UseCase9_ZeroTrust - sandersdHES/PAMEmergingTech GitHub Wiki
Zero trust is a security strategy based the principle “never trust, always verify”. This means that not all users should be trusted by default, even if within your network or using privileged access within your corporation. Threats can exist both inside and outside the network, and many businesses now use cloud solution, IoT devices, remote applications, … This makes the range of attack much wider and we can never be sure that some actions by some users are really worth of being trusted.
These are some key concepts of Zero Trust in general focus on :
- Continuous verification and monitoring : notably via risk-based policies, conditional access to resources, … Constant monitoring to be sure every accessed is secured at all times, even throughout the session.
- Principle of Least Privilege : Grant only what the minimum permissions to users or devices, based on their tasks.
- Micro-segmentation : Breaking up your network into small zones. This helps separating the access of some resources to specific parts of the network only.
- Assume breach : Always be on edge and make the actions that you would use to mitigate a cyberattack become part of the normal routine of your security policies.
- Multi-factor authentication : Used has another barrier to protect credentials, making passwords not enough in case of credential theft.
Here are some key benefits of using Zero Trust in a company :
| Benefit | Description |
|---|---|
| Enhanced Security | Reduces breach risk and limits attacker movement |
| Reduced Attack Surface | Fewer entry points for cyber threats |
| Efficient Threat Response | Rapid detection and containment of suspicious activities |
| Improved User Experience | One point of entry for access and authentication |
| Cost Savings | Lower breach costs and reduced need for multiple security tools |
| Support for Modern Work | Enables secure cloud, remote, and hybrid work |
| Regulatory Compliance | Easier to meet compliance requirements and maintain audit trails |
| Accurate Asset Inventory | Better visibility and control over users, devices, and resources |
You can implement it using many standards. Here you can see the Zero Trust Framework from The National Institute of Standards and Technology for the United States (NIST) to illustrate how it can be set up.
PAM360 has also the capabilities of enabling Zero Trust with its software solution.
Let’s see PAM360’s approach on this topic :
-
Validate Users and Resources
- The first step is to confirm the identity and integrity of both users and the resources they are trying to access. This often involves verifying credentials, roles, and device security posture.
-
Verify Access Policy
- Next, PAM360 evaluates predefined access policies to check whether the access request aligns with what is permitted. Policies may be based on roles, risk levels, behaviour, or context (e.g., time, location).
-
Grant / Deny Access
- Based on the access policy evaluation, PAM360 either grants or denies access. This decision is dynamic and contextual, consistent with the Zero Trust principle of "never trust, always verify".
Now how does PAM360 implement Zero Trust ?
-
Installing PAM360 Agent in User Devices and Resources
- Deploying PAM360 agents on endpoints and critical resources to enable monitoring, enforcement, and access control.
-
Configuring Trust Score Parameters – Users and Resources
- Defining parameters that determine the trustworthiness of users and assets (e.g., user role, behaviour history, system vulnerabilities).
-
Configuring Trust Score Weightage
- Assigning weights to different parameters, reflecting their importance in the overall trust evaluation.
-
Access Policy Configuration
- Creating and defining access control rules based on trust scores, organisational policies, and compliance requirements.
-
Associating Access Policies to Resource Groups
- Linking configured policies to specific groups of resources, enabling consistent enforcement.
-
Resolving Conflicts between Access Policies
- Handling overlapping or contradictory policies to ensure clear and secure access decisions.
Only a handful of roles should be allowed to configure Zero Trust on your PAM360. By default :
- The Privileged Administrator role has access to all of these operation privileges.
- The Administrator role can create, manage and resolve conflicts in their access policies, approve access policies and view the access policies created by other administrators.
- The Password Administrator role can perform all operations as Administrators except for access policy approval.
Now let’s go to the use case : Implementing Zero Trust Access Control
This use case demonstrates how to configure and enforce Zero Trust policies in PAM360, using dynamic user and resource trust scores. The goal is to ensure that access to sensitive systems is context-aware and continuously evaluated.
The Zero Trust model is built on the principle of “never trust, always verify.” Rather than relying on static credentials or traditional perimeter defenses, Zero Trust in PAM360 evaluates access based on multiple contextual parameters, such as:
- User authentication method
- Device type and risk
- Resource sensitivity
- Access control configuration
This dynamic model enables fine-grained and adaptive access control, aligning with modern cybersecurity standards.
Sources :
https://www.manageengine.com/privileged-access-management/help/zerotrust.html
https://www.crowdstrike.com/en-us/cybersecurity-101/zero-trust-security/
https://www.ibm.com/think/topics/zero-trust
https://learn.microsoft.com/en-us/security/zero-trust/zero-trust-overview
https://www.cloudflare.com/learning/security/glossary/what-is-zero-trust/
- Administrator access to PAM360
- At least one resource added to PAM360 (e.g., Linux machine)
- A basic understanding of trust scores and access policies
- Log in as a Privileged Administrator
- Navigate to Admin > Zero Trust > Configuration
Here, you’ll see parameters that influence User and Resource Trust Scores.
- Authentication Factors: MFA usage, IP reputation, login history
- Device Context: Type of device used, browser safety, OS patch level
- Go to Admin > Zero Trust > User Trust Score or Resource Trust Score
Here, you can assign weights (0–10) to each parameter. The total score is capped at 100 and is dynamically calculated at login or during access attempts.
The score will be adapted depending on if a parametric condition is met or not.
Another interesting addition is the Zero Trust Access Policies. Zero Trust policies are enforced only when multiple security conditions are satisfied. These include:
- Assigned Password Policy
- Password Access Control
- If enabled, PAM360 will check if access control is properly configured for each account/resource the user owns. If the account or resource does not have access control enabled/configured, the Zero Trust access policy will not consider the criteria satisfied, access will likely be denied.
- If disabled, PAM360 will ignore whether access control is configured for the account or resource the user owns
- User Trust Score
- Resource Trust Score
More info: Zero Trust Policy Documentation
Now prepare your first policy
- Go to Admin > Zero Trust > Access Policies
- Click Add Policy
- Name it “Privileged Policy”
- Configure conditions as shown:
After that, the access policy might need to be approved by a super administrator if such role exists.
If policy approval is enabled:
- Go to Admin > Access Policies > Process Request
- Approve or reject pending policy requests
-
Navigate to Groups > Add Group > Static Group
-
Select the Linux machine (or relevant resource) to include in the group
-
Assign your Zero Trust Policy to this group from the group settings
Try logging in to the Linux machine using a test user with a low trust score.
- PAM360 will evaluate trust conditions in real-time
- If the user's context doesn’t satisfy the policy, access is denied
The user also receives an email notification explaining the reason for denial and suggesting to contact an administrator
This use case shows how PAM360 enables a practical implementation of the Zero Trust model:
- User and Resource Trust Scores dynamically evaluate context
- Access is granted only when all conditions are met
- Real-time denial and notification protect against high-risk logins
- Security posture adapts continuously—aligned with modern enterprise standards
You now have a powerful policy-driven access control mechanism that enforces trust before access is granted.