5 Zero Trust Best Practices for Implementation

Zero trust implementation can materially improve your security posture, but a handful of best practices will help you get the most out of your zero trust framework.

What are the main concepts of zero trust? The main concepts of zero trust are:

  • User Authentication
  • Least Privilege Access
  • Continuous Monitoring
  • Response and Remediation

What Is Zero Trust?

As the name suggests, “zero trust” is an approach to system and network security where trust between that system and a user or device is never assumed but always re-examined and re-established as the user performs actions and interacts with resources.

So, for example, once a user has logged in to an application or a server, that login is not treated as a standing grant. Each time the user’s context changes (moving to a new server, opening different files, launching a different application, etc.), the access decision is re-evaluated, and policy may require the user to re-authenticate, for example with a step-up MFA prompt, before the new resource is granted.

This lack of inherent trust between a system and a user extends across all resources in a system, calling for rigorous and ongoing monitoring of security related to data, applications, and network resources. Implementing several types of security technologies to promote zero-trust principles is called a zero-trust architecture.

Zero-Trust Architecture

Implementing a technical architecture to ensure zero-trust practices means covering every attack surface through which an attacker could abuse implicit trust to breach a system. The particulars will vary from system to system and between organizations, but the National Institute of Standards and Technology (NIST) has published a reference framework for ZTA.

NIST Special Publication 800-207, “Zero Trust Architecture,” offers a generalized approach to zero trust that addresses the core requirements for ZTA. This document defines the core logical components of a ZTA, the policy engine, policy administrator, and policy enforcement point, along with the data sources that feed them, such as continuous diagnostics and mitigation (CDM) systems, industry compliance systems, threat intelligence feeds, and network and system activity logs.

Further, this publication also provides suggestions for implementing actual architecture around these components, including:

  • Enhanced Identity Governance: This approach calls for the use of policies around actor identities, including roles, attributes, use history, devices used, and environmental factors.
  • Micro-Segmentation: This approach follows a strategy of segmenting network resources from one another such that users, data, and system assets are logically separated from each other and connected via network gateways.
  • Network Infrastructure and Software-Defined Perimeters: This approach uses the network infrastructure itself, typically a software-defined overlay that can operate at layer 7 or lower of the Open Systems Interconnection (OSI) model, to build a perimeter around each resource and to monitor and enforce zero-trust policy on the traffic that crosses it.

While there are several different components, layers, and models for zero-trust architecture, some basic features will always be present:

  • User Authentication: Strong authentication, almost always through multi-factor methods, is necessary at every access point, not just the perimeter. Without a reliable and secure way to verify user identities each time they try to access resources, there is no ZTA.
  • Least Privilege Access: In ZTA, it’s critical that the system re-authorize users as they interact with new resources and applications. Moreover, this re-authorization should follow the Principle of Least Privilege, which states that resource access should extend only as far as the user’s immediate job or task requires.
  • Continuous Monitoring: NIST states that a true ZTA never assumes a resource or user is inherently trustworthy; both must be continuously monitored, and the result of that monitoring feeds back into access decisions.
  • Response and Remediation: Any breach, suspected compromise, or discovered vulnerability must be addressed and remediated immediately, and every security event must trigger a defined response, such as revoking a session or quarantining a device.
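As an added example (not NIST’s text and not 1Kosmos’s code), the following Python models these four features as one policy engine sitting behind a policy enforcement point, in the spirit of SP 800-207’s component split: every request is decided from scratch against MFA status, device validation and a least-privilege role table, sensitive resources demand a fresh MFA event, and a session that has been allowed into one resource is re-authorized, not trusted, when it asks for another (the behaviour described under “What Is Zero Trust?” above). The role names, resources, 15-minute MFA window, device checks and fixed clock are all constructed for illustration.

```python
"""Per-request access decisions in the style of NIST SP 800-207's policy engine /
policy enforcement point split. Added example: not NIST's or 1Kosmos's code.
The roles, resources, MFA freshness window and device checks are constructed."""
from dataclasses import dataclass, field, replace
from datetime import datetime, timedelta
from typing import Optional

# Least-privilege role table (constructed): role -> {resource: set of allowed actions}
ROLE_PERMISSIONS = {
    "developer": {"git-repo": {"read", "write"}, "ci-logs": {"read"}},
    "finance": {"payroll-db": {"read"}, "expense-app": {"read", "write"}},
    "admin": {"git-repo": {"read", "write", "admin"}, "payroll-db": {"read", "write"}},
}
# Resources that require a fresh MFA event, not merely a valid session (constructed)
HIGH_SENSITIVITY = {"payroll-db"}
MFA_MAX_AGE = timedelta(minutes=15)

# Fixed clock so the example is deterministic (constructed)
DEMO_NOW = datetime(2024, 1, 1, 12, 0, 0)


def minutes_ago(n: int) -> datetime:
    return DEMO_NOW - timedelta(minutes=n)


@dataclass(frozen=True)
class AccessRequest:
    subject: str
    roles: frozenset                     # roles asserted by the identity provider
    device_managed: bool                 # enrolled in device management
    device_posture_ok: bool              # e.g. disk encrypted, EDR running, OS patched
    mfa_verified_at: Optional[datetime]  # None if no MFA event exists for this session
    resource: str
    action: str
    now: datetime


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)  # empty when allowed


def evaluate(req: AccessRequest) -> Decision:
    """Policy engine: every request is judged from scratch; nothing is inherited
    from an earlier allow. All failing checks are reported, not just the first."""
    reasons = []
    # 1. Strong authentication: an MFA event must exist for this session.
    if req.mfa_verified_at is None:
        reasons.append("no MFA on record")
    # 2. Least privilege: some role must grant exactly this action on this resource.
    granted = any(
        req.action in ROLE_PERMISSIONS.get(role, {}).get(req.resource, set())
        for role in req.roles
    )
    if not granted:
        reasons.append(f"no role grants {req.action} on {req.resource}")
    # 3. Device validation: an unmanaged or unhealthy device is never trusted,
    #    whoever is using it.
    if not (req.device_managed and req.device_posture_ok):
        reasons.append("device failed validation")
    # 4. Step-up: sensitive resources require MFA more recent than MFA_MAX_AGE.
    if req.resource in HIGH_SENSITIVITY and req.mfa_verified_at is not None:
        if req.now - req.mfa_verified_at > MFA_MAX_AGE:
            reasons.append("MFA too old for sensitive resource; step-up required")
    return Decision(allow=not reasons, reasons=reasons)


def enforce_session(session: AccessRequest, accesses) -> dict:
    """Policy enforcement point: one logged-in session touching several resources.
    Each (resource, action) pair is re-authorized independently; an earlier allow
    on git-repo says nothing about payroll-db."""
    return {
        (res, act): evaluate(replace(session, resource=res, action=act)).allow
        for res, act in accesses
    }


if __name__ == "__main__":
    alice = AccessRequest("alice", frozenset({"developer"}), True, True,
                          minutes_ago(5), "git-repo", "write", DEMO_NOW)
    print(evaluate(alice))
    print(enforce_session(alice, [("git-repo", "write"), ("ci-logs", "read"),
                                  ("payroll-db", "read")]))
```

Note that `evaluate` reports every failed check rather than short-circuiting on the first: that is what a policy administrator needs to choose the right remediation (issue a step-up challenge versus quarantine the device), and it is also what an auditor wants to see in the decision log.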

What Are Some Best Practices for Implementing Zero-Trust Architecture?

Best practices in zero-trust systems revolve around maintaining the level of security required to ensure that the entire concept of always-on verification and monitoring is reliable. These best practices, therefore, extend across the entire landscape of technologies used within a system, albeit with different applications depending on the context (user identification, monitoring, etc.).

Some of these best practices include:

  1. Utilize Multi-Factor Authentication: A best practice for almost any security posture, and one specifically called out by NIST in its zero-trust framework, is using MFA to strengthen authentication. Because properly identifying and vetting the users logging in to a system is so critical to ZTA and all the components therein, the importance of strong MFA can’t be overstated. Rock-solid authentication is the baseline for ZTA, the “front door” of system access, and anything that bolsters it (passwordless authentication, hardware-backed MFA, liveness detection, identity assurance) belongs here.
  2. Validate Devices: Your employees and users will connect from a variety of devices, whether mobile devices or laptops, over networks you do not control. Under ZTA, you cannot simply trust that a device that has been verified once is forever trustworthy; a device validation solution that re-checks device identity and posture (patch level, disk encryption, endpoint protection) on an ongoing basis is necessary, and an unmanaged or out-of-policy device should be denied regardless of who is using it.
  3. Create Zero-Trust Networks: A zero-trust network (ZTN) is a sub-component of ZTA, focusing specifically on user interactions and network components. A ZTN re-verifies user access whenever a session moves between devices, gateways, or network segments, rather than treating a position inside the network as proof of legitimacy.
  4. Lean on the Principle of Least Privilege: The Principle of Least Privilege dictates that no user or process holds privileges beyond exactly what it needs to accomplish its current task. While this might seem like a no-brainer, privilege creep slips easily into systems with complex user hierarchies or without proper role administration. By following PoLP, you bound the blast radius of a compromised account to what that account legitimately needed.
  5. Implement Automation: Behavioral monitoring and machine learning have become useful tools for helping security teams understand potential threats. These solutions are quickly becoming a standard monitoring component, particularly in ZTA contexts where administrators must explicitly assume that any user or resource could be compromised, and where the volume of access decisions and session events is far too large to review by hand.
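Best practices 3 and 5 are about what happens after an allow: the session keeps being watched, and context changes are acted on automatically. As an added example, not from the original article or any product, the following Python replays a constructed access log and turns session context changes into actions: a source IP change mid-session triggers a step-up challenge, a device change revokes the session outright (the session was bound to the validated device), and a burst of denied requests revokes it as probable probing. The log format, the thresholds and every event are constructed for illustration.

```python
"""Continuous session monitoring over a constructed access log. Added example,
not the article's or any product's code. Each event is (timestamp_seconds,
session_id, user, src_ip, device_id, resource, outcome); thresholds are made up."""
from collections import defaultdict

# Constructed log. s1 changes source IP mid-session, then hammers resources it is
# denied; s2 silently switches device; s3 behaves normally.
EVENTS = [
    (0,   "s1", "alice", "10.0.0.5",    "dev-A", "git-repo",      "allow"),
    (60,  "s1", "alice", "10.0.0.5",    "dev-A", "ci-logs",       "allow"),
    (120, "s1", "alice", "203.0.113.9", "dev-A", "git-repo",      "allow"),
    (180, "s1", "alice", "203.0.113.9", "dev-A", "payroll-db",    "deny"),
    (185, "s1", "alice", "203.0.113.9", "dev-A", "payroll-db",    "deny"),
    (190, "s1", "alice", "203.0.113.9", "dev-A", "admin-console", "deny"),
    (200, "s2", "bob",   "10.0.0.7",    "dev-B", "expense-app",   "allow"),
    (260, "s2", "bob",   "10.0.0.7",    "dev-C", "expense-app",   "allow"),
    (300, "s3", "carol", "10.0.0.9",    "dev-D", "git-repo",      "allow"),
    (330, "s3", "carol", "10.0.0.9",    "dev-D", "ci-logs",       "allow"),
]

DENY_BURST = 3    # this many denies within DENY_WINDOW seconds -> revoke (constructed)
DENY_WINDOW = 60


def monitor(events):
    """Replays events in time order. Returns (findings, verdicts): findings is a
    list of (ts, session_id, action, reason); verdicts maps session_id to its
    final action, one of 'ok', 'step-up', 'revoke'."""
    baseline = {}               # session -> {"ip": first ip, "device": first device}
    denies = defaultdict(list)  # session -> timestamps of recent denied requests
    verdict = {}
    findings = []
    for ts, sid, user, ip, dev, resource, outcome in sorted(events):
        if verdict.get(sid) == "revoke":
            continue            # a revoked session gets no further evaluation
        verdict.setdefault(sid, "ok")
        base = baseline.setdefault(sid, {"ip": ip, "device": dev})

        # The session was issued to a validated device; a different device
        # presenting the same session token is treated as token theft.
        if dev != base["device"]:
            findings.append((ts, sid, "revoke", f"device changed {base['device']} -> {dev}"))
            verdict[sid] = "revoke"
            continue

        # A network move is suspicious but legitimate often enough that the
        # response is a step-up challenge, not a revocation. The baseline is
        # moved once the challenge is issued; a real system would wait for the
        # challenge result before doing so.
        if ip != base["ip"]:
            findings.append((ts, sid, "step-up", f"source IP changed {base['ip']} -> {ip}"))
            verdict[sid] = "step-up"
            base["ip"] = ip

        # Repeated denials in a short window look like probing for reachable
        # resources, exactly what a compromised account does first.
        if outcome == "deny":
            recent = [t for t in denies[sid] if ts - t <= DENY_WINDOW] + [ts]
            denies[sid] = recent
            if len(recent) >= DENY_BURST:
                findings.append((ts, sid, "revoke",
                                 f"{len(recent)} denied requests within {DENY_WINDOW}s"))
                verdict[sid] = "revoke"
    return findings, verdict


if __name__ == "__main__":
    found, final = monitor(EVENTS)
    for f in found:
        print(f)
    print(final)
```

The point of the three different responses is proportionality: revocation is cheap for the defender but expensive for the user, so it is reserved for signals that have no benign explanation, while ambiguous signals are pushed back to the authentication layer as a step-up challenge.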

Start Your Zero Trust Implementation Strong with 1Kosmos BlockID

One of the critical parts of ZTA, and zero-trust implementation overall is strong authentication. This includes using MFA processes, leveraging strong biometrics, and securing solutions like passwordless authentication.

1Kosmos BlockID can serve as a critical part of a zero-trust architecture by bringing these technologies to bear in an enterprise platform. Our identity verification solution provides passwordless authentication, compliant identity assurance methods, liveness proofing, and simple user interfaces that make onboarding and continued use easier.

These tools include:

  • SIM Binding: The BlockID application uses SMS verification, identity proofing, and SIM card authentication to create solid, robust, and secure device authentication from any employee’s phone.
  • Identity-Based Authentication: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through credential triangulation and identity verification.
  • Cloud-Native Architecture: Flexible and scalable cloud architecture makes it simple to build applications using our standard API and SDK.
  • Identity Proofing: BlockID verifies identity anywhere, anytime and on any device with over 99% accuracy.
  • Privacy by Design: Embedding privacy into the design of our ecosystem is a core principle of 1Kosmos. We protect personally identifiable information in a distributed identity architecture, and the encrypted data is only accessible by the user.
  • Private and Permissioned Blockchain: 1Kosmos protects personally identifiable information in a private and permissioned blockchain and encrypts digital identities so that they are accessible only by the user. The distributed design means there is no central database to breach and no honeypot of credentials for hackers to target.
  • Interoperability: BlockID can readily integrate with existing infrastructure through its 50+ out-of-the-box integrations or via API/SDK.

Read our whitepaper to discover what 1Kosmos brings to a solid zero-trust framework for Going Beyond Passwordless Solutions.

Meet the Author

Javed Shah

Former Senior Vice President Of Product Management

Javed has spent his entire twenty-year career designing and building blockchain and identity management solutions. He has led large customer-facing pre-sales teams and led product management for identity management platforms such as the ForgeRock Identity Platform and the ForgeRock Identity Cloud. Javed has an MBA from UC Berkeley.