A couple of years ago, organizations relied heavily on the traditional perimeter-based security model to protect their systems, networks, and sensitive data. However, that approach can no longer suffice due to the sophisticated nature of modern day attacks through techniques such as advanced persistent threat, application-layer DDoS attacks, and zero-day vulnerabilities. As a result, many organizations are adopting the zero trust approach, a security model based on the principle that trust should never be assumed, regardless of whether a device or user is inside or outside the organization’s network.
While zero trust promises to be a more proactive approach to security, implementing the solution comes with several challenges that can punch holes in an organization’s security before it’s even in place.
The core components of zero trust include least privileged access policies, network segmentation, and access management. While best practices can help improve the behavior of your employees, tools such as the device trust solutions will secure access to protected applications to build a resilient security infrastructure for an organization.
1
NordLayer
Employees per Company Size
Micro (0-49), Small (50-249), Medium (250-999), Large (1,000-4,999), Enterprise (5,000+)
Small (50-249 Employees), Medium (250-999 Employees), Large (1,000-4,999 Employees), Enterprise (5,000+ Employees)
Small, Medium, Large, Enterprise
2
Twingate
Employees per Company Size
Micro (0-49), Small (50-249), Medium (250-999), Large (1,000-4,999), Enterprise (5,000+)
Medium (250-999 Employees), Large (1,000-4,999 Employees), Enterprise (5,000+ Employees)
Medium, Large, Enterprise
3
ManageEngine AD360
Employees per Company Size
Micro (0-49), Small (50-249), Medium (250-999), Large (1,000-4,999), Enterprise (5,000+)
Any Company Size
Any Company Size
Features
Access Management, Active Directory Administration, Activity Dashboard, and more
Understanding zero trust
Zero trust isn’t only a set of tools or a specific technology. It’s a security philosophy that centers around the fundamental idea of not automatically trusting any user or system, whether they’re inside or outside the corporate network. In a zero trust environment, no user or device is trusted until their identity and security posture are verified. So, zero trust aims to enhance security by focusing on continuous verification and strict access controls.
SEE: Recommendations for Implementing Zero Trust Security in a Hybrid Cloud Environment (TechRepublic Forums)
Another key ingredient of the zero trust approach is that it operates on the principle of least privilege, meaning that users and systems are granted the minimum level of access needed to carry out their tasks. This approach cuts down the attack surface and limits the potential damage a compromised user or device can cause.
Core components of zero trust
Below are some key components of zero trust and best practices to make the most out of them.
Access management
Access management revolves around controlling who can access resources within an organization’s network. Here are some best practices for effective access management:
- Implement viable authentication: Implementing viable multifactor authentication mechanisms helps to ensure users are who they claim to be before being granted access to any resources within a network. A viable MFA usually involves a combination of two or more authentication methods, such as a password, facial recognition, mobile authenticator, or biometric checks.
- Leverage OAuth tools: Access management in zero trust can further be enhanced using OAuth (Open Authorization) tools. OAuth is an open standard for access delegation that provides a secure way for users to grant third-party applications and websites limited access to their resources without sharing their credentials.
- Employ device trust solutions: As an extra layer of protection between devices and company applications, device trust solutions integrate with OAuth tools to ensure the identity of the user and security of the device during the authentication flow.
- Implement role-based access control: RBAC is a crucial component of access management that involves assigning permissions to roles rather than individuals. With RBAC, it becomes easier for security teams to manage access across the organization and ensures employees are assigned specific permissions based on their job functions.
- Monitor user activity: User activities should be continuously monitored to detect anomalies and potential security breaches. Adopting user behavior analytics solutions can be beneficial in identifying unusual patterns of behavior that may indicate a security threat.
Least privilege
The principle of least privilege emphasizes that users and systems should have only the minimum level of access required to perform their tasks. Highlighted below are the best ways your organization can go about least privilege:
- Deny access by default: Implement a default-deny policy, where access is denied by default and only approved permissions are granted. This approach reduces the attack surface and ensures that no unnecessary access is given.
- Regularly review and update access permissions: A good least privilege practice involves reviewing and auditing user access to organizational resources to ensure permissions are aligned with job roles and responsibilities. Such practice also includes revoking access once an employee leaves the organization or has no need for access.
- Implement segmentation: Segmenting the network into isolated zones or microsegments can help contain the lateral movement of attackers within the network. Each zone should only allow access to specific resources as needed.
- Least privilege for admins: Admins are no exception to the principle of least privilege. So, efforts must be made to ensure the principle of least privilege cuts through administrative accounts. Doing this can help checkmate the possibility of insider attacks.
Data protection
The zero trust framework also emphasizes the need to secure sensitive data, both at rest and in transit, to prevent unauthorized access and data breaches. Here is how your organization can implement data protection:
- Choose strong encryption: Implement strong encryption protocols using the best encryption tools. Encryption should cover data stored on servers, databases, or devices, and data being transmitted over networks. Use industry-standard encryption algorithms and ensure encryption keys are managed securely with an encryption management tool that provides centralized management.
- Data classification: Data assets should be classified based on how sensitive and important they are to the organization. Apply access controls and encryption based on data classification. Not all data requires the same level of protection, so prioritize resources based on their value.
- Implement data loss prevention: Deploy DLP solutions to monitor and prevent the unauthorized sharing or leakage of sensitive data. So, even if a user manages to gain unauthorized access to your organization’s data, DLP offers a mechanism for identifying and blocking sensitive data transfers, whether intentional or accidental.
- Secure backup and recovery: Critical data should be backed up regularly. Also, ensure backups are securely stored and encrypted at all times. Remember to have a robust data recovery plan in place to mitigate the impact of data breaches or data loss incidents.
Network segmentation
Implementing network segmentation is another way your organization can strengthen zero trust adoption. Network segmentation is the process of breaking an organization’s network into smaller, isolated segments or zones to reduce the attack surface. The tips below can make the process easier:
- Go for microsegmentation: Instead of creating large, broad segments, consider implementing microsegmentation, which involves breaking down the network into smaller, more granular segments. With this approach, each segment is isolated and can have its own security policies and controls. It also gives room for granular control over access and reduces the impact of a breach by containing it within a smaller network segment.
- Deploy zero trust network access: ZTNA solutions enforce strict access controls based on user identity, device posture, and contextual factors. ZTNA ensures users and devices can only access the specific network segments and resources they’re authorized to use.
- Apply segmentation for remote access: Implement segmentation for remote access in a way that grants remote users access to only the resources necessary for their tasks.
How to implement zero trust security in 8 steps
Having understood the core components of zero-trust security, here is a rundown of eight steps you can take for a successful implementation of zero-trust security in your organization.
Step 1. Define the attack surface
The attack surface represents the points through which unauthorized access could occur. Determining the attack surface should be the first item on your zero-trust security approach checklist.
Start by identifying your organization’s most critical data, applications, assets, and services. These are the components most likely to be targeted by attackers and should be prioritized for protection.
I would recommend you start by creating an inventory of the DAAS and classify them based on their sensitivity and criticality to business operations. The most critical element should be the first to receive security protections.
SEE: Zero Trust Access for Dummies (TechRepublic)
Step 2. Map your data flows and transactions
To secure data and applications, you must understand how they interact. Map out the flow of data between applications, services, devices, and users across your network, whether internal or external. This gives you visibility into how data is accessed and where potential vulnerabilities may exist.
Next is to document each pathway by which data moves throughout the network and between users or devices. This process will inform the rules that govern network segmentation and access control.
Step 3. Create a micro-segmentation strategy
Micro-segmentation, in this context, is the process of dividing your network into smaller zones, each with its security controls. If you micro-segment your network, you stand a higher chance of limiting lateral movement within the network. So, in the event attackers gain access, they can’t easily move to other areas.
Use software-defined networking tools and firewalls to create isolated segments within your network, based on the sensitivity of the data and the flow mapped in step 2.
Step 4. Implement strong authentication for access control
To ensure that only legitimate users can access specific resources, use strong authentication methods. MFA is critical in zero trust because it adds verification layers beyond passwords, such as biometrics or one-time passwords.
To be in a safer zone, I suggest deploying MFA across all key systems, and using stronger methods like biometrics or hardware tokens wherever possible. Ensure MFA is required for both internal and external users accessing sensitive DAAS.
SEE: How to Create an Effective Cybersecurity Awareness Program (TechRepublic Premium)
Step 5. Establish least privilege access
Least privilege access means users should only have access to the data and resources they need to perform their jobs — nothing more. A good way to do this is to implement just-in-time access to all resources and reach zero standing privileges in your most sensitive environments.
This reduces the chance of accidental or malicious misuse of data. You can also create role-based access control systems to strictly define and enforce permissions based on users’ roles and job responsibilities. Continuously review and revoke access when it is no longer necessary.
Step 6. Set up monitoring and inspection mechanism
Monitoring is crucial in zero trust because it provides real-time visibility into all traffic within your network, enabling quick detection of anomalous activities. To do this, use continuous network monitoring solutions, such as security information and event management tools or next-generation firewalls, to inspect and log all traffic. Also, set up alerts for unusual behaviors and regularly audit the logs.
Step 7. Assess the effectiveness of your zero-trust strategy
Security is not static. Regular assessments ensure that your zero trust strategy continues to protect your evolving network and technology. This involves testing access controls, reviewing security policies, and auditing DAAS regularly. Start by performing regular audits and security assessments, including penetration testing, to test for weaknesses in your zero trust implementation. You can adapt your policies as your organization grows or introduces new technologies.
Step 8. Provide zero-trust security training for employees
Employees are often the weakest link in security. A well-trained workforce is essential to the success of zero trust, as human errors such as falling for phishing attacks or mishandling sensitive data can lead to breaches. So, develop a comprehensive security training program that educates employees on their roles in maintaining zero trust, covering topics such as proper password hygiene, secure use of personal devices, and how to spot phishing scams.
Best zero trust security solutions in 2024
Many security solutions providers today also offer zero trust as part of their services. Here’s a look at some of the top zero trust security solutions I recommend in 2024, with highlights on their strengths and who they’re best suited for.
Kolide: Best zero-trust solution for end-user privacy
Kolide believes zero trust works well when it respects end-user’s privacy. The solution provides a more nuanced method for managing and enforcing sensitive data policies. With Kolide, administrators can run queries to identify important company data, and then flag devices that violate their policies.
One of the main strengths of Kolide zero-trust solution which I like is its authentication system. Kolide integrates device compliance into the authentication process, so users cannot access cloud applications if their device is non-compliant with the standard.
Also, instead of creating more work for IT, Kolide provides instructions so users can get unblocked on their own.
Zscaler: Best for large enterprises
Zscaler is one of the most comprehensive zero trust security platforms, offering full cloud-native architecture.
Zscaler uses artificial intelligence to verify user identity, determine destination, assess risk, and enforce policy before brokering a secure connection between the user, workload, or device and an application over any network. Zscaler also excels in secure web gateways, cloud firewalls, data loss prevention, sandboxing, and SSL inspection.
Zscaler is ideal for large enterprises with hybrid or multi-cloud infrastructure. However, one thing I don’t like about the solution is that the Zscaler Private Access service is available in fewer locations than the advertised 150 Points of Presence. Also, there is no free trial and pricing requires consultation.
StrongDM: Best for DevOps teams
StrongDM focuses on simplifying secure access to databases, servers, and Kubernetes clusters through a unified platform. StrongDM’s Continuous Zero Trust Authorization establishes adaptive security measures that adjust in real time based on evolving threats.
You can use StrongDM’s single control plane for privileged access across your company’s entire stack, no matter how diverse. The top features of the StrongDM solution include an Advanced Strong Policy Engine and Detailed Control through Contextual Signals. StrongDM is the best if you have DevOps teams or have a company with heavy infrastructure reliance.
I like that the solution provides real-time response to threats, simplified compliance reporting, and a 14-day free trial. StrongDM pricing is way too high, starting at $70 per user per month, but it has support for all resource types. The major downside is that it is a SaaS-only offering and requires continual access to StrongDM API for access to managed resources.
Twingate: Best for SMBs prioritizing remote work
Twingate allows you to keep private resources and internet traffic protected with zero trust without relying on traditional VPNs. The solution uses access filters to enforce least-privilege access policies, ensuring users only have the permissions to perform their specific tasks within applications.
One of the things I like about Twingate is its easy setup. It doesn’t require any changes to your network infrastructure, like IP addresses or firewall rules. It can also integrate with popular identity providers, device management tools, security information and event management systems, and DNS over HTTPS services.
While I don’t like the fact that the command line interface is only for Linux users, it makes up for that with a 14-day free trial in its tiered pricing.
JumpCloud Open Directory Platform: Best for companies with diverse device ecosystem
JumpCloud’s Open Directory Platform allows you to securely give users in your network access to over 800 pre-built connectors. It combines identity and device management under a single zero trust platform. Its cloud-based Open Directory Platform provides a unified interface for managing server, device, and user identities across multiple operating systems. This includes advanced security features like single sign-on, conditional access, and passwordless authentication.
I consider JumpCloud ideal for companies with diverse device ecosystems due to its ability to integrate with popular tools and services, including Microsoft 360, AWS Identity Center, Google Workspace, HRIS platforms, Active Directory, and network infrastructure resources.
While JumpCloud Open Directory pricing is not the cheapest out there, I consider its 30-day free trial to be something that gives the solution some edge over similar products.
Okta Identity Cloud: Best for enterprises prioritizing identity security
Okta’s single sign-on, multi-factor authentication, and adaptive access controls make it a trusted solution for organizations focused on identity-first security.
Okta MFA feature supports modern access and authentication methods like Windows Hello and Apple TouchID. One downside to using Okta Identity Cloud is the pricing, which can go up to $15 per user per month when you decide to add features one by one. It does have a 30-day free trial, and user self-service portal for ease of setup from end-users.
Zero trust approach
In practice, implementing zero trust is not a one-off process. It’s an approach to security that may require a combination of technology, policy, and cultural changes in an organization. While the principles remain consistent, the tools and strategies used to implement zero trust will vary depending on your organization’s infrastructure and needs. Key components of your zero trust approach should include MFA, IAM, micro-segmentation of networks, continuous monitoring, and strict access controls based on the principle of least privilege.
Also, the cultural shift toward zero trust requires that security is not just the responsibility of IT, but integrated into your organization’s overall strategy. All your employees should be trained and made aware of their role in maintaining security, from following password policies to reporting suspicious activity. In the end, collaboration across departments is crucial to the success of a zero-trust model.
Read the full article here
