
How to start implementing Zero Trust?

Threats are evolving, and defense does not always adapt quickly enough to effectively counter the many categories of attack: internal threats, zero-day vulnerabilities on VPN gateways, credential theft, password attacks, network layer exploits, or, more commonly, user errors and social engineering.

Usage patterns are also changing, along with the concept of the perimeter. As companies increasingly shift their infrastructures toward the cloud, how can we adapt our security strategy to make it compatible with this new way of thinking about networks and data management?

Zero Trust addresses this issue with a simple principle: never trust, always verify. There are multiple ways to implement such a concept. But where to start?

How to progressively bring this philosophy to your IT system? And most importantly, how to begin this transformation without difficulty?

No Zero Trust without the basics

Most experts will argue that Zero Trust is an advanced concept that can only apply to information systems that have already achieved a certain level of maturity in terms of security. There is some truth to that, but it’s not entirely accurate.

It is entirely possible to start introducing Zero Trust during the construction phase of a system, or within an existing system while it is being secured, as long as you have an initial mapping of the system and an inventory of its users.

By identifying these two elements, you can:

  • Clearly determine where the data to be protected is stored and what the critical services and applications are within the system.

  • Prepare the implementation of an access rights matrix, linking users and applications, in order to eventually implement the principle of least privilege.

This provides a global view of the attack surface, and you can already begin integrating some of the principles rooted in Zero Trust.


Start with multi-factor authentication

“Never trust and always verify” applies quite naturally to authentication methods. Authentication has long relied on the classic username/password pair, but in a Zero Trust strategy that pair on its own is regarded as more vulnerable than ever.

Zero Trust is intimately linked to identity because this principle redefines the notion of trust. Therefore, it is essential to strengthen authentication.

As we already discussed in the article Passwords are going to disappear, multi-factor authentication will evolve in the coming years to become much less cumbersome and more transparent for users.

While we wait for all applications to become compatible with these new methods, many already support MFA via OTP. Starting to implement these measures today will make the next steps much easier.

And, ultimately, what could be more acceptable to a user than moving from using one-time codes to fingerprint verification on their phone?

In short, you should take advantage of multi-factor authentication support by:

  • Using the application mapping obtained earlier to enable MFA on as many applications as is practically achievable.

  • Prioritizing critical applications, and gradually extending its use to minimize risks related to credential theft.

“Now that I know who you are, we can talk.”


Continue with micro-segmentation

Segmenting the network into trusted zones is a concept as old as firewalls, and it’s not something that Zero Trust brings.

However, rethinking segmentation and combining it with Zero Trust by incorporating network least privilege is the logical evolution.

In reality, the idea is to stop thinking about access to applications through opening flows in firewalls or relying on IP addresses and ports to allow or deny access to services.

Instead, think identity, applications, and secure point-to-point connections. This is the essence of Zero Trust applied to the network.

By using the user inventory and an initial access rights matrix, it becomes possible to:

  • Provide point-to-point access between users and applications rather than access to network zones.

  • Close access to applications by default, and gradually open them based on needs, following the predefined access rights matrix.

Here, ZTNA (Zero Trust Network Access) solutions come into play to provide a turnkey method to ensure this principle of micro-segmentation. Chimere specializes in this.

Beyond redefining how to segment the network, ZTNA naturally incorporates features such as end-to-end encryption, exposure elimination, attack surface reduction, high service availability, and fine access traceability.


Go further with contextual access

Is it normal for this contractor to access the application over the weekend, in the middle of the night, from an IP address located on the other side of the world when they should be in the same city as their client?

With Zero Trust, not only do you determine who has the right to access which resource, but also under what conditions and context.

To go further, ZTNA allows for finely associating security policies with users or services to block or allow access.

More specifically, contextual access can be based on the following criteria:

  • Authorized time windows, which depend on the criticality of the service but also on the groups and user permissions for which access is granted.

  • Geographic location, more specifically the zone associated with the source IP address of the user when they attempt to establish their connection.

  • The security posture and type of device the user is attempting to connect with. Is it a managed device? Is the operating system allowed? Does it belong to the right domain? Is the antivirus up to date, and has it detected any recent threats?
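The three building blocks the article describes, the user and application inventory with its access rights matrix, default-deny point-to-point access, and the contextual criteria listed just above, fit together in one policy decision. The block below is an added example, not code from the article or from Chimere's product: a small policy engine in Python where the access matrix is keyed by (group, application), absence of an entry means deny, and each entry carries its own time window, source-country, and device-posture conditions. The users, groups, applications, IP ranges (RFC 5737 documentation addresses) and the tiny geolocation table are all constructed; a real engine would read the inventory from the identity provider and CMDB and query a GeoIP database.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed inventory: user -> groups. A real deployment imports this from the IdP/CMDB.
USERS = {"alice": {"finance"}, "bob": {"contractor"}}


@dataclass(frozen=True)
class Rule:
    """Contextual conditions attached to one (group, application) matrix entry."""
    hours: tuple[int, int] = (0, 24)                 # allowed UTC hours [start, end)
    weekdays: frozenset[int] = frozenset(range(7))   # 0 = Monday
    countries: frozenset[str] | None = None          # None = any source country
    require_managed: bool = False
    allowed_os: frozenset[str] | None = None
    require_domain: str | None = None
    require_av_current: bool = False


# Access rights matrix: no entry for a (group, application) pair means the pair is denied.
ACCESS_MATRIX = {
    ("finance", "payroll"): Rule(hours=(7, 20), weekdays=frozenset(range(5)),
                                 countries=frozenset({"FR"}), require_managed=True,
                                 allowed_os=frozenset({"windows", "macos"}),
                                 require_domain="corp.example", require_av_current=True),
    ("finance", "wiki"): Rule(),
    ("contractor", "ticketing"): Rule(hours=(8, 19), weekdays=frozenset(range(5)),
                                      countries=frozenset({"FR"}), require_av_current=True),
}

# Constructed geolocation table (documentation ranges); a real engine queries a GeoIP database.
GEOIP = [(ip_network("203.0.113.0/24"), "FR"), (ip_network("198.51.100.0/24"), "US")]


def country_of(ip: str) -> str | None:
    addr = ip_address(ip)
    return next((cc for net, cc in GEOIP if addr in net), None)


@dataclass(frozen=True)
class Device:
    managed: bool
    os: str
    domain: str | None
    av_up_to_date: bool
    recent_threats: int


@dataclass(frozen=True)
class AccessRequest:
    user: str
    app: str
    mfa_verified: bool
    source_ip: str
    when: datetime        # timezone-aware
    device: Device


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str           # recorded for access traceability


def _context_failure(rule: Rule, req: AccessRequest) -> str | None:
    """Return the first contextual check that fails, or None when all pass."""
    when = req.when.astimezone(timezone.utc)
    start, end = rule.hours
    if when.weekday() not in rule.weekdays or not start <= when.hour < end:
        return "outside authorized time window"
    if rule.countries is not None:
        cc = country_of(req.source_ip)
        if cc not in rule.countries:
            return f"source country {cc or 'unknown'} not authorized"
    d = req.device
    if rule.require_managed and not d.managed:
        return "unmanaged device"
    if rule.allowed_os is not None and d.os not in rule.allowed_os:
        return f"operating system {d.os} not allowed"
    if rule.require_domain is not None and d.domain != rule.require_domain:
        return "device not joined to the required domain"
    if rule.require_av_current and (not d.av_up_to_date or d.recent_threats > 0):
        return "antivirus outdated or recent threats detected"
    return None


def evaluate(req: AccessRequest) -> Decision:
    """Identity first, then the matrix entry, then its context; everything else is denied."""
    groups = USERS.get(req.user)
    if groups is None:
        return Decision(False, "unknown identity")
    if not req.mfa_verified:
        return Decision(False, "multi-factor authentication not completed")
    failures = []
    for group in sorted(groups):
        rule = ACCESS_MATRIX.get((group, req.app))
        if rule is None:
            continue
        failure = _context_failure(rule, req)
        if failure is None:
            return Decision(True, f"allowed by matrix entry ({group}, {req.app})")
        failures.append(failure)
    if failures:
        return Decision(False, failures[0])
    return Decision(False, f"no access matrix entry for {req.user} -> {req.app}")


def sample_decisions() -> dict[str, Decision]:
    """Constructed requests exercising each stage of the decision."""
    ok = Device(True, "windows", "corp.example", True, 0)
    byod = Device(False, "android", None, True, 0)
    tue_10 = datetime(2024, 6, 11, 10, 0, tzinfo=timezone.utc)   # a Tuesday
    sat_03 = datetime(2024, 6, 15, 3, 0, tzinfo=timezone.utc)    # a Saturday
    return {
        "finance_payroll_office_hours": evaluate(AccessRequest("alice", "payroll", True, "203.0.113.10", tue_10, ok)),
        "finance_payroll_weekend_night": evaluate(AccessRequest("alice", "payroll", True, "203.0.113.10", sat_03, ok)),
        "finance_payroll_byod": evaluate(AccessRequest("alice", "payroll", True, "203.0.113.10", tue_10, byod)),
        "contractor_abroad": evaluate(AccessRequest("bob", "ticketing", True, "198.51.100.5", tue_10, byod)),
        "contractor_no_entry": evaluate(AccessRequest("bob", "payroll", True, "203.0.113.10", tue_10, ok)),
        "no_mfa": evaluate(AccessRequest("alice", "wiki", False, "203.0.113.10", tue_10, ok)),
    }
```

Every decision carries a reason string, which is what gives the "fine access traceability" the article mentions: a denied request for the contractor at 3 a.m. from another country shows up in the log with the exact check that failed rather than as an anonymous firewall drop.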


All these types of checks, though more advanced, are achievable with ZTNA and serve as the foundation for a true Zero Trust policy.

They fully align with the philosophy of the concept, respecting the principle of zero trust and constant verification.

If you’re interested in a French-made Zero Trust solution, feel free to learn more about Chimere or sign up for the newsletter.
