Roadmap to Zero Trust

5 simple projects to advance Zero Trust adoption

Zero Trust adoption is complex, but getting started doesn’t have to be

Adopting Zero Trust security is widely recognized as a difficult journey. In many ways, this reputation is well deserved. Zero Trust requires work that Security and IT are justifiably cautious about: rethinking default-allow policies and perimeter-based network architecture, enabling collaboration between functionally different teams, and putting faith in new security services. Organizations may postpone this transformation for a variety of reasons, including:

  • Capacity constraints with competing projects

  • Variation in Zero Trust vendor offerings

  • Uncertainty about where various applications and resources exist on the network

  • Disruption to employee productivity

The Zero Trust framework is quite complex on the whole — the complete roadmap to Zero Trust architecture consists of 28 comprehensive projects. However, some projects require comparatively little effort, even for small teams with limited time.

Piecemeal Zero Trust adoption

In a networking context, Zero Trust security requires that every request moving into, out of, or within a corporate network is inspected, authenticated, encrypted, and logged. It’s based on the idea that no request should be implicitly trusted, no matter where it comes from or where it’s going.

Making early progress toward Zero Trust means establishing these capabilities where they are not currently present. For organizations starting from scratch, this often means extending capabilities beyond a single ‘network perimeter.’

Here are five of the simplest Zero Trust adoption projects: focusing on securing users, applications, networks, and Internet traffic. They won’t achieve comprehensive Zero Trust alone, but they do offer immediate benefits and can create early momentum for broader transformation.


Enforce multi-factor authentication for critical applications

In a Zero Trust approach, the network must be extremely confident that requests come from trusted entities. Organizations need to establish safeguards against user credentials being stolen via phishing or data leaks. Multi-factor authentication (MFA) is the best protection against such credential theft. While a complete MFA rollout may take significant time, focusing on the most critical applications is a simpler — but still impactful — win.

Organizations that already have an identity provider in place can set up MFA directly within that provider — e.g., through one-time codes or push notification apps sent to employee mobile devices. For applications not directly integrated with your identity provider (IdP), consider using an application reverse proxy in front of the application to enforce MFA.

Organizations with no identity provider in place can take a different approach to MFA. Using social platforms such as Google, LinkedIn, and Facebook, or one-time passwords (OTP), can help double-check user identities. These are common ways to DIY access for third-party contractors without adding them to a corporate identity provider, and these strategies can also be applied within the company itself.


Zero Trust policy enforcement for critical applications

Enforcing Zero Trust means more than simply verifying user identities. Applications must also be protected with policies that always verify requests, consider a variety of behavior and contextual factors before authenticating, and continuously monitor activity. As in Project 1, implementing these policies becomes simpler when applied to an initial list of critical applications.

This process varies based on the type of application at hand:

  • Private self-hosted applications (addressable only on the corporate network)

  • Public self-hosted applications (addressable over the Internet)

  • SaaS applications


Monitor email applications and filter out phishing attempts

Email is the number one way most organizations communicate, the most-used SaaS application, and the most common entry point for attackers. Organizations should apply Zero Trust principles to email to complement their standard threat filters and inspections.

Additionally, Security should consider using an isolated browser to quarantine links that are not suspicious enough to completely block.


Close all inbound ports open to the Internet for application delivery

Open inbound network ports are a common attack vector and should be given Zero Trust protection, only accepting traffic from known, trusted, verified sources.

These ports can be found using scanning technology. Then, A Zero Trust reverse proxy can securely expose a web application to the public Internet without opening any inbound ports. The application’s only publicly visible record is its DNS record — which can be protected with Zero Trust authentication and logging capabilities.

As an added layer of security, internal/private DNS can be leveraged using a Zero Trust Network Access solution.


Block DNS requests to known threats or risky destinations

DNS filtering is the practice of preventing users from accessing websites and other Internet resources that are known or highly suspected to be malicious. It is not always included in the Zero Trust conversation because it does not involve traffic inspection or logging. However, it can ultimately control where users (or groups of users) can transfer and upload data — which aligns well with the broader Zero Trust philosophy.

DNS filtering can be applied via router configuration or directly on a user machine.

Understanding the broader Zero Trust picture

Implementing these five projects can be a relatively straightforward foray into Zero Trust. And any organization that completes these projects will have made significant progress toward better, more modern security.

Broader Zero Trust adoption remains complicated. To help, we’ve built a vendor-neutral roadmap for the entire Zero Trust journey, covering these five projects and others like them. Some will take far longer than a few days, but the roadmap can provide greater clarity into what Zero Trust adoption means.

All of these services are built into the Cloudflare connectivity cloud: a unified platform of cloud-native services designed to help organizations regain control of their IT environment. Cloudflare is the leading connectivity cloud company. It empowers organizations to make their employees, applications, and networks faster and more secure everywhere, while reducing complexity and cost. Powered by one of the world’s largest and most interconnected networks, Cloudflare blocks billions of threats online for its customers every day.

This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.

Key takeaways

After reading this article you will be able to understand:

  • The 28 projects in the Zero Trust roadmap

  • 5 Zero Trust adoption projects that require comparatively little effort

  • The types of services that enable implementation

  • How to initiate an adoption roadmap for your organization

Dive deeper into this topic.

Learn more about Zero Trust and start planning a roadmap for your organization with the complete guide, A roadmap to Zero Trust architecture.

Receive a monthly recap of the most popular Internet insights!