Everything you need to know about the principles, application and thinking behind applying Microsoft’s Zero Trust approach to your cyber security.
So, your perimeter has gone and the bad guys are finding new ways to gain access. How can you adapt your cyber security solution to better defend against the modern threat landscape without sacrificing productivity?
The answer lies in adopting a Zero Trust approach.
In this blog, we’ll explain what Microsoft means by a Zero Trust approach, its core technologies and principles – and we’ll outline the initial steps you can take to apply it.
Less trust seems a strange way to achieve greater cyber security, but bear with me.
For a long time, IT security followed the old castle and moat approach. Organisations locked their precious data deep inside a digital stronghold and built well-fortified defences around it.
Bad guys outside, good guys inside. Easy. At least it was – until the walls came down.
The past decade has seen that well-defended structure blown apart. The rise of remote working, cloud services, BYOD and the Internet of Things means a new approach to cyber security is required.
With threats now coming at you from all angles, unverified trust leaves you dangerously exposed.
Hence the emergence of the term ‘Zero Trust’: an approach that Microsoft describes as “an ‘assume breach’ security posture that treats each step across the network and each request for access to resources as a unique risk to be evaluated and verified.”*
Zero Trust works on the assumption that all activity is malicious until proven otherwise.
Now that might sound heartless, but the modern threat landscape has made it necessary – a situation only exacerbated by the rapid change undergone as a response to the COVID-19 pandemic.
According to Microsoft, Zero Trust operates on three core principles:
Don’t assume that just because something is on your network and seems legitimate that it is.
Access decisions should be based on several factors, including user identity, location, device compliance, classification of the data being accessed and any other risk signals associated with the access request. These factors should then be continuously re-verified throughout the session, not just at sign-in.
Least privileged access means restricting user access rights to just the resources that are required to carry out the task at hand.
This is achieved by implementing just-in-time and just-enough-access policies. These, coupled with information protection policies, will help protect data wherever it travels and ensure the relevant level of access to your files is provided.
This one is important as it frames the whole mindset with which you should approach your security.
Working from that assumption, you reduce the attack surface and prevent lateral movement by segmenting your network, users and devices when threats are detected.
You should ensure that all sessions are encrypted and utilise analytics to get visibility of threats and improve threat detection.
The image below demonstrates the stark difference in verification power provided by Zero Trust.
To achieve this level of control and detail, a Zero Trust approach should encapsulate the six key components of any environment:
Ensure end-users have MFA and SSO enabled on their accounts.
Access decisions can be based on device health, device compliance and whether devices are running endpoint protection or anti-malware.
Label and classify files to add additional levels of protection with information protection that follows the file wherever it travels.
Remove the requirement for VPN, discover shadow IT and configure SSO for your cloud apps.
Segment your network to reduce the attack surface and prevent lateral movement by encrypting both internal and external networks.
Keep infrastructure updated with regular configuration reviews and just-in-time access. Monitor infrastructure in real-time to protect against potential attacks.
Identity and security are often thought of as individual entities, but the truth is that managing your user identities is crucial to realising the security benefits of a Zero Trust approach.
A robust identity platform and approach is essential. Provisioning and managing the lifecycle of your identities and enabling a single sign-on approach to EVERYTHING is critical.
I’d recommend doing this by applying Conditional Access policies within Azure AD and assessing risk through Azure Identity Protection. This helps you gain confidence in your authentication request and approval process.
SSO can then be achieved through publishing your applications within Azure AD and using the Azure Application Proxy for any on-premises applications.
With your identity management under control, you now have a much easier and effective way to apply policies to the many authentication requests that occur.
And I’m not just talking about applying second-factor authentication (which you absolutely should), but it also gives you the ability to evaluate other aspects to gain assurance and understand the risk involved from any given authentication request.
This insight then allows you to apply even greater controls in line with your established risk tolerance.
Once your identity management is in good nick, you need to understand the risk presented by the device being used to access your resources.
Having the ability to understand if a device is known and managed is one thing – understanding if that device has all the necessary security controls in place is another.
Achieving this across different platforms can be challenging but it’s important to do so.
The ability to dynamically understand both the device’s – and related identity’s – current risk status should drive the decision process when granting access to resources.
Whilst a device could be compliant in its configuration, you need to be able to, in near real-time, understand if that device is behaving suspiciously.
Policies can then be configured to either block access or direct the connection through a different route where additional visibility and protection can be applied.
Microsoft’s Intune solution can provide management and policy enforcement for your endpoints to gauge their compliance, while an Azure AD and local AD hybrid setup can be used to indicate ‘known devices’.
Advanced endpoint security solutions such as Microsoft Defender ATP, managed through Microsoft Threat Protection, can provide continuous assessment of devices.
Routing your riskier connections through Microsoft Cloud App Security will provide additional in-line protection through its reverse proxy capability.
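The decision process described above (access based on identity, device compliance, device and identity risk and location, re-evaluated throughout the session, with risky connections blocked or sent through a different route) as an added toy example in Python; this is not code from the original post or from Microsoft, and the policy thresholds, signal names and the `Signals`/`decide`/`session` helpers are assumptions for illustration:

```python
# Added example (not from the original post): a toy Zero Trust access evaluator
# combining the signals the post lists and re-checking them during a session.
# The policy thresholds are assumptions, not Microsoft's Conditional Access defaults.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Signals:
    user: str
    mfa_done: bool          # second factor completed for this request
    device_managed: bool    # device known to the tenant (e.g. hybrid-joined / enrolled)
    device_compliant: bool  # device meets the compliance policy
    device_risk: str        # "low" | "medium" | "high" (continuous endpoint assessment)
    identity_risk: str      # "low" | "medium" | "high" (identity protection signal)
    trusted_location: bool  # request comes from a named, trusted network

ALLOW, REQUIRE_MFA, ROUTE_VIA_PROXY, BLOCK = "allow", "require_mfa", "route_via_proxy", "block"

def decide(s: Signals, sensitivity: str = "internal") -> str:
    """Evaluate one access request against the assumed policy."""
    # Assume breach: high risk on either the identity or the device is blocked outright.
    if s.identity_risk == "high" or s.device_risk == "high":
        return BLOCK
    # Verify explicitly: a second factor is required unless the request comes from a
    # managed, compliant device on a trusted network with no risk raised at all.
    if not s.mfa_done:
        no_risk = s.identity_risk == "low" and s.device_risk == "low"
        if not (s.device_managed and s.device_compliant and s.trusted_location and no_risk):
            return REQUIRE_MFA
    # Unmanaged or non-compliant devices and medium-risk requests take the "different
    # route": through a reverse proxy for extra visibility, or blocked for confidential data.
    if not (s.device_managed and s.device_compliant) or "medium" in (s.identity_risk, s.device_risk):
        return BLOCK if sensitivity == "confidential" else ROUTE_VIA_PROXY
    return ALLOW

def session(initial: Signals, changes: list, sensitivity: str = "internal") -> list:
    """Continuous verification: re-evaluate after every signal change, stop at the first block."""
    current = initial
    decisions = [decide(current, sensitivity)]
    for change in changes:
        current = replace(current, **change)   # a signal changed mid-session
        decisions.append(decide(current, sensitivity))
        if decisions[-1] == BLOCK:
            break
    return decisions
```

Calling `session` with a device whose risk moves from low to medium to high shows the same user going from allowed, to proxied, to blocked without ever re-authenticating.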
Providing users with more access than required is an age-old problem.
Nearly everyone knows it’s bad practice to hand out global admin rights for simple tasks, but it’s still happening. The reason is that it makes life easier for the admin to give a user free rein rather than configure specific limits that they may end up having to amend later.
For Zero Trust to work, this mindset needs to change. You need to reduce your security footprint as much as possible to close off unnecessary and easy access for uninvited guests. This can be achieved by ensuring that users only have the privileges required to do their job.
Adopting a just-in-time approach for your privileged accounts allows the user to only use their privileged role when they need it and removes the access when they don’t.
A combination of Azure Privileged Identity Management, Azure VM ‘just in time’ access and Azure Entitlements addresses this challenge.
The success of adopting a Zero Trust approach depends largely on an organisation’s ability to apply these best practices and couple it with an assume breach mindset.
It really is a case of not if but when. Nowadays, there are just too many ways a malicious actor can gain access to have 100% confidence that they’ll be stopped at the front door.
Having the ability to see and understand suspicious or malicious activities within your environment (cloud or on-premises) is an absolute must-have in a Zero Trust world.
Azure ATP will provide comprehensive visibility into what’s going on within your environment from an identity perspective and works with Microsoft Sentinel to achieve a wider correlation of events and activities.
Microsoft Sentinel will then provide you with the ability to correlate security insights across a wide range of sources, giving you visibility across the entire attack chain.
Adopting an assume breach mindset whilst using the necessary tools to give you this visibility needs to be considered across all your devices, applications and services, infrastructure, identities, data and networks.
Achieving a Zero Trust approach is not something that can be rushed if it’s to be effective.
But if you feel you’re ready to begin your Zero Trust journey then the following steps will provide a good foundation:
Compile an inventory of your assets and IT infrastructure. What types of data do you have and where is it kept? What degree of protection is required?
With the traditional perimeter gone and data moving freely between devices in different locations, your security needs to follow the data trail.
For Zero Trust to work, you have to be able to limit lateral movement within your network when a breach occurs. Think of it like shutting the fire doors to contain a blaze and prevent its spread.
Segment your network by separating the different layers of your applications into different VLANs, managed by rules that dictate what can (and importantly can’t!) travel from one VLAN to another.
Separating layers of the application, such as the database, application processing and application interface components, will make it much harder for malicious users to gain control. This should be considered for both your Azure-hosted infrastructure and on-premises infrastructure.
Once you know your risk and have appropriately divided your network, you can begin to think about who you’re going to give access to based on defined identity rules.
This is where you can stipulate the use of MFA and control access based on role, device, application and more. Be sure to configure your network so that granting access to one environment does not mean automatic access to others.
In Zero Trust, every access request is scrutinised to ensure validity.
Throwing state-of-the-art technology at the problem will only get you so far. Ensure that you educate your users on why the changes are being made and how to use the technology properly, and invest in teaching them good cyber hygiene habits and Zero Trust tenets.
Human beings will always be fallible and – intentionally or not – pose a significant risk to your IT security. So proper tech adoption planning is critical to reaping the benefits of a Zero Trust approach.
Prioritise your most valuable assets and look to apply fine-tuned privileged access controls now that you’ve got your identity management working flawlessly.
This is where that just-in-time access comes into play and helps give your security a boost. Ideally, you would eventually have this degree of control over your entire estate, but first and foremost start with protecting your key resources and data.
Zero Trust is driven by data. For a Zero Trust approach to be successful, you’ll need an effective way to monitor the activity of your environment that removes the alert fatigue and heavy lifting from your IT security team.
Software such as Microsoft Sentinel is ideal for this purpose. It constantly evaluates access requests and weighs them against factors such as location, time, device and frequency, giving you near real-time feedback on any suspicious activity whilst allowing verified requests to proceed with next to no interruption to the end-user.
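The kind of evaluation just described (weighing each access request against location, time, device and frequency) as an added example in Python, run over a handful of constructed sign-in records; this is not code from the original post and not Sentinel's own analytics, and the baseline rules, thresholds and the `score_signins` helper are assumptions for illustration:

```python
# Added example (not from the original post): detection logic that checks each
# sign-in against a per-user baseline on the factors the post names: location,
# time, device and frequency. The sign-in records below are constructed, not real.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-ins: (ISO timestamp, user, country, device id)
SIGNINS = [
    ("2021-03-01T09:02:00", "alice", "GB", "dev-a1"),
    ("2021-03-01T09:40:00", "alice", "GB", "dev-a1"),
    ("2021-03-02T08:55:00", "alice", "GB", "dev-a1"),
    ("2021-03-02T03:10:00", "alice", "RU", "dev-zz"),  # odd hour, new country, new device
    ("2021-03-02T03:11:00", "alice", "RU", "dev-zz"),
    ("2021-03-02T03:12:00", "alice", "RU", "dev-zz"),
    ("2021-03-02T03:13:00", "alice", "RU", "dev-zz"),  # fourth sign-in in three minutes
]
WORK_HOURS = range(7, 20)        # assumed normal sign-in window (hours of the day)
BURST_WINDOW = timedelta(minutes=5)
BURST_LIMIT = 3                  # more sign-ins than this inside the window is a burst

def score_signins(events):
    """Return (timestamp, user, reasons) for every sign-in that raises at least one
    anomaly. Baselines are learned from clean sign-ins only, so an anomalous sign-in
    cannot quietly become part of the user's 'normal'."""
    seen_countries, seen_devices = defaultdict(set), defaultdict(set)
    recent = defaultdict(deque)  # per-user sliding window of recent sign-in times
    findings = []
    for ts_str, user, country, device in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        reasons = []
        if seen_countries[user] and country not in seen_countries[user]:
            reasons.append("new_location")
        if seen_devices[user] and device not in seen_devices[user]:
            reasons.append("new_device")
        if ts.hour not in WORK_HOURS:
            reasons.append("unusual_time")
        window = recent[user]
        window.append(ts)
        while ts - window[0] > BURST_WINDOW:   # drop sign-ins older than the window
            window.popleft()
        if len(window) > BURST_LIMIT:
            reasons.append("frequency_burst")
        if reasons:
            findings.append((ts_str, user, reasons))
        else:
            seen_countries[user].add(country)
            seen_devices[user].add(device)
    return findings
```

Only the four early-morning sign-ins from the unfamiliar country and device are reported, and the last of them additionally trips the frequency rule; the three daytime sign-ins pass silently.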
Zero Trust will continue to increase in importance, not only as a way to improve your overall security position but also as an enabler for effective remote working.
Our new world of flexible remote access will only grow in demand and complexity. I see this as a positive move, but we need to make sure that however and wherever we work, we can do so with the confidence that we’re secure.
Adopting Microsoft’s Zero Trust approach to everything you do will help to get you there.
*Ann Johnson, Microsoft’s CVP in Business Development for Security, Compliance and Identity
This blog was co-written with Luke Rees, ThirdSpace EMS Consultant.
As head of our Mobility & Security practice, Mat’s responsibilities include ensuring that our technical knowledge and delivery capability are fully up to speed and current, as well as creating a...