How to implement Zero Trust security

Moving to a Zero Trust approach does not have to be overly complex. Organizations can start by implementing MFA, closing unnecessary ports, and a few other simple steps.

Learning Objectives

After reading this article you will be able to:

  • Identify the steps needed to start implementing Zero Trust security
  • Understand the benefits of Zero Trust

How Zero Trust security works

Zero Trust is a security approach built on the assumption that threats are already present within an organization. In a Zero Trust approach, no user, device, or application is automatically "trusted" — instead, strict identity verification is applied to every request anywhere in a corporate network, even for users and devices already connected to that network.

A Zero Trust security architecture is constructed on the following principles:

To learn more about these principles and how they combine and reinforce each other, see What is a Zero Trust network?

How to implement Zero Trust security

Implementing comprehensive Zero Trust security can take some time and requires quite a bit of cross-team collaboration. The more complex an organization's digital environment is — i.e. the wider the variety of applications, users, offices, clouds, and data centers it has to protect — the more effort will be required to enforce Zero Trust principles for every request moving between those points.

For this reason, the most successful Zero Trust implementations begin with simpler steps that require less effort and buy-in. By taking these steps, organizations can significantly reduce their exposure to a variety of threats and build buy-in for larger, more systemic improvements.

Here are five such steps:

1. MFA

Multi-factor authentication (MFA) requires two or more authentication factors from users who log in to an application, instead of just one (like a username and password). MFA is significantly more secure than single-factor authentication, due to the difficulty, from the attackers' perspective, of stealing two factors that belong together.

Rolling out MFA is a good way to start tightening security for crucial services, in addition to gently introducing users to a more stringent security approach.

2. Rolling out a Zero Trust policy for crucial apps

Zero Trust considers device activity and posture in addition to identity. Putting Zero Trust policies in front of all applications is the end goal, but the first step is to do so in front of mission-critical applications.

There are several ways to put a Zero Trust policy between device and application, including via encrypted tunnel, proxy, or single sign-on (SSO) provider. This article has more details on configuration.

3. Cloud email security and phishing protection

Email is a major attack vector. Malicious emails can come even from trusted sources (via account takeover or email spoofing), so applying an email security solution is a huge step towards Zero Trust.

Users today check email via traditional self-hosted email applications, browser-based web applications, mobile device applications, and more. For this reason, email security and phishing detection is more effective when cloud-hosted — it can then easily filter emails from any source and for any destination, without tromboning email traffic.

4. Closing unnecessary ports

In networking, a port is a virtual point where a computer can receive inbound traffic. Open ports are like unlocked doors that attackers can use to penetrate inside a network. There are thousands of ports, but most are not used regularly. Organizations can close unnecessary ports in order to protect themselves from malicious web traffic.

5. DNS filtering

From phishing websites to drive-by downloads, insecure web applications are a major source of threats. DNS filtering is a method for preventing untrusted websites from resolving to an IP address — which means anyone behind the filter cannot connect to such websites at all.

More on Zero Trust implementation

These five steps will get an organization well on its way to a full Zero Trust security framework. Cloudflare offers a white paper that breaks down these steps in more detail. Download: "A Roadmap to Zero Trust Architecture."