Interested in Zero Trust security, but overwhelmed by the idea of starting from scratch? Many IT professionals feel this way when it comes to Zero Trust. Fortunately, they’re usually farther along than they realize.
Several Zero Trust implementations come with the territory of shifting to distributed, cloud-based environments. Organizations that have begun making this shift often have Zero Trust implementations in place, even if they don’t realize it.
Even partial implementations can move companies significantly closer to achieving Zero Trust. And fortunately, they’re often easy to expand upon as a quick way to improve your Zero Trust posture. Read on to discover the seven ways you may have already implemented Zero Trust, and how to expand on those implementations for quick and effective Zero Trust wins.
1. Authentication at the Resource Level
Zero Trust was developed as a direct response to perimeter security’s inability to reliably secure modern IT environments. Perimeter security creates a firewall-based perimeter around the organization’s central network and requires authentication at the perimeter level for users to access the resources on the network.
However, organizations’ shift away from centralized infrastructure in favor of cloud computing makes maintaining a perimeter difficult, because the physical infrastructure it’s meant to encompass is dissipating. Perimeter-based security no longer makes sense for the modern organization.
Zero Trust addresses this problem by taking authentication to the resource level: instead of requiring authentication upon entry to the infrastructure, Zero Trust prescribes authentication upon access of any resource. This replaces the outdated perimeter concept with more reliable security that reduces the chances for lateral movement and meets the needs of modern, distributed networks.
Many organizations make this shift to resource-level authentication without realizing it’s a key part of the Zero Trust methodology. If your organization uses SaaS applications that require users to log in before using them, you’re on your way! There are a few ways you may be able to expand on this practice to improve your Zero Trust security posture.
How to expand upon resource-level authentication:
Apply it to more resources.
The more resources you can apply this practice to, the better your security posture will be. Eventually, this practice should apply to all the resources in your corporate stack.
Consolidate it with SSO.
Resource-level authentication everywhere can be a lot of sign-ins. To reduce the user burden of memorizing and inputting credentials over and over again, consolidate your access transactions with a single sign-on (SSO) tool. Learn more about SSO in tip #3.
Back it up with MFA.
Multi-factor authentication (MFA) drastically improves authentication security. Apply MFA to your resource-layer security and your SSO instance to further improve your Zero Trust security posture. Read on to learn more about MFA.
2. Multi-Factor Authentication
Multi-factor authentication (MFA) is one of the most common Zero Trust implementations; in fact, 88.9% of small and medium enterprises (SMEs) have implemented it in at least some places.
MFA supports Zero Trust by improving the security of the traditional username/password authentication model. Zero Trust security acknowledges the critical shortcomings of the traditional password and requires that passwords be supplemented with a more rigorous authentication method like MFA.
How to expand your MFA instance:
Put it everywhere.
In a true Zero Trust architecture, MFA is everywhere — that is, at every access transaction — unless another Zero Trust-powered action, like conditional access or passwordless authentication, overrides it. If you’ve implemented MFA to protect a few applications, consider expanding it to cover more of your architecture.
Often, it’s possible to do this without upping your MFA license — and some tools, like JumpCloud, provide free MFA, so you can implement it everywhere without paying for separate MFA licensing.
Make it more user-friendly.
While this may not offer a direct Zero Trust benefit, user-friendliness improves adoption and encourages correct usage; a user-friendly MFA tool like push notifications or biometrics can significantly improve users’ Zero Trust adoption while reducing human error and workarounds. Ultimately, that means better security for the business.
3. Single Sign-On
Single sign-on (SSO) is another method of securing authentication. SSO relieves some of the user burden of MFA by facilitating secure authentication to all the user’s applications with a single set of login credentials (ideally backed up with MFA).
SSO uses secure protocols like SAML and SCIM to bypass the user’s need to input credentials for every application without compromising security. It reduces password usage and applies secure authentication protocols to every application, both of which are significant Zero Trust wins.
How to expand your SSO capabilities:
Apply it to more applications.
True SSO combines all the applications in an organization’s infrastructure; users only have to input their credentials once to access everything they need to do their work. Bringing more applications into your SSO instance only increases security — even moving slowly and adding one at a time can yield significant security benefits.
If adding SSO capabilities to all your applications is too expensive, spread the costs over time by starting with the most critical applications. While these may vary from organization to organization, applications that handle the following should generally be secured first:
- Core business operations.
- Customer data.
- Personally identifiable information (PII) and IP data.
4. Device Visibility and Management
Organizations should have visibility into the devices on their network — and many do. However, as more devices make their way onto increasingly distributed networks, device management can’t stop there.
For example, organizations should have some level of control over devices. While the level of control should vary based on whether the devices are corporate- or employee-owned, IT teams should be able to execute the following tasks regardless of device ownership:
- Require a passcode.
- Customize configuration for policies, applications, and profiles.
- Allow users to opt in or out.
- Lock the device remotely.
These functions drastically improve the security of employee-owned devices accessing corporate resources. In addition, these capabilities can be extended significantly for corporate-owned devices; because privacy is less of a concern on company devices, mobile device management (MDM) tools for corporate devices should be able to:
- Require a password/passcode and set password requirements.
- Enforce restrictions on the device, like disabling analytics and crash reporting.
- Put web shortcuts on the home screen.
- Customize configuration for policies, applications, and profiles.
- Lock and wipe the device remotely.
Some MDM tools expand on these capabilities to streamline both the employee and admin experience. For example, some MDM tools allow users to onboard their device by simply scanning a QR code.
To take things a step further, MDM data and capabilities can combine with identity and access management (IAM) capabilities for more thorough and nuanced management and reporting. Learn more about the possibilities for device management in our blog, What Does It Take to Manage Your Devices?
How to expand your device visibility and management:
Make all devices accessing corporate resources visible.
This should include employee-owned and guest devices. Visibility into device status, activity, and events should be clear and accessible.
Increase controls as appropriate.
While it’s important not to overstep privacy boundaries in terms of control over employee-owned devices, many companies don’t have adequate control over their devices — especially over their corporate-owned ones.
If your MDM practice can’t currently achieve the above recommendations for corporate-owned and employee-owned devices, work on adding the missing functionality.
Combine device and identity management.
Combining device and identity management not only prevents data siloing, but it allows for more nuanced policies and controls. The combination of IAM and MDM, called unified endpoint management (UEM), allows organizations to assign devices to users, create nuanced policies, and unify their device and identity telemetry.
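The kind of combined identity-plus-device decision this section describes, as an added example (not JumpCloud code): every access transaction is evaluated against the user’s SSO and MFA state and against the device telemetry an MDM would report, with the stricter patch requirement reserved for corporate devices and sensitive resources kept off employee-owned ones. All identities, devices and resource tags are constructed sample data.

```python
"""Added example (not JumpCloud code): a Zero Trust access decision that
combines identity signals (SSO session + MFA) with device telemetry of the
kind an MDM reports (enrolled, passcode enforced, patch status, ownership).
All records used here are constructed sample data."""
from dataclasses import dataclass

@dataclass
class Identity:
    user: str
    sso_session_valid: bool
    mfa_verified: bool

@dataclass
class Device:
    device_id: str
    enrolled: bool          # visible to device management at all
    ownership: str          # "corporate" or "employee"
    passcode_enforced: bool
    patches_current: bool

# Resources handling core operations, customer data or PII are tagged sensitive
# (constructed); an unknown resource is treated as sensitive by default.
SENSITIVE = {"crm": True, "hr-system": True, "wiki": False}

def decide(identity: Identity, device: Device, resource: str) -> tuple[bool, str]:
    """Return (allowed, reason). Every access transaction is evaluated;
    there is no perimeter-level trust to inherit."""
    if not identity.sso_session_valid:
        return False, "no valid SSO session"
    if not identity.mfa_verified:
        return False, "MFA not verified"
    if not device.enrolled:
        return False, "unknown device: not visible to device management"
    if not device.passcode_enforced:
        return False, "device passcode not enforced"
    if device.ownership == "corporate" and not device.patches_current:
        return False, "corporate device is behind on patches"
    if device.ownership != "corporate" and SENSITIVE.get(resource, True):
        return False, "employee-owned device may not reach sensitive resources"
    return True, "identity and device posture satisfy policy"
```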
5. Patch Management
Keeping devices and software up to date is critical to maintaining security. Fortunately, many organizations have some form of patch management in place; however, in many cases, it could stand to be improved. Organizations should have a patch management system that applies to all their devices and doesn’t rely on manual management.
How to expand your patch management practice:
Automate it.
Manually monitoring for new patches, tracking completed and incomplete patches, and implementing patches racks up time and effort for the IT team. Automating even one of those steps can take a significant burden off your IT team, and it can shore up security.
Manually tracking updates is prone to error and often ends up taking a back seat to other priorities, allowing patching to fall behind. Look for a tool that provides visibility into completed patches, can push patch notifications to endpoints, and can enforce automatic updates.
Include all your operating systems.
Some patch management tools only work for one system. Organizations with a diverse OS environment should make sure their patch management system applies to all their devices. JumpCloud, for example, offers patch management that spans Windows, macOS, and Linux.
6. Principle of Least Privilege
The principle of least privilege (PoLP) — the idea that people should only be assigned access to what they need — is a cornerstone of Zero Trust. Fortunately, this principle has been around as a best practice for a long time, and many organizations follow its guidelines today.
This helps them form a strong foundation for a Zero Trust architecture. However, it’s easy for assigned privileges to fall out of line with PoLP if not carefully maintained and updated; many organizations could afford to realign their assigned privileges with PoLP.
How to expand upon PoLP:
Conduct access inventory.
Sometimes, automatically applied policies, nesting groups, and movement within a company can cause assigned permissions to misalign with what a person needs to do their job. Conduct an inventory of your users and their access to bring their privileges back up to date and ensure you’re actively enforcing PoLP.
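An access inventory of the kind this section calls for, as an added example (not JumpCloud code): nested group membership is resolved transitively to each user’s effective permissions, which are then compared with a per-role baseline so that privileges left behind by group nesting or a job change show up as excess. Groups, roles and users are constructed sample data.

```python
"""Added example (not JumpCloud code): an access inventory that resolves
nested group membership to effective permissions and reports what exceeds
a per-role baseline. Groups, roles and users are constructed sample data."""

# Group -> (direct permissions, nested child groups). Membership in a parent
# group implicitly grants everything held by its children.
GROUPS = {
    "all-staff":   ({"wiki:read"}, set()),
    "engineering": ({"repo:read", "repo:write"}, {"all-staff"}),
    "eng-admins":  ({"prod:deploy"}, {"engineering"}),
    "finance":     ({"ledger:read", "ledger:write"}, {"all-staff"}),
}

# Per-role baseline: what the job actually requires (the PoLP target).
ROLE_BASELINE = {
    "engineer":   {"wiki:read", "repo:read", "repo:write"},
    "accountant": {"wiki:read", "ledger:read", "ledger:write"},
}

# User -> (current role, directly assigned groups). Carol moved from finance
# to engineering, but her old group membership was never removed.
USERS = {
    "alice": ("engineer", {"engineering"}),
    "bob":   ("engineer", {"eng-admins"}),
    "carol": ("engineer", {"engineering", "finance"}),
}

def effective_permissions(groups: set[str]) -> set[str]:
    """Walk nested groups transitively, guarding against membership cycles."""
    perms, seen, stack = set(), set(), list(groups)
    while stack:
        g = stack.pop()
        if g in seen or g not in GROUPS:
            continue
        seen.add(g)
        direct, children = GROUPS[g]
        perms |= direct
        stack.extend(children)
    return perms

def excess_permissions(user: str) -> set[str]:
    """Permissions the user holds beyond the baseline for their role."""
    role, groups = USERS[user]
    return effective_permissions(groups) - ROLE_BASELINE[role]

def inventory() -> dict[str, set[str]]:
    """Only users whose effective access exceeds their role baseline."""
    report = {u: excess_permissions(u) for u in USERS}
    return {u: ex for u, ex in report.items() if ex}
```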
7. Identity and Access Management
Zero Trust essentially treats identity as the new perimeter, which makes identity and access management (IAM) critical to achieving Zero Trust. Fortunately, many organizations have some way of tracking identities and access — often through a directory.
However, those directories are often rooted in on-premises technology that doesn’t lend itself to Zero Trust. In addition, the directories often fail to natively integrate with other elements of the organization, like device management, which can create data silos or fragile dependencies when integrated manually.
How to expand upon identity visibility and management:
Expand your directory.
Directory solutions don’t have to be limited to IAM. In fact, the more your directory includes, the better you can integrate, manage, and secure your environment. The JumpCloud directory platform, for example, includes SSO, MFA, MDM, and patch management. It’s able to tie all of these components to the same source of truth and report on them all at once, allowing for more dimensional and nuanced insights into your environment.
Bring your directory to the cloud.
Many popular directory services — like Microsoft Active Directory, for instance — are still legacy-based. Organizations operating with on-premises directory technology should consider bringing it to the cloud.
Cloud-based directories are better suited to the distributed, cloud-based networks that have become common since the rise of SaaS and remote work. This makes cloud directories naturally more Zero Trust-inclined, as they use technology that’s designed to work securely within your cloud-based infrastructure. In addition, cloud-based directories make it easier to broaden your directory to include additional services.
Create an Actionable Zero Trust Plan
Because Zero Trust is a modern, in-depth security approach, it can feel a bit unattainable to organizations working with lean teams and limited budgets. However, Zero Trust is a long-term security strategy with rollouts that are meant to be slow and incremental. Implementations should work with your existing business plans rather than against them.
For step-by-step guidance to developing a Zero Trust roadmap that aligns with your business’ goals, resources, and current state, download Forrester’s Practical Guide to a Zero Trust Implementation.