Why Zero Trust Should Be at the Heart of Every Organization’s Security Strategy

From Theory to Practice: The Core Principles of Zero Trust

Even as security measures tighten, traditional perimeter-based approaches are proving inadequate. According to a Forrester report, insider threats are estimated to have increased by 80% in 2023. The Zero Trust approach treats every user and every access request in the system as a potential threat and approaches them with suspicion. Zero Trust may seem difficult and complicated at first glance, but its basis is extremely simple: Zero Trust Architecture assumes that every access request must pass through identity verification and that verification must be maintained continuously, not granted once per session. According to Microsoft, this architecture consists of 3 main controls:

  • Always verify: Explicitly verify every request using all available data points, such as user identity and activity, the health of services and devices, and anomalies.
  • Use least privilege: Limit user access to the minimum authorization needed for the task.
  • Assume a breach: Segment access on the assumption that a breach has already occurred. This reduces the impact of a breach and prevents lateral movement.

It spans 7 domains: Identity (User), Data, Infrastructure, Applications, Devices, Network, and Analytics and Automation.
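The three controls above can be read as a single access decision that denies by default. The following is an added example, not code from the original article or from Microsoft: a minimal policy decision function in which every role, segment, resource and request is a constructed assumption for the demo. It shows explicit verification (MFA, device health, and re-verification after a time limit), least privilege (a role holds only the resource/action pairs it needs) and assume-breach segmentation (a resource is reachable only from approved source segments).

```python
"""
Added illustrative example, not the article's or any vendor's code.
Roles, segments, resources and sample requests are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

# Least privilege: a role grants only the (resource, action) pairs it needs.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "analyst": {("reports", "read")},
    "admin": {("reports", "read"), ("reports", "write"), ("users", "manage")},
}

# Assume breach: resources live in segments, and each segment accepts requests
# only from an approved list of source segments, so a compromised workstation
# on the corporate LAN cannot reach the management plane directly.
RESOURCE_SEGMENT: Dict[str, str] = {"reports": "app", "users": "mgmt"}
ALLOWED_SOURCES: Dict[str, Set[str]] = {"app": {"corp", "jumphost"}, "mgmt": {"jumphost"}}

# Continuous verification: an identity check older than this must be repeated.
MAX_VERIFICATION_AGE = timedelta(minutes=30)


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    mfa_verified: bool
    device_compliant: bool
    source_segment: str
    last_verified: datetime
    resource: str
    action: str


def decide(req: AccessRequest, now: Optional[datetime] = None) -> Tuple[bool, str]:
    """Return (allowed, reason). Anything not explicitly permitted is denied."""
    now = now or datetime.now(timezone.utc)

    # Verify explicitly: identity, device health, and freshness of the check.
    if not req.mfa_verified:
        return False, "identity not verified with MFA"
    if not req.device_compliant:
        return False, "device failed compliance check"
    if now - req.last_verified > MAX_VERIFICATION_AGE:
        return False, "verification stale; re-authentication required"

    # Least privilege: the role must hold exactly this resource/action pair.
    if (req.resource, req.action) not in ROLE_PERMISSIONS.get(req.role, set()):
        return False, f"role '{req.role}' lacks '{req.action}' on '{req.resource}'"

    # Assume breach: the request must come from a segment allowed to reach the
    # resource's segment; unknown resources are denied rather than allowed.
    target = RESOURCE_SEGMENT.get(req.resource)
    if target is None or req.source_segment not in ALLOWED_SOURCES.get(target, set()):
        return False, f"segment '{req.source_segment}' may not reach '{req.resource}'"

    return True, "allowed"


def demo(now: Optional[datetime] = None) -> List[Tuple[str, bool, str]]:
    """Evaluate constructed requests; returns (label, allowed, reason) per case."""
    now = now or datetime.now(timezone.utc)
    fresh = now - timedelta(minutes=5)
    stale = now - timedelta(hours=2)
    cases = {
        "analyst reads reports": AccessRequest("alice", "analyst", True, True, "corp", fresh, "reports", "read"),
        "analyst writes reports": AccessRequest("alice", "analyst", True, True, "corp", fresh, "reports", "write"),
        "admin manages users from corp LAN": AccessRequest("bob", "admin", True, True, "corp", fresh, "users", "manage"),
        "admin manages users from jumphost": AccessRequest("bob", "admin", True, True, "jumphost", fresh, "users", "manage"),
        "admin with stale verification": AccessRequest("bob", "admin", True, True, "jumphost", stale, "users", "manage"),
        "admin on non-compliant device": AccessRequest("bob", "admin", True, False, "jumphost", fresh, "users", "manage"),
    }
    return [(label, *decide(req, now)) for label, req in cases.items()]


if __name__ == "__main__":
    for label, allowed, reason in demo():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {label}: {reason}")
```

The order of the checks matters in practice: identity and device posture are evaluated before authorization, so a stale or unverified session is rejected without ever revealing which resources the role could reach.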

Many organizations hesitate to transition to the Zero Trust model because they see it as complex and costly. Changing old habits and reshaping systems can be challenging for both employees and the organization. While that complexity and cost may deter many organizations, the transition becomes far easier with gradual adoption.

Gradual Transition to Zero Trust

Adopting Zero Trust doesn’t mean overhauling your entire security architecture overnight. Organizations can implement this model in phases, starting with small but effective steps to strengthen their systems. These steps make organizations more resilient to attacks while also laying the groundwork for a broader Zero Trust strategy.

This phased approach also has the advantage of minimizing disruptions to the user experience. When new security measures are implemented gradually, employees can adapt without disrupting their daily operations. As a result, the transition to Zero Trust becomes more manageable, both cost-wise and operationally. Additionally, raising awareness within the organization ensures that security is viewed as a shared responsibility across all departments.

How can a phased approach be implemented?

A smoother transition is quite possible with a 3-phase roadmap applied to each domain. You can increase this to 4 phases if you wish; in that case, treat the first phase as a preparation phase and the remaining 3 as follows.

Step 1 – Foundational Actions: In this introductory phase, take the actions you are already implementing or can easily implement. This phase is also where you identify what you have and establish how it is managed.

At a minimum, this phase should include the following key actions:

  • Inventory Management: Creating a detailed inventory of all assets (devices, users, applications, data, etc.) is the first step to understanding your security vulnerabilities. For example, an inventory lets you quickly identify which devices are affected by an issue, which greatly simplifies building an action plan.
  • Basic Security Policies: Implementing minimum standards across the organization initiates the basic security steps and builds organization-wide security awareness.
  • Training and Awareness: Training is one of the fundamental steps to ensure the prepared policies are understood and to raise security awareness.

Step 2 – Mid-level Actions: In this phase, take more serious measures by raising the level of the actions you took in the foundational phase. Raising the bar gradually supports employees' adaptation.


At this phase, it’s essential to go beyond the basic measures and implement more advanced actions, such as those listed below. However, to effectively carry out these actions, the foundational steps must already be in place.

  • Systematic Security Testing: Regularly running security tests such as SAST and DAST lets you perform deeper security analyses and assure the security of your applications and systems.
  • Management and Process Optimization: Stricter access control models such as RBAC and PBAC should be adopted, and secure development processes such as a secure SDLC should be integrated.
  • Data Protection: In Phase 2, protecting sensitive information through data encryption and tokenization, coupled with early detection of abnormal activity using user behavior analytics, plays a crucial role. These strategies enable you to identify and mitigate security threats proactively, before they escalate.
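The "early detection of abnormal activities using user behavior analytics" point above is the kind of logic a UEBA tool runs. The following is an added example, not code from the original article or any UEBA product: it builds a per-user baseline (countries, devices and usual login hours) from a constructed block of successful logins, then scores a second constructed block, flagging new countries or devices, logins outside the usual hours, and a success that follows a burst of failures. The log format and every event in it are assumptions made for the demo.

```python
"""
Added illustrative example of a user-behaviour baseline; not the article's
code. Log format and all events below are constructed for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed sample logs: the first block establishes each user's baseline,
# the second block is the window being scored.
BASELINE_LOGS = """\
2024-05-01T08:55:00Z user=alice country=TR device=lap-01 result=success
2024-05-01T09:02:00Z user=bob country=TR device=lap-07 result=success
2024-05-02T08:58:00Z user=alice country=TR device=lap-01 result=success
2024-05-02T17:40:00Z user=bob country=DE device=lap-07 result=success
2024-05-03T09:10:00Z user=alice country=TR device=lap-01 result=success
"""

NEW_LOGS = """\
2024-05-06T09:00:00Z user=alice country=TR device=lap-01 result=success
2024-05-06T03:12:00Z user=alice country=BR device=win-99 result=failure
2024-05-06T03:13:00Z user=alice country=BR device=win-99 result=failure
2024-05-06T03:14:00Z user=alice country=BR device=win-99 result=success
2024-05-06T10:30:00Z user=bob country=DE device=lap-07 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) country=(?P<country>\S+) "
    r"device=(?P<device>\S+) result=(?P<result>\S+)$"
)


def parse(text: str) -> List[Dict]:
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return events


def build_baseline(events: List[Dict]) -> Dict[str, Dict[str, set]]:
    """Record, per user, the countries, devices and hours seen on successful logins."""
    base = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": set()})
    for e in events:
        if e["result"] != "success":
            continue  # failed attempts must not widen a user's baseline
        b = base[e["user"]]
        b["countries"].add(e["country"])
        b["devices"].add(e["device"])
        b["hours"].add(e["ts"].hour)
    return base


def score(events: List[Dict], baseline, fail_threshold: int = 2) -> List[Tuple[str, str, List[str]]]:
    """Return (timestamp, user, reasons) for every event that deviates from baseline."""
    findings = []
    recent_failures = defaultdict(int)
    for e in events:
        reasons = []
        b = baseline.get(e["user"])
        if b is None:
            reasons.append("no baseline for user")
        else:
            if e["country"] not in b["countries"]:
                reasons.append(f"new country {e['country']}")
            if e["device"] not in b["devices"]:
                reasons.append(f"new device {e['device']}")
            lo, hi = min(b["hours"]) - 1, max(b["hours"]) + 1  # one hour of tolerance
            if not lo <= e["ts"].hour <= hi:
                reasons.append(f"outside usual hours ({e['ts'].hour:02d}:xx)")
        if e["result"] == "failure":
            recent_failures[e["user"]] += 1
        else:
            n = recent_failures.pop(e["user"], 0)
            if n >= fail_threshold:
                reasons.append(f"success after {n} failures")
        if reasons:
            findings.append((e["ts"].isoformat(), e["user"], reasons))
    return findings


def run() -> List[Tuple[str, str, List[str]]]:
    return score(parse(NEW_LOGS), build_baseline(parse(BASELINE_LOGS)))


if __name__ == "__main__":
    for ts, user, reasons in run():
        print(f"{ts} {user}: {'; '.join(reasons)}")
```

On the constructed data, bob's login from DE is not flagged because DE already appears in his successful history, while alice's three early-morning events from a new country and device are flagged, the last of them additionally because it succeeded right after two failures. That combination of reasons, rather than any single signal, is what gives such a detection its value.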

Step 3 – Advanced Actions: In this phase, take the strongest security precautions you can.

These actions build on the previous two phases and represent the highest level of measures that can be taken:

  • Automation and Analytics: You can leverage advanced systems like SIEM and SOAR to automate data analytics and streamline threat detection and response. Additionally, integrating AI capabilities into these systems can take security measures to the next level, increasing both accuracy and efficiency.
  • Advanced Security Measures: You can maximize security by implementing measures such as behavioral biometrics (passwordless verification), centralized authorization, and access granted only when necessary (JIT/JEA).
  • Zero Trust Approach: You can strengthen your network security by adopting approaches such as micro-segmentation and ZTNA, and raise your technical security level by integrating next-generation security frameworks such as SASE, for a more flexible and powerful defense against evolving threats.

Evaluating each domain individually, the actions progress as follows:

Actions per domain, listed from Step 1 (Foundational Actions) through Step 2 (Mid-level Actions) to Step 3 (Advanced Actions):

Identity (User)
  • IAM (User Inventory)
  • ACL
  • MFA for admins only
  • MFA for all users, with training
  • Certificate Management (PKI)
  • Least Privilege
  • Privileged Access Devices (can also be placed in the Devices domain)
  • PAM
  • SSO
  • Behavioral Biometrics Integration (Passwordless)
  • RBAC
  • Contextual Authentication Project
  • Just in Time (JIT) and Just Enough Access (JEA)
  • Centralised Authorisation

Data
  • Asset Inventory
  • Data Classification
  • Data Loss Prevention (DLP)
  • Bring Your Own Key (BYOK)
  • Policy Based Access Controls (PBAC)
  • Data Encryption and Tokenization
  • Data Protection Policy
  • Document Digital Rights Management (DRM)
  • User & Entity Behavior Analytics (UEBA)
  • Security Analytics
  • Self-Key Management System
  • Hold Your Own Key (HYOK)
  • Key Recovery

Infrastructure
  • Patch Management
  • Basic Security Policies Implementation
  • Vulnerability Management
  • Configuration Management
  • Secure Coding
  • Advanced Threat Detection
  • CTI (Cyber Threat Intelligence)

Applications
  • Application Inventory
  • Secure Coding Training
  • Shadow IT Detection
  • WAF
  • Application Security Testing (SAST/DAST)
  • SDLC Process
  • Secure Coding Implementation
  • Cybersecurity Supply Chain Risk Management (C-SCRM)
  • Automated Secure Software Design Lifecycle (SSDL)
  • API Security (OAuth, JWT)
  • DevSecOps Adoption (CI/CD)

Devices
  • Device Inventory
  • Regular Software Updates
  • Device Configurations
  • Device Detection and Compliance
  • Remote Access Protection
  • Endpoint Protection (EDR, antivirus, etc.)
  • Device Activity Monitoring
  • MDM
  • Device Encryption
  • Device Hardening
  • Mobile Threat
  • Control of IoT Devices
  • Automated Vulnerability and Patch Management

Network
  • Next-Gen Firewalls
  • VPN Implementation
  • SD-WAN
  • SDN
  • Intrusion Detection and Prevention Systems (IDS/IPS)
  • Network Traffic Analysis
  • Network Segmentation Implementation
  • Transport Layer Security (TLS) Inspection
  • NAC
  • ZTNA
  • Micro or Macro Segmentation
  • Secure Access Service Edge (SASE)

Analytics and Automation
  • Data Collection Framework
  • Automated Log Management System
  • SIEM Implementation
  • Automated Incident Response Playbooks
  • Automated Detection and Response
  • Automated Risk Assessment

Beyond the technical projects listed above, planning training on these subjects and actively driving organizational adoption of Zero Trust supports adaptation to those projects.

Conclusion: Don’t Leave Security to Chance

The success of Zero Trust depends not only on its technical implementation but also on its becoming a permanent part of corporate culture and employee awareness.

When implementing this model, it should not be forgotten that humans are the biggest and weakest link in the security chain. Awareness training to be given to employees within the organization will greatly support the adoption and effective implementation of the Zero Trust culture. Raising employees’ awareness about security plays a key role in the successful implementation of this model.

As a result, Zero Trust is not only a security model; it is also an opportunity to create security awareness throughout the organization. Creating this culture will both create a more resilient structure against internal threats and strengthen the organization’s overall security posture.

Senior Information Security Associate at PwC Turkiye

Melis works as a Senior Information Security Associate at PwC Turkiye and has over 7 years of experience in the information security field. In addition, Melis specializes in IT compliance, security awareness and risk management on security best practices. She writes academic articles on various security topics such as risk management and international security standards. Additionally, Melis conducts various awareness-raising initiatives to improve the information security awareness of organizations and society.
