Implementing a Zero Trust policy: best practices and use cases

Zero trust policy

Implementing a zero trust policy means your systems will deny access by default. To gain access to a system, a user must be authenticated and authorized with every connection request. What's more, a user's access is restricted to the specific resources denoted by security policies, thereby limiting their privileges only to what is absolutely necessary. 

For the zero trust model to work, an organization needs to go beyond writing up a zero trust policy. They must also enforce zero trust network access by utilizing protections like multifactor authentication (MFA) and micro-segmentation to enforce the right restrictions for any given scenario.

A good example of zero trust architecture is auditing your users and assets to determine who needs to access what, along with the potential liabilities associated with that access. From there, an organization has to identify various endpoints and determine how access will be managed, placing priority on endpoints that house the most sensitive information. Ultimately, this process requires careful planning and investment in organization-wide visibility and monitoring. 

The term "Zero Trust" was first used in 2010 when John Kindervag, an analyst from Forrester Research and now Cerby advisor, presented the concept's first model. Google was one of the first major companies to adopt the model a few years later, and the framework has seen widespread acceptance ever since. Up next? A more thorough explanation of how to create a zero trust policy and the leading zero trust use cases that showcase the best of what this framework can offer. 

What is Zero Trust?

Zero trust architecture assumes every user, device, and network is a threat until properly authenticated and verified. Additionally, in a zero trust network, authentication and authorization are continuously checked each time a new request is sent. This is in stark contrast to security methods like a virtual private network (VPN) in which everyone within the network is considered trustworthy, since they have successfully passed the "security perimeter." When examining what zero trust network access looks like, users and devices are always treated the same, regardless of whether they are inside or outside the network. 

To uphold such strict security standards, an organization must implement a strong zero trust identity and access management (IAM) policy. Without one, security tools will not have the critical insight they need to know who is moving through the network, which makes it impossible to uphold the access controls and least privilege principles that zero trust identity management is built around.

While the zero trust concept is actively implemented across industries, the National Institute of Standards and Technology (NIST) set out in 2021 to help standardize guidelines for use of the framework, especially among federal agencies. In its effort, NIST began a collaboration with 18 tech companies, including Amazon Web Services, Cisco Systems, IBM, McAfee, and Okta. 

Of those 18 companies, one of the best examples of zero trust security is Microsoft's four-phase model, as follows:

• Microsoft requires remote users to implement two-factor authentication (2FA), which uses the Azure Authenticator app on the user's mobile phone. Microsoft plans to move to full biometric authentication in the future, likely requiring a fingerprint scan.
• After a user's identity has been verified, the second phase of Microsoft's model focuses on ensuring that the remote user's device is not compromised or vulnerable. To do so, the company enrolls all devices into the Intune MDM service and ensures they meet the device-health standards, which include requirements for a device to be frequently patched and tested for malware. Unmanaged devices are sometimes allowed, in which case Microsoft provides virtual desktops and applications.
• The third phase in Microsoft's zero trust policy is to verify access. The company has taken strides to strictly control access to corporate resources. They are in the process of transitioning away from allowing direct access to the corporate network and implementing an internet-only approach.
• Lastly, Microsoft's not-yet-implemented stage of its zero trust policy will verify service health, ensuring that the service itself is in good standing before users can interact with it. While this phase is currently only a proof-of-concept, it demonstrates the company's continued adoption of a true zero trust architecture.

Following its research, NIST published a complete whitepaper on zero trust architecture in 2022, which encapsulates core practices, processes, and principles.

How to identify a protect surface

Implementing a zero trust security framework requires the adoption of three core principles: assuming a breach, granting least-privilege access, and explicitly verifying all users and devices.

Assume the breach

One of the core zero trust security principles is adopting the assumption that your network has already been breached. Given the scale of today's cyberattacks, it's never safe to assume your network is secure. Especially with social engineering being used to gain access to the credentials of your employees, the best way to keep your network secure is to treat every connection request as a potential threat. 

• Deny access by default
• Continuously defend your assets as though a hacker has already breached your network
• Heavily scrutinize all users and devices already inside the network 
• Treat every new request for access as if it's coming from outside the network
• Log and inspect changes to configurations, access levels, and network traffic

Least Privilege 

When employees have too many permissions, they become a liability. Not only can a disgruntled employee exploit their privileges, but negligence and/or targeted social engineering attacks can also expose their credentials, in which case those extra permissions provide a direct route to your company's assets. 

The more permissions you give your users, the easier it is for a hacker to move laterally through your network, which greatly reduces the time you have to detect a breach and stop it from escalating. As such, zero trust authorization prioritizes "least privilege," which means a user is only given access to the resources they absolutely need. This access may also be further limited based on dynamic security policies, which may change based on factors like the device they're using. 

Implementing least privilege zero trust cyber security standards means:

• Restricting users to the fewest permissions necessary to carry out their daily duties
• When users need additional access, as in a particular project, those permissions should be assigned temporarily, not permanently
• To avoid privilege creep, user permissions should be reviewed periodically and privileges should be limited in favor of security, rather than granted in an attempt to reduce user friction.

Explicit Verification

Explicit verification is the final principle of zero trust security, and it is rooted in the concept that verification is an ongoing activity, not a one-time event. A user's system can be compromised at any point, so just because their privileges were reviewed and granted a week ago, that doesn't mean the user or their device is still safe.

Each new request needs to be carefully scrutinized and verified to minimize risks. This requires:

• Treating every attempt to access resources as a brand new request
• Considering a user's identity, device posture, and contextual factors
• Integrating advanced detection and real-time threat response initiatives 

How To Implement Zero Trust

When trying to figure out how to implement a zero trust network architecture, one of the key challenges companies face is securing nonfederated applications. 

Cerby is one of the top zero trust solutions that seamlessly solves this problem by extending a company's MFA and lifecycle management capabilities to any app they use. 

Using Cerby, you can implement zero trust security by extending the services of the zero trust vendors you're already using — like Azure AD and Okta — to any application your company interfaces with, including those that don't support SAML and SCIM.

Cerby isn't a password manager. Rather, it eliminates the need for an enterprise password manager and replaces it with a passwordless authentication system for all the apps your team uses. Additionally, Cerby allows you to automate manual tasks, like 2FA enrollment, saving your team time while helping you uphold a robust security framework. 

Zero Trust Best Practices
On paper, the three zero trust architecture principles might sound easy enough to implement, but many security solutions are difficult to deploy and run. While zero trust is widely accepted by IT and security leaders, it is often met with frustration from end users because most security solutions rely on heavy-handed enforcement-based approaches. However, implementing the zero trust best practices doesn't have to result in friction for your users. 

With Cerby, you can integrate zero trust as a long-term security solution without compromising productivity. Cerby allows you to:

• Ensure all applications are included in your zero trust framework
• Provide secure access to any employee for any application
• Automatically revoke privileges when they are no longer needed 
• Gain wider visibility into your users and applications

With a focus on the end user, Cerby enables comprehensive access management across all your applications without standing in the way of the work your users need to get done. If you're interested in learning more about Cerby, request a demo and see it in action for yourself.