12 Zero Trust Architecture Examples With Actionable Guide

November 30, 2024
Zero trust Architecture Examples, zero trust example

At this stage, it's safe to assume you're familiar with the core principle of Zero Trust Architecture: "never trust, always verify." Zero Trust is a framework, not a single tool you can install. So, what does a real-world zero-trust architecture example look like? What tools are necessary to achieve full zero trust implementation? In this article, we have presented a zero-trust architecture example to illustrate how a fully secured organization operates and included 12 additional zero-trust examples highlighting the features and tools required for 360-degree zero-trust protection.

Zero Trust Architecture Example: Fully Executed Strategy 

XYZ Ltd., a company with 100+ remote employees across 14 countries, implemented Zero Trust Architecture to secure its IT infrastructure effectively. Here’s how they achieved it:

  • The company deployed Pomerium to enable context-aware authentication, ensuring that employee identities are verified based on contextual factors like geographical location, time of access, and IP address rather than relying solely on credentials. 

  • It uses Pomerium to get continuous verification to prevent session hijacking risks. 

  • To strengthen security further, Google Workspace was integrated with Pomerium as an IdP, utilizing Google Authenticator for Multi-Factor Authentication (MFA). In cases where contextual factors failed to verify a user, additional measures such as biometrics, unique codes, or magic links were required for identity confirmation.

  • Device compliance was addressed by integrating FleetDM with Pomerium. This ensured that all remote devices met compliance standards, had proper configurations, and ran updated software. 

  • Pomerium also functions as a reverse proxy, providing a modern alternative to traditional VPNs. It acts as a gateway between users and internal services, ensuring that only authorized requests are granted access.

  • Additionally, Role-Based Access Control (RBAC) was implemented with Pomerium to restrict access based on predefined user roles.

  • To bolster its security framework, XYZ Ltd. installed VMware NSX for network segmentation, IBM Anomaly Detection to mitigate insider threats, and Forcepoint Data Loss Prevention (DLP) to prevent data exfiltration. 

  • Finally, the company used Kong Gateway to secure its APIs, preventing unauthorized access to critical services.

In this zero trust example, XYZ Ltd. has established a robust zero-trust security framework by protecting all its resources using various zero-trust tools.

Zero Trust Examples: 12 Components for 360-Degree Protection

Here are 12 zero-trust examples and tools an organization needs to strengthen its security posture across all areas and establish a true zero-trust model.

1. Device Health

The zero-trust software checks the security health of the device before granting access. This approach prevents non-compliant or vulnerable devices from becoming attack vectors. It protects against compromised or non-compliant devices accessing sensitive resources. 

Example scenario: An employee working remotely attempts to log in to the company’s internal systems. The zero trust model enforces a compliance check, ensuring the device has updated antivirus software, the operating system is updated, and firewalls are enabled and configured. 

How to achieve this?  

Use MDM solutions like FleetDM and Endpoint Detection and Response (EDR) solutions like CrowdStrike or Microsoft Defender.

2. Device Identity and Authentication

This is a more zero-trust technical approach where unique identities to devices are assigned using certificates or tokens. It ensures that only registered and known devices can access sensitive resources.

Example scenario 1: Devices receive a cryptographic certificate during onboarding. Before accessing resources, the device presents this certificate to prove its authenticity.

Example scenario 2:  A sales manager accessing the CRM tool from a company laptop is granted access. However, if the same manager tries to log in from a personal device, they are blocked or required to use MFA.

How to achieve this? 

Use tools such as Public Key Infrastructure (PKI) certificates (SSL/TLS certificates, email signing certificates, etc.,) and Endpoint Management Solutions like e.g., Jamf, Microsoft Intune, NinjaOne Endpoint Management, ManageEngine Endpoint Central, Atera or IBM MaaS360.

3. Context-Aware Authentication

This is one of the core pillars of zero-trust architecture. In context-aware authentication, the user’s identity is verified with multiple contextual factors instead of relying only on credentials. 

Example scenario: An employee is trying to access a file from the company’s resources. The context-aware proxy software will verify their identity with contextual factors like geographical location, behavioral patterns, IP address, authorization level, device status, etc., before granting or denying access. Also check out: Context-aware authentication in layman’s terms

How to achieve this? 

Use context-aware proxy tools like Pomerium, Google IAP, etc. 

4. Network Segmentation

This zero-trust approach isolates critical applications into separate network segments. Even if an attacker compromises one application, they cannot move laterally to access others. It limits the radius of potential breaches.

Example Scenario: A micro-segmentation tool isolates key applications such as IT system admin files, financial databases, and HR systems into separate network segments. So, if a threat actor got access to, let’s say, the marketing department’s folders, they wouldn’t be able to access the critical files and resources of other departments. It’s more of a damage control approach. 

How to achieve this? 

Use tools like VMware NSX, Illumio, or Cisco Secure Workload.

5. User Identity Verification Through MFA

This is the most basic and widely used feature to implement zero-trust. In multi-factor authentication (MFA), more than one authentication method is used to verify the user’s identity. It prevents unauthorized access even if a password is compromised. 

Example scenario: A user trying to access a corporate email account must authenticate their identity using multiple factors such as a password, a one-time code sent to their phone, or biometric data like a fingerprint.

How to achieve this?

Use tools like Google Authenticator, Cisco Duo, Auth0 by Okta, etc. to enable multi-factor authentication. 

6. Dynamic Access Control Through JIT Access

Just-In-Time (JIT) Access is another example of zero-trust approach. Just-In-Time (JIT) Access in Zero Trust is a security approach where users or systems are granted access to resources only for a limited time and only when needed, reducing the attack surface. It prevents over-privileged accounts and enforces accountability.

Example Scenario: A developer needs temporary access to production servers. The zero trust framework issues time-limited access after the developer’s request is approved and logs all activity.

How to achieve this?

Use tools like Azure Privileged Identity Management (PIM), BeyondTrust Privileged Access Management, Google Cloud's Just-In-Time Access, or CyberArk.

7. Anomalous Behavior Detection (ABD)

Implementing ABD is required to get a strong zero-trust posture. It enhances an organization's ability to detect and respond to irregular activities proactively. ABD is commonly used to identify and mitigate insider threats or compromised accounts. 

Example scenario: If a user downloads an unusual amount of sensitive data, the ABD system triggers an alert and restricts their access.

How to achieve this?
Use tools like IBM Anomaly Detection, Cisco Identity Services Engine (ISE), and Anodot to implement Anomalous Behavior Detection in your systems.  

8. Continuous Verification 

Unlike traditional approaches that verify a user’s identity and authorization only at the start of a session, this Zero Trust model continuously monitors and validates users in real-time throughout the session, reducing the risk of session hijacking. 

Example scenario: An employee from the finance department is logging in with the correct credentials from their usual IP address and location. If, during the session, the IP address unexpectedly changes to a foreign location, the Zero Trust software detects this anomaly and immediately terminates the session to safeguard the system.

How to achieve this? 

Use zero-trust tools like Pomerium or Tailscale to enable continuous verification. 

9. Role-based access control (RBAC)

Role-Based Access Control (RBAC) in Zero Trust assigns permissions to users based on their roles within the organization, ensuring they can only access resources necessary for their duties. It enforces the principle of least privilege by restricting access to predefined role-specific actions and data.

Example scenario: In a company, an HR manager with an RBAC policy can access employee records but is restricted from viewing financial data. If they try to access the finance system, Zero Trust software blocks the attempt as it falls outside their role's permissions.

How to achieve this? 

Use tools like Pomerium, Azure AD, or Okta Identity Cloud to embed policies for RBAC. 

10. Data Loss Prevention (DLP)

Data Loss Prevention (DLP) in Zero Trust monitors and controls data transfers to prevent unauthorized access, data exfiltration, or sharing of sensitive information. It applies strict policies based on user identity, role, and context to ensure data remains secure and compliant. 

Example scenario: A financial analyst attempts to email sensitive client information. The DLP system intercepts the action and blocks the email, logging the attempt for review.

How to achieve this?

Use tools like Forcepoint Data Loss Prevention, Symantec DLP, Microsoft Purview, or Digital Guardian Data Protection Platform.

11. Reverse Proxy

A reverse proxy in Zero Trust acts as an intermediary between users and internal services, inspecting and filtering traffic to ensure only authorized requests are allowed. It enforces policies like identity verification, encryption, and access control before granting resource access.

Example scenario: A company uses a reverse proxy to secure its internal CRM system. When an employee tries to access the CRM, the reverse proxy verifies their identity, applies access policies, and encrypts the traffic before granting access, blocking unauthorized users.

How to achieve this?

Use free reverse proxy tools like Pomerium, HAProxy, Traefik, etc. 

12. Securing APIs

Zero Trust API Gateways ensures that only authenticated and authorized clients can interact with APIs, protecting sensitive data and services from unauthorized access. It protects APIs from unauthorized calls and reduces the risk of data breaches.

Example scenario: An e-commerce platform uses a Zero Trust API Gateway to secure its payment processing API. The gateway validates every request with client authentication and checks for anomalies, ensuring only authorized payment systems can access customer financial data.

How to achieve this?

Use tools likeKong Gateway, Gravitee.io API Management, or AWS API Gateway with zero trust configurations.

Share:

Stay Connected

Stay up to date with Pomerium news and announcements.

More Blog Posts

See All Blog Posts
Blog
What is a "Pomerium"?
Blog
How Pomerium Supports FedRAMP Compliance
Blog
Controlling for Humans with Usable Security

Revolutionize
Your Security

Embrace Seamless Resource Access, Robust Zero Trust Integration, and Streamlined Compliance with Our App.

Pomerium logo
© 2024 Pomerium. All rights reserved