Roadmap to Zero Trust

Learn 5 simple projects toward a Zero Trust future

Zero Trust adoption is complex, but getting started doesn’t have to be

Adopting Zero Trust security is widely recognized as a difficult journey. In many ways, this reputation is well deserved. Zero Trust requires work that security and IT are justifiably cautious about: re-thinking default-allow policies and perimeter-based network architecture, collaboration between functionally different teams, and putting faith in new security services. Organizations may postpone this transformation for a variety of reasons, including:

• Capacity constraints with competing projects

• Variation in Zero Trust vendor offerings

• Uncertainty about where various applications and resources exist on the network

• Possible disruption to employee productivity

While the Zero Trust framework is quite complex on the whole — the complete roadmap to Zero Trust architecture consists of 27 steps — but, some of which require comparatively little effort, even for small teams with limited time.

Piecemeal Zero Trust adoption

In a networking context, Zero Trust security requires that every request moving into, out of, or within a corporate network is inspected, authenticated, encrypted, and logged. It’s based on the idea that no request should be implicitly trusted, no matter where it comes from or where it’s going.

Making early progress towards Zero Trust means establishing these capabilities where they are not currently present. For organizations starting from scratch, this often means extending these capabilities beyond a single ‘network perimeter.’

Here are five of the simplest Zero Trust adoption projects, focusing on securing users, applications, networks, and Internet traffic. They won’t achieve comprehensive Zero Trust alone, but do offer immediate benefits, and create early momentum for broader transformation.

PROJECT 1

Enforce multi-factor authentication for critical applications

In a Zero Trust approach, the network must be extremely confident that requests come from the entity they claim to. This means establishing safeguards against user credentials being stolen via phishing or data leaks. Multi-factor authentication (MFA) is the best protection against such credential theft. While a complete MFA rollout may take significant time, focusing on the most critical applications is a simpler — but still impactful — win.

Organizations that already have an identity provider in place can set up MFA directly within that provider — e.g. through one-time codes or push notification apps sent to employee mobile devices. For applications not directly integrated with your IdP consider using an Application Reverse Proxy in front of the application to enforce MFA.

Organizations with no identity provider in place can take a different approach to MFA. Social platforms like Google, LinkedIn, and Facebook, or one-time passwords (OTP), are another way to double-check user identities. This is a common way to bootstrap access for third-party contractors without adding them to a corporate identity provider, and can also be applied within the company itself.

PROJECT 2

Zero Trust policy enforcement for critical applications

Enforcing Zero Trust means more than simply verifying user identities. Applications must also be protected with policies that always verify requests, consider a variety of behavior and contextual factors before authenticating, and continuously monitor activity. As in Project 1, implementing these policies becomes simpler when applied to an initial list of critical applications.

This process varies based on the type of application at hand:

1. Private self-hosted applications (addressable only on the corporate network)

2. Public self-hosted applications (addressable over the Internet)

3. SaaS applications

PROJECT 3

Monitor email applications and filter out phishing attempts

Email is not always included in the Zero Trust conversation. Yet, it is the number one way most organizations communicate, the most-used SaaS application, and the most common entry point for attackers. It deserves Zero Trust principles to complement the usual threat filters and inspections.

Deploying cloud email security is a critical step in achieving this. Additionally, security should consider an option to quarantine links in an isolated browser that are not suspicious enough to completely block.

PROJECT 4

Close all inbound ports open to the Internet for application delivery

Open inbound network ports are a common attack vector and should be given Zero Trust protection.

They can be found using scanning technology — from there, a Zero Trust Reverse Proxy can securely expose a web application to the public Internet without opening any inbound ports. The application’s only publicly visible record is its DNS record — which can be protected with Zero Trust authentication and logging capabilities.

As an added layer of security, internal/private DNS can be leveraged using a Zero Trust Network Access solution.

PROJECT 5

Block DNS requests to known threats or risky destinations

DNS filtering is the practice of preventing users from accessing websites and other Internet resources that are known or highly suspected to be malicious. It is not always included in the Zero Trust conversation because it does not involve traffic inspection or logging. But, it can ultimately control where users (or groups of users) can transfer and upload data — which aligns well with the broader Zero Trust philosophy.

DNS filtering can be applied via router configuration or directly on a user machine.

Understanding the broader Zero Trust picture

Implementing these projects can be a relatively straightforward foray into Zero Trust. And any organization that accomplishes them will have made significant progress towards better, more modern security.

Broader Zero Trust adoption remains complicated. To help, we’ve built a vendor-neutral roadmap for the entire Zero Trust journey, covering these five projects and others like them. Some will take far longer than a few days, but the roadmap can provide greater clarity into what Zero Trust adoption means.

Cloudflare offers all of these services through Cloudflare Zero Trust. It can verify, filter, isolate, and inspect all network traffic, all on one uniform and composable platform for easy setup and operations. And, its secure virtual backbone — using a 300+ city global network with over 12,500 interconnections — offers significant security, performance, and reliability benefits compared with the public Internet.

This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.

Key takeaways

• There are 27 comprehensive steps in the Zero Trust roadmap

• 5 Zero Trust adoption projects require comparatively little effort

• The types of services that enable implementation

• How to initiate an adoption roadmap for your organization

Related resources

• Guide: A roadmap to Zero Trust architecture

• What is the principle of least privilege?

• The rise of Zero Trust Network Access

• Extending Zero Trust to the Internet browser