Zero Trust Best Practices

Best Practices for Zero Trust Security

Zero trust security is not a product, it’s a process. Below are six best practices that organizations should observe on the path to zero trust security.

Verify all users with multi-factor authentication (MFA)

It is often said that zero trust is rooted in the principle of “never trust, always verify.” But, properly implemented, is it more accurate to say that zero trust is rooted in the principle of “never trust, always verify and verify again.”

Gone are the days where a username and password would be enough to validate a user’s identity. Today, these credentials must be fortified using multi-factor authentication (MFA). Additional authenticating factors may consist of one or more of the following:

• Something you know: This can be a password, a security question, a PIN, zip code, or any other piece of information that is personal.
• Something you have: Usually a verification SMS, a prompt sent to your phone, generated codes in authenticator apps, a hardware token, etc.
• Something you are: This can be a biometric such as a fingerprint scan, retina scan, face scan, or voice.

When implementing zero trust architecture, the identity of every user accessing your network (privileged user, end-user, customers, partners…) should be verified using multiple factors. And these factors can be adjusted depending on the sensitivity of the data/ resources being accessed.

Verify all devices:

Verifying your users is necessary but not sufficient. The principles of zero trust also extend to endpoint devices. Device verification includes ensuring that any device used to access your internal resources meets your company’s security requirements. Look for a solution that allows you to track and enforce the status of all devices with easy user onboarding and offboarding.

Implement the Principle of Least Privilege

The principle of least privilege (PoLP) determines what you can access in a zero-trust environment. It is based on the idea that a particular user should only be granted just enough privileges to allow them to complete a particular task.

For example, an engineer who only deals with updating lines of legacy code does not need to access financial records. PoLP helps contain the potential damage in the event of a security compromise.

Least privilege access can also be expanded to include “just in time” privileged access. This type of access restricts privileges to only the specific times when they are needed. This includes expiring privileges and one-time-use credentials.

Monitor & Audit Everything:

Apart from authenticating and assigning privileges, you should also monitor and review all user activity across the network. This will help identify any suspicious activity in real time. Visibility is especially important for users who have administrative rights due to the sheer scope of their access permissions and the sensitivity of the data they can reach.

Adopt Attribute-Based Controls:

Use attribute-based controls to authorize access to resources across your security stack – from cloud and on-prem applications, to APIs, to data, and infrastructure. These will let the administrator easily adjust and enforce access policies in order to block suspicious events in real-time.

Consider your end users:

Don’t let the perfect be the enemy of the good. Implementing the perfect zero trust strategy that your end-users hate to use is not a very good strategy. You end-users just want to work. Consider a strategy and products that create the most frictionless and SaaS-like experience for your team.