How To Implement A Zero Trust Architecture

Stephanie Hoenig, February 4, 2021

In the age of working from home, the advantages of embracing Zero Trust are more explicit than ever.

From increasing agility and improving user experience to making cloud migration easier and taking the pressure off your internal IT team, there are clear benefits for almost every business. 

But how do you go about actually implementing a Zero Trust architecture?

Here are the steps you need to take…

Understand the Zero Trust Principles

As a first step in implementing Zero Trust architecture within your business, it’s important to start with a clear understanding of the principles behind it. 

Established by Microsoft, the principles of Zero Trust are: always verify, use least privileged access and assume breach. Based on these principles, Zero Trust limits lateral movement to better secure resources by eliminating unknown - or unmanaged - devices.

The Zero Trust model means the identity and health of every device that tries to access data within your business is verified before access is granted. Any attempt to communicate on a given network is assumed to be untrustworthy. If it cannot be verified, access is not granted.

Zero Trust is a relatively new and evolving approach to security adopted and developed primarily by Microsoft to address the security challenges that come with cloud migration and a mobile workforce.

According to Microsoft, who we are proud to partner with, there are four elements that are necessary for an optimum Zero Trust environment. These are:

  • Strong identity authentication everywhere (user verification via authentication)
  • Devices are enrolled in device management and their health is validated
  • Least-privilege user rights (access is limited to only what is needed)
  • The health of services is verified (this is a future goal)

These elements combined are a fundamental part of building a strict boundary around corporate and customer data as part of the Zero Trust approach. 

In case you are not yet familiar with the Zero Trust principles, watch our on-demand webinar for an introduction to the modern security approach.

Make two-factor authentication mandatory

One of the easiest tools to roll out within your business as part of your Zero Trust approach is two-factor (or even multi-factor) authentication. It’s a quick and easy win.

It means any employee logging into a company computer or trying to access the company Cloud is required to have something they ‘know’, like a username and password, and something they ‘own’, like a device to which a code can be sent (either via text or via a dedicated app). 

This isn’t just a straightforward way to dramatically boost security; it also simplifies the user experience as it eradicates the need for employees to memorise complex passwords - and productivity gets boosted because the need to constantly re-authenticate access is eradicated. In other words, it’s a win-win.

There are several third-party software options that can enable you to get two-factor authentication up and running. If you are a Microsoft customer, it’s possible you may already have this available as part of your Office 365 or Microsoft 365 package. You may still need expert help to ensure it’s set up effectively.

Understand your data - and your users

Before you get stuck into understanding the data that your Zero Trust architecture is in place to protect, it’s important to understand your users. 

What data do they use? What data do they share? What applications do they use to do these things? These are the questions you need to ask yourself. 

Then, you’ll need to carry out a data audit. 

The goal with this is to get a clear picture of what kind of data you have within your business, how sensitive it is, how important it is, and exactly where it is stored. 

When assessing the criticality of your data, bear in mind the hypothetical damage that losing it would do to your business. 

You’ll also need to work out who within your company should and - perhaps more importantly - should not have access to certain data in order to be able to do their job. 

Following this, it’s essential to look at how your data flows across your network during its life cycle.

Where does it go? Who accesses it? What’s the purpose of the data? Why does it flow that way? You need to be able to answer these questions about your data so that you understand how to effectively defend it with your new Zero Trust architecture.

Filter and monitor how your data is used

As part of building your Zero Trust architecture, you will need a filtering policy. This is a set of rules that allow certain data flows and block others. This is part and parcel of the ‘micro-perimeters’ that are a foundation of the ‘Never Trust, Always Verify’ approach.

There are various platforms within data centres and via Cloud providers that can enable you to set up filters within your network. You will also need to define the rules of the filters that grant access to the allowed flows. 

Once you have defined what you class as legitimate business connectivity requirements within your filters, it’s possible to initiate an intelligent automation system that compares new requests, and grants or denies access based on the predefined rules. 

Once your filters are running smoothly, it’s not the end of the story. You will need to continuously monitor internal and external activity on the data in order to identify areas for improvement and to identify potential threats. 
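To make the filtering idea concrete, here is a small default-deny policy check in Python. It is an added example, not code from any Microsoft product or from this article's author; the rule names, networks, groups and sample requests are all constructed for illustration. Each request is compared against the predefined rules, and every decision is recorded with a reason so it can be monitored.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:                 # one explicitly allowed data flow
    name: str
    src_net: str            # source network (CIDR)
    dst_net: str            # destination network (CIDR)
    port: int
    groups: frozenset       # user groups permitted to use this flow

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    src_ip: str
    dst_ip: str
    port: int
    device_compliant: bool  # result of the device health check

# Constructed policy: anything not listed here is blocked.
POLICY = [
    Rule("finance-to-ledger-db", "10.10.20.0/24", "10.50.1.10/32", 5432, frozenset({"finance"})),
    Rule("staff-to-intranet", "10.10.0.0/16", "10.50.2.0/24", 443, frozenset({"staff", "finance"})),
]

def evaluate(req, policy=POLICY):
    """Return (allowed, reason); deny unless a rule matches on every field."""
    if not req.device_compliant:
        return False, "device-not-compliant"
    src, dst = ipaddress.ip_address(req.src_ip), ipaddress.ip_address(req.dst_ip)
    for rule in policy:
        if (src in ipaddress.ip_network(rule.src_net)
                and dst in ipaddress.ip_network(rule.dst_net)
                and req.port == rule.port
                and req.groups & rule.groups):
            return True, rule.name
    return False, "no-matching-rule"

# Constructed sample requests.
SAMPLE = [
    Request("alice", frozenset({"finance"}), "10.10.20.15", "10.50.1.10", 5432, True),
    Request("bob", frozenset({"staff"}), "10.10.30.7", "10.50.1.10", 5432, True),
    Request("carol", frozenset({"finance"}), "10.10.20.16", "10.50.1.10", 5432, False),
    Request("alice", frozenset({"finance"}), "10.10.20.15", "10.50.2.5", 443, True),
]

def audit(requests, policy=POLICY):
    # One record per decision, kept for continuous monitoring and review.
    return [(r.user, r.dst_ip, r.port, *evaluate(r, policy)) for r in requests]
```

Reviewing the denied entries over time shows which flows people actually need and which rules are too broad or too narrow.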

 

Establish your long term plan

Implementing Zero Trust architecture within your business isn’t a linear project with a definitive box you can tick at the end to say it’s complete. 

External threats to your network will continue to evolve and you’ll need to regularly reconsider and revisit the access permissions you have granted in order to maintain the security of your network.

It’s also important to consider your long-term Zero Trust plan. A ‘roadmap’ that outlines steps you can take once your basic Zero Trust framework is in place can be helpful for this.

Would you like a bespoke Zero Trust roadmap or a Microsoft 365 Security Assessment for your business? Do you need some friendly support to implement Zero Trust architecture at your firm?


Your local ITEC experts can help. Get in touch today.
