Zero Trust is complex, but getting started doesn’t have to be
By: Kenneth Lai, Vice President, ASEAN at Cloudflare
Adopting Zero Trust is often recognized as a complex journey. In many ways, this reputation is well deserved.
Zero Trust requires work that Security and IT are justifiably cautious about. It involves rethinking default-allow policies and perimeter-based network architecture, enabling collaboration between functionally different teams, and trusting new security services.
Understandably, some organizations may postpone this transformation, citing the uncertainty involved in adopting Zero Trust across the organization. The wide variety of available vendor offerings, coupled with many different information sources, and potential disruption to current workflows, all may deter organizations from deploying Zero Trust security.
That said, the evolving threat landscape that businesses are faced with today is ridden with attackers using increasingly sophisticated methods to target unsuspecting victims. Cloudflare’s own data across its network, one of the world’s largest and most interconnected, revealed that an average of 7.7 billion[1] cyber threats per day targeted the Southeast Asia region in Q2 2024.
In other words, a Zero Trust approach may no longer be an optional strategy in today’s digital age. Security leaders need to rise to the occasion and take charge of their organization’s security posture, or risk being vulnerable to cyber attacks.
Taking the first step towards Zero Trust adoption
What exactly does Zero Trust entail? In a networking context, Zero Trust security requires that every request moving into, out of, or within a corporate network is inspected, authenticated, encrypted, and logged. It’s based on the idea that no request should be implicitly trusted, no matter where it comes from or where it’s going. Every request must be validated.
Making early progress toward Zero Trust means establishing these capabilities where none are currently present. For organizations starting from scratch, this often means extending capabilities beyond a single ‘network perimeter.’
Here are five of the simplest Zero Trust adoption projects that focus on securing users, applications, networks, and Internet traffic. They won’t achieve comprehensive Zero Trust alone, but they do offer immediate benefits, create early momentum and lay the foundation for broader transformation.
- Multi-factor authentication for critical applications
In a Zero Trust approach, the network must be extremely confident that requests come from trusted entities. Organizations need to establish safeguards against user credentials being stolen via phishing or data leaks. Multi-factor authentication (MFA) is the best protection against such credential theft. While a complete MFA rollout may take significant time, focusing on the most critical applications is a simpler yet impactful win.
Organizations that already have an identity provider in place can set up MFA directly within that provider, through one-time codes or in-app push notifications sent to employee mobile devices. Even without an identity provider in place, organizations can opt for a different, simple route. Using social platforms such as Google, LinkedIn, and Facebook, or one-time passwords (OTP) sent to a mobile number, can help double-check user identities.
These are common ways to DIY access for third-party contractors without adding them to a corporate identity provider, and can also be applied within the company itself.
- Zero Trust policy enforcement for critical applications
Enforcing Zero Trust is more than simply verifying user identities. Applications must also be protected with policies that always verify requests, consider a variety of behavior and contextual factors before authenticating, and continuously monitor activity. As in Project 1, implementing these policies becomes simpler when applied to an initial list of critical applications.
- Monitor email applications and filter out phishing attempts
Email is the number one way most organizations communicate, the most-used SaaS application, and the most common entry point for attackers. Organizations need to ensure they apply Zero Trust principles to their email to complement their standard threat filters and inspections.
Additionally, security professionals should consider using an isolated browser to quarantine links that are not suspicious enough to completely block.
- Close all inbound ports open to the Internet for application delivery
Open inbound network ports are another common attack vector and should be given Zero Trust protection, only accepting traffic from known, trusted, verified sources.
These ports can be found using scanning technology. Then, A Zero Trust reverse proxy can securely expose a web application to the public Internet without opening any inbound ports. The application’s only publicly visible record is its DNS record — which can be protected with Zero Trust authentication and logging capabilities.
As an added layer of security, internal/private DNS can be leveraged using a Zero Trust Network Access solution.
- Block DNS requests to known threats or risky destinations
DNS filtering is the practice of preventing users from accessing websites and other Internet resources that are known or highly suspected to be malicious. It is not always included in the Zero Trust conversation because it does not involve traffic inspection or logging.
However, with DNS filtering in place, organizations can ensure there are safeguards as to where users (or groups of users) can transfer and upload data — which aligns well with the broader Zero Trust philosophy.
Understanding the broader Zero Trust picture
Implementing these five projects can be a relatively straightforward foray into Zero Trust. Any organization that completes these projects will have made significant progress toward better, more modern security, and established a sound foundation while doing so.
That said, broader Zero Trust adoption remains a complex topic for organizations today. Everyone’s journey will be slightly different, depending on business priorities, needs, and future plans.
Importantly, security leaders need to set out clear objectives in a Zero Trust roadmap to regain control of their IT environment. Malicious attacks are getting more creative than ever before, finding effective ways to infiltrate organizations and obfuscate security teams through the many digital touchpoints present today. Only with a clear plan can organizations make their employees, applications, and networks faster and more secure everywhere, while reducing complexity and cost.