frustration, the CISO said he backed off applying particularly stringent access control measures universally, reserving them for the most sensitive areas of the network.
"You have to think through the possible loss events that you're most keenly worried about -- for us, it's our clients' data -- and spend a little more time and energy designing for those," Velleca said.
In that vein, his team has developed a zero-trust approach it calls the "use case factory," identifying and defining specific attack scenarios and then reverse-engineering controls.
Because Velleca sees the CISO's role as enabling the business, he accepted that -- in some cases -- detection and response sometimes make more sense than prevention. Where strict zero-trust access control policies would unduly restrict users' productivity, the security team compensates with aggressive monitoring efforts, he said.
A zero-trust implementation example
Cloud service provider Akamai Technologies, based in Cambridge, Mass., began exploring zero trust after suffering a data breach in the 2009 Operation Aurora cyber attack.
"There wasn't really a roadmap to follow," said Andy Ellis, former Akamai CISO. "We just said, 'We need to figure out how we can better protect our corporate network and our users.'"
Akamai initially aimed to restrict lateral movement within the enterprise network using microsegmentation. That presented a challenge, however, since lateral movement often happened between applications that had permission to talk to each other.
"It's really difficult to microsegment things when your backup server can talk to everything," Ellis said. "That's where you get compromised."
First, the Akamai team focused on securing domain administrators' accounts, working on authentication protocols and mandating separate passwords for each additional level of access. It also explored using X.509 certificates to enable hardware authentication on a device-by-device basis.
"But we were still thinking in network terms," Ellis said. Then, the team had a breakthrough. "We realized it wasn't about the network; it's really about the application."
It wanted to find a way to let employees securely access internal applications from a login point on the company's content delivery network (CDN), thus keeping end-user devices off the corporate network entirely. Ellis' team opened a hole in the firewall and started manually integrating one application at a time -- a slow and tedious process. "Let me tell you, our system administrators were getting pretty cranky," Ellis said.
But, about halfway through the project, it discovered a small company called Soha Systems that enabled an alternative access model: dropping a VM between Akamai's firewall and application servers to connect apps on one side with the CDN-based single sign-on service on the other. Ellis and his team found the Soha connector supported granular role-based access for employees and third-party contractors on a user-by-user and app-by-app basis, via a browser with no VPN required. If hackers managed to commandeer an employee's credentials, they would theoretically see only the limited applications and services that particular worker was entitled to use.
Akamai deployed Soha's technology, ultimately buying the company and folding the technology into its Enterprise Application Access service, enabling customers to gradually offload VPN traffic as they build their own zero-trust environments. Gartner predicted that, by 2025, 70% of new remote access deployments will rely primarily on zero-trust network access, rather than on VPNs.
"You don't have to do it all at once," Ellis said, pointing out that Akamai's zero-trust journey unfolded over the course of years. "It's step by step. You're going to transform your whole business by the time you're done."