Traditional network architecture was built with the concept of a perimeter network where once someone was on the network, there was an implicit level of trust. The shift toward cloud hosting, remote work and other modernization has created challenges with a traditional perimeter network architecture.
These challenges can be addressed by implementing a Zero Trust Architecture, which ensures that all traffic in and out of a business is verified and authorized. Implementing a Zero Trust Architecture can be done in steps without disrupting employee productivity and connectivity.
This roadmap was built by security experts to provide a vendor agnostic Zero Trust architecture and example implementation timeline. The timeline assumes that an organization is beginning their Zero Trust journey from scratch, but is meant to be useful for all organizations.
There are seven major components to organizational security that need to be considered when it comes to implementing a comprehensive Zero Trust Architecture. Your implementation order does not need to match how they are listed in the component and reference architecture sections below.
Components of a Zero Trust Architecture
Users
- Establish a corporate identity
- Enforce MFA for all applications
Endpoints and Devices
- Implement MDM/UEM to control corporate devices
- Implement endpoint protection
- Inventory all corporate devices, APIs and services
Internet Traffic
- Block DNS requests to known threats
- Block threats behind SSL/TLS
- Monitor inbound emails and filter out phishing attempts
Networks
- Segment user network access
- Use Internet backbones for branch to branch connectivity
- Close all inbound ports open to the Internet for application delivery
Applications
- Inventory all corporate applications
- Zero Trust policy enforcement for applications:
  - Publicly addressable
  - Privately addressable
  - SaaS applications
  - Non-browser apps (SSH, RDP, SMB, thick clients)
- Protect applications from Layer 7 attacks (DDoS, injection, bots, etc.)
- Enforce HTTPS and DNSSEC
Data Loss Prevention and Logging
- Establish a process to log and review traffic on sensitive applications
- Define what data is sensitive and where it exists
- Stop sensitive data from leaving your applications (e.g. PII, CCNs, SSNs, etc.)
- Identify misconfigurations and publicly shared data in SaaS tools
Steady State
- Establish a SOC for log review, policy updates and mitigation
- Stay up to date on known threat actors
- Employ a DevOps approach to ensure policy enforcement for all new resources
- Implement auto-scaling for on-ramp resources
Reference architecture
This is a reference guide that explains each function in a Zero Trust Architecture along with recommended vendors for each function.
Level of effort scale:
🔧 - Small effort; this can be done by an individual or small team
🔧🔧 - Medium effort; this will require a team and advanced preparation
🔧🔧🔧 - Large effort; this will require multiple teams and a project plan
Users
Users include employees, contractors and customers. To implement Zero Trust, an organization must first have an accurate picture of who should actually be trusted, and with what (otherwise known as Identity). Then it must establish a way to securely authenticate the identity of its users.
Endpoints and Devices
Endpoints and Devices include any device, API or software service within an organization, or any that has access to organizational data. Organizations must first understand their full set of devices, APIs and services. Then Zero Trust policies can be implemented based on the context of each device, API and service.
Internet Traffic
Internet Traffic includes all user traffic destined for websites outside of an organization’s control. This can range from business related tasks to personal website usage. All outbound traffic is susceptible to malware and malicious sites. An organization must establish visibility and control over user traffic destined for the Internet.
Networks
Networks include all public, private and virtual networks within an organization. Organizations must first understand their existing set of networks and segment them to prevent lateral movement. Then, Zero Trust policies can be created that granularly control which network segments users, endpoints and devices can access.
Applications
Applications include any resource where organizational data exists or business processes are performed. Organizations must first understand the applications that exist and then establish Zero Trust policies for each application or, in some cases, block unapproved applications.
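The Users, Endpoints and Devices, Networks and Applications descriptions above come together in a per-request policy decision that grants nothing on the basis of network location. The following Python is an added example, not code from the roadmap or from any vendor it lists: the request schema (identity groups, MFA method, MDM enrolment, endpoint-protection health) and the two application policies are constructed assumptions, and an application missing from the inventory is denied by default.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Hypothetical request context (added example; field names are assumptions).
@dataclass(frozen=True)
class Request:
    user: str
    groups: FrozenSet[str]          # from the corporate identity provider
    mfa_method: Optional[str]       # None, "totp" or "hardware_key"
    device_managed: bool            # enrolled in MDM/UEM
    endpoint_healthy: bool          # endpoint protection agent reports healthy
    app: str                        # application name from the inventory

@dataclass(frozen=True)
class AppPolicy:
    allowed_groups: FrozenSet[str]
    require_hardware_key: bool = False
    require_managed_device: bool = False

# Constructed policies for two inventoried applications.
POLICIES = {
    "wiki": AppPolicy(allowed_groups=frozenset({"employees", "contractors"})),
    "payroll": AppPolicy(allowed_groups=frozenset({"finance"}),
                         require_hardware_key=True,
                         require_managed_device=True),
}

def evaluate(req: Request) -> Tuple[bool, List[str]]:
    """Decide one request. Returns (allowed, reasons); reasons is empty on allow.
    The network the request arrived from never grants implicit trust."""
    policy = POLICIES.get(req.app)
    if policy is None:
        # Uninventoried application: default deny rather than default allow.
        return False, ["unknown application: inventory it and write a policy first"]
    reasons = []
    if not (req.groups & policy.allowed_groups):
        reasons.append("identity not in an allowed group")
    if req.mfa_method is None:
        reasons.append("MFA not performed")
    elif policy.require_hardware_key and req.mfa_method != "hardware_key":
        reasons.append("hardware token MFA required")
    if policy.require_managed_device and not (req.device_managed and req.endpoint_healthy):
        reasons.append("device must be MDM-managed with healthy endpoint protection")
    return not reasons, reasons
```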
Data Loss Prevention and Logging
Once you have established all the Zero Trust elements of your architecture to this point, your architecture will be generating large volumes of data on what’s happening inside your network. At this point, it’s time to implement Data Loss Prevention and Logging. These are a set of processes and tools that focus on keeping sensitive data inside of a business and flagging any potential opportunities for data leakage. Organizations must first understand where their sensitive data exists. Then they can establish Zero Trust controls to block sensitive data from being accessed or exfiltrated.
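As an added example (not code from the roadmap or any listed vendor), the following Python shows the kind of detection logic a DLP control applies to outbound application traffic: it scans constructed sample log lines for SSN-shaped values and for card numbers that pass a Luhn check, and masks the matches so they can be logged for review without re-exposing the data. The line format and the helper names are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of outbound response log lines from an internal app.
SAMPLE_LINES = [
    'GET /export/customers 200 body="name=Jane Doe; ssn=123-45-6789"',
    'GET /orders/42 200 body="card=4111111111111111; total=19.99"',
    'GET /orders/43 200 body="card=4111111111111112; total=5.00"',  # fails Luhn
    'GET /health 200 body="ok"',
]

# US SSN shape with the never-issued area/group/serial ranges excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13 to 19 digits, confirmed with the Luhn checksum
# so ordinary numeric IDs of the same length are not flagged.
CARD_RE = re.compile(r"\b\d{13,19}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_sensitive(line: str) -> List[Tuple[str, str]]:
    """Return (kind, value) pairs found in one line."""
    found = [("ssn", m.group()) for m in SSN_RE.finditer(line)]
    found += [("ccn", m.group()) for m in CARD_RE.finditer(line) if luhn_ok(m.group())]
    return found

def mask(value: str) -> str:
    """Keep the last four characters so an analyst can correlate without exposure."""
    return "*" * (len(value) - 4) + value[-4:]

def scan(lines: List[str]) -> Dict[int, List[Tuple[str, str]]]:
    """Map line index -> masked findings for lines that should be blocked or flagged."""
    report = {}
    for i, line in enumerate(lines):
        hits = find_sensitive(line)
        if hits:
            report[i] = [(kind, mask(value)) for kind, value in hits]
    return report
```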
Steady State
Once you have built out your Zero Trust architecture for all the other elements of your organization, there are a set of actions you can take to move your organization to a Zero Trust steady state, ensuring consistency with the architecture moving forward.
Example implementation timeline
Every Zero Trust Architecture deployment is unique but there are a common set of steps that most projects follow. This is a recommended timeline for a business getting started on a Zero Trust Architecture implementation.
| Phase | Action | Recommended vendors |
|---|---|---|
| Phase 1 | ❑ Deploy global DNS filtering | Cisco Umbrella DNS, Cloudflare Gateway, DNSFilter, Zscaler Shift |
| | ❑ Monitor inbound emails and filter out phishing attempts | |
| | ❑ Identify misconfigurations and publicly shared data in SaaS tools | Cloudflare CASB, DoControl, Netskope CASB, Zscaler CSPM |
| Phase 2 | ❑ Establish corporate identity | Microsoft Azure AD, Okta, PingOne, OneLogin |
| | ❑ Enforce MFA for all applications | |
| | ❑ Enforce HTTPS and DNSSEC | Akamai, AWS, Azure, Cloudflare, GCP |
| | ❑ Block or isolate threats behind SSL | |
| | ❑ Zero Trust policy enforcement for publicly addressable applications | Zero Trust reverse proxies: Azure App Proxy, Cloudflare Access, Netskope Private Access, Zscaler Private Access (ZPA) |
| | ❑ Protect applications from Layer 7 attacks (DDoS, injection, bots, etc.) | Akamai, AWS, Azure, Cloudflare, GCP |
| | ❑ Close all inbound ports open to the Internet for application delivery | Akamai EAA, Cloudflare Access, Netskope Private Access, Zscaler Private Access (ZPA) |
| Phase 3 | ❑ Inventory all corporate applications | Secure Web Gateways and CASBs with Shadow IT discovery: Cloudflare Gateway, Microsoft Defender for Cloud Apps, Netskope Next Gen SWG, Zscaler Internet Access (ZIA) |
| | ❑ Zero Trust policy enforcement for SaaS applications | |
| | ❑ Segment user network access | Cloudflare Zero Trust (Access and Gateway), Netskope Private Access, Zscaler Private Access (ZPA) |
| | ❑ Zero Trust Network Access for privately addressable applications | Cloudflare Access, Netskope Private Access, Zscaler Internet Access (ZIA) |
| | ❑ Implement MDM/UEM to control corporate devices | Windows: Microsoft Intune |
| | ❑ Define what data is sensitive and where it exists | DataDog, Splunk, SolarWinds |
| | ❑ Send out hardware based authentication tokens | Hard keys: Yubico |
| | ❑ Stay up to date on known threat actors | Cloudflare Radar, CISA, OWASP |
| Phase 4 | ❑ Enforce hardware token based MFA | Hard keys: Yubico |
| | ❑ Establish a SOC for log review, policy updates and mitigation | N/A |
| | ❑ Implement endpoint protection | VMware Carbon Black, CrowdStrike, SentinelOne, Microsoft Windows Defender |
| | ❑ Inventory all corporate devices, APIs and services | |
| | ❑ Use broadband Internet for branch to branch connectivity | Cloudflare Magic WAN, Cato Networks, Aryaka FlexCore |
| | ❑ Establish a process to log and review employee activity on sensitive applications | |
| | ❑ Stop sensitive data from leaving your applications (e.g. PII, credit cards, SSNs, etc.) | Cisco Umbrella, Cloudflare Gateway, Netskope Next Gen SWG, Zscaler Internet Access (ZIA) |
| | ❑ Employ a DevOps approach to ensure policy enforcement for all new resources | Ansible, Puppet, Terraform |
| | ❑ Implement auto-scaling for on-ramp resources | |