Moving to a Zero Trust approach does not have to be overly complex. Organizations can start by implementing MFA, closing unnecessary ports, and a few other simple steps.
After reading this article you will be able to:
Zero Trust is a security approach built on the assumption that threats are already present within an organization. In a Zero Trust approach, no user, device, or application is automatically "trusted" — instead, strict identity verification is applied to every request anywhere in a corporate network, even for users and devices already connected to that network.
A Zero Trust security architecture is constructed on the following principles:
To learn more about these principles and how they combine and reinforce each other, see What is a Zero Trust network?
Implementing comprehensive Zero Trust security can take some time and requires quite a bit of cross-team collaboration. The more complex an organization's digital environment (that is, the wider the variety of applications, users, offices, clouds, and data centers it has to protect), the more effort is required to enforce Zero Trust principles for every request moving between those points.
For this reason, the most successful Zero Trust implementations begin with simpler steps that require less effort and buy-in. By taking these steps, organizations can significantly reduce their exposure to a variety of threats and build buy-in for larger, more systemic improvements.
Here are five such steps:
Multi-factor authentication (MFA) requires two or more authentication factors from users who log in to an application, instead of just one (like a username and password). MFA is significantly more secure than single-factor authentication, because an attacker has to steal two factors that belong to the same user, not just one.
Rolling out MFA is a good way to start tightening security for crucial services, in addition to gently introducing users to a more stringent security approach.
Zero Trust considers device activity and posture in addition to identity. Putting Zero Trust policies in front of all applications is the end goal, but the first step is to do so in front of mission-critical applications.
There are several ways to put a Zero Trust policy between device and application, including via encrypted tunnel, proxy, or single sign-on (SSO) provider. This article has more details on configuration.
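The following is an added example (not Cloudflare's code or a description of any specific product) of the kind of policy evaluation a proxy or SSO provider performs in front of a mission-critical application: identity alone is not enough, so the request is checked against group membership, whether a second factor was presented, and the device's posture. The app names, policies, and posture attributes are constructed for illustration; the one behaviour worth copying is that an application with no policy is denied by default.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class DevicePosture:
    managed: bool          # enrolled in the organization's device management
    disk_encrypted: bool
    os_patched: bool


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: FrozenSet[str]
    mfa_satisfied: bool    # a second factor was presented in this session
    device: DevicePosture
    app: str


@dataclass(frozen=True)
class AppPolicy:
    allowed_groups: FrozenSet[str]
    require_mfa: bool = True
    require_managed_device: bool = True
    require_disk_encryption: bool = True
    require_patched_os: bool = True


@dataclass
class Decision:
    allow: bool
    reasons: List[str]


# Constructed policies: the mission-critical app gets the full set of checks;
# the low-sensitivity app still requires identity plus MFA.
POLICIES: Dict[str, AppPolicy] = {
    "payroll": AppPolicy(allowed_groups=frozenset({"finance"})),
    "wiki": AppPolicy(allowed_groups=frozenset({"staff"}),
                      require_managed_device=False,
                      require_disk_encryption=False,
                      require_patched_os=False),
}


def evaluate(req: AccessRequest, policies: Dict[str, AppPolicy] = POLICIES) -> Decision:
    """Evaluate one request. Every applicable check must pass; an app with no policy is denied."""
    policy = policies.get(req.app)
    if policy is None:
        return Decision(False, [f"no policy defined for '{req.app}': default deny"])
    failures: List[str] = []
    if not (req.groups & policy.allowed_groups):
        failures.append("user is not in an allowed group")
    if policy.require_mfa and not req.mfa_satisfied:
        failures.append("MFA not satisfied")
    if policy.require_managed_device and not req.device.managed:
        failures.append("device is not managed")
    if policy.require_disk_encryption and not req.device.disk_encrypted:
        failures.append("disk encryption not enabled")
    if policy.require_patched_os and not req.device.os_patched:
        failures.append("operating system is not patched")
    if failures:
        return Decision(False, failures)
    return Decision(True, ["all checks passed"])


if __name__ == "__main__":
    laptop = DevicePosture(managed=True, disk_encrypted=True, os_patched=True)
    req = AccessRequest("alice", frozenset({"finance", "staff"}), True, laptop, "payroll")
    print(evaluate(req))
```

Returning the list of failed checks rather than a bare deny is what makes such a policy operable: the user sees why access was refused (for example, "device is not managed") and the security team can see in logs which control is doing the work.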
Email is a major attack vector. Malicious emails can come even from trusted sources (via account takeover or email spoofing), so applying an email security solution is a huge step towards Zero Trust.
Users today check email via traditional self-hosted email applications, browser-based web applications, mobile device applications, and more. For this reason, email security and phishing detection are more effective when cloud-hosted: the service can then filter email from any source and for any destination, without tromboning email traffic through a single on-premises gateway.
In networking, a port is a virtual point where a computer can receive inbound traffic. Open ports are like unlocked doors that attackers can use to get into a network. There are thousands of ports, but most are not used regularly. Organizations can close unnecessary ports in order to protect themselves from malicious web traffic.
From phishing websites to drive-by downloads, insecure web applications are a major source of threats. DNS filtering is a method for preventing untrusted websites from resolving to an IP address, which means anyone behind the filter cannot connect to such websites at all.
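The two network-level steps above (closing unnecessary ports and filtering DNS) lend themselves to small checks an administrator can run. What follows is an added example, not code from Cloudflare or this article, covering both: a listening-port audit that parses `ss -ltn` output and flags network-reachable listeners not on an allowlist, and a DNS filter that decides whether a query should resolve normally or be answered with a sinkhole address. The `ss` output, the allowlist, and the `.example` domain names are all constructed sample data; the sinkhole address `0.0.0.0` is one common convention, not a requirement.

```python
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample in the format printed by `ss -ltn` on Linux (TCP listeners only).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       4096    127.0.0.1:5432       0.0.0.0:*
LISTEN  0       511     *:80                 *:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       50      0.0.0.0:3306         0.0.0.0:*
LISTEN  0       128     [::1]:6379           [::]:*
"""

LOOPBACK_PREFIXES = ("127.", "[::1]", "::1")


def parse_listeners(ss_output: str) -> List[Dict]:
    """One record per LISTEN line: port, bind address, and whether it is loopback-only."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port_text = fields[3].rsplit(":", 1)   # handles "[::]:22" and "*:80"
        listeners.append({
            "port": int(port_text),
            "address": addr,
            "loopback_only": addr.startswith(LOOPBACK_PREFIXES),
        })
    return listeners


def audit_ports(ss_output: str, allowed_ports: Set[int]) -> List[str]:
    """Flag every listener reachable from the network whose port is not on the allowlist.
    Loopback-only services are skipped: they are not a door into the host from outside."""
    findings = []
    for entry in parse_listeners(ss_output):
        if entry["loopback_only"] or entry["port"] in allowed_ports:
            continue
        findings.append(f"port {entry['port']} listening on {entry['address']} is not on the allowlist")
    return findings


SINKHOLE_A = "0.0.0.0"   # address returned instead of the real answer for blocked names


def normalize(name: str) -> str:
    return name.strip().rstrip(".").lower()


def parent_domains(name: str) -> Iterable[str]:
    """Yield the name and each parent: a.b.example -> a.b.example, b.example, example."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


class DnsFilter:
    def __init__(self, blocklist: Iterable[str], allowlist: Iterable[str] = ()):
        self.blocklist = {normalize(d) for d in blocklist}
        self.allowlist = {normalize(d) for d in allowlist}

    def decide(self, qname: str) -> Optional[str]:
        """Return None to let the query resolve normally, or the sinkhole address to answer
        with instead. Matching is label-aligned (malware.example.com is not a child of
        malware.example) and the most specific entry wins, so an allowlist entry can carve
        a subdomain out of a blocked zone."""
        for candidate in parent_domains(qname):
            if candidate in self.allowlist:
                return None
            if candidate in self.blocklist:
                return SINKHOLE_A
        return None


if __name__ == "__main__":
    for finding in audit_ports(SAMPLE_SS_OUTPUT, {22, 80, 443}):
        print(finding)
    dns = DnsFilter(blocklist=["malware.example", "phish.example"])
    print(dns.decide("cdn.malware.example."))   # sinkhole address
```

The port audit is deliberately conservative about what it skips: a service bound to `127.0.0.1` or `::1` is invisible from the network, whereas anything bound to `0.0.0.0`, `*`, or `[::]` must be justified by the allowlist. The DNS filter's label-aligned matching avoids the classic mistake of blocking by substring, which would either miss `evil-example.test` or wrongly block `notmalware.example`.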
These five steps will get an organization well on its way to a full Zero Trust security framework. Cloudflare offers a white paper that breaks down these steps in more detail. Download: "A Roadmap to Zero Trust Architecture."
Zero Trust security is a security model that assumes no user or device should be automatically trusted, whether inside or outside the network perimeter. Unlike traditional approaches focused on perimeter defense, a Zero Trust architecture verifies everyone and everything attempting to access resources regardless of location.
Key components include identity verification systems, device health validation tools, and continuous monitoring capabilities. These components work together to evaluate each access request against established security policies before granting resource access.
Microsegmentation divides the network into isolated segments with separate access controls, limiting lateral movement if a breach occurs. It ensures that users and devices can only access the specific resources they need for their role, following the principle of least privilege.
A Zero Trust assessment is an evaluation of an organization’s security posture across all endpoints. Insights from a one-time assessment help organizations identify gaps and risks that should be addressed by adopting Zero Trust principles. Assessments can also be conducted continuously in real time to help organizations fine-tune enforcement of conditional access and gateway policies based on device health and compliance checks.