Never trust, always verify: What is the Microsoft Zero Trust security model?

To achieve this level of control and detail, a Zero Trust approach should encapsulate the six key components of any environment:

Identity management is critical

Identity and security are often thought of as individual entities, but the truth is that managing your user identities is crucial to realising the security benefits of a Zero Trust approach.

A robust identity platform and approach is essential. Provisioning and managing the lifecycle of your identities and enabling a single sign-on approach to EVERYTHING is critical.

I’d recommend doing this by applying Conditional Access policies within Azure AD and assessing risk through Azure Identity Protection. This helps you gain confidence in your authentication request and approval process.

SSO can then be achieved through publishing your applications within Azure AD and using the Azure Application Proxy for any on-premises applications.

With your identity management under control, you now have a much easier and effective way to apply policies to the many authentication requests that occur.

And I’m not just talking about applying second-factor authentication (which you absolutely should), but it also gives you the ability to evaluate other aspects to gain assurance and understand the risk involved from any given authentication request.

This insight then allows you to apply even greater controls in line with your established risk tolerance.

Establish device safety

Once your identity management is in good nick, you need to understand the risk presented by the device being used to access your resources.

Having the ability to understand if a device is known and managed is one thing – understanding if that device has all the necessary security controls in place is another.

Achieving this across different platforms can be challenging but it’s important to do so.

Whilst a device could be compliant in its configuration, you need to be able to, in near real-time, understand if that device is behaving suspiciously.

Policies can then be configured to either block access or direct the connection through a different route where additional visibility and protection can be applied.

Microsoft’s Intune solution can provide management and policy enforcement for your end-points to gauge their compliance while an Azure AD and local AD hybrid setup can be used to indicate ‘known devices’.

Advanced endpoint security solutions such as Microsoft Defender ATP, managed through Microsoft Threat Protection, can provide continuous assessment of devices.

Routing your riskier connections through Microsoft Cloud App Security will provide additional in-line protection through its reverse proxy capability.

Global admin is only for when things hit the fan

Providing users with more access than required is an age-old problem.

Nearly everyone knows it’s bad practice to hand out global admin rights for simple tasks, but it’s still happening. The reason being is that it makes life easier for the admin to just provide free reign to a user rather than configure specific limits that they may end up having to amend later.

For Zero Trust to work, this mindset needs to change. You need to reduce your security footprint as much as possible to close off unnecessary and easy access for uninvited guests. This can be achieved by ensuring that users only have the privileges required to do their job.

Adopting a just-in-time approach for your privileged accounts allows the user to only use their privileged role when they need it and removes the access when they don’t.

A combination of Azure Privileged Identity Management, Azure VM ‘just in time’ access and Azure Entitlements address this challenge.

Monitor, orchestrate and respond

The success of adopting a Zero Trust approach depends largely on an organisation’s ability to apply these best practices and couple it with an assume breach mindset.

It really is a case of not if but when. Nowadays, there are just too many ways a malicious actor can gain access to have 100% confidence that they’ll be stopped at the front door.

Azure ATP will provide comprehensive visibility into what’s going on within your environment from an identity perspective and works with Microsoft Sentinel to achieve a wider correlation of events and activities.

Microsoft Sentinel will then provide you with the ability to correlate security insights across a wide range of sources, giving you visibility across the entire attack chain.

Adopting an assume breach mindset whilst using the necessary tools to give you this visibility needs to be considered across all your devices, applications and services, infrastructure, identities, data and networks.

How can I get started with Zero Trust?

Achieving a Zero Trust approach is not something that can be rushed if it’s to be effective.

But if you feel you’re ready to begin your Zero Trust journey then the following steps will provide a good foundation:

1. Assess your risk

Compile an inventory of your assets and IT infrastructure. What types of data do you have and where is it kept? What degree of protection is required?

With the traditional perimeter gone and data moving freely between devices in different locations, your security needs to follow the data trail.

2. Network segmentation

For Zero Trust to work, you have to be able to limit lateral movement within your network when a breach occurs. Think of it like shutting the fire doors to contain a blaze and prevent its spread.

Segment your network by separating different layers of your applications into different network VLANS managed by rules that dictate what can (and importantly can’t!) travel from one VLAN to the other.

Separating layers of the application, such as the database, application processing and application interface components, will make it much harder for malicious users to gain control. This should be considered for both your Azure-hosted infrastructure and on-premises infrastructure.

3. Configure access

Once you know your risk and have appropriately divided your network, you can begin to think about who you’re going to give access to based on defined identity rules.

This is where you can stipulate the use of MFA and control access based on role, device, application and more. Be sure to configure your network so that granting access to one environment does not mean automatic access to others.

In Zero Trust, every access request is scrutinised to ensure validity.

4. Don’t forget your people

Throwing state of the art technology at the problem will only get you so far. Ensure that you educate your users on why the changes are being made, how to use the technology properly and invest in teaching them good cyber hygiene habits and Zero Trust tenets.

Human beings will always be fallible and – intentionally or not – pose a significant risk to your IT security. So proper tech adoption planning is critical to reaping the benefits of a Zero Trust approach.

5. Enable least privileged access

Prioritise your most valuable assets and look to apply fine-tuned privileged access controls now that you’ve got your identity management working flawlessly.

This is where that just-in-time access comes into play and helps give your security a boost. Ideally, you would eventually have this degree of control over your entire estate, but first and foremost start with protecting your key resources and data.

6. Analyse, analyse, analyse

Zero Trust is driven by data. For a Zero Trust approach to be successful, you’ll need an effective way to monitor the activity of your environment that removes the alert fatigue and heavy lifting from your IT security team.

Software such as Microsoft Sentinel is ideal for this purpose. Constantly evaluating access requests and weighing them against factors such as location, time, device, frequency, etc. Giving you near real-time feedback of any suspicious activity, whilst facilitating verified requests to proceed with next to no interruption to the end-user.

Conclusion

Zero Trust will continue to increase in its importance. Not only to improve your overall security position, but also as an enabler for effective remote working.

Our new world of flexible remote access will only grow in demand and complexity. I see this as a positive move, but we need to make sure that however and wherever we work, we can do so with the confidence that we’re secure.

Adopting Microsoft’s Zero Trust approach to everything you do will help to get you there.

*Ann Johnson, Microsoft’s CVP in Business Development for Security, Compliance and Identity

Key takeaways