Six steps for implementing zero trust access

Modern organizations are no longer governed by fixed perimeters. In fact, the perimeter-based security model is disintegrating in a world where users work on their own devices from anywhere, and sensitive company data is stored in multiple cloud services.

Organizations can no longer rely on binary security models that focus on letting good guys in and keeping bad guys out. Their big challenge is figuring out how to give users the access they need while reducing set-up and maintenance costs, and not compromising security.

To meet that challenge, savvy organizations are abandoning the traditional network access approach of “trust but verify” and adopting zero trust access, which is rooted in the principle of “never trust, always verify”.

A zero trust architecture eliminates the idea for a trusted network inside a defined corporate perimeter, according to Forrester Research. Instead, the firm recommends creating micro-perimeters of control around sensitive data assets.

Here are six steps for implementing a zero trust access architecture.

Use Multi-Factor Authentication (MFA)

MFA is the basic building block of an intelligent approach to network security. Properly used, it reflects the guiding principle of zero trust: “never trust, always verify and verify again.”

MFA requires the presentation of two or more authentication factors: a knowledge factor (something only the user knows such as a password, PIN, or a pattern), a possession factor (something only the user has such as an ATM card, smart card, or mobile phone), and an inherence factor (something which contains a biometric characteristic such as a fingerprint, retina scan or face scan). Upon presentation, each factor must be validated for authentication to occur.

Verify all endpoint devices

Verifying users without verifying their devices is a recipe for potential disaster, as attackers often use compromised machines to breach corporate networks.

Device verification should enable an organization to determine whether the endpoint seeking to access internal resources meets its security requirements. The best solutions contain the capabilities to track and enforce the status of all devices, while delivering easy user onboarding and offboarding.

Implement Principle of Least Privilege (PoLP)

Every zero trust architecture should include PoLP, which is based on the concept that individual users should only be granted sufficient privileges to allow them to complete specific tasks. For example, an application developer should not be allowed to access financial records.

For maximum effectiveness, PoLP should be extended to “just-in-time” access, which restricts users’ privileges to specific time periods.

Monitor and audit everything

In addition to authenticating and assigning privileges, it is vital to monitor and review all user activity across the network. This helps organizations to identify any suspicious activity in real-time. Deep visibility is especially important for administrator accounts which have rights to access a wide spectrum of sensitive data.

Adopt attribute-based controls

Based on policy-based access, these controls authorize access through policies that combine attributes. The policies can combine any number of user attributes, resource attributes, object attributes, and so on.

The controls can function across the entire security stack — from on-premise to cloud, to APIs, to data, and network infrastructure. They enable network and security administrators to automate and enforce access policies that can block suspicious events in real-time.

Involve the entire end-user community

A top-down approach is doomed to fail. Success depends on organizations seeking input from all users and departments to implement security policies and processes that are as frictionless as possible.

Implementing zero trust access provides several important security benefits. It improves control since access is actively managed on a continuous basis. This also reduces an organization’s attack surface and prevents lateral attacks by making unauthorized resources unreachable or even invisible. Finally, a zero trust access architecture increases visibility through activity monitoring, which is essential for incident response, auditing and forensic analysis.