Starting Your Zero Trust Journey

A zero trust architecture is one where nothing is inherently trusted inside or outside the organization. It ensures compliance with the principle of least privilege— people and applications only have the bare-minimum rights they need to do their jobs. Zero trust enables organizations to adapt to the modern security landscape, including remote workforces, hybrid infrastructures, multi-cloud deployments, and ransomware attacks. But what does zero trust mean, and how do you start your zero trust journey?  

What are the highest priority zero trust aspects

At the beginning of the discussion, different attendees shared the highest priority aspects of zero trust within their organization. An infrastructure engineer remarked that their primary area of interest is implementing zero trust without compromising user experience. A security architect mentioned that they currently have a network-centric security model, which prevents them from offering BYOD to their workforce. Their goal is to implement a zero trust model that adds flexibility to their authentication and access control policies. A CIO shared that a zero trust implementation will help them enforce granular access control. An IT manager added that their main zero trust objective is to apply modern security controls to the legacy applications in their infrastructure.

Where to start with zero trust

An executive explained that to them, zero trust is all about complying with the principle of least privilege. It’s about applying the required security controls to all your environments, whether on premises or in the cloud.  

A participant told the audience that it’s important to get higher management on board with zero trust, at the very beginning. Explain zero trust to them in a way that resonates with them. Don’t throw technical jargon at them; instead, share the many benefits of zero trust, like data protection, reduced costs, increased productivity, etc.

It is also essential to identify the “low-hanging fruit,” which can help you get some quick wins. For example, you may start by implementing an identity management system, which enables you to enforce stronger authentication and authorization. While choosing tools for zero trust, it’s crucial to evaluate based on several factors, like business needs, interoperability with different internal applications, types of supported users (e.g., employees, customers, and vendors), and ease of use.

What is step zero on the zero trust journey

Multiple speakers agreed that there is a step zero in the zero trust journey. This step focuses on identifying system and user-level requirements and creating an inventory of your environment(s). For example, in step zero, you answer questions like, how many users do we have? What devices and/or applications are they using? Which applications/users are security-critical? Do we have any external users that require short-term access? What unmanaged devices exist on your network? How many environments are your applications spread across? Where does your sensitive data reside?

The three sides of zero trust

An attendee discussed how they look at zero trust in three ways, within their organization. The first one is users, which involves implementing identity, replacing traditional VPN, and revamping access control. The second aspect is applications, which deals with applying security best practices to applications across infrastructures. The third part is infrastructure, which focuses on securing the supply chain, unmanaged infrastructure, IoT (Internet of Things), and all the other entities and processes that are usually hard to secure.  

What are drivers for zero trust

Below are some of the drivers for zero trust that were mentioned during the discussion:

• Compliance. A zero trust implementation can enable businesses to become compliant with various security standards and frameworks.
• Improved security posture, including better data privacy and integrity.
• Enhanced employee productivity and agility, such as the ability to work remotely, or via personal laptops.
• Reduction of the attack surface, which reduces the impact and severity of cyberattacks.  

‍