Getting Started with Trust Service
Introduction

The Nile Trust Service can be activated on both new (greenfield) and existing (brownfield) deployments to provide zero trust enforcement across the enterprise network. This section outlines the prerequisites, configuration steps, and best practices that help administrators enable and operationalize the Trust Service efficiently.

Preparing for Deployment

Before enabling the Nile Trust Service, administrators should review their network design, existing policy configurations, and upstream integrations. Preparation ensures a smooth transition from traditional segmentation models to identity-based zero trust enforcement.

Prerequisites

- Ensure all sites are running the latest software version that supports the Trust Service.
- Confirm that essential network services such as DHCP, DNS, RADIUS, and identity providers (IdP) are reachable and configured.
- For identity-based micro-segmentation, verify that users and devices can be identified through either SCIM/IdP groups or device fingerprinting.
- For environments requiring protection against rogue devices, review plans for continuous validation.
- For environments where policy enforcement will be migrated from the external firewall into the Nile zero trust fabric, review what the existing policies are.

Recommended Initial Setup Sequence

1. Review network segments: document existing network segments and the associated user/device categories.
2. Define policy groups: create baseline user, device, and application groups representing the enterprise environment.
3. Set up infrastructure services: validate that the DNS, DHCP, RADIUS, and IdP IP addresses are included in the Infrastructure Services application group. Endpoints depend on these services to obtain an address, resolve names, and authenticate before any identity-based policy can apply to them, so an incomplete group blocks onboarding once enforcement is active.
4. Create initial service profiles: configure profiles for onboarding, DNS, and essential protocols.
5. Build initial policies: establish basic connectivity rules, such as employee access to the internet or IoT devices to intranet applications.

Key Setup Tasks for Refining Zero Trust

Once the basics are in place and a tighter zero trust posture is desired, additional tasks include:

- Specify the intranet address space. If intranet will be used in policies, ensure the Intranet app group is accurate.
- Refine policy groups. Consider increasing the security posture through smaller policy groups and by grouping like devices together:
  - IoT devices or IoT device categories (printers, cameras, etc.)
  - user groups such as employees, guests, and contractors
  - app groups beyond Intranet and Internet, such as data center applications or more specific categories of corporate applications
- Create more restrictive service profiles. Instead of a fully open port/protocol profile, limit the allowed traffic types.
- Optional: unclassified users and devices. By default, unclassified users and devices cannot access the internet. If a different policy is desired, add an explicit policy for these policy groups.
- Optional: define a quarantine policy. If the default Quarantine group will be used, two policies are required: one defining what quarantined devices can access, and one defining who/what can access those devices.
  - A policy should define what app group (e.g., quarantine servers) devices in quarantine are allowed to access. This app group need not include infrastructure services such as DHCP, as they are already predefined. By default, Nile has created a placeholder quarantine policy that denies access to the internet; if the quarantine function is expected to be used, this policy must be updated with the desired quarantine app group and an allow action.
  - A policy should define who can access the devices in quarantine, and via what protocol/port.
- Build additional policies. Using the refined policy groups, define more restrictive access policies and progressively work toward a least-privilege access model, for example:
  - employee and guest access to the internet (controlled by an Internet service profile)
  - employee access to printers, except for administrative access
  - employee access to corporate intranet applications (captured in an application group)
  - IT admin access to the administrative protocols/ports of printers and IoT devices
  - IoT and printer access to specific internet or print server destinations

Best Practices for Initial Rollout

- Start with a minimal set of policies focused on critical business workflows.
- Gradually expand policies to cover additional applications or devices once validation is complete.
- Avoid overly broad, open service profiles; refine them to least-privilege configurations as operations stabilize.
- Regularly review the unclassified and quarantine lists to address anomalies early.

Summary

The Nile Trust Service simplifies the journey to zero trust by automating classification, onboarding, and policy enforcement across all network layers. Whether deployed in a new environment or integrated into an existing one, it provides a secure and flexible foundation for modern enterprise connectivity.

Next: Migration Overview. Learn how existing Nile Access Service deployments transition to the new trust engine with identity-based microsegmentation.
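The policy model used throughout this page (policy groups, service profiles, allow/deny policies, default-denied unclassified endpoints, a Quarantine group whose members only reach a quarantine app group, and infrastructure services that are permitted regardless of policy) can be exercised end to end with a small evaluator. The block below is an added example written for this page; it is not Nile's API, engine or configuration format. Every identity, group, address range, service profile and policy in it is constructed for illustration, and the evaluation semantics (first matching policy wins, anything unmatched is denied, infrastructure ports are always allowed) are assumptions of this model, not a statement of how the Trust Service orders or matches rules. It also includes the audit check a practitioner would want for the "avoid overly broad service profiles" best practice.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable

# Constructed sample data for illustration only (not from any real deployment).
# Infrastructure services the page says are predefined (DHCP, DNS, RADIUS) are
# modelled as always allowed, independent of the policy list (assumption).
INFRA_SERVICES = frozenset({("udp", 67), ("udp", 68), ("udp", 53), ("tcp", 53),
                            ("udp", 1812), ("udp", 1813)})


@dataclass(frozen=True)
class ServiceProfile:
    name: str
    ports: frozenset          # of (proto, port); an empty set means fully open

    def permits(self, proto: str, port: int) -> bool:
        return not self.ports or (proto, port) in self.ports


@dataclass(frozen=True)
class Policy:
    name: str
    src: str                  # source policy group
    dst: str                  # destination policy group or app group
    profile: ServiceProfile
    action: str               # "allow" or "deny"


ANY = ServiceProfile("any", frozenset())
WEB = ServiceProfile("web", frozenset({("tcp", 80), ("tcp", 443)}))
PRINT = ServiceProfile("print", frozenset({("tcp", 631), ("tcp", 9100)}))
ADMIN = ServiceProfile("device-admin", frozenset({("tcp", 22), ("tcp", 23), ("tcp", 443)}))

# Identity -> policy groups, as an SCIM/IdP lookup or device fingerprint would yield.
ENDPOINTS = {
    "alice": {"Employees"},
    "bob": {"Employees", "IT Admins"},
    "guest-17": {"Guests"},
    "printer-7": {"Printers"},
    "cam-3": {"Quarantine"},          # device moved into the Quarantine group
    "unknown-mac": set(),             # unclassified: no group at all
}

# App groups resolved from the destination address; the most specific prefix wins.
APP_GROUPS = {
    "Intranet": ipaddress.ip_network("10.0.0.0/8"),
    "Printers": ipaddress.ip_network("10.20.0.0/24"),
    "Quarantine Servers": ipaddress.ip_network("10.99.0.0/24"),
}

# Ordered policy list mirroring the examples on the page.
POLICIES = [
    Policy("employees-internet", "Employees", "Internet", WEB, "allow"),
    Policy("guests-internet", "Guests", "Internet", WEB, "allow"),
    Policy("admins-printer-mgmt", "IT Admins", "Printers", ADMIN, "allow"),
    Policy("employees-print", "Employees", "Printers", PRINT, "allow"),
    Policy("employees-intranet", "Employees", "Intranet", ANY, "allow"),
    Policy("quarantine-servers", "Quarantine", "Quarantine Servers", WEB, "allow"),
    Policy("admins-to-quarantined", "IT Admins", "Quarantine", ADMIN, "allow"),
]


def groups_of(identity: str) -> set[str]:
    """Unknown or group-less identities fall into the Unclassified group."""
    g = ENDPOINTS.get(identity)
    return set(g) if g else {"Unclassified"}


def destination_groups(dst: str) -> set[str]:
    """A known identity is matched by its policy groups; an address by app group."""
    if dst in ENDPOINTS:
        return groups_of(dst)
    addr = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, name) for name, net in APP_GROUPS.items() if addr in net]
    if matches:
        return {max(matches)[1]}
    return {"Internet"} if addr.is_global else {"Unknown"}


def evaluate(src: str, dst: str, proto: str, port: int) -> tuple[str, str]:
    """First matching policy wins; no match means deny (assumed semantics)."""
    if (proto, port) in INFRA_SERVICES:
        return "allow", "infrastructure service"
    s, d = groups_of(src), destination_groups(dst)
    for p in POLICIES:
        if p.src in s and p.dst in d and p.profile.permits(proto, port):
            return p.action, p.name
    return "deny", "default deny"


def open_profile_policies(policies: Iterable[Policy]) -> list[str]:
    """Audit helper: allow policies that still use a fully open service profile."""
    return [p.name for p in policies if p.action == "allow" and not p.profile.ports]


if __name__ == "__main__":
    for flow in [("alice", "93.184.216.34", "tcp", 443),   # employee web
                 ("alice", "10.20.0.7", "tcp", 9100),      # employee printing
                 ("alice", "10.20.0.7", "tcp", 23),        # employee -> printer admin
                 ("bob", "10.20.0.7", "tcp", 23),          # IT admin -> printer admin
                 ("unknown-mac", "93.184.216.34", "tcp", 443),  # unclassified
                 ("cam-3", "10.99.0.5", "tcp", 443),       # quarantined -> remediation
                 ("cam-3", "93.184.216.34", "tcp", 443),   # quarantined -> internet
                 ("bob", "cam-3", "tcp", 22)]:             # IT admin -> quarantined
        print(flow, "->", evaluate(*flow))
    print("allow policies with open profiles:", open_profile_policies(POLICIES))
```

Two details are worth noting. The printer subnet sits inside the intranet range, so destination resolution picks the most specific app group; without that, the open `employees-intranet` rule would silently grant employees the printers' administrative ports, which is exactly the over-broad grant the page warns about. The `open_profile_policies` check reports that same rule as the one still using a fully open profile, which is the kind of item to tighten during the refinement stage.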
