How to get to zero trust security

The 4 principles and 4 tools you need

Zero Trust Security

The idea of Zero Trust security was first introduced by Forrester in 2010. But it’s still not as widely adopted as those in the security industry might hope. That may be changing though. With the threat from cyber criminals rising every year along with the cost of breaches to businesses, more and more organizations are seeking to implement a Zero Trust model. Here’s the core information you need to implement it in your business.

The four principles

Zero Trust involves a mind-shift more than any one technology. Once you make that mind shift, you can evaluate technical solutions for implementing Zero Trust. Here are the four principles that your company—and especially your IT organization—needs to adopt:

Threats come from inside as well as outside

This is probably the biggest shift in thinking. Traditionally, IT has focused on the perimeter of the organization, seeking to prevent entry. The assumption is that anyone already inside the organization is generally safe, so less effort goes into verifying users or detecting issues within the firewall. This is sometimes called the castle-and-moat approach to security.

Internal and external cyber threats

It’s time to change that mindset. In a Zero Trust environment, you assume that threats can come from inside as well as outside. It may be because criminals have already infiltrated your organization, or because an insider is a bad actor. Either way, it’s just as important to watch what is happening inside the organization and to protect against attacks from inside as from outside.

Use micro-segmentation

Which leads to principle number two: use micro-segmentation. With this approach, even inside the firewall, areas of the organization are walled off or segmented from one another, and traffic between segments is only allowed where there is a business reason for it. For example, the marketing department gets access to the tools and data they use: customer information, apps like Salesforce, etc. But they don’t have access to financial data or tools used by accounting, nor the product IP and source code that development works with.

Micro-segmentation

Least privilege access

Tied to micro-segmentation is the idea of least privilege access. That means limiting users, even within a department, to the minimum information and access they need to do their job. Just because someone works in finance doesn’t mean they need access to all the customer and company financial data. Depending upon the user’s role, he or she may only need access to a select set of customers’ data—or no access to customer financials at all.

By restricting access to just what’s needed, you help ensure that even if a hacker manages to take over a user’s identity, he or she can only do a limited amount of damage: the compromised account reaches only the data and apps that one role was entitled to.

Never trust, always verify

To enforce all of this, an organization must flip the model: never trust, always verify. You never trust that a user is who they say they are because of where the request comes from or because they authenticated earlier. Instead, you verify the user’s identity and level of access on every request. Never trust, always verify increases the chances of stopping a criminal or program that has infiltrated your organization before it can reach sensitive information or do damage.

Tools for Zero Trust security

If you’re looking at the four Zero Trust principles with a critical eye, you may see some challenges in the actual implementation. For example, while security requires a never trust, always verify approach, the trick is to keep verification relatively painless for users. Going back to our castle analogy, having gates everywhere that each require unlocking with a separate key can really hurt people’s day-to-day productivity.

Similarly, we all know that roles are not entirely clean and some users will need access to applications or data that aren’t assigned to them by default based on their role. That means you need a fast way to provision and de-provision users for apps on an as-needed basis.

With that said, here are four tools central to Zero Trust security:

  • SSO—Single Sign-On (SSO) provides the ability for users to sign in once with their credentials, including a single password, and have access to all of their web apps. With the right tools, SSO can also provide single sign-on access to on-prem legacy apps. SSO increases security by cutting down the number of passwords users have to remember (and reuse), while also increasing usability and employee satisfaction. The caveat is that SSO concentrates risk in the identity provider: one compromised SSO credential opens every connected app, so the SSO login itself must be protected with MFA.
  • MFA—Multi-factor Authentication (MFA) is a critical tool that every organization should be using. MFA requires additional factors when users try to log in. For example, they may be required to enter a PIN or approve a prompt in a mobile app in addition to entering their username and password.
    The fact is, passwords alone aren’t secure enough. You need MFA. But MFA should be combined with SSO. Otherwise, you’re adding more steps to each login while still requiring users to log in many times per day.
  • Fast provisioning systems—When you move to Zero Trust, you’re going to need a system that lets you quickly provision and de-provision users for applications. Since you’re going to least privilege access, expect to have to make exceptions regularly, and make those exceptions time-bound so access expires on its own instead of accumulating. If your current system of provisioning is time-consuming, things are only going to get worse when you move to Zero Trust.
  • Device protection—The device the user is logging in from is the first line of defense and the focal point of attack: the endpoint. So, look for tools that protect and monitor devices, and feed the device’s health (managed, patched, encrypted) into the access decision, so that an unhealthy endpoint is turned away even when it presents valid credentials.
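The principles above (micro-segmentation, least privilege, never trust/always verify) and the tools list (MFA, time-bound provisioning, device posture) all come together in one place: the policy decision that runs on every access request. The following is an added example, not OneLogin’s code or any product’s API. It is a small policy decision point in plain Python; every segment, role, resource, user and device attribute in it is constructed for illustration, and the `Request` fields stand in for what an identity provider and endpoint agent would supply.

```python
"""Added example (not OneLogin's code): a minimal Zero Trust policy
decision point. Segment, role, resource and user names are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Micro-segmentation: every resource belongs to exactly one segment.
RESOURCE_SEGMENT = {
    "salesforce": "marketing",
    "customer-crm": "marketing",
    "general-ledger": "finance",
    "payroll": "finance",
    "source-repo": "engineering",
}

# Least privilege: a role is entitled to the segments it needs, nothing more.
ROLE_SEGMENTS = {
    "marketing-analyst": {"marketing"},
    "accountant": {"finance"},
    "developer": {"engineering"},
}


@dataclass(frozen=True)
class Grant:
    """A provisioned exception to the role model; it expires on its own."""
    subject: str
    segment: str
    expires: datetime


@dataclass(frozen=True)
class Request:
    subject: str
    role: str
    resource: str
    mfa_verified: bool    # second factor completed for this session
    device_managed: bool  # endpoint enrolled in device management
    device_patched: bool  # endpoint passes the posture check
    now: datetime


class PolicyDecisionPoint:
    """Evaluates every request from scratch; nothing is allowed by default."""

    def __init__(self) -> None:
        self.grants: list[Grant] = []

    def provision(self, subject: str, segment: str, ttl: timedelta, now: datetime) -> None:
        """Fast provisioning with a TTL, so exceptions de-provision themselves."""
        self.grants.append(Grant(subject, segment, now + ttl))

    def revoke(self, subject: str, segment: str) -> None:
        self.grants = [g for g in self.grants
                       if not (g.subject == subject and g.segment == segment)]

    def entitled_segments(self, req: Request) -> set[str]:
        segs = set(ROLE_SEGMENTS.get(req.role, set()))
        segs |= {g.segment for g in self.grants
                 if g.subject == req.subject and g.expires > req.now}
        return segs

    def decide(self, req: Request) -> str:
        """Returns 'allow' or a deny reason; every check runs on every request."""
        if not req.mfa_verified:                             # never trust, always verify
            return "deny:mfa_required"
        if not (req.device_managed and req.device_patched):  # endpoint posture
            return "deny:device_posture_failed"
        segment = RESOURCE_SEGMENT.get(req.resource)
        if segment is None:                                  # "internal" is not "safe"
            return "deny:unknown_resource"
        if segment not in self.entitled_segments(req):       # least privilege
            return f"deny:not_entitled_to_{segment}"
        return "allow"


def demo() -> dict[str, str]:
    """Walks a marketing analyst through the checks; returns each decision."""
    pdp = PolicyDecisionPoint()
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)

    def req(resource, mfa=True, managed=True, patched=True, now=t0):
        return Request("alice", "marketing-analyst", resource, mfa, managed, patched, now)

    out = {}
    out["own_segment"] = pdp.decide(req("salesforce"))
    out["other_segment"] = pdp.decide(req("general-ledger"))
    out["no_mfa"] = pdp.decide(req("salesforce", mfa=False))
    out["unpatched_device"] = pdp.decide(req("salesforce", patched=False))
    out["unknown_resource"] = pdp.decide(req("hr-portal"))
    # A time-bound exception: two hours of finance access for a joint project.
    pdp.provision("alice", "finance", timedelta(hours=2), t0)
    out["with_grant"] = pdp.decide(req("general-ledger"))
    out["after_expiry"] = pdp.decide(req("general-ledger", now=t0 + timedelta(hours=3)))
    pdp.revoke("alice", "finance")
    out["after_revoke"] = pdp.decide(req("general-ledger"))
    return out


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:18} {decision}")
```

The order of the checks is the point: identity and device are verified before the resource is even looked up, an unknown resource is denied rather than assumed harmless, and the only way past the role model is a grant with an expiry. In a real deployment the identity provider supplies `mfa_verified`, the endpoint agent supplies the device fields, and the decision is re-run per request or per short-lived session, not once at login.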

That’s it. Those are the four principles and four tools to consider first when moving to Zero Trust.
