A Beginner's Guide to Zero Trust

When it comes to preventing cyberattacks, there’s a wide range of software, hardware, and staffing solutions, with more being introduced every day. It may seem like the only way to protect your assets is through artificial intelligence, machine learning, and automation -- choices too expensive for a small or medium-sized business.

But one of the most effective methods for protecting your network and data could be the zero-trust security model, which turns the traditional strategy of “keeping the bad guys out” on its head by assuming everyone is a bad actor until proven otherwise.

It may sound like a lofty goal, but, for SMBs, aspects of this security model could add much-needed layers of protection as cyber threats continue to evolve.

Overview: What is zero-trust security?

Zero-trust security is neither a product nor a service but a fundamental shift in the way we think about security. Rather than defining an attack surface and building a wall around it to keep hackers outside, all users must prove themselves trustworthy, whether they’re inside or outside the network.

According to Amit Bareket, CEO and co-founder of Perimeter 81, zero trust restricts access to the entire network by isolating applications and segmenting network access based on user permissions, authentication, and user verification.

Zero-trust security makes it possible to secure users and devices in ways that perimeter-based security cannot. Its approach ensures IT departments can affirm that all resources, whether they’re on premises or cloud-based, are controlled and protected from the inside out.

The concept works like this: Imagine a house with many rooms. You need a key to get in the front door. Once inside, however, every room is locked, and you’ll need another key for each room you want to enter.

Once inside a room, you’ll need another key to open the closet if you want to access items stored inside. In other words, even if you’re approved to enter the house, you may only have access to items in the kitchen pantry, not those in the bedroom closet.

“This shift is necessary because yesterday’s security technologies are unable to meet today’s security challenges,” says Jason Garbis, senior vice president at secure access company Appgate.

“Traditional network security approaches are failing to adequately protect organizations. Trust is presumed and misplaced because access control is based on an outdated model that allocates trust based on physical locations and cannot efficiently operate in today’s highly distributed environments.”

With zero trust, users gain access based on identity-centric and context-sensitive policies, which are automatically and dynamically enforced.

How does zero-trust security work?

In the traditional “perimeter” security model, trust is enforced at the perimeter (or, at the front door and windows of the house) and, once inside, a user can move anywhere they like. Since this gives the user access to an unprotected number of assets once they’ve logged into the network, a malicious actor can easily move around and collect sensitive data without detection.

By shifting to a zero-trust model, we treat the majority of connected devices -- such as laptops, networks, printers, departmental databases -- as untrusted, enforcing security around the intellectual property that truly needs to be protected. This also simplifies operating with a remote workforce because zero trust considers the workforce the same as the untrusted internet.

Zero-trust security can work on various levels of a computer system (networking, program execution, storage, and more) to block unknown activity. The administrator specifies a set of rules to enumerate permitted activities, and the software will evaluate every activity against that set of rules to determine whether it's on the allowed list. If it’s not, the activity is blocked.

According to Bareket, a business’s zero-trust network should be divided into various levels of trust. Those levels are segmented by how critical the resources are and should limit the number of employees with access to any one level or segment.

Businesses should implement the least-privilege access model into their zero-trust security. This provides access only to an employee who needs the resources to do their job rather than giving all employees access, which can create security issues.

3 advantages of using zero-trust security

Zero-trust security is one of the only security methods that's nearly guaranteed to always work, says Michael Hornby, founder and president of Round The Corner Computers. Even cutting-edge technologies like artificial intelligence may allow threats access.

“The only way to truly block malicious activity is to only allow activity you are sure is not malicious,” Hornby says.

By deploying several layers of security, businesses not only protect more data, they also gain advanced warning about any possible breaches.

Advantage: Within SMB reach

Many of today’s most-hyped security systems boast artificial intelligence, machine learning, and automated threat hunting and remediation. For most SMBs, however, these are outside budgetary and staffing limits.

While the degree of zero-trust practices you deploy will vary based on your financial investment in tools and IT staff, there are a number of helpful and affordable zero trust-based measures you can take to shore up your defenses.

“Unlike large businesses, SMBs don’t have the manpower and financial resources to have their own IT team to ensure the security of the corporate network and systems,” Bareket explains. “With zero-trust security, companies of all sizes can easily implement the zero-trust model to align with their company needs, saving time and money.”

Hornby agrees. His team has been implementing zero-trust practices across its client base, which ranges from four-person companies up to 150 people, with the average being around 25.

“For a small business, third-party software is typically the best way to implement zero trust,” he says. “Microsoft has some built-in application control, but third-party solutions are much easier to implement and can be quite cost-effective.”

Multifactor authentication (MFA) also is an affordable security option that every SMB should be using. Google did a study in 2019 showing that multifactor authentication blocks the vast majority of attacks -- almost 100% in most cases.

“Properly implemented, zero trust takes this to the next level by requiring more frequent authentication and verification,” adds Dustin Bolander, CIO of Clear Guidance Partners Strategy + Technology.

Advantage: Remote control

One major advantage of zero-trust network access is the ability to uniformly provide fine-grained, secure remote access for all users to all resources. This is better than traditional virtual private networks (VPNs), says Garbis, which can only connect users to a single location and often grant far too much network access.

“Adopting a zero-trust approach allows an organization's network to be dynamic and fluid without compromising security,” Garbis says. “For example, it enables the creation of access policies based on identities and attributes rather than just IP addresses, the ability to adjust entitlements and privileges in near real-time, and the ability to isolate critical systems with grained micro-segmentation.”

Because they treat all users as “remote” from a security and access perspective, zero-trust solutions make today's shift to mass work-from-home scenarios more transparent and uneventful.

Additionally, says Jonil Patel, CISO at Threat Protect, zero-trust security provides greater control over cloud computing, which is especially important for remote working. It helps with any audit processes that a business carries out and improves speed and agility while decreasing risk by improving visibility into who is accessing the network.

Advantage: Easy to integrate

Unless an organization is using cloud-based offerings all the time, they will have some private servers, services, or networks to which they need to control access.

A well-designed zero-trust solution will be easily integrated with an organization’s identity management system, Garbis says, so users will benefit from a seamless and transparent authentication and access experience.

IT and security teams will be able to easily define access policies that automatically follow users across their devices, adapt to changing context, and provide consistent security for all types of resources, while significantly reducing their attack surface and risk.

Zero-trust solutions are often a good fit for organizations challenged with providing third parties with secure, limited access to their networks.

Advantage: Device security

Endpoint security has come under increasing scrutiny since so many workers were sent home earlier this year. Using home laptops, printers, and internet connections, it was difficult for many SMBs to guarantee the security of their network when their attack surface was greatly expanded almost overnight.

“By shifting our focus to a zero-trust model, we treat the majority of corporate devices, including user laptops, departmental networks, printers, and more, as untrusted, and enforce security only around the intellectual property that truly needs to be protected,” says Norm Laudermilch, COO at ControlCase.

Zero-trust platforms include attributes of device health, available for inclusion in your company’s data and network access policies. Security teams create policies that grant or deny access based on device posture checks, such as the OS patch level or antivirus presence, so that lax device security on an employee’s part doesn’t put your network at risk.

How to implement zero-trust security

Implementing zero-trust security best practices will mean different things to different companies. Different measures can be adopted depending on your size, your IT budget, your staff resources, and the number of assets and sensitivity of data you need to protect. The key is to think less about individual solutions and more about the overall approach.

“Many vendors claim to offer zero-trust solution products, and many of these products can be elements in a zero-trust solution, but none are comprehensive,” says Jeff Stollman, principal consultant at RMTM.

“Zero trust requires sophisticated access control not only to applications, but also to hardware and data,” Stollman says. “It requires applications that are specially designed to maximize their resistance to attack, as well as operational and physical security, including threat detection and nullification that is typically beyond the budget of small and medium businesses.”

Still, there are manageable and affordable ways for small businesses to deploy a zero-trust approach in securing their network.

1. Data discovery

The first step is to carry out a data audit to fully understand the kind of data you have, its level of sensitivity, and where it resides. Additionally, you’ll want to determine who in your organization has -- and, more importantly, should not have -- access to different segments of data based on the bare minimum access they need to carry out their jobs.

Once you know what you need to protect, you can develop policies and systems to make sure that transitions, traffic, and access are controlled.

2. Top-of-mind security problems

It’s best to start with the obvious. Garbis recommends focusing first on enabling secure cloud adoption, accelerating secure DevOps, or implementing or replacing your VPN for a focused set of users. If any part of that sentence is indecipherable to you, you might need to call in a cyber security consultant to help you evaluate your current state of security and set a path of next best steps to keep your network secure.

“These approaches will solve immediate problems and build momentum for a broader and more strategic zero-trust initiative,” Garbis says. “Top-down leadership and vision around zero trust also is an important ingredient to open doors and knock down organizational or political barriers that otherwise might be in place.”

3. Third-party software solutions

Perhaps one of the easiest tools to immediately deploy is two- or multi-factor authentication.

According to Bolander, SMBs can require all users logging into a computer at the office to use multifactor authentication (MFA), such as a push to an app or a text code on your cell phone, to complete that login.

“Many businesses only require using multifactor if you are remote or not on a company device,” he notes. “If your business uses cloud desktops, logins to the cloud should require another login as well as an MFA prompt to access it.”

Another software tool is a password management system that requires users to login and complete an MFA prompt every single time as opposed to only at initial login. It’s also a good idea to look into the best endpoint security software solutions to protect remote workers’ home devices.

Many businesses use Microsoft Office 365, and “there are some great zero-trust tools available in it, especially when you upgrade to the M365 Business Premium licenses,” according to Bolander. His team deploys Cisco Duo for all its clients because it has an affordable package that costs $3 per user per month.

Bolander reminds SMBs that if they choose to go this route, IT consultants, managed IT, and software vendors often pose the biggest security risk, so make sure their accounts are required to be as secure as you can make them.

4. A long-term plan

Zero-trust security is not a one-and-done fix. Since there is no single packaged solution that will put these best practices into place, you’ll need to consider your long-term plan for securing your network and perhaps implement various layers of protection in stages.

If you need some help in designing your strategic roadmap to zero-risk security, you may want to look at the Continuous Adaptive Risk and Trust Assessment, which recommends continuous cybersecurity assessments and contextual decision-making based on risk and trust evaluations.

It was introduced by Gartner in 2010, and the approach checks an access-seeking user or device and then calculates a balance of risk and trust associated with it.

As security threats evolve and as your company grows, you’ll want to frequently revisit access permissions to be sure you maintain the integrity of your data and systems. More importantly, you’ll want to explore your options for zero-trust risk management, incident response, and endpoint detection and response (EDR) solutions for when a breach is detected.

We never said it would be easy

There are some drawbacks to zero-trust security models, Hornby warns. First, they require a lot of administration -- every permissible activity and update needs to be whitelisted. Second, legitimate traffic is far more likely to be blocked, and, when that happens, users can’t perform their tasks until the administrator whitelists them.

Finally, if it’s not administered correctly, a zero-trust system won’t work properly, so call in an experienced security professional if you aren’t an expert.

“Still, I’d strongly argue that the benefits of zero-trust security outweigh the costs,” says Hornby.

While there are lots of easy ways to implement zero-trust best practices -- such as MFA and password management -- make no mistake that this can be a time-consuming approach that requires managing risk, fully understanding your threat vector, and baking in layers of security across a segmented network. Even if you employ a full-time IT staff on-site, you may need to bring in consultants to get things started.