
Pragmatic Steps Toward Zero Trust


    If you ask most security professionals to define zero trust, you’ll get an eye roll and an exasperated sigh. To many, it has been little more than a marketing exercise, and let’s be honest: a lot of what we’ve seen and heard about zero trust security over the past decade has been more fluff than substance.

    The term has been defined so loosely that countless cybersecurity vendors have, at one point or another, claimed to offer some sort of zero trust solution. It’s easy to see why it has such a bad reputation.

    Today, though, zero trust has become more tangible. Thanks to NIST SP 800-207 and other concrete documents and reference architectures, zero trust has been given shape and meaning. Just as importantly, technology has started to catch up with the vision. A pure zero trust architecture may still be out of reach for all but the largest, best-funded organizations, but that doesn’t mean security teams can’t take meaningful steps toward zero trust segmentation.

    Realistic Goals for Zero Trust Implementation

    The most important step in any journey is the first one, and moving toward the zero trust model is no different. 

    The first step toward zero trust is planning where you want your journey to end up. The best way to think about that end state is in terms of making network access control as granular as possible. That is the heart of zero trust: per NIST SP 800-207, the goal of any zero trust program should be to:

    • Prevent unauthorized access to data and services 
    • Make access control enforcement as granular as possible

    To that end, we’re going to look at two critical areas of network connectivity:

    • Server-to-server connections
    • User resource access 

    We’re also going to briefly look at setting up a zero trust pilot program that eliminates implicit trust from your environment, helping overcome the overwhelming feeling that may come when taking on a project this broad in scope.

    Step 1: Server to Server Security Through Network Segmentation

    To say that today’s enterprise networks are complex is an understatement. Multiple cloud instances run alongside on-premises network hardware from a wide range of vendors, all governed by an enormous number of policies that together define your overall security posture.

    In this environment, excessive access is the norm in policy creation, especially for firewall rules. No one wants to be the person who sank a project launch or upgrade by accidentally blocking access to a critical service. The problem? A network full of overly broad access contradicts the very zero trust policy you’re trying to achieve.

    How to Tackle This

    The first steps toward effective segmentation are to:

    • Continually monitor your environment for any rules granting excessive access
    • Set up guardrails to make sure new rules aren’t too broad
    • Conduct traffic flow analysis (TFA) of your logs to monitor how privileged access is actually used
    • Use threat intelligence to inform your security policy decisions

    A strong segmentation policy requires ongoing attention, not just a one-time implementation. Review our network segmentation best practices for detailed guidance.


    The end goal is to restrict network access as much as possible without interrupting business or slowing down the speed of operations.
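    The monitoring and guardrail steps above can be automated with a simple rule linter. The following is an added example, not FireMon’s code or any firewall vendor’s API: the rule schema, the sample rules and the thresholds (at most a /24 per rule, at most 32 ports) are constructed assumptions, and a real deployment would tune them per zone and feed in exported rules rather than an inline list.

```python
"""Audit firewall rules for excessive access and gate new rules behind a guardrail.

Added illustration, not FireMon's code. The Rule fields, thresholds and sample
rule set below are assumptions made for the example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: str     # CIDR or "any"
    dst: str     # CIDR or "any"
    proto: str   # "tcp", "udp" or "any"
    ports: str   # "443", "1024-65535" or "any"
    action: str  # "allow" or "deny"


MAX_HOSTS = 256      # assumed guardrail: no allow rule wider than a /24 on either side
MAX_PORT_SPAN = 32   # assumed guardrail: no allow rule opening more than 32 ports


def host_count(cidr: str) -> int:
    """Number of addresses a source/destination field matches ("any" = all of IPv4)."""
    if cidr.lower() == "any":
        return 2 ** 32
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def port_span(ports: str) -> int:
    """Number of ports a port field matches ("any" = every port)."""
    if ports.lower() == "any":
        return 65536
    lo, _, hi = ports.partition("-")
    return int(hi or lo) - int(lo) + 1


def findings(rule: Rule) -> list[str]:
    """Reasons an allow rule is excessively broad; empty list if it passes."""
    if rule.action.lower() != "allow":
        return []  # deny rules cannot grant excess access
    out = []
    if host_count(rule.src) > MAX_HOSTS:
        out.append(f"source {rule.src} covers {host_count(rule.src)} addresses")
    if host_count(rule.dst) > MAX_HOSTS:
        out.append(f"destination {rule.dst} covers {host_count(rule.dst)} addresses")
    if rule.proto.lower() == "any":
        out.append("protocol any")
    if port_span(rule.ports) > MAX_PORT_SPAN:
        out.append(f"port range {rule.ports} spans {port_span(rule.ports)} ports")
    return out


def audit(rules: list[Rule]) -> dict[str, list[str]]:
    """Continuous-monitoring view: every rule that currently grants excessive access."""
    return {r.name: f for r in rules if (f := findings(r))}


def guardrail(rule: Rule) -> bool:
    """Change-control gate: a proposed rule is accepted only if it has no findings."""
    return not findings(rule)


# Constructed sample rule base for the example.
SAMPLE_RULES = [
    Rule("web-in",    "any",         "10.1.2.0/24",  "tcp", "443",  "allow"),
    Rule("app-to-db", "10.1.2.0/24", "10.1.3.10/32", "tcp", "5432", "allow"),
    Rule("mgmt-any",  "10.0.0.0/8",  "any",          "any", "any",  "allow"),
    Rule("deny-all",  "any",         "any",          "any", "any",  "deny"),
]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_RULES).items():
        print(f"{name}: " + "; ".join(reasons))
    proposed = Rule("new-jump", "10.9.9.5/32", "10.1.0.0/16", "tcp", "22", "allow")
    print("guardrail accepts new-jump:", guardrail(proposed))
```

    Running the audit over the sample set flags `web-in` (any source) and `mgmt-any` (everything), while `app-to-db` passes because both sides are narrow and a single port is open. The same `findings` function backs both the recurring audit and the pre-change guardrail, so a rule that would be flagged later cannot be introduced now.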

    Step 2: Implementing Zero Trust Network Access for User Resources

    Your employees, customers, and other users are no longer in any single location. The reality today is that a significant portion of access requests to your critical infrastructure come from untrusted networks:

    • Home networks
    • Coffee shops
    • Vacation homes
    • Personal devices

    The perimeter is everywhere and growing. This opens a host of new potential attack vectors and vulnerabilities that impact cloud security.

    The Solution: Federated Access

    The first step when you implement zero trust for user access is adopting a federated access program.

    Having a consistent set of policies, practices, and protocols in place—regardless of what resource is being accessed or where the request originates—is key to achieving zero trust access across your organization.

    Important considerations:

    • Implement intelligently with input from across the operation
    • A poorly-implemented access program can be ineffective AND reduce productivity
    • Employees will struggle if existing workflows don’t fit new systems

    However, a properly-implemented federated access management program can streamline zero trust network access while tightening network security. Learn more about FireMon’s ZTNA solutions.

    When federated access is combined with multi-factor authentication (MFA), it goes a long way toward eliminating unauthorized access and increasing the granularity of access control.
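    What a consistent, origin-independent policy looks like in practice is a per-request decision that takes identity, authentication strength and the requested resource as inputs, and never the network the request came from. The following is an added example, not FireMon’s code or any identity provider’s API: the trusted issuer list, the resource policy and the sample claim sets are constructed assumptions, the claim names follow OpenID Connect conventions (`iss`, `exp`, `amr`, `groups`), and the example assumes the assertion’s signature has already been verified upstream.

```python
"""Policy decision for federated, MFA-gated resource access (zero trust style).

Added illustration, not FireMon's or any IdP's code. Signature verification of the
assertion is assumed to have happened before these claims are trusted; the issuer
list, resource policy and sample claims are assumptions for the example.
"""
import time
from typing import Optional

# Assumed federation trust: only assertions from these identity providers are accepted.
TRUSTED_ISSUERS = {"https://idp.corp.example", "https://idp.partner.example"}

# Assumed per-resource policy: groups that may reach the resource and whether MFA is required.
RESOURCE_POLICY = {
    "payroll-api": {"groups": {"finance"}, "mfa": True},
    "wiki":        {"groups": {"staff", "finance", "partner"}, "mfa": False},
}


def decide(claims: dict, resource: str, now: Optional[float] = None) -> tuple[bool, str]:
    """Return (allowed, reason) for one request.

    Network origin is deliberately not an input: a request from the office LAN and
    one from a coffee shop are judged on exactly the same claims. Unknown resources
    and any failed check fall through to deny.
    """
    now = time.time() if now is None else now
    policy = RESOURCE_POLICY.get(resource)
    if policy is None:
        return False, "unknown resource: default deny"
    if claims.get("iss") not in TRUSTED_ISSUERS:
        return False, "issuer not in federation"
    if claims.get("exp", 0) <= now:
        return False, "assertion expired"
    if policy["mfa"] and "mfa" not in claims.get("amr", []):
        return False, "MFA required for this resource"
    if not set(claims.get("groups", [])) & policy["groups"]:
        return False, "no group grants access"
    return True, "allowed"


# Constructed sample assertions (claims only; signatures assumed verified upstream).
NOW = 1_700_000_000.0
FINANCE_MFA = {"iss": "https://idp.corp.example", "sub": "alice", "exp": NOW + 600,
               "amr": ["pwd", "mfa"], "groups": ["finance", "staff"]}
FINANCE_PWD = {**FINANCE_MFA, "amr": ["pwd"]}
PARTNER = {"iss": "https://idp.partner.example", "sub": "bob", "exp": NOW + 600,
           "amr": ["pwd", "mfa"], "groups": ["partner"]}
ROGUE = {**FINANCE_MFA, "iss": "https://idp.attacker.example"}
EXPIRED = {**FINANCE_MFA, "exp": NOW - 1}

if __name__ == "__main__":
    for label, claims, res in [("finance+mfa", FINANCE_MFA, "payroll-api"),
                               ("finance, pwd only", FINANCE_PWD, "payroll-api"),
                               ("partner", PARTNER, "wiki"),
                               ("partner", PARTNER, "payroll-api"),
                               ("rogue issuer", ROGUE, "wiki"),
                               ("expired", EXPIRED, "wiki")]:
        print(f"{label:>18} -> {res:<12}: {decide(claims, res, NOW)}")
```

    The order of the checks matters: issuer and expiry are rejected before any entitlement is consulted, so an assertion from outside the federation never reaches the group or MFA logic, and a resource missing from the policy table is denied rather than silently allowed.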

    Leverage Existing SASE Capabilities

    Another effective approach to securing user access is using the SASE capabilities that many organizations already have built into their existing firewalls.

    Setting up SASE from the ground up can be costly and complex, but there are ways to set up the basics without too much effort.


    Step 3: Launching a Zero Trust Pilot Program

    Zero trust adoption can appear to be an impossible dream, particularly for the organizations that would benefit the most. Large organizations have thousands of users and servers, and a loss of productivity, even a momentary one, can bring enormous financial losses.

    The challenge: very few security and IT professionals have experience with many, let alone all, zero trust technologies and workflows. If new systems and workflows aren’t set up properly, or otherwise hurt productivity, there’s a risk of a ripple effect: not only will there be immediate repercussions, but dev teams may also go around security in the future, seeing it as a roadblock.

    Understanding why zero trust fails in the real world can help you avoid common pitfalls.

    The Solution: Start Small

    Don’t bite off more than you can chew. Start with a zero trust pilot program.

    How to begin:

    1. Pick a business area with relatively simple operations
    2. Choose an area with a single (or very few) applications or services
    3. Use technology you already own; you may be surprised at the zero trust capability that already exists

    Example: SASE doesn’t always require re-architecting the network. Some modern NGFWs have SASE functionality built in, giving enterprises the ability to set up policy-based user access restrictions without additional hardware outlays.

    Fortinet’s firewalls, for example, include such capabilities natively, without additional hardware or subscription cost.

    Also consider: Look at your cloud services to see what capabilities exist, particularly in identity and access management.

    Building Your Zero Trust Strategy

    Adopting zero trust can appear daunting, and it is if your aim is to reach a pure ZTA. But that doesn’t make it impossible, and it also doesn’t minimize the value of simply going as far as realistically possible. For many organizations, the additional security of a pure ZTA simply isn’t worth the added cost and complexity of its implementation right now, and may not be for quite some time.

    The right approach:

    • Evaluate the zero trust segmentation capabilities within your organization’s reach
    • Move strategically
    • Take things one step at a time

    Don’t let the sheer scale of the possibilities stop you from taking pragmatic steps that will benefit your security immediately. Explore how to embrace zero trust without blowing up your network.
