How to Implement Zero Trust Architecture

Zero trust is a security model that improves your security posture and reduces your attack surface. It requires you to eliminate implicit trust and authenticate digital identities every step of the way. In the last few years, it has evolved from a security buzzword into an umbrella term that encompasses several ways of protecting your assets from unauthorized access. How do you go about achieving zero trust? What does “achieving zero trust” even mean?

Strongest reasons to implement zero-trust

At the start of the discussion, attendees talked about the biggest drivers of their respective zero-trust journeys.  

• The main driver for zero trust is the reduction of attack surface and prevention of lateral movement -VP of Security Compliance  
• Organizations move towards zero trust because it allows them to enforce the principle of least privilege -IT Executive
• Zero trust allows them to support a hybrid work environment and reduce the threat of ransomware -CISO  
• Zero trust has enabled them to segment their worldwide service provider network -CISO
• Zero trust enables companies to have complete visibility over their systems -Security Specialist  

The evolution of zero trust

During the early days of zero trust, getting the buy-in from the C-suite was a huge implementation obstacle. These days it’s much easier, owing to the rising number of public cyberattacks. The inceptive implementations of zero trust focused on network segmentation and making everything identity-based. Today, zero trust encompasses a lot more. Modern zero trust implementations enforce a mobile perimeter model, which secures the workforce, workplace, and work processes. They allow you to use identity as a control mechanism to determine who can access what, under which circumstances.  

The journey to achieve zero trust

An attendee declared that zero trust is a journey, not a destination. You should begin by implementing identity and access management (IAM) and defining fine-grained access policies for everyone. Another attendee commented that you should start by getting some quick and easy wins, and then find change advocates who can spread your vision across the company. The length of a zero trust journey depends on the size of your company and its attack surface. For smaller companies, it may be a short journey; for larger ones, with legacy systems, it may be a multi-year process. Having clearly defined end-goals enables everyone to stay aligned. E.g. you may have an end goal to stop using VPN, or to implement identity lifecycle management.

The challenges faced while achieving zero trust

An executive mentioned that legacy applications pose the greatest challenges while implementing zero trust. It’s hard to integrate modern tools with legacy applications that run outdated protocols and tech stacks. It can also be difficult to enforce restrictive access policies across different functional units, without causing downtime. Another challenge is tackling change resistance and convincing people to take a radically different approach to security.  

What does “achieving zero trust” even mean?

Multiple participants agreed that zero trust is an abstract idea, which can mean different things for different organizations. It’s important to understand what zero trust means to you, not what it means universally. This will allow you to articulate what you need to be working towards. E.g. you may want to achieve zero trust to have contextual awareness of your digital identities. Or to generate temporary access credentials for different use-cases. Or to have granular visibility of all your cloud assets.

‍