NEW VIDEO: COVID-19: Securing newly remote users and admins (Paul's Security Weekly). WATCH NOW!

Zero Trust: Where Do I Start?

Companies have finally jumped on the zero trust bandwagon, understanding how its principles help affect stronger security control across the spectrum of data, people, systems, and networks. For years security practitioners have understood that the internal network is as threat-riddled as the internet; they just hadn’t found ways to implement zero trust without totally overhauling entire infrastructures or impacting efficiency and ease of use.

In the last few years, however, things have started to change. New technologies like Edgewise have emerged on the market, making it easier for end users to deploy solutions built on zero trust principles. But with the whirlwind of products comes confusion. What does “zero trust” actually mean? Where should zero trust be applied? How do I get started?

The fact is, zero trust is not a product at all. It’s a framework or strategy that helps organizations remove the legacy concept of trust that’s led to uncounted numbers of breaches caused by attackers’ lateral movements, malware propagation, and abused and unauthorized access controls. Whether using a commercially-available technology or redesigning your networks in-house, some important guidance on getting started with zero trust includes:

Recognize zero trust is a strategy

Any zero trust project you undertake relies on a business strategy built around the company’s objectives and critical assets.

Identify key assets

Before you design for stronger security, you have to know what you need to protect.

Standardize to reduce risk

Once you understand what assets you need to protect, it’s imperative to implement a uniform way to gain visibility into how those assets are communicating and consistently apply policy across all network deployments so that the complexity level hasn’t ratcheted up a few hundred notches.

Beyond these preparations, companies are struggling with where, exactly, to begin. At its core, zero trust is an organizational approach to protecting data, therefore cases could be made for starting at any layer of the OSI model. Anywhere you choose to start, whatever changes you apply that remove unnecessary privileged access and add continuous verification requirements, you will be incrementally improving the security of your networks and data. That said, most organizations cannot take on a project to completely overhaul their networks and zero trust everything—even if that’s the eventual desired state. Stepping back one more pace, before you start a zero trust project, ask yourself: what is the most important thing I need to protect?

The answer to that question will guide you to your answer.

Stay on the cutting edge. Subscribe to our blog.

Outside-in vs. inside-out

There are two models of zero trust that are most prevalent today:

  • outside in: the BeyondCorp model of applying zero trust to end users and devices
  • inside out: applying zero trust to the network and/or the applications and services communicating on the network  

As zero trust can be a phased deployment, you can start at either place. A person could easily argue that because the easiest way for attackers to access your network is by stealing a valid user’s identity and using it move through the network, the best place to start is at the endpoint.

However, along with the movement toward zero trust, security professionals have also begun moving security responsibility away from the perimeter and toward the application—because the applications are the jackpots cyber criminals are after. And it makes sense to put the strongest, most reliable security closest to the thing criminals want: data. This inside-out approach is logical for a number of reasons:

  1. Putting the most hardened controls around the most valuable assets means that even if adversaries are able to penetrate the perimeter or steal user identities, they still can’t access the data. In other words, criminals can get into the locked room but they can’t crack the safe.
  2. Endpoints are infinite; applications aren’t. While it’s true that the number of applications and services spun up and changed by DevOps teams is increasing all the time, the number of things deployed on the network will never outnumber the users, their various devices, their ever-changing locations, their evolving job responsibilities and resource needs, etc. A user’s “identity,” therefore, must change constantly to accommodate their particular situation whereas an application’s identity remains relatively constant in comparison. As such, controlling applications is exponentially less complex than controlling users.

Trying to decide “Where do I begin” simply boils down to the fact that everything touches the data. With data at the heart of business operations, it ‘s most effective, therefore, to control access to and from the data—from the inside-out—first.

Implementing zero trust is almost always going to be a phased deployment, so choosing between inside-out and outside-in should be based on your business use case. However, as you decide where to apply zero trust first, remember that the endpoint is only the first step in every attack scenario. By placing zero trust controls directly around your key assets, you know that whoever or whatever gets onto your network, they won’t be able to pass the verification process and your data will remain secure.


Katherine Teitler, Director of Content

Written by Katherine Teitler, Director of Content

Katherine Teitler leads content strategy and development for Edgewise Networks. In her role as Director of Content she is a storyteller; a translator; and liaison between sales, marketing, and the customer. Prior to Edgewise, Katherine was the Director of Content for MISTI, a global training and events company, where she was in charge of digital content strategy and programming for the company's cybersecurity events, and the Director of Content at IANS, where she built, managed, and contributed to the company's research portal.