How to implement zero trust: A step-by-step roadmap
Once organizations recognize the benefits of a zero trust architecture, their next priority is to put their knowledge into action; to explore how to implement zero trust.
But while the theory of zero trust is well known, businesses wondering how to implement a zero trust network can be left struggling to find practical guidance. “Where I do start with zero trust?” is a common question; “What capabilities are required to implement zero trust security?” is another.
This article aims to plug that gap, exploring how to implement zero trust security and setting out practical steps to improve the security of your IT operations.
Why Implementing Zero Trust Is Crucial (Scroll Down for Implementation Steps)
If you’re here, we’ll assume you have a good understanding of the zero trust concept.
Zero trust frameworks have grown increasingly central to organizations’ operating models over recent years, for instance:
- The Internet of Things has increased the number of devices a business’s network needs to support
- Cloud-based applications and remote data centers are used to host data
- Remote and hybrid working create a “new normal” in the workplace
Combined, the impact of these changes is a network where the perimeter — your potential “attack surface” — can be challenging to define and, therefore, protect.
Devising a roadmap for zero trust implementation is the next essential step in your journey to make your network as watertight as possible.
How to Implement Zero Trust with Just 7 Steps
The good news is that there are recognized steps you can take when implementing a zero trust architecture. When exploring how to implement zero trust security, you should:
1. Define Your “Protect Surface”
As the attack surface grows and becomes less distinct, it’s essential to take a different tack and focus on your protect surface; the necessary items to defend.
Therefore, step one in implementing zero trust is defining these critical items. Identify the essential data, assets, applications and services (DAAS) that should make up the non-negotiables you need to protect.
By doing this and defining a protect surface that’s usually significantly smaller than the potential attack surface, organizations can focus their efforts on the most crucial areas.
Examples of DAAS you might include:
- Data: Customer personal or financial information; healthcare data
- Applications: In-house or proprietary software, especially that which would threaten business continuity in the event of a breach
- Assets: These might include the IoT devices mentioned above, specialized equipment or other business-specific assets
- Services: Your domain name system (DNS) or Dynamic Host Configuration Protocol (DHCP)
Defining which of your data, applications, assets and services are most sensitive, critical or at risk can be a challenge — you need to look across your entire organization and take a comprehensive view, something that demands scrupulous oversight.
But, once these are defined, you can take steps to move your protection and controls closer to your protect surface, reducing the risk of breach.
2. Map Your Transaction and Traffic Flows
Data moves around your network constantly, between devices, applications and assets. When looking at how to implement zero trust, it’s therefore essential to understand this data flow. Where is data coming from and moving to? Who is using it?
Zero trust relies on “no” being the default answer. To identify which data flows should not be trusted, you need to know which are vital to your operations and should be allowed. This mapping of data flow underpins that decision.
3. Implement a Zero Trust Architecture
Once you have mapped your data flows and identified permitted ones, you invoke the zero trust approach to block everything else.
This requires implementing a zero trust architecture, sometimes referred to as architecting a zero trust network; in other words, building network controls that only allow through legitimate data flows. Your zero trust network sets the rules that determine which flows are allowed and which are not.
Keep proportionality in mind; while in theory you can place controls or filters anywhere in the network you want, in practice you should weigh up the value of the control against the time and expense of putting it in. If a data flow is a minute, how much effort do you really want to devote to controlling it?
Understanding flow intent can help here. Try asking questions like:
- Why is the data moving?
- Who requires it?
- What is the purpose?
This can be a better criterion to prioritize your controls more than data scale or frequency.
4. Create Your Zero Trust Policy
What will you base your zero trust controls on? Organizations often rely on the Kipling Method here: asking who, what, when, where, why and how concerning data access to determine what should be allowed.
This approach can give the granularity needed to identify legitimate data flows and access requirements. Clear policies and strict controls are essential to a successful zero trust implementation; its very nature demands that there is no ambiguity, with clearly-defined and enforced controls.
5. Conduct Appropriate Monitoring
Once policies and controls are in place, monitoring becomes your next priority. For this, you need clear visibility across the network and an “always on” approach to monitoring and compliance.
Monitoring your zero trust network to ensure that the controls are operating as they should, and storing a compliant audit trail of records, will position your operation well for any audit or compliance check, whether internal or external. Accurate and comprehensive data is vital to effective governance, risk and compliance (GRC). When rigorous monitoring and compliance checks are BAU, reporting is straightforward, and you are always prepared for scrutiny.
6. Automate, Automate, Automate
Implementing a zero trust architecture is a tremendous job; once you’ve delivered, the last thing you want is to risk the ongoing effectiveness of your approach. Trying to manage a zero trust network manually can be a recipe for disaster; as with many other elements of governance, risk and compliance, automation can be the key to success. As we’ve outlined above, your zero trust network is a constantly evolving entity; automating the policies and rules that govern new additions to the network is the only way to realistically maintain the rigor and agility needed to keep pace with a changing IT and security environment. Whether it’s identifying new DAAS, rubber-stamping the need for change, or deploying that change across the network, manual intervention risks human error, omissions and cybersecurity risks. Automation brings consistency, robustness and precision.
7. Revisit and Continuously Expand
Developing your zero trust network to include new or additional DAAS should be an ongoing task, an iterative process.
Your network expands all the time, with new devices, users and applications. The initial project to implement a zero trust network may be significant and, as a result, come with substantial cost and, potentially, cause some distraction from, or disruption to, BAU processes.
Ongoing, once your zero trust architecture is in place, you should be able to expand on it with minimal disruption, ensuring the entirety of your network remains as protected as possible.
Closing Thoughts on Zero Trust Implementation
The ever-changing and growing threats to your network demands organizations understand how to implement zero trust. The steps set out above are designed to provide a clear, step-by-step roadmap to zero trust implementation.
To keep pace with the evolving business risks you face and the cutting-edge GRC strategies you can use to tackle them, you can subscribe to our GRC newsletter, a single source of the latest governance, risk and compliance information.
