Zero trust is making its way into the vocabulary of companies seeking to improve their online security. And not just small companies: the European Parliament is proposing a universal standard of cyber-hygiene measures for public institutions which, among other things, includes zero trust.
But how do you implement zero trust if you’re a small company and don’t have a cyber security expert on staff?
Skip to the solution here.
What is zero trust
Zero trust is a cybersecurity approach that grants access only after verifying the identity of the user (and the state of their device) on every request, regardless of where the request comes from, in order to reduce the risk of cyber threats and limit their impact. In addition, it increases the agility of IT teams, improves observability, and enables compliance enforcement. Zero trust rests on five pillars:
- Identity verification – Users must prove they are who they claim to be. Zero trust architectures typically employ two-factor authentication (2FA), so that a stolen password alone is not enough to log in.
- Encryption – Communication takes place over an encrypted tunnel that protects the confidentiality and integrity of the data, and the identity of the communicating parties, from online threats such as man-in-the-middle attacks.
- Segmentation – Least-privilege assignment of access rights ensures that an intruder using stolen credentials only gains access to a limited set of systems, not the whole network. This segmentation applies to any cloud, SaaS application, or LAN.
- Logging – Keeping detailed access logs is an important component of company security; it is required by regulations such as GDPR and HIPAA and expected by audit frameworks such as SOC 2.
- Policy enforcement – A policy violation results in immediate denial of access for the non-compliant account or device. Zero trust solutions also commonly check the security posture of connecting devices: antivirus software, password strength, operating system version, vulnerability patches, and so on.
Learn more about zero trust in this article.
Who is zero trust for?
Threat actors now target a wider spectrum of victims, including small businesses and government organizations. Much of the day-to-day work of these entities takes place online, which makes them attractive targets.
Zero trust is helpful to organizations that need to shrink their attack surface, such as:
- Companies with remote employees and external contractors - Remote workers and contracting parties need secure access to internal systems via infrastructure and devices that the company does not own.
- Companies with cloud infrastructures - Companies increasingly store their data in public clouds, and they need to ensure data protection at their end and during transmission.
- Companies with remote branches - Businesses that interconnect several LANs via remote links and need secure access to resources at the other sites.
- Companies with customer-facing services - Businesses that record user information must conform to strict data protection policies. Among other reasons, this is their obligation under regulations such as GDPR and HIPAA, and it is what audit frameworks such as SOC 2 examine.
- Public institutions - Public institutions are under legal obligation to ensure the protection of citizens’ personal data. Especially as the civil service faces pressure for digitization, hardening their security will become imperative.
The solution: Go networkless
GoodAccess is a 100% cloud-delivered zero trust solution. You don’t need any additional infrastructure; it already incorporates the mechanics of zero trust network access (ZTNA), so all you need to do is set up your access rules in a central management console.
The biggest hurdles that prevent companies from implementing zero trust are the cost and complexity of implementation. Both are quickly overcome with GoodAccess: the cloud-delivered zero trust network access solution dovetails with your existing environment, carries no additional engineering overhead, and costs less per month than a trained IT security expert.
You can sign up for free and test all of the solution’s features for two weeks.
Step 1: Sign up for a free trial
Create an account using the link here and verify your email. Creating the account is free and gets you unlimited use of the product for 14 days.
It usually takes us a few hours to approve a free trial, or, in rare cases, a few days.
Step 2: Name your team
Once we’ve approved your trial and you have signed into your GoodAccess control panel, you will need to choose a name for your team and connect to a gateway.
We recommend choosing a gateway that is nearest to your geographical location. You get lower latency that way.
Step 3: Invite team members
In the GoodAccess Control panel, go to the Members section.
Here, click Invite member to send invitation emails to your team members.
If you have a more complex network, you can add devices (such as routers or firewalls) from this interface.
Have your team members download and install the GoodAccess app.
Once it is installed, they need to fill in your Team ID, their username/email, and their password.
You should see your team members appear in the list in the Control Panel.
Step 4: Set up 2FA/SSO
First, download and install an authenticator app such as Google Authenticator, Microsoft Authenticator, or Authy on your phone or computer.
Then, go to Settings in the GoodAccess Control Panel and switch to the Two-Factor Authentication tab.
Check the checkbox Enable Two-Factor Authentication and click Save Changes.
The same dialog is also used to require 2FA on every login and to set a session timeout.
The next time you and your team members log in, you will be prompted to complete 2FA: scan the generated QR code with the authenticator app, then type the one-time passcode it shows into the box below.
Once 2FA is authorized, a green pop-up confirms that 2FA was successfully activated.
Step 5: Set up access control
First, you need to add your systems. A system can be an online app (e.g. your CRM or eshop administration) or a server.
For a full guide on access control, check this article.
In the Control Panel go to the Systems section.
Click on Add System in the top-right corner and fill out the dialog.
- Enter a Name,
- Choose Tags,
- Select the Type,
- Enter the system’s URL.
Finally, click Add System, and your newly connected system should appear on the list.
For a hands-on guide, watch this video.
When you have added all your systems, you need to create access cards. Access cards determine which systems each individual user can access; users also see shortcuts to their allowed systems in the GoodAccess app.
Go to the Access Control section and click Add Access Card.
Enter the access card’s name and click Add Access Card.
Your access card is now blank. Click Edit in the top-right corner of the card to add members and systems.
For example, if you’ve created a card called “Sales”, tick all salespeople in the Members tab and, in the Systems tab, tick all the systems salespeople need access to.
Confirm your choices by clicking Save.
For a more hands-on guide, check out this video.
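The access-card model is worth understanding on its own terms, because it is what makes the segmentation pillar work: nobody reaches anything unless some card names both them and the system, and a member on several cards gets the union of those cards. The Python below is an added example, not GoodAccess code or its data model, that encodes that default-deny decision together with the 2FA and device-posture conditions from the policy enforcement pillar; the card and user names are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessCard:
    """A named set of members and the systems they may reach (the shape is an
    assumption for this example, not the product's internal model)."""
    name: str
    members: frozenset
    systems: frozenset


@dataclass(frozen=True)
class Session:
    """What the gateway knows about a connecting user at decision time."""
    user: str
    mfa_passed: bool
    device_compliant: bool


def allowed_systems(cards, user):
    """Union of the systems granted by every card that lists the user.
    A user on no card gets the empty set: default deny."""
    granted = set()
    for card in cards:
        if user in card.members:
            granted |= card.systems
    return granted


def authorize(cards, session, system):
    """Return (decision, reason). Every condition must hold; the reason string is
    the kind of value you would want to see in the access log for a denial."""
    if not session.mfa_passed:
        return False, "2fa-required"
    if not session.device_compliant:
        return False, "device-posture"
    if system not in allowed_systems(cards, session.user):
        return False, "no-access-card"
    return True, "ok"


# Constructed sample: two cards, three users, three systems (hypothetical names).
CARDS = [
    AccessCard("Sales", frozenset({"alice", "bob"}), frozenset({"crm", "eshop-admin"})),
    AccessCard("IT", frozenset({"carol"}), frozenset({"crm", "eshop-admin", "db-server"})),
]

if __name__ == "__main__":
    # Even with bob's valid credentials and a healthy laptop, the database
    # server is out of reach: the "Sales" card does not include it.
    bob = Session("bob", mfa_passed=True, device_compliant=True)
    print("bob -> crm:      ", authorize(CARDS, bob, "crm"))
    print("bob -> db-server:", authorize(CARDS, bob, "db-server"))
    # carol is on the "IT" card but has not completed 2FA this session.
    carol = Session("carol", mfa_passed=False, device_compliant=True)
    print("carol -> db-server:", authorize(CARDS, carol, "db-server"))
```

The order of the checks is deliberate: identity and device posture are evaluated before the card lookup, so a denial never leaks which systems a compromised account would otherwise have been entitled to.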
Step 6: Set up policy enforcement
GoodAccess can block access to harmful or prohibited websites.
In your Control Panel, go to the Settings section and switch to the Secure Shield tab.
Here you can switch Threat Blocker on and off (it’s on by default). Threat Blocker is a built-in DNS filter that blocks access to harmful websites, such as phishing sites or malware-hosting sites. As with any DNS filter, it decides by domain name rather than by page content, so it stops a device from looking up a known-bad host but does not inspect what a permitted site serves.
Under Custom domain blocking you can block additional websites, such as social media or other productivity sinks.
Click Add Domain and fill out the domain name in the dialog (e.g. facebook.com).
Confirm by clicking the Add domain button.
Note: You can also import your own domain blacklists. Switching to the DNS Management tab lets you upload a custom blacklist by clicking Import CSV in the Custom DNS Filtering section.
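If you maintain your own blacklist, it helps to know how a DNS filter should match it: blocking facebook.com must also catch www.facebook.com and any deeper subdomain, but must not catch notfacebook.com, and names arrive in mixed case or with a trailing dot. The Python below is an added example, not GoodAccess code, of a loader and matcher that gets those cases right; the one-domain-per-row CSV layout and the sample entries are constructed for the example, so check the real import format against the product's documentation.

```python
import csv
import io


def normalize(domain: str) -> str:
    """Lower-case, strip surrounding whitespace and a trailing dot, so that
    'WWW.Example.com.' and 'www.example.com' are the same name."""
    return domain.strip().lower().rstrip(".")


def load_blocklist(csv_text: str) -> set:
    """One domain per row in the first column; blank rows and rows starting
    with '#' are skipped (assumed layout for this example)."""
    blocked = set()
    for row in csv.reader(io.StringIO(csv_text)):
        if not row or not row[0].strip() or row[0].strip().startswith("#"):
            continue
        blocked.add(normalize(row[0]))
    return blocked


def is_blocked(name: str, blocklist: set) -> bool:
    """Match on whole DNS labels, walking from the full name up to the
    registrable suffix. A plain substring test would wrongly block
    'notfacebook.com' and wrongly miss 'Facebook.COM.'."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocklist:
            return True
    return False


def resolve_policy(query: str, blocklist: set) -> str:
    """What a filtering resolver does with a query: refuse blocked names,
    otherwise forward the lookup upstream."""
    return "REFUSED" if is_blocked(query, blocklist) else "forward"


# Constructed sample blacklist (illustrative entries, not a real feed).
SAMPLE_CSV = """# productivity sinks
facebook.com
tiktok.com

# a made-up phishing host
login-secure-update.example
"""

if __name__ == "__main__":
    blocklist = load_blocklist(SAMPLE_CSV)
    for q in ["www.facebook.com", "notfacebook.com", "Facebook.COM.", "example.com"]:
        print(f"{q:20} {resolve_policy(q, blocklist)}")
```

Label-wise matching is also why a blacklist should carry registrable domains (facebook.com) rather than individual hostnames: one entry then covers every subdomain, and nobody has to chase CDN hostnames.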
Step 7: Track activity
To check your access logs, navigate to the Access Logs section in the Control Panel.
From here you can view the access history of your team members: their IP addresses, the timestamps of their connections, and the amount of data transmitted.
You can export this data in CSV or PDF by clicking on the corresponding button in the top-right corner.
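The export is only worth something if someone actually looks at it, and the fields the page lists (member, IP address, timestamp, data volume) are enough for a few useful checks. The Python below is an added example, not GoodAccess code, that runs three such checks over an exported CSV: one member appearing from several addresses in a short window, connections outside working hours, and unusually large transfers. The column names and every log line are constructed for the example, so map the header to whatever the real export uses.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export. Column names are an assumption for this example.
SAMPLE_LOG = """member,ip,timestamp,bytes
alice,203.0.113.10,2024-03-04T08:55:00,1200000
alice,203.0.113.10,2024-03-04T13:02:00,800000
bob,198.51.100.7,2024-03-04T09:10:00,400000
bob,192.0.2.44,2024-03-04T09:25:00,300000
bob,203.0.113.99,2024-03-04T09:40:00,250000
carol,198.51.100.20,2024-03-04T02:15:00,9500000000
"""


def parse_log(text):
    """Turn the CSV export into typed rows sorted by time."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "member": r["member"],
            "ip": r["ip"],
            "ts": datetime.fromisoformat(r["timestamp"]),
            "bytes": int(r["bytes"]),
        })
    return sorted(rows, key=lambda r: r["ts"])


def many_ips(rows, window=timedelta(hours=1), limit=2):
    """Members seen from more than `limit` distinct addresses within `window`.
    Hopping networks that quickly is a classic sign of shared or stolen
    credentials; legitimate travel does not look like this."""
    by_member = defaultdict(list)
    for r in rows:
        by_member[r["member"]].append(r)
    flagged = set()
    for member, events in by_member.items():
        for i, start in enumerate(events):
            ips = {e["ip"] for e in events[i:] if e["ts"] - start["ts"] <= window}
            if len(ips) > limit:
                flagged.add(member)
                break
    return flagged


def off_hours(rows, start_hour=7, end_hour=20):
    """Members connecting outside the [start_hour, end_hour) working window."""
    return {r["member"] for r in rows if not start_hour <= r["ts"].hour < end_hour}


def heavy_transfer(rows, threshold_bytes=1_000_000_000):
    """Members whose total transferred volume exceeds the threshold (1 GB here),
    the kind of figure worth eyeballing for bulk data exfiltration."""
    totals = defaultdict(int)
    for r in rows:
        totals[r["member"]] += r["bytes"]
    return {m for m, total in totals.items() if total > threshold_bytes}


def review(text):
    """Run all checks and return the flagged members per check."""
    rows = parse_log(text)
    return {
        "many_ips": sorted(many_ips(rows)),
        "off_hours": sorted(off_hours(rows)),
        "heavy_transfer": sorted(heavy_transfer(rows)),
    }


if __name__ == "__main__":
    for check, members in review(SAMPLE_LOG).items():
        print(f"{check:15} {members}")
```

The thresholds are starting points, not rules: tune the working-hours window and the transfer limit to your own team's baseline after a week or two of exports, otherwise the checks will either stay silent or flag everyone.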
That is all – you don’t need a degree in IT to build a zero trust environment.
If you need any guidance setting up your zero trust environment, let us know. We’re always happy to help.