Protecting Servers and Data: Zero Trust and 20 Features for Your Cybersecurity

Servers are reliable things. Especially in experienced hands. At the hardware level, many systems and components are redundant, partial maintenance can often be performed without interrupting operations, and with virtualization and clustering, even full maintenance is possible through live migration of virtual machines and complete shutdown of individual nodes.

Network connections are also often redundant at the backbone level, and sometimes entire clusters are duplicated, implementing a "heartbeat" mechanism — regular signals exchanged between systems in different data centers to verify that they are operational and synchronized.

And then a faulty update from CrowdStrike (an endpoint protection product) lands on your beautiful fault-tolerant server. A tool that is supposed to fight everything bad rather than join forces with it. Roughly 8.5 million Windows servers and PCs around the world decide to join the party, after which banks, airports (and aviation as a whole), hospitals, emergency services, and many other pillars of modern civilization end up sleeping it off somewhere in the bathtub.

Billions in losses. Colossal reputational damage.

And according to official reports, there was no cyberattack at all — they managed to shoot themselves in the foot.

In this article, I will talk about useful practices that can protect your servers and data — from both insiders and outsiders. And, as tradition dictates, there will be a poll at the end. And remember: the best way to achieve enlightenment is to point out the author's mistakes and start an argument with a random commenter on a tech forum :)

IMPORTANT! Some of the recommendations in this article are not very convenient (or extremely inconvenient) for users and administrators. The most secure system is a powered-off system, and in the real world you have to balance the convenience of employees and customers against security.

There are many cases where security measures become so oppressive that employees simply leave the company. It is also worth mentioning that businesses sometimes invest enormous amounts of money in security out of their operating profits, only to end up balancing on the edge of bankruptcy. Yes, cybersecurity is expensive, including personnel costs (you will likely need to expand your team because some processes will inevitably slow down). That is why it is important to distinguish healthy paranoia from unhealthy paranoia, assess risks, and evaluate the cost of mitigating them, including indirect expenses.

Expert note: The very first and most important thing you need to implement is backup. Nothing works without it. And make sure to conduct recovery drills, otherwise you may eventually discover that your backups are unusable. Ideally, backups should also be stored in a way that prevents them from being encrypted by attackers; otherwise, they are worthless. Offline backups, isolated storage systems, or protected cloud-based solutions are all viable options.

Cybersecurity — If You Stare Into the Logs Long Enough, the Logs Will Start Staring Back


Cybersecurity is usually associated with protection against external threats, but the CrowdStrike example from the introduction demonstrates that internal mistakes can cause more damage, cause it faster, and do so far more easily than external attackers.

Staged rollouts, proper testing, and rollback procedures for updates are an essential part of internal cybersecurity: push a new agent or content update to a small canary ring first, watch it, and only then release it to the rest of the fleet. Human error remains a constant factor as well: everything from weak passwords like "qwerty1234" to "Oops, I accidentally deleted the archive for the tax department" or "I opened an attachment from someone pretending to be my manager and everything broke." The same category includes pirated software bundled with ransomware, such as "Free VPN for unrestricted streaming and bypassing geo-restrictions."

There is another fly in the ointment: low qualifications or insufficient experience among administrators. Incorrect system configurations leave vulnerabilities behind, and vulnerabilities that can be exploited inevitably will be exploited. If your own people do not break something first, outsiders eventually will.

Internal security systems must continuously monitor the state of the IT infrastructure, identify anomalies, including those caused by internal failures, and automatically respond to them. When implemented correctly, this can prevent problems from escalating. A good example is the technical disruption that followed the cyberattack against a major logistics company, which according to some estimates resulted in losses ranging from tens to hundreds of millions of dollars. Competent information security practices and properly maintained backups would have been significantly cheaper.

Zero Trust: An Administrator Who Trusts Nobody (Not Even Himself) Is a Good Administrator


It's time to talk about the Zero Trust concept: a cybersecurity model built around the principle "never trust, always verify."

With Zero Trust you operate under the assumption of breach: any user, device, or network segment may already be compromised. The key difference from perimeter-based models is that every request for access to a resource is authenticated, authorized against policy, and limited to what the task requires, and that this check is repeated for each request rather than performed once at login. Whether the request comes from inside the network or from the outside perimeter does not matter.

The first step in implementing a Zero Trust model is auditing and inventorying all resources and data that need protection. Data comes first. This may include databases, file shares, cloud storage and other cloud services, applications, archives, and any other assets whose access must be tightly controlled.

What to do:

  • Conduct a complete inventory of all company IT assets, including asset ownership — who is responsible for each asset and what that asset is actually responsible for. The logic is straightforward: this server hosts the ERP system, this one runs the website, both support specific business processes, and if those processes are critical to the business, then these servers obviously require enhanced protection.

  • Identify critical data and resources that require heightened access control.

  • Assess existing security measures and identify potential vulnerabilities.

Access policies (assuming you did not accidentally arrive at Zero Trust by intuition) should be reviewed and redesigned to fit the new security model. Access should be granted according to the principle of least privilege (while still allowing employees to perform their jobs), and every user action should be limited to their direct responsibilities.

What to do:

  • Implement an RBAC (Role-Based Access Control) approach, where access to resources is granted based on an employee's role and job function.

  • Deploy IAM (Identity and Access Management) policies and systems that provide strict control over user permissions.

  • Implement MFA (Multi-Factor Authentication) for all users, especially when accessing critical resources (if access is available from outside the organization, this is a must-have). For administrators and other high-value accounts, prefer phishing-resistant factors (FIDO2/WebAuthn security keys or certificates) over SMS codes and push prompts, which attackers defeat with real-time phishing and prompt bombing.

Network segmentation is one of the foundations of Zero Trust because it helps isolate different parts of the infrastructure from one another. This not only makes attacks more difficult to spread but also simplifies access management and monitoring.

Within a Zero Trust framework, monitoring should not be limited to checking whether someone has logged in. It is essential to continuously track user and device behavior, analyze anomalies, and respond rapidly to potential threats.

What to do:

  • Implement a SIEM (Security Information and Event Management) solution. This is a system designed to collect and analyze logs in real time. Although a SIEM does not directly handle incident response, it provides the data and context required for SOC (Security Operations Center) teams and EDR/XDR platforms to operate effectively.

  • Consider implementing a SOC (Security Operations Center) and EDR/XDR solutions. An internal SOC (or SOC-as-a-Service) provides continuous monitoring and incident response, while EDR (Endpoint Detection and Response) and XDR (Extended Detection and Response) platforms help respond to threats quickly by delivering deep visibility and protection across endpoints. For example, a device can be automatically isolated when suspicious activity is detected.

  • Use UEBA (User and Entity Behavior Analytics) solutions. These behavioral analytics tools identify deviations in user and device activity that may indicate security threats. Some literature still refers to this category as UBA, but cybersecurity professionals are not known for being gentle! UEBA can detect suspicious activity that traditional security methods may overlook, including through the use of AI-powered analysis.

  • Implement SOAR (Security Orchestration, Automation, and Response) capabilities. These platforms help identify, prioritize, and manage standardized security incident response procedures by automating workflows and reducing response times.

In a Zero Trust environment, every device requesting access to your network is treated as a potential threat. That is why it is critical to maintain strict control over all devices, ensure their security, and verify their status before granting access.

What to do:

  • Use MDM (Mobile Device Management) and EMM (Enterprise Mobility Management) platforms to manage and control all corporate devices.

  • If you practice BYOD (Bring Your Own Device — in other words, employees work from their personal computers), establish formal policies and procedures with clear device security requirements. A particularly effective approach is to place such devices in a separate, isolated network segment with substantial restrictions. After all, the number of potential security holes there can be absolutely staggering.

  • Configure automatic security posture checks before a device is allowed to connect to the network. This may include verifying that the latest updates have been installed and that antivirus software is present and functioning. To achieve this, use tools that implement the NAC (Network Access Control) approach, such as Cisco Identity Services Engine or FortiNAC. Open-source alternatives also exist, including PacketFence.

And Now for Some Real-World Practices for Protecting Servers and Data from the Inside

These are just a few examples; experienced security professionals could easily add many more.

1. Honeytraps for Monitoring Employee Activity

The idea: plant decoys (honeytokens): fake files or directories with enticing names such as "finance_reports_2024.xlsx" or "passwords.txt" that no legitimate process needs. Configure alerts that trigger whenever someone opens, copies, or modifies them.

In practice: on Linux, place a watch rule on each decoy with auditd and alert on the records it produces. Because nothing legitimate should touch the decoys, any access is a high-signal event; the usual exceptions are backup jobs and malware scanners, which you exclude by executable rather than by muting the rule. This makes it possible to identify suspicious activity by internal users, including privileged administrators. Hopefully it is just idle curiosity, but it could just as easily indicate malicious intent or a compromised account that has fallen into the wrong hands.
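The script below is an added example, not part of the original article: it creates the decoys, emits the auditd watch rules, and parses the resulting audit records into alert lines while ignoring backup and scanner processes. The decoy directory /srv/shared, the audit key honeytrap, the ignored executables, and the audit records inside honeytrap_demo are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the article): decoy files watched by auditd and a
# parser that turns the raw audit records into alert lines. DECOY_DIR, the
# audit key "honeytrap", the decoy names and IGNORE_EXES are illustrative.

DECOY_DIR="${DECOY_DIR:-/srv/shared}"
AUDIT_KEY="${AUDIT_KEY:-honeytrap}"
DECOYS="finance_reports_2024.xlsx passwords.txt"
IGNORE_EXES="${IGNORE_EXES:-/usr/bin/rsync /usr/bin/clamscan}"

# Create the decoys. They must exist before the watch rule is loaded and
# should look plausible (name, size, mtime) so that a curious insider opens them.
honeytrap_create() {
  mkdir -p "$DECOY_DIR" || return 1
  for f in $DECOYS; do
    [ -e "$DECOY_DIR/$f" ] || printf 'Confidential - do not distribute\n' > "$DECOY_DIR/$f"
  done
}

# auditd rules: -w watches the path, -p rwa fires on read/write/attribute
# change, -k tags the records for ausearch. Install with:
#   honeytrap_rules | sudo tee /etc/audit/rules.d/honeytrap.rules && sudo augenrules --load
honeytrap_rules() {
  for f in $DECOYS; do
    printf '%s\n' "-w $DECOY_DIR/$f -p rwa -k $AUDIT_KEY"
  done
}

# Parse raw audit records on stdin (audit.log, or `ausearch -k honeytrap --raw`)
# and print one ALERT per decoy access. The SYSCALL record of an event carries
# auid (the user who logged in), uid (effective user) and exe; the PATH record
# with nametype=NORMAL in the same event carries the file name.
honeytrap_alerts() {
  awk -v key="key=\"$AUDIT_KEY\"" -v ignore=" $IGNORE_EXES " '
    function field(name,   i, kv) {
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == name) { gsub(/"/, "", kv[2]); return kv[2] }
      }
      return ""
    }
    $1 == "type=SYSCALL" && index($0, key) {
      ev = field("msg")
      auid[ev] = field("auid"); uid[ev] = field("uid"); exe[ev] = field("exe")
      next
    }
    $1 == "type=PATH" && field("nametype") == "NORMAL" {
      ev = field("msg")
      if (!(ev in auid)) next
      # Backup jobs and AV scanners read everything: drop them by executable
      if (index(ignore, " " exe[ev] " ")) { delete auid[ev]; delete uid[ev]; delete exe[ev]; next }
      # auid != uid: the login user escalated (sudo/su) before touching the decoy
      flag = (auid[ev] != uid[ev]) ? " escalated=yes" : ""
      printf "ALERT decoy=%s auid=%s uid=%s exe=%s%s\n", field("name"), auid[ev], uid[ev], exe[ev], flag
      delete auid[ev]; delete uid[ev]; delete exe[ev]
    }
  '
}

# Constructed records: alice (auid 1001) ran `sudo cat` on the decoy, bob
# edited an unrelated file, and the nightly rsync read the decoy. Only the
# first event should raise an alert.
honeytrap_demo() {
  honeytrap_alerts <<'EOF'
type=SYSCALL msg=audit(1715680000.123:4567): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d3c0de items=2 ppid=1234 pid=1235 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5 comm="cat" exe="/usr/bin/cat" key="honeytrap"
type=CWD msg=audit(1715680000.123:4567): cwd="/home/alice"
type=PATH msg=audit(1715680000.123:4567): item=0 name="/srv/shared/" inode=1 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1715680000.123:4567): item=1 name="/srv/shared/passwords.txt" inode=2 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1715680001.500:4570): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=55d3c0ff items=2 ppid=1234 pid=1240 auid=1002 uid=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002 sgid=1002 fsgid=1002 tty=pts1 ses=6 comm="vim" exe="/usr/bin/vim" key="exec"
type=PATH msg=audit(1715680001.500:4570): item=1 name="/home/bob/notes.txt" inode=9 dev=fd:00 mode=0100644 ouid=1002 ogid=1002 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1715680002.000:4580): arch=c000003e syscall=257 success=yes exit=5 a0=ffffff9c a1=55d3c100 items=2 ppid=900 pid=901 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsync" exe="/usr/bin/rsync" key="honeytrap"
type=PATH msg=audit(1715680002.000:4580): item=1 name="/srv/shared/passwords.txt" inode=2 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
EOF
}
```

Load the rules with augenrules, then feed `ausearch -k honeytrap --raw` (or the live audit.log) into honeytrap_alerts from a cron job or a log shipper. The escalated=yes flag deserves its own alert: an administrator who went through sudo before opening a file called passwords.txt knew what they were looking for.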

2. Separate Logging for Privileged Activity Monitoring

The idea: configure dedicated logs for actions performed with administrative privileges. Separating general logs from privileged activity logs reduces the amount of data that must be analyzed and allows you to focus on events that pose the greatest risk. This becomes especially valuable if you have hundreds of domain controllers and tens of thousands of users.

In practice: use rsyslog, syslog-ng, or systemd-journald to keep privileged records in dedicated storage. For example, on Linux you can route the messages emitted by sudo, su, and other privilege-elevation mechanisms into their own log file. Ship a copy off the host as well: an administrator who can edit the only copy of the log that records their own actions is exactly the case these logs are meant to cover.

For centralized log collection and analysis, use solutions such as ELK (Elasticsearch, Logstash, Kibana), Splunk, or Graylog. Configure alerts and dashboards to monitor suspicious activity related to administrative actions.
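As an added example (not from the article): an rsyslog drop-in that routes sudo and su records into their own file and forwards a copy off-host, plus a small scanner for the records in that file that deserve an alert. The file and drop-in names, the collector host siem.internal, and the log lines in privileged_demo are constructed; the line formats are the ones sudo and util-linux su write to syslog.

```shell
#!/bin/sh
# Added example (not from the article): route sudo and su records into a
# dedicated file with rsyslog and scan that file for the events worth an
# alert. The file name, the drop-in name and "siem.internal" are illustrative.

# rsyslog drop-in for /etc/rsyslog.d/60-privileged.conf. Records are written
# locally, a copy is forwarded off-host (so an administrator cannot quietly
# edit the only copy), and "stop" keeps them out of the general log.
# Validate with `rsyslogd -N1`, then restart rsyslog. Use TLS (omfwd
# StreamDriver options) for the forwarding leg in production.
privileged_rsyslog_conf() {
  cat <<'EOF'
if ($programname == "sudo" or $programname == "su") then {
    action(type="omfile" file="/var/log/privileged.log")
    action(type="omfwd" target="siem.internal" port="514" protocol="tcp")
    stop
}
EOF
}

# Scan sudo/su records (stdin) and print ALERT lines for: a sudo denial,
# a failed sudo password, a shell or su spawned through sudo, and su to root.
privileged_alerts() {
  awk '
    /sudo: .* : .*COMMAND=/ {
      line = $0
      sub(/^.*sudo: +/, "", line)            # "<user> : [reason ;] TTY=... ; COMMAND=<cmd>"
      split(line, parts, " : ")
      user = parts[1]
      sub(/^.*COMMAND=/, "", line)
      cmd = line
      if (index($0, "NOT in sudoers")) { printf "ALERT type=denied user=%s cmd=%s\n", user, cmd; next }
      # An interactive shell or su via sudo leaves no per-command trail: flag it
      if ((cmd " ") ~ /^(\/usr)?\/bin\/(ba|z|da)?sh / || (cmd " ") ~ /^(\/usr)?\/bin\/su /)
        printf "ALERT type=shell user=%s cmd=%s\n", user, cmd
      next
    }
    /sudo: pam_unix\(sudo:auth\): authentication failure/ {
      if (match($0, / user=[^ ]+/))
        printf "ALERT type=authfail user=%s\n", substr($0, RSTART + 6, RLENGTH - 6)
      next
    }
    / su: \(to root\) / {
      line = $0
      sub(/^.* su: \(to root\) /, "", line); sub(/ on .*$/, "", line)
      printf "ALERT type=su-root user=%s\n", line
    }
  '
}

# Constructed records in the syslog format sudo and util-linux su produce.
privileged_demo() {
  privileged_alerts <<'EOF'
May 14 10:02:11 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
May 14 10:03:40 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
May 14 10:04:02 web01 sudo:    carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
May 14 10:05:10 web01 sudo: pam_unix(sudo:auth): authentication failure; logname=bob uid=1002 euid=0 tty=/dev/pts/1 ruser=bob rhost=  user=bob
May 14 10:06:00 web01 su: (to root) dave on pts/3
EOF
}
```

Alice's systemctl call is routine and produces nothing; the other four lines are the ones a SOC wants to see. The same programname match works for Snoopy or tlog output if you log terminal commands as described further below.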

3. Limiting the Duration of Privileges (Just-In-Time Access)

The idea: grant temporary privileges only when they are genuinely needed, minimizing the time during which users could potentially misuse elevated permissions.

In practice: implement PAM (Privileged Access Management) solutions such as CyberArk, BeyondTrust, or similar privilege management platforms that can grant temporary administrator rights or other elevated permissions on demand and for limited periods. Even standard Active Directory environments can provide temporary group membership (time-to-live membership, available once the Privileged Access Management feature is enabled on a Windows Server 2016 or later forest). Establish approval workflows requiring authorization from other administrators or managers before temporary privileges are granted, adding another layer of oversight. At the very least, make regular permission audits mandatory; even that alone can reduce the likelihood of a successful attack.

Expert note: closely related to this is JEA (Just Enough Administration), a concept that grants only the minimum administrative rights required to perform a specific task. For example, a user may be allowed to restart a server — and nothing more. This approach reduces the risks associated with excessive privileges. It protects both against human error and attackers who manage to compromise an account.
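As an added example (not from the article), here is a minimal just-in-time scheme for sudo on a single Linux host, useful where a PAM product is not (yet) available: a grant is a sudoers.d drop-in stamped with an expiry and an approver, a reaper removes grants once they expire, and an optional command argument narrows the grant to one task, which is the JEA idea from the note above. The four-eyes check, the header format, the jit- file naming and the SUDOERS_DIR override are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the article): just-in-time sudo rights on a Linux
# host without a PAM product. A grant is a sudoers.d drop-in stamped with an
# expiry and the approver; a reaper run from cron or a systemd timer deletes
# expired grants. SUDOERS_DIR, the "jit-" prefix and the header format are
# this example's own conventions.

SUDOERS_DIR="${SUDOERS_DIR:-/etc/sudoers.d}"

# jit_grant <user> <minutes> <approver> [command ...]
# Without a command the user gets full root for the window (JIT). With a
# command the grant is also JEA-style, e.g.
#   jit_grant alice 30 bob /usr/bin/systemctl restart nginx
jit_grant() {
  user=$1; minutes=$2; approver=$3; shift 3
  cmd=${*:-ALL}
  # Four-eyes: a grant must be approved by someone other than the grantee
  if [ "$user" = "$approver" ]; then
    echo "grant for $user must be approved by another person" >&2; return 1
  fi
  now=$(date +%s)
  expires=$((now + minutes * 60))
  file="$SUDOERS_DIR/jit-$user-$expires"   # no '.' or '~' in the name, or sudo skips the file
  ( umask 077
    printf '# jit expires=%s approver=%s granted=%s\n%s ALL=(root) %s\n' \
      "$expires" "$approver" "$now" "$user" "$cmd" > "$file" )
  chmod 0440 "$file"
  # A syntax error in any drop-in breaks sudo for everyone: validate (as root) and roll back
  if [ "$(id -u)" -eq 0 ] && ! visudo -cf "$file" >/dev/null 2>&1; then
    rm -f "$file"; echo "invalid sudoers syntax, grant removed" >&2; return 1
  fi
  echo "$file"
}

# jit_reap: delete grants whose expiry stamp has passed and report each one,
# so the reaper's output can be shipped with the privileged-activity logs.
jit_reap() {
  now=$(date +%s)
  for f in "$SUDOERS_DIR"/jit-*; do
    [ -f "$f" ] || continue
    exp=$(sed -n 's/^# jit expires=\([0-9]*\).*/\1/p' "$f")
    if [ -n "$exp" ] && [ "$exp" -le "$now" ]; then
      rm -f "$f" && echo "expired: $f"
    fi
  done
}

# jit_active: list grants still in force (user, approver, minutes left)
jit_active() {
  now=$(date +%s)
  for f in "$SUDOERS_DIR"/jit-*; do
    [ -f "$f" ] || continue
    exp=$(sed -n 's/^# jit expires=\([0-9]*\).*/\1/p' "$f")
    [ -n "$exp" ] && [ "$exp" -gt "$now" ] || continue
    approver=$(sed -n 's/^# jit .*approver=\([^ ]*\).*/\1/p' "$f")
    printf '%s approver=%s minutes_left=%s\n' "$(sed -n '2s/ .*//p' "$f")" "$approver" "$(( (exp - now + 59) / 60 ))"
  done
}
```

Run jit_reap every minute from a timer and log its output; together with the separate privileged log from item 2 you get who was granted what, by whom, for how long, and what they did with it. The scheme deliberately stays out of the business of authenticating the approver: that belongs to the ticketing or chat workflow that calls jit_grant.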

4. Regular Rotation of Access Keys and Passwords

The old advice: frequently change passwords and access keys, especially for privileged accounts and third-party services, to reduce the risk of compromise. Ideally, establish formal procedures so that rotation is not forgotten, and better still, automate the process.

Current guidance: forcing users to change passwords on a schedule leads them to choose simpler, more predictable passwords (Summer2024! becomes Autumn2024!), which is why NIST SP 800-63B recommends against mandatory periodic rotation and in favor of changing a password when there is evidence of compromise. Instead, require long passwords that do not appear in breach databases, and always enable multi-factor authentication (MFA). Scheduled rotation remains highly relevant for automated systems, API keys, and service accounts, which is also where a breach can go unnoticed for a long time; be careful when applying it to end users, since nobody is going to memorize a brand-new complex password every month. An even better option may be to eliminate passwords entirely in favor of technologies such as FIDO security keys, provided your infrastructure supports them.

In practice: use automated secrets-management solutions such as HashiCorp Vault, CyberArk, or AWS Secrets Manager to regularly rotate and distribute credentials. This reduces the risk of abuse involving outdated or compromised secrets.

You can also use services such as Have I Been Pwned to determine whether your email address or password has appeared in known breaches, as well as solutions such as Lithnet Password Protection.

Always require strong passwords: a minimum length of 12–16 characters, checked against a list of breached and common passwords, but without rigid composition rules ("one uppercase, one digit, one symbol"), which only produce the predictable patterns a cracker's rule set already anticipates. A password like "gjregfqntdcthdthvjkk" is far harder to crack than "P@ssW0rd" and, for its owner, easier to remember. Be aware, though, that phrases typed in the wrong keyboard layout are a well-known trick with ready-made cracking rules, so such a string should be treated as a passphrase rather than as random characters.
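The following is an added example, not the author's code: a password check that implements the policy just described (a length floor and a blocklist instead of composition rules, plus a guard against degenerate strings), a generator for the random strings the article recommends, and an entropy estimate. The blocklist here is a constructed four-entry sample; in production you would feed it from a Pwned Passwords download or a filter such as Lithnet Password Protection.

```shell
#!/bin/sh
# Added example (not from the article): a password check that follows the
# guidance above (length plus a breach/common-password blocklist instead of
# composition rules) and a generator for the random strings it recommends.
# The blocklist is constructed; MIN_LEN and the 6-distinct-characters floor
# are this example's own choices.

MIN_LEN="${MIN_LEN:-16}"

# Constructed blocklist; real ones have hundreds of millions of entries.
blocklist_sample() {
  cat <<'EOF'
P@ssW0rd
qwerty1234
Winter2024!
correcthorsebatterystaple
EOF
}

# password_check <password> <blocklist-file>: prints the verdict and returns
# 0 (accepted) or 1 (rejected). Pass the password from a variable or a file,
# not typed on an interactive command line (it would land in shell history).
password_check() {
  pw=$1; blocklist=$2
  if [ "${#pw}" -lt "$MIN_LEN" ]; then
    echo "rejected: shorter than $MIN_LEN characters"; return 1
  fi
  # Exact, case-insensitive match against breached/common passwords
  if [ -f "$blocklist" ] && grep -qixF -- "$pw" "$blocklist"; then
    echo "rejected: appears in the breach/common-password list"; return 1
  fi
  # Catch the degenerate strings a pure length rule lets through ("aaaa...")
  distinct=$(printf '%s\n' "$pw" | fold -w1 | sort -u | grep -c .)
  if [ "$distinct" -lt 6 ]; then
    echo "rejected: fewer than 6 distinct characters"; return 1
  fi
  echo "accepted"
}

# password_generate [length]: random printable ASCII (94 symbols) from the
# kernel CSPRNG; 20 characters give roughly 131 bits of entropy.
password_generate() {
  LC_ALL=C tr -dc '!-~' < /dev/urandom | head -c "${1:-20}"
  echo
}

# password_entropy_bits <length> <alphabet-size>: log2(alphabet^length)
password_entropy_bits() {
  awk -v n="$1" -v c="$2" 'BEGIN { printf "%.1f\n", n * log(c) / log(2) }'
}
```

The blocklist check is deliberately an exact match: fuzzy matching ("password1" versus "Password1!") is better done with the rule sets in a dedicated filter, and the real win comes from the size of the list, not from cleverness in the comparison.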

5. Using Security "Grey Zones" (Greylisting)

The idea: introduce "grey zones" for privileged users, where certain actions require additional verification and approval (nothing to do with email greylisting; here the term means a class of operations that are neither freely allowed nor blocked outright). For example, a global CrowdStrike update

In practice: require multi-factor authentication (MFA) and additional validation steps, such as approval from a colleague or manager, before critical operations can be performed. Examples include deleting data or modifying important configurations.

6. Logging and Tracking Commands Executed Through the Terminal

The idea: record all commands entered into the terminal for later analysis and identification of suspicious activity.

In practice: tools such as Snoopy, auditd, or tlog on Linux can record terminal commands along with timestamps and user identities. This is extremely useful when investigating administrator activity.

7. Simulating an Insider Threat

The idea: periodically conduct internal security exercises that simulate the actions of an attacker who already has access to your systems, allowing you to evaluate how well your infrastructure withstands insider threats.

In practice: establish Red Teams that regularly conduct penetration tests and identify weaknesses by simulating the behavior of potential insider attackers. Frameworks such as Atomic Red Team or MITRE Caldera provide ready-made attacker techniques to replay; a host-based intrusion detection system such as OSSEC is not an attack simulator, but it is the right place to verify that those simulated actions are actually detected. Conduct drills and simulations based on realistic attack scenarios to ensure that your incident-response procedures actually work.

8. Isolation and Monitoring of Privileged Sessions

The idea: all privileged-user sessions should be isolated and monitored in real time.

In practice: use the PAM solutions already mentioned above, such as Delinea (formerly Centrify), or open-source platforms such as Teleport and JumpServer, to broker privileged sessions through a jump host that records all activity; Duo Security adds the MFA step in front of them but is not a PAM product itself. Configure alerts and automated response mechanisms, such as immediate session termination, whenever suspicious behavior is detected during a privileged session. Implement procedures requiring approval from a second administrator or senior staff member before certain critical operations can be executed.

9. Controlling the Use of Remote Administration Tools

The idea: restrict and monitor the use of remote-management tools such as SSH and RDP to prevent unauthorized activity.

In practice: implement two-factor authentication (2FA) for access to remote systems through SSH, RDP, and other protocols (or better yet, route them through a PAM platform). For SSH, also disable password and direct root logins and authenticate with keys or short-lived certificates. Restrict access by source address so that only trusted networks can connect, but treat this as one layer rather than as authentication: a compromised host inside the trusted range inherits the access. Use VPNs or dedicated management networks for administrative access. Configure sessions to terminate automatically after prolonged inactivity or when suspicious activity is detected.
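As an added example (not from the article): a hardened sshd drop-in that implements the points above (key plus keyboard-interactive second factor, no root or password login, admin group only, source-address restriction, lockout of dead sessions), the idle-logout piece sshd itself cannot do, and an audit function that checks an existing sshd_config for the weak settings the drop-in replaces. The management network 10.10.0.0/24, the group sshadmins, the file names and the weak sample config are illustrative.

```shell
#!/bin/sh
# Added example (not from the article): a hardened sshd drop-in for the
# practices above and an audit function that checks an existing sshd_config
# for the weak settings it replaces. 10.10.0.0/24, "sshadmins" and the file
# names are illustrative.

# Drop-in for /etc/ssh/sshd_config.d/10-hardening.conf (OpenSSH 8.2+ reads
# that directory; on older releases paste it into sshd_config above any Match).
# Validate with `sshd -t` before reloading. Key + TOTP/push through PAM is the
# 2FA the article asks for; KbdInteractiveAuthentication is the 8.7+ name of
# ChallengeResponseAuthentication.
sshd_hardened_conf() {
  cat <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
AllowGroups sshadmins
MaxAuthTries 3
LoginGraceTime 30
X11Forwarding no
# Drop dead connections: 5 unanswered probes, 120 s apart
ClientAliveInterval 120
ClientAliveCountMax 5
# Anyone outside the management network is refused before authentication
Match Address *,!10.10.0.0/24
    DenyUsers *
EOF
}

# ClientAlive* detects a dead peer, not an idle user: a connected shell left
# open stays open. Enforce the inactivity logout in the login shell instead
# (bash/ksh honour TMOUT; this goes in /etc/profile.d/idle-logout.sh).
idle_logout_profile() {
  cat <<'EOF'
TMOUT=600
readonly TMOUT
export TMOUT
EOF
}

# sshd_audit <sshd_config>: one FAIL line per weak or missing setting, exit
# status = number of failures. sshd uses the FIRST value it sees for a
# keyword, so the audit records first occurrences and stops at Match blocks.
sshd_audit() {
  awk '
    function val(k) { return (k in seen) ? seen[k] : "" }
    /^[ \t]*(#|$)/ { next }
    tolower($1) == "match" { exit }
    { k = tolower($1); if (!(k in seen)) seen[k] = $2 }
    END {
      fails = 0
      if (val("permitrootlogin") != "no") { print "FAIL PermitRootLogin must be no"; fails++ }
      if (val("passwordauthentication") != "no") { print "FAIL PasswordAuthentication must be no (default yes)"; fails++ }
      if (index(val("authenticationmethods"), ",") == 0) { print "FAIL AuthenticationMethods must require two factors"; fails++ }
      if (val("clientaliveinterval") == "" || val("clientaliveinterval") + 0 == 0) { print "FAIL ClientAliveInterval unset (default 0)"; fails++ }
      m = val("maxauthtries")
      if (m == "" || m + 0 > 3) { print "FAIL MaxAuthTries must be 3 or lower (default 6)"; fails++ }
      if (val("x11forwarding") == "yes") { print "FAIL X11Forwarding yes"; fails++ }
      exit fails
    }
  ' "$1"
}

# Constructed: a stock-looking sshd_config with the common weak choices.
sshd_weak_sample() {
  cat <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
EOF
}
```

Run sshd_audit across the fleet from your configuration management and fail the deployment on a non-zero exit. For RDP the equivalent controls are NLA plus an MFA-enforcing gateway, but the audit logic is the same: check the first effective value, not the last line someone appended.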

10. Applying the "Divide and Conquer" Principle to Data

The idea: split data into smaller, less meaningful segments so that obtaining a complete picture becomes much more difficult for an attacker.

In practice: apply encryption at the file, database, and communication layers. Use different encryption keys for different portions of data (per tenant, per region, per classification level), so that a single leaked key or a single compromised service exposes only its own segment rather than the whole store. The scheme is only as good as the key management behind it: keep keys in a KMS or HSM, grant each service access to its own keys only, and prefer authenticated encryption (AES-GCM or similar) so that tampering is detected as well as read access.
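To make the contain-the-damage property concrete, here is an added example (not from the article) that splits a constructed record set into segments by region, encrypts each segment under its own random key with openssl enc, and checks that the key of one segment cannot read another. The directory layout, sample records and split column are constructed; the local key files stand in for keys a KMS or HSM would hold, and AES-256-CBC is used only because openssl enc offers no AEAD mode, so production code should use an authenticated construction instead.

```shell
#!/bin/sh
# Added example (not from the article): split a record set into segments,
# encrypt each segment under its own key, and check that one leaked key
# exposes only its own segment. Uses openssl enc (AES-256-CBC with a PBKDF2-
# derived key from a per-segment key file). File layout, sample records and
# the "region" split column are constructed for the example.

# Constructed records: region,name,email. Region is the split column.
records_sample() {
  cat <<'EOF'
eu,alice,alice@example.test
us,bob,bob@example.test
eu,carol,carol@example.test
EOF
}

# segment_encrypt <workdir> <csv>: one segment per value of column 1, one
# random 256-bit key per segment; plaintext segments are removed after
# encryption. Prints the segment names.
segment_encrypt() {
  dir=$1; plain=$2
  mkdir -p "$dir/segments" "$dir/keys"
  awk -F, -v out="$dir/segments" '{ f = out "/" $1 ".csv"; print >> f; close(f) }' "$plain"
  for seg in "$dir/segments"/*.csv; do
    name=$(basename "$seg" .csv)
    key="$dir/keys/$name.key"
    # In production the key is generated and held by a KMS/HSM, not a file
    ( umask 077; openssl rand -hex 32 > "$key" )
    openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$key" -in "$seg" -out "$seg.enc" \
      && rm -f "$seg"
    echo "$name"
  done
}

# segment_decrypt <workdir> <segment> <keyfile>: plaintext on stdout; fails
# (or yields garbage) when the key belongs to another segment.
segment_decrypt() {
  openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$3" -in "$1/segments/$2.csv.enc"
}

# End-to-end check of the containment property the section describes.
segment_demo() {
  w=$(mktemp -d)
  records_sample > "$w/records.csv"
  segment_encrypt "$w" "$w/records.csv" >/dev/null
  own=no;   segment_decrypt "$w" eu "$w/keys/eu.key" 2>/dev/null | grep -q 'alice@example.test' && own=yes
  other=no; segment_decrypt "$w" eu "$w/keys/us.key" 2>/dev/null | grep -q 'alice@example.test' && other=yes
  rm -rf "$w"
  echo "eu segment with eu key: $own; eu segment with us key: $other"
}
```

The interesting design decision is the split column: it should follow the access pattern of your services (region, tenant, classification), so that each service can be given exactly the keys it needs and nothing else. Without that, per-segment keys just multiply the key material while every service still holds all of it.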

And this is just the internal side of the story: the kind of practices that rarely make headlines but often determine whether an incident stays contained or turns into a full-scale outage. Ten practical approaches to strengthening external cybersecurity, dealing with perimeter defense, attack surface reduction, and real-world intrusion scenarios, will be covered in the next part of this article; follow us on LinkedIn so you don't miss it.


