What is this “Zero Trust” everyone is talking about these days? Under what rock has this term been hiding all this time? And what does “Zero Trust” mean, anyway?
The Zero Trust concept, or rather the set of concepts that Zero Trust encompasses, is not new at all. At the Jericho Forum in 2003, the term de-perimeterisation was discussed: protecting an organization’s data and systems by removing the boundary between the organization and outside networks, and instead protecting them at multiple stages with a combination of secure protocols, encryption, and multiple levels of authentication.
Vendors other than Microsoft have adopted zero trust as well, and this principle is not exclusive to cloud providers either.
Not so many years ago, data resided on premises only, and little or no data ever left protected organizational networks. Today the security landscape is completely different: data is no longer stored only on file servers and desktop computers but on laptops, tablets and mobile phones, in workers’ pockets and backpacks, roaming outside what was once perceived as the security of the organizational boundary.
In the Zero Trust model, instead of believing that everything behind the corporate firewall is safe, we treat every access request as unsafe and untrusted. We act as if every request originates from an untrusted, uncontrolled network, regardless of where it actually comes from or what resource it accesses. We use segmentation and least-privilege access to limit lateral movement, and we ensure that every access request is authenticated, authorized, and reviewed.
Today we need a security model that can adapt to the complex architecture of modern environments, including mobile and roaming data and users, and that protects every entity wherever it is located and whoever it might be. Data, applications, devices, people: a Zero Trust strategy is designed to question all of them and to protect all of them.
There are three main principles of a Zero Trust strategy:
- Assume breach. Verify that all sessions and requests use end-to-end encryption. Use device, network, and user access segmentation to prevent or reduce lateral movement. Implement threat analytics to gain insight and greater visibility.
- Verify explicitly. Implement comprehensive authentication and authorization at all data points, taking into account user identity, user and sign-in risk, device status and health, and data classification and location.
- Use least-privilege access. Restrict user and privileged access using Just-Enough Administration (JEA) and Just-in-Time administration (JIT), conditional or risk-based policies, and data protection policies and technologies.
More importantly, the Zero Trust approach includes automated security policy enforcement to ensure compliant behaviour throughout the entire organisation.
Microsoft defines several components of the Zero Trust model that deserve our security focus. Each of them is foundational to the security approach, a source of signals, and a security control plane:
- Identities. Today, identities are not just people but devices and services as well.
- Endpoints. Continuous monitoring of device health and security is crucial, from personal and IoT devices to servers and desktops.
- Applications. Cloud or on-premises applications and APIs need access controls, usage analytics, monitoring, and secure configuration.
- Data. Securing data is fundamental. We need to ensure data is secure in motion and at rest, on devices and when it leaves our infrastructure and applications.
- Infrastructure. On-premises or cloud infrastructure deserves proper security too: restrict and control access using Just-in-Time and Just-Enough Administration (JIT, JEA), monitor for anomalous behaviour, and use automation to shorten the response time to risky behaviour.
- Networks. Segment networks using subnets, multiple networks and user-defined routes, and apply end-to-end encryption, monitoring, and analytics.
So, which Microsoft products should we use to establish a Zero Trust strategy? Well, different organisations will have different approaches to implementing a Zero Trust methodology, simply because no two organisations are the same, use the same products, or have the same infrastructure architecture. But the principles are still the same. Let us look at one approach. A Zero Trust approach should start with protecting identities, where each access request is treated equally and verified using strong identity authentication. Microsoft Azure Active Directory (Azure AD) is an identity and access management (IAM) solution that supports Multi-factor Authentication (MFA); adding a second factor to the authentication process reduces the impact of lost or leaked passwords. To make authentication stronger still, we can use passwordless authentication with the mobile authenticator app or a FIDO2 token.
Azure Active Directory not only enables strong authentication; it also provides Conditional Access to analyse signals, or conditions, of users, devices and locations, and to automate and enforce resource access policies across the entire organisation.
User access control is based on the evaluation of several factors, such as user risk, sign-in risk, the type of devices and platforms used, the locations from which access is requested, and device condition. After evaluating all signals, Azure AD Conditional Access can grant access, allow access under specific conditions, or block access to the requested resources.
If a legitimate user requests access to corporate resources but the request originates from a compromised device, or the sign-in risk signals impossible-travel activity, a multi-factor authentication challenge can be required or access can be denied. Azure AD Conditional Access is the most direct and vivid example of “do not trust anyone”, “verify explicitly”, or the Zero Trust approach to security.
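As an added example (not code from the original article), here is how the decision just described can be expressed with the Microsoft Graph PowerShell SDK: one report-only policy that requires MFA when Identity Protection rates the sign-in risk as medium or high, and one that blocks access outright at high user risk. The policy names and the break-glass group object ID are placeholders; everything else uses documented Graph property names.

```powershell
# Added example, not part of the original article. Creates two Azure AD
# Conditional Access policies through the Microsoft Graph PowerShell SDK.
Import-Module Microsoft.Graph.Identity.SignIns

# Delegated permission required to manage Conditional Access policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of the emergency-access ("break-glass") group that
# must never be caught by risk-based policies.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

# Policy 1: medium/high sign-in risk (e.g. impossible travel) -> require MFA.
$requireMfaOnSignInRisk = @{
    displayName = "ZT - Require MFA for medium or high sign-in risk"
    # Start in report-only mode and read the sign-in logs before enforcing.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications     = @{ includeApplications = @("All") }
        clientAppTypes   = @("all")
        signInRiskLevels = @("high", "medium")   # signal from Identity Protection
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")               # "verify explicitly"
    }
}

# Policy 2: high user risk (likely compromised account) -> block access.
$blockOnHighUserRisk = @{
    displayName = "ZT - Block access for high user risk"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        userRiskLevels = @("high")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

foreach ($policy in @($requireMfaOnSignInRisk, $blockOnHighUserRisk)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    "Created '$($created.DisplayName)' (id $($created.Id), state $($created.State))"
}
```

Both policies are created in report-only mode so their effect shows up in the sign-in logs without locking anyone out; switching `state` to `enabled` is the deliberate last step, and the break-glass exclusion is what keeps an overly aggressive risk policy from becoming a self-inflicted outage.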
Just-in-Time and Just-Enough Administration (JIT, JEA) are not reserved solely for the infrastructure side of Zero Trust; they apply to protecting identities as well.
Azure Security Center is a unified infrastructure security management system that provides security posture insight and actionable advice across Azure, on-premises and third-party cloud workloads. Azure Security Center’s Cloud Workload Protection (CWP), or Azure Defender, enables intelligent protection across hybrid workloads and offers just-in-time virtual machine access. Customisable options include port, protocol, source IP addresses or CIDR blocks, and the maximum time a request is allowed to access a virtual machine.
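An added example, not from the original article, showing the just-in-time VM access policy described above configured with the Az.Security PowerShell module: SSH is closed by default and can be opened only from a named source range and for at most one hour per approved request. Subscription ID, resource group, VM name, region and the source CIDR are placeholders.

```powershell
# Added example, not part of the original article. Enables Azure Security
# Center just-in-time (JIT) VM access for a single virtual machine.
Import-Module Az.Security

Connect-AzAccount

# Placeholders: replace with your own values.
$subscriptionId = "00000000-0000-0000-0000-000000000000"
$resourceGroup  = "rg-zero-trust-demo"
$location       = "westeurope"          # must match the VM's region
$vmName         = "vm-jit-demo"
$corporateCidr  = "203.0.113.0/24"      # placeholder documentation range (TEST-NET-3)

# One VM with one JIT-managed port. The port stays closed in the NSG until a
# request is approved; then it is opened only for the requested source and time.
$vmPolicy = @{
    id    = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.Compute/virtualMachines/$vmName"
    ports = @(
        @{
            number                     = 22               # SSH
            protocol                   = "TCP"
            allowedSourceAddressPrefix = @($corporateCidr) # not "*": restrict to a known egress range
            maxRequestAccessDuration   = "PT1H"           # ISO 8601 duration: one hour maximum
        }
    )
}

Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location $location -Name "default" `
    -ResourceGroupName $resourceGroup -VirtualMachine @($vmPolicy)

# Verify what was stored: the policy object lists the VM and its JIT port rules.
Get-AzJitNetworkAccessPolicy -ResourceGroupName $resourceGroup -Location $location -Name "default"
```

Two settings carry the Zero Trust weight here: `allowedSourceAddressPrefix` narrows where an approved session may come from (leaving it at `*` removes most of the benefit), and `maxRequestAccessDuration` bounds how long the port can stay open, so a forgotten session closes itself.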
Azure AD Privileged Identity Management (Azure AD PIM), in contrast, controls JIT and JEA settings for Azure AD identities. It enables security administrators to limit users’ access to privileged roles, to discover users with privileged role assignments, and to perform privileged access reviews. Azure AD PIM provides just-in-time privileged access to Azure AD and Azure resources, enforces MFA to activate a role, requires justification so that user activations can be followed and understood, provides an audit history, and more.
To protect endpoints and devices, and to detect and remediate advanced attacks on them, Microsoft Defender for Endpoint supports Microsoft Windows operating systems from Windows 7 to Windows Server 2019, as well as Android, macOS and Linux.
Many organisations struggle with Shadow IT: unknown and unsanctioned cloud applications. To discover the applications used in corporate networks and to fight “the invisible and unknown enemy”, that is, to attempt to control access to third-party applications or “shadow” cloud applications, IT departments need a cloud access security broker (CASB). Fortunately, Microsoft Cloud App Security is a CASB solution that tightly integrates with other products in the Microsoft portfolio. Its risk catalogue contains more than 16,000 applications assessed against more than eighty risk factors, which help IT departments and security professionals make the right decisions when assessing application risk.
The products and features mentioned here are just the tip of the iceberg among the many possible Zero Trust security scenarios. You might be using some or all of the products cited and, of course, you might use others too, such as Microsoft Endpoint Manager, Microsoft Defender for Identity, Microsoft Defender for Office 365, Data Loss Prevention (DLP) policies, BitLocker, Azure Policy, Azure Sentinel, Azure Blueprints, ARM templates, Azure DDoS Protection, Azure Web Application Firewall, Azure Firewall, Network Security Groups or Application Security Groups.
No matter what you use, make sure you follow the three basic Zero Trust principles: assume breach, verify explicitly, and use least-privilege access.