Zero Trust is becoming the industry-standard security framework. However, the term’s overuse in the industry to describe latest-and-greatest products has produced confusion and doubt around its definition and validity.
To clarify, Zero Trust is not a product or solution, but an approach to security. Solutions may help you establish a Zero Trust security approach, but there is no “silver bullet” to implementing Zero Trust all at once.
Simplifying Zero Trust
This can make Zero Trust seem daunting. Fortunately, there are ways to simplify and kick-start your Zero Trust journey. In this article, we’ll discuss the process of developing a full Zero Trust roadmap, identify high-impact implementations that may help you get your Zero Trust endeavor off the ground, and outline methods for determining where to begin.
This guidance is designed to help IT professionals at small and medium enterprises (SMEs) make Zero Trust progress, no matter their starting point.
The Zero Trust Roadmap
Achieving Zero Trust security is usually a 2–3 year endeavor, and it can take even more time to reach full Zero Trust maturity. The only way to successfully complete this journey is to break it up into smaller, achievable milestones and accept your incomplete Zero Trust state along the way.
To help companies do this, Forrester released a Practical Guide to a Zero Trust Implementation. This guide outlines a method for setting goals and milestones to draw up a Zero Trust roadmap. The roadmap is typically segmented into five categories, which Forrester recommends addressing in roughly the following order:
Developing the roadmap can be a significant undertaking: it involves assessing your current security posture, understanding business goals, and determining time tables and steps for each phase of the journey.
While developing a Zero Trust roadmap is the ideal way to start your journey, time constraints, pressure from leadership, security vulnerabilities, and other factors often create the need to shore up an organization’s security environment more quickly.
For those looking for a more immediate way to make progress toward establishing a Zero Trust security approach, the rest of this article will offer guidance on kick-starting Zero Trust and determining where to begin.
In the next section, we’ll give a rundown of critical and impactful Zero Trust implementations. Then, we’ll offer guidance on deciding where to start among that list based on your organization’s current state and needs. Note that we still recommend working on a formal roadmap in the background while taking these more immediate actions.
Impactful Zero Trust Implementations
It helps to understand some of the common elements of Zero Trust that your company could work toward. Then, based on your environment and priorities, you can more easily identify quick wins that you can implement alongside your formal Zero Trust roadmap planning.
The following implementations are critical to upholding Zero Trust security. Establishing or expanding on any of these, therefore, will make significant, direct impacts on your Zero Trust progress. Consult this list and linked resources when exploring various angles for kick-starting Zero Trust in the next section.
- Multi-factor authentication (MFA) everywhere
- Identity and access management (IAM)
- Streamlined onboarding and offboarding
- Single sign-on (SSO)
- Conditional access
- Resource visibility
- Access control
- Infrastructure visibility
- Data encryption in transit and at rest
- Central directory
Quick Zero Trust Wins
There are a few angles you can take when deciding what to prioritize. However, the key to any of these angles is prioritizing the steps that make the most sense for your organization. Below are a few guiding metrics to choose from when identifying which steps will be most impactful. Consider these angles in conjunction with your current environment and the above list of impactful Zero Trust implementations.
Shore Up the Basics
The Zero Trust journey includes an implicit Phase 0, which encompasses cyber hygiene basics, like antivirus software, next-generation firewalls, and version control. While these implementations can’t reliably secure your organization on their own, they add a layer of security and a strong foundation to your Zero Trust architecture. If you’re lagging behind on some of the basics, work on shoring them up first before moving on to more advanced Zero Trust implementations.
Example of Shoring Up the Basics: Next-Generation Antivirus Software
Next-generation antivirus software (NGAV) uses more advanced and intelligent detection methods than traditional antivirus software to prevent more threats. Ideally, NGAV should be installed on every endpoint accessing corporate data (including employee-owned devices). If this isn’t possible right away, start by installing NGAV on company devices — your MDM implementation later in your Zero Trust journey may help you implement NGAV on all endpoints.
Expand What You Already Have in Place
Most organizations aren’t starting from ground zero when they begin working toward Zero Trust. Although they may not realize it, many organizations already have some solutions that support Zero Trust in place. Some of the most common include:
- Multi-factor authentication (MFA)
- Identity and access management (IAM)
- Single sign-on (SSO)
- Conditional access policies
Starting with what you already have is both easy and cost-effective. If you find your organization already has a solution that supports Zero Trust at least partially established, start by expanding that solution.
Example of Expanding Current Solutions: Expand SSO
If you already have SSO in your environment, integrate more applications into the tool with the goal of eventually using SSO for all resources — a key Zero Trust implementation.
If you can only do a few at a time, start by implementing SSO for the most high-impact tools, like those that store personal identifiable information (PII), support core business functions, or handle financials. Common priority applications might include your CRM, HR platform, and accounting software.
For some organizations, baby steps are the best route. This may be the case for strained IT teams, smaller organizations, organizations at the very beginning of their journey, and organizations without much leadership buy-in.
Small steps don’t have to yield small impacts. Some small, low-cost initiatives can have substantial effects on your security and move you significantly closer to your Zero Trust goal.
Example of a Small but Impactful Initiative: MFA Everywhere.
Many organizations already have MFA in place in some of their tech stack. Expanding this to cover more of their tech stack — to eventually be in place everywhere — has substantial security gains, and can be cost-effective and easy to implement. Most users are familiar with MFA processes, so buy-in effort is usually minimal.
Some MFA solutions even come free with IAM and directory software, which can further amplify your Zero Trust progress. Investing in one tool that can do both (among other Zero Trust initiatives, like automating offboarding and patch management, for example) is a cost-effective way to spur significant progress.
Start with High-Traffic Tools
Another place to start can be at high-traffic junctures: what people use the most. For instance, while securing access to documents only HR leadership uses may be worthwhile, its low usage might allow it to wait while you focus on more frequent touchpoints, like collaboration platforms or project management tools.
This method can be ideal for larger SMEs with many users working on certain platforms and remote or hybrid SMEs that worry about proper tool usage in unsupervised environments. Securing these high-traffic tools can be a great catch-all safeguard to start with.
Example of a High-Traffic Tool to Start with: SSO
SSO can apply to all employees and all resources, making it a high-traffic tool with a high security yield. Implementing SSO is a low-cost and low-effort way to drive immediate security benefits across your organization.
Secure the Crown Jewels First
This methodology approaches security at the most critical level first. Of course, in an ideal world, you’d be able to secure all the elements in your infrastructure right away. But prioritizing one thing de-prioritizes another by nature; understanding your company’s infrastructure, resources, environment, and threat vectors can help inform these tough choices.
Thus, this approach works well in organizations that already have a good understanding of their environment, resources, and stack, and can easily identify their most critical assets. If inventorying your infrastructure to identify your crown jewels becomes a large task that could hold up progress, consider starting with another, more digestible step instead as you inventory and assess your infrastructure.
Example of a Step that Secures the Crown Jewels: Network Segmentation.
Segmenting the network to at least guest and corporate levels can work wonders in protecting your critical assets. Segment resources on each segmentation based on the principle of least privilege (PLP), with the crown jewels only accessible on the admin/highest-privilege network. Dynamic VLAN assignment can help automate this segmentation.
Deepen Your Understanding of Zero Trust
The more you understand Zero Trust, the better you’ll be able to identify strategic ways to build toward a Zero Trust architecture. To dive deeper into Zero Trust security and understand how to work toward it in your environment, download the whitepaper, Zero Trust Demystified: Simplifying the Zero Trust Journey for SMEs.