Blog | 13 August 2020
Never trust, always verify: What is the Microsoft Zero Trust security model?
Head of Mobility and Security
Everything you need to know about the principles, application and thinking behind applying Microsoft’s Zero Trust approach to your cyber security.
So, your perimeter has gone and the bad guys are finding new ways to gain access. How can you adapt your cyber security solution to better defend against the modern threat landscape without sacrificing productivity?
The answer lies in adopting a Zero Trust approach.
In this blog, we’ll explain what Microsoft means by a Zero Trust approach, its core technologies and principles – and we’ll outline the initial steps you can take to apply it.
What does Zero Trust mean?
Less trust seems a strange way to achieve greater cyber security, but bear with me.
For a long time, IT security followed the old castle and moat approach. Organisations locked their precious data deep inside a digital stronghold and built well-fortified defences around it.
Bad guys outside, good guys inside. Easy. At least it was – until the walls came down.
The past decade has seen that well-defended structure blown apart. The rise of remote working, cloud services, BYOD and the Internet of Things means a new approach to cyber security is required.
With threats now coming at you from all angles, unverified trust leaves you dangerously exposed.
Hence the emergence of the term ‘Zero Trust’. An approach that Microsoft describes as “an ‘assume breach’ security posture that treats each step across the network and each request for access to resources as a unique risk to be evaluated and verified.”*
Zero Trust works on the assumption that all activity is malicious until proven otherwise.
Now that might sound heartless, but the modern threat landscape has made it necessary – a situation only exacerbated by the rapid change undergone as a response to the COVID-19 pandemic.
The principles of Zero Trust
According to Microsoft, Zero Trust operates on three core principles:
Don’t assume that just because something is on your network and seems legitimate that it is.
Access decisions should be based on several factors, including user identity, location, device compliance, classification of data and any relevant issues based on this access request. This should then be continuously verified throughout the session.
Least privileged access
Least privileged access means restricting user access rights to just the resources that are required to carry out the task at hand.
This is achieved by implementing just-in-time and just-enough-access policies. These, coupled with information protection policies, will help protect data wherever it travels and ensures the relevant level of ac
cess to your files is provided.
This one is important as it frames the whole mindset with which you should approach your security.
By doing so, you reduce the attack surface and prevent lateral movement by segmenting your network, users and devices when threats are detected.
You should ensure that all sessions are encrypted and utilise analytics to get visibility of threats and improve threat detection.
How does Zero Trust work?
The image below demonstrates the stark difference in verification power provided by Zero Trust.
To achieve this level of control and detail, a Zero Trust approach should encapsulate the six key components of any environment:
Identity management is critical
Identity and security are often thought of as individual entities, but the truth is that managing your user identities is crucial to realising the security benefits of a Zero Trust approach.
A robust identity platform and approach is essential. Provisioning and managing the lifecycle of your identities and enabling a single sign-on approach to EVERYTHING is critical.
I’d recommend doing this by applying Conditional Access policies within Azure AD and assessing risk through Azure Identity Protection. This helps you gain confidence in your authentication request and approval process.
SSO can then be achieved through publishing your applications within Azure AD and using the Azure Application Proxy for any on-premises applications.
With your identity management under control, you now have a much easier and effective way to apply policies to the many authentication requests that occur.
And I’m not just talking about applying second-factor authentication (which you absolutely should), but it also gives you the ability to evaluate other aspects to gain assurance and understand the risk involved from any given authentication request.
This insight then allows you to apply even greater controls in line with your established risk tolerance.
Establish device safety
Once your identity management is in good nick, you need to understand the risk presented by the device being used to access your resources.
Having the ability to understand if a device is known and managed is one thing – understanding if that device has all the necessary security controls in place is another.
Achieving this across different platforms can be challenging but it’s important to do so.
Whilst a device could be compliant in its configuration, you need to be able to, in near real-time, understand if that device is behaving suspiciously.
Policies can then be configured to either block access or direct the connection through a different route where additional visibility and protection can be applied.
Microsoft’s Intune solution can provide management and policy enforcement for your end-points to gauge their compliance while an Azure AD and local AD hybrid setup can be used to indicate ‘known devices’.
Advanced endpoint security solutions such as Microsoft Defender ATP, managed through Microsoft Threat Protection, can provide continuous assessment of devices.
Routing your riskier connections through Microsoft Cloud App Security will provide additional in-line protection through its reverse proxy capability.
Global admin is only for when things hit the fan
Providing users with more access than required is an age-old problem.
Nearly everyone knows it’s bad practice to hand out global admin rights for simple tasks, but it’s still happening. The reason being is that it makes life easier for the admin to just provide free reign to a user rather than configure specific limits that they may end up having to amend later.
For Zero Trust to work, this mindset needs to change. You need to reduce your security footprint as much as possible to close off unnecessary and easy access for uninvited guests. This can be achieved by ensuring that users only have the privileges required to do their job.
Adopting a just-in-time approach for your privileged accounts allows the user to only use their privileged role when they need it and removes the access when they don’t.
A combination of Azure Privileged Identity Management, Azure VM ‘just in time’ access and Azure Entitlements address this challenge.
Monitor, orchestrate and respond
The success of adopting a Zero Trust approach depends largely on an organisation’s ability to apply these best practices and couple it with an assume breach mindset.
It really is a case of not if but when. Nowadays, there are just too many ways a malicious actor can gain access to have 100% confidence that they’ll be stopped at the front door.
Azure ATP will provide comprehensive visibility into what’s going on within your environment from an identity perspective and works with Microsoft Sentinel to achieve a wider correlation of events and activities.
Microsoft Sentinel will then provide you with the ability to correlate security insights across a wide range of sources, giving you visibility across the entire attack chain.
Adopting an assume breach mindset whilst using the necessary tools to give you this visibility needs to be considered across all your devices, applications and services, infrastructure, identities, data and networks.
How can I get started with Zero Trust?
Achieving a Zero Trust approach is not something that can be rushed if it’s to be effective.
But if you feel you’re ready to begin your Zero Trust journey then the following steps will provide a good foundation:
1. Assess your risk
Compile an inventory of your assets and IT infrastructure. What types of data do you have and where is it kept? What degree of protection is required?
With the traditional perimeter gone and data moving freely between devices in different locations, your security needs to follow the data trail.
2. Network segmentation
For Zero Trust to work, you have to be able to limit lateral movement within your network when a breach occurs. Think of it like shutting the fire doors to contain a blaze and prevent its spread.
Segment your network by separating different layers of your applications into different network VLANS managed by rules that dictate what can (and importantly can’t!) travel from one VLAN to the other.
Separating layers of the application, such as the database, application processing and application interface components, will make it much harder for malicious users to gain control. This should be considered for both your Azure-hosted infrastructure and on-premises infrastructure.
3. Configure access
Once you know your risk and have appropriately divided your network, you can begin to think about who you’re going to give access to based on defined identity rules.
This is where you can stipulate the use of MFA and control access based on role, device, application and more. Be sure to configure your network so that granting access to one environment does not mean automatic access to others.
In Zero Trust, every access request is scrutinised to ensure validity.
4. Don’t forget your people
Throwing state of the art technology at the problem will only get you so far. Ensure that you educate your users on why the changes are being made, how to use the technology properly and invest in teaching them good cyber hygiene habits and Zero Trust tenets.
Human beings will always be fallible and – intentionally or not – pose a significant risk to your IT security. So proper tech adoption planning is critical to reaping the benefits of a Zero Trust approach.
5. Enable least privileged access
Prioritise your most valuable assets and look to apply fine-tuned privileged access controls now that you’ve got your identity management working flawlessly.
This is where that just-in-time access comes into play and helps give your security a boost. Ideally, you would eventually have this degree of control over your entire estate, but first and foremost start with protecting your key resources and data.
6. Analyse, analyse, analyse
Zero Trust is driven by data. For a Zero Trust approach to be successful, you’ll need an effective way to monitor the activity of your environment that removes the alert fatigue and heavy lifting from your IT security team.
Software such as Microsoft Sentinel is ideal for this purpose. Constantly evaluating access requests and weighing them against factors such as location, time, device, frequency, etc. Giving you near real-time feedback of any suspicious activity, whilst facilitating verified requests to proceed with next to no interruption to the end-user.
Zero Trust will continue to increase in its importance. Not only to improve your overall security position, but also as an enabler for effective remote working.
Our new world of flexible remote access will only grow in demand and complexity. I see this as a positive move, but we need to make sure that however and wherever we work, we can do so with the confidence that we’re secure.
Adopting Microsoft’s Zero Trust approach to everything you do will help to get you there.
*Ann Johnson, Microsoft’s CVP in Business Development for Security, Compliance and Identity
- Zero Trust is a security approach based on an assume breach mindset.
- Every access request is verified and analysed before approval.
- It brings together strong IAM and the latest security technologies.
- Apply Zero Trust to every element of your environment.
- Zero Trust enables flexible access and fast, data-driven security response.
Ready to ‘Become greater’?
When you sign up to our mailing list, you’ll get the best content, expert resources, and exclusive event invites sent directly to your inbox.
Mat is Kocho’s Head of Mobility and Security. He leads a team of consultants and architects that live and breathe secure transformation – delivering excellence across Microsoft 365 and Azure.
Latest blog articles
Azure AD B2B vs B2C: What are the key differences between Microsoft’s external access products?
The definitive guide to Azure AD: Everything you need to know
Securing your path to passwordless authentication: A quick guide to modern sign-on methods
The definitive guide to Microsoft Sentinel: Everything you need to know to get started with Microsoft’s cloud SIEM
We’re here to help you on your journey towards becoming greater. Get in touch to find out how.