How to Implement Zero Trust in Your Organization

A zero-trust security model greatly reduces the risk of password-related cyberattacks. Learn how your organization can implement it.

What is Zero Trust?

Zero trust is an “assumed breach” security model created for cybersecurity solution architects, system integrators and DevOps teams to integrate essential cybersecurity capabilities into a pervasive IT environment that empowers cybersecurity planning and decision-making.

Zero trust does not trust any human users or devices, regardless of where they are located. In a zero-trust environment, all users and devices must be authenticated before they can access organizational resources. Instead of relying on where users are, zero trust makes them prove who they are.

Implemented properly, zero-trust network access provides IT administrators with full visibility into all users, systems and devices. People, apps and services can communicate securely, even across network environments. It doesn’t matter if users are connecting from their homes, hotels, coffee shops or airports, or even if they’re using their own devices. Administrators can see exactly who’s connecting to the network, where they are and what they’re accessing.

The Three Principles of Zero Trust

Three guiding principles form the core of zero-trust security.

  • Assume Breach

    Any human or device could potentially be compromised, even if they’re connecting from inside the office.

  • Verify explicitly

    All humans and machines must prove they are who they say they are before they can access network resources.

  • Ensure Least-Privilege

    Even after a user has been verified explicitly, they should only have the minimum amount of network access they need to perform their jobs – and no more.

How To Choose a Zero-Trust Solution

There are many zero-trust-compatible cybersecurity solutions on the market, but not all of them are suitable for your specific data environment and business needs. Ask yourself the following questions when choosing a zero-trust solution:

Does the solution require that components be installed on the client asset?

Client-side solutions could limit business processes and delay productivity. They also create additional administrative overhead for your IT team.

Does the solution work in cases where business process resources exist on-premises?

Some solutions assume that requested resources reside in the cloud (so-called north-south traffic) and not within an enterprise perimeter (east-west traffic). This poses a problem in hybrid cloud environments, where legacy line-of-business apps that perform critical functions may be run on-premises because migrating them to the cloud isn’t feasible.

Does the solution provide a means to log interactions for analysis?

Zero-trust access decisions depend heavily on the collection and use of data related to process flow – especially for privileged accounts.

Does the solution provide broad support for different applications, services and protocols?

Some solutions may support a broad range of protocols (SSH, web, etc.) and transports (IPv4 and IPv6), but others may only work with web or email.

Does the solution require changes to existing workflows?

Some solutions may require additional steps to perform a given workflow, which could require your organization to make changes to your existing workflows.

The Pillars of Zero-Trust Security

Once you’ve chosen a zero-trust solution, you should plan your zero-trust implementation around the following six pillars, all of which must be assessed, and then updated or replaced accordingly.

  • Identity

    In a zero-trust model, every user – both human and machine – must have a unique digital identity. Whenever this identity requests access to a resource, the system must verify it with strong authentication, backed up with behavioral analysis to ensure that the access request isn’t anomalous for that user. Once the identity is authenticated, the user’s network access must follow least-privilege principles.

    You can achieve this by ensuring users have strong, unique passwords for every account and enable Multi-Factor Authentication (MFA) wherever it is supported. Additionally, organizations should deploy real-time detection, automated remediation and connected intelligence solutions to both monitor for account compromise and respond to potential problems.

  • Data

    In today’s cloud-based environments, data resides everywhere, and it must be governed everywhere it resides. This involves strictly controlling and restricting data access according to least-privilege principles and ensuring that data is encrypted both at rest and in transit.

  • Network

    Segment networks to prevent threat actors from moving laterally and accessing sensitive resources. Utilize “in-pipe” network security controls to enhance visibility, including tools for real-time threat protection, end-to-end encryption, monitoring and analytics.

  • Applications

    Application access and privileges must be controlled and restricted as rigorously as the data itself. Gate access to apps, monitor app usage for anomalous behavior, and use Role-Based Access Control (RBAC) to ensure that users’ in-app permissions are appropriate and follow least-privilege principles.

  • Endpoints

    Only compliant and trusted apps and devices should be permitted to access data. Before allowing employees to access company apps on mobile devices, require them to enroll their devices in Mobile Device Management (MDM) and have them validated for general health and compliance with company security policies. MDM solutions also give administrators visibility into device health and compliance, as well as the ability to enforce policies and security controls, such as blocking copy/paste or download/transfer.

  • Infrastructure

    Managing permissions for both on-prem infrastructure and cloud-based Virtual Machines (VMs), containers and microservices can be challenging. Automate as many processes as possible. Use Just-In-Time (JIT) access to harden defenses, deploy security analytics to detect anomalies and cyberattacks, and automatically block and flag risky behavior for further investigation and remediation.

Best Practices for Deploying a Zero-Trust Architecture

One of the biggest challenges to implementing zero trust is knowing where to begin. Zero trust has a lot of moving parts, and there are no universal “zero-trust implementation” standards. Here are a few best practices for mapping out your organization’s zero-trust journey.

  • Realize that zero trust is a long-term commitment, not a one-time fix.

    As technology, workflows and the threat environment all shift and change, so will your zero-trust architecture.

  • Make sure you have buy-in from upper management.

    Zero trust requires an "all or nothing" mindset and firm commitment from all levels of leadership. Support from upper management was a commonality among CRA’s “champions” – while a lack of support was the top stumbling block cited by organizations continuing to struggle with zero trust adoption.

  • Start small.

    To avoid business disruptions, start a zero-trust deployment by first migrating low-risk business resources, then segueing to more critical resources after your team has more experience with the zero trust model.

  • When in doubt, focus on IAM first and foremost.

    Identity and Access Management (IAM) is the most frequently-implemented component of zero-trust, with 95% of organizations having an IAM solution in place.

How Keeper Can Help Your Organization Adopt Zero Trust

Keeper’s zero-trust, zero-knowledge cybersecurity suite enables organizations to adopt zero-trust remote access for their distributed workforces, with strong authentication and granular visibility and control. KeeperPAM™ – Keeper’s next-generation privileged access management solution – unifies Keeper Enterprise Password Manager (EPM), Keeper Secrets Manager (KSM) and Keeper Connection Manager (KCM).

By unifying EPM, KSM and KCM, Keeper provides IT administrators with a pervasive, single pane of glass to track, log, monitor and secure every user on every device from every location, as they transact with all permitted sites, systems and applications.

Implement Zero Trust With Keeper Today

English (US) Call Us