Even though the term “zero trust” has been widely used for more than a decade, it’s also widely misconstrued. The meaning seems to depend on who you ask. One vendor claims it has nothing to do with networks. Another says it’s all about identity management. And yet another asserts that you only need it for accessing cloud-based applications.

The problem is that zero trust isn’t a single product that you simply turn on. And zero-trust acronym soup only adds to the confusion. Zero trust access (ZTA) and zero-trust network access (ZTNA) aren’t the same thing, yet the terms are often used interchangeably.

At its core, zero trust is a security model based on a deceptively simple premise: “never trust; always verify.” Instead of assuming that anything that has made it past security checkpoints can be trusted, zero trust assumes the opposite. Anything on your network could be infected, and any user is capable of compromising critical resources. In other words, don’t assume you can trust anything, no matter where it is located, inside or outside the network.

In the face of all the confusing terminology, acronyms, and vendor approaches, it’s no surprise that more than one survey has indicated that organizations are struggling with zero-trust implementation. In the Global State of Zero Trust Survey from Fortinet, more than 80% of those surveyed felt that implementing a zero-trust strategy across an extended network “wasn’t going to be easy.” In another survey performed by Dimensional Research, only 21% of respondents said they were “very confident” in their organization’s understanding of zero trust, and 94% reported challenges with implementation.

Why Bother?

Although it may be tempting to throw up your hands and say never mind, coming up with a zero-trust strategy is crucial. Today’s networks are more complex than ever, and threats like ransomware are more severe, with an almost 11x increase in the 12 months between July 2020 and June 2021.

Because networks have so many edges, the traditional network perimeter is dissolving. In the past, security defenses were applied at the boundary of the network, but now, with so many edges (cloud, mobile, remote workers, and countless Internet of Things (IoT) devices), it’s difficult or even impossible to tell who and what can be trusted based on their location.

Implementing zero trust requires changing how you think about security within the organization. In the Global State of Zero Trust Survey, even though 94% of organizations reported having a zero-trust strategy, more than half aren’t able to authenticate users and devices on an ongoing basis and are struggling to monitor users post-authentication. These two functions are core tenets of the zero-trust philosophy, so those deployments are undoubtedly incomplete.

Where to Start?

Given the confusion around zero trust, figuring out where to start can be difficult. Because zero trust is a different approach, at the most basic level it’s essential to understand the systems, users, and devices on your network. By doing an inventory, organizations can develop a strategy to close security gaps and improve visibility where it’s lacking.

Because user identity is a cornerstone of zero trust, every user needs to be identified along with the role they play within the organization. The zero-trust model focuses on a “least access” policy that only grants a user access to the resources that are necessary for their role or job. Access to additional resources is only provided on a case-by-case basis.

At this point, every organization should have multifactor authentication (MFA) in place. Authentication, authorization, and accounting (AAA) services, access management, and single sign-on (SSO) are used to identify users and apply appropriate access policies based on their role within the organization. User identity can be further authenticated through certificates and then tied to role-based access control (RBAC) to match an authenticated user to specific access rights and services.

User identity controls who is on the network, and MFA is a key technology. If you don’t have user identity set up, consider that the first task on your zero-trust journey.

Controlling Device Access

The next step is to determine what devices are on the network. Network access control (NAC) can be used to discover and identify each device that is on or seeking access to the network and ensure that it hasn’t already been compromised.

Microsegmentation is another key component of zero trust. With network microsegmentation, each device is assigned to an appropriate network zone based on several factors, including device type, function, and purpose within the network. Microsegmentation can also be set up to segment traffic based on workflow.

Another key element of zero trust is the concept of “least privilege.” Users and devices that are allowed on the network are only provided the minimum level of access they need to do their job. Any resources they need should only be accessed on a “need-to-know” basis, regardless of the person’s location or job function.

Extending Zero Trust

Access management and segmentation are important elements, and if you want to go farther on the zero-trust journey, you can apply the zero-trust model to application access as well. Zero Trust Network Access (ZTNA) provides seamless access to applications no matter where the user or the application is located.

Depending on how your network is structured, it can be difficult to apply application control when applications are located in different places, such as cloud, on-premises, and SaaS. A firewall-based, client-initiated ZTNA solution can be a better option for hybrid networks because it works whether users are accessing cloud-based or on-premises resources. The ZTNA experience works the same way no matter where the application or the user is located. Users launch the app they want to access, and a client-based agent works in the background to connect securely.

Zero Trust Is Worth It

Although implementing zero-trust strategies may not be as quick and easy as some vendors might have you believe, it’s worth it. Zero trust is getting so much attention because understanding who and what is on the network gives you a better chance of detecting problems quickly and preventing devastating cyberattacks. And that’s what cybersecurity is all about.

Discover how Fortinet’s Zero-Trust Access framework allows organizations to identify, authenticate, and monitor users and devices on and off the network.
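The per-request decision that “never trust; always verify” calls for, combining the MFA, NAC-style device check, ongoing re-verification and role-based least access described under “Where to Start?” and “Controlling Device Access”, as an added Python example that is not part of the original post or of any Fortinet product; the role table, device inventory and 15-minute re-verification window are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed least-access table: each role may reach only the resources its job needs.
ROLE_RESOURCES = {
    "finance": {"erp", "payroll"},
    "engineer": {"git", "ci"},
}

# Constructed NAC-style inventory: a device must be known AND compliant to pass.
DEVICE_INVENTORY = {
    "lap-042": {"zone": "corp-users", "compliant": True},
    "lap-077": {"zone": "corp-users", "compliant": False},
}

# Assumed policy value: sessions are re-verified every 15 minutes, not just at login.
MAX_SESSION_AGE_S = 900


@dataclass
class Request:
    user: str
    role: str
    mfa_verified: bool      # did the identity provider complete MFA for this session?
    device_id: str          # identifier reported by the client agent
    resource: str           # application or service being requested
    session_age_s: int      # seconds since the session was last verified


def evaluate(req: Request) -> Tuple[bool, str]:
    """Decide a single request. Every access is re-checked from scratch; nothing is
    trusted because of where the user or device sits on the network."""
    if not req.mfa_verified:
        return False, "mfa_required"
    dev: Optional[dict] = DEVICE_INVENTORY.get(req.device_id)
    if dev is None:
        return False, "unknown_device"          # not in the NAC inventory
    if not dev["compliant"]:
        return False, "device_noncompliant"     # discovered but failed posture checks
    if req.session_age_s > MAX_SESSION_AGE_S:
        return False, "reverify"                # post-authentication monitoring
    if req.resource not in ROLE_RESOURCES.get(req.role, set()):
        return False, "not_in_role"             # least access: outside the role's set
    return True, "allow"


if __name__ == "__main__":
    print(evaluate(Request("ann", "finance", True, "lap-042", "erp", 60)))
```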