Many things need to be considered when delivering cybersecurity. These include getting buy-in from upper management, finding credible and experienced resources for the job, and managing other aspects of your environment, like personnel or physical assets.
Top-of-the-line security is essential to any business, and as companies grow, they often find themselves with more risks than just their assets. This blog will show you how to make your security processes more efficient and effective with the Microsoft Zero Trust model and help reduce the security risk in your environment.
What is the Microsoft Zero Trust Model?
In the past, most organizations focused on protecting network access with on-premises equipment, firewalls, and VPNs (Virtual Private Networks), assuming that everything inside the network was safe. But as corporate data has expanded beyond the corporate network to live in the cloud, on-premises, or in a hybrid of both, the Zero Trust security model has evolved to address a more holistic set of attack vectors.
Zero Trust is a Security Framework 🔒
Zero Trust treats every connection attempt as if it came from an unknown source. All users, whether inside or outside your organization's network, must authenticate and be authorized before being granted access. This extends to configuration changes made on employees' devices during work hours (for example, adjusting settings).
Why is the Zero Trust Model Important? ✨
Zero Trust is important for your organization because it can protect your assets from attackers. Here are some reasons why you should care about it:
☑️ IT security is complex: Many devices, users, and connections can access corporate data from anywhere. It's challenging to keep track of everything - not only because it takes too much time but also because you can't be sure what needs security attention.
☑️ A "trusted network" security strategy can put you in danger: You might believe you can trust the network in your data center, but what if something on it has already been compromised? This applies even to services that are local and reachable only through a single port or device.
☑️ Assets evolving beyond the network: Introducing new cloud services and hosting solutions adds another layer that needs attention, with secure access controls at every turn. That requires more than just tooling up - you also need security expertise that isn't always available in-house.
☑️ Attackers shift to identity attacks: Identity theft is a big problem. Attacks increasingly start with identity because credentials are easier to capture and compromise than an entry point into your network. This overwhelms security teams, who scramble to work out how it happened before more information is leaked.
What are the three Principles of the Zero Trust Security Model? 📝
There are three principles to keep in mind regarding security: verify explicitly, use least privilege access, and assume breach. These three principles can be applied across your digital estate for your identities, devices, apps, network, infrastructure, and data.
☑️ Verify explicitly: Always authenticate and authorize based on all available data points, including the user's identity, location, device health, data classification, and anomalies.
☑️ Use least privilege access: Limit user access to just-in-time access, risk-based adaptive policies, and data protection, which protects both data and productivity. In other words, give users the least access to resources they need to do their job, for the shortest time possible.
☑️ Assume breach: Minimize the blast radius of a breach and prevent lateral movement by segmenting access by network, user, device, and application awareness. Also, verify that all sessions are encrypted end to end.
How to Use Zero Trust Architecture for Your Organization?
With the traditional security model, once someone signs in at their workstation, they can access all company networks, usually from the physical office. That creates vulnerabilities: if somebody learns your password, the problem is not confined to your department, because other confidential information on the connected machines is at risk too.
The Zero Trust architecture, however, protects each file, each e-mail, and each network by authenticating every identity and device. It also helps secure remote access, personal devices, and third-party apps.
Zero Trust Architecture Elements 🗄️
Zero Trust architecture includes your identities, endpoints, apps, data, infrastructure, and network and requires integration across these elements.
• Identity: Verify and secure each identity with strong authentication across your entire digital estate.
• Endpoints: Gain visibility into devices accessing the network. Ensure compliance and health status before granting access.
• Apps: Discover shadow IT, ensure appropriate in-app permissions, gate access based on real-time analytics, and monitor and control user actions.
• Data: Move from perimeter-based data protection to data-driven protection. Use intelligence to classify and label data. Encrypt and restrict access based on organizational policies.
• Infrastructure: Use telemetry to detect attacks and anomalies, automatically block and flag risky behavior, and employ least privilege access principles.
• Network: Ensure devices and users aren’t trusted just because they’re on an internal network. Encrypt all internal communications, limit access by policy, and employ micro-segmentation and real-time threat detection.
The Workflow of Zero Trust Architecture ⚙️
1) Identities & Endpoints: The foundation of Zero Trust security is identities. Both human and non-human identities need strong authorization. They connect from either personal or corporate endpoints with compliant devices, and together request access based on strong policies grounded in the Zero Trust principles of explicit verification, least privilege access, and assumed breach.
2) Zero Trust Policy: As the unified policy enforcement point, the Zero Trust policy intercepts requests, explicitly verifies signals from all six foundational elements against the policy configuration, and enforces least privileged access. Signals include the user's role, location, device compliance, data sensitivity, application sensitivity, and much more. In addition to telemetry and state information, the risk assessment from threat protection feeds into the policy engine so it can respond to threats automatically in real time.
3) Policy Optimization: The policy is enforced at access time and continuously evaluated throughout the session. It is further enhanced by policy optimization: governance and compliance are critical to a strong Zero Trust implementation, and security posture assessment and productivity optimization are needed to measure telemetry across services and systems.
4) Threat Protection: Telemetry and analytics feed into the threat protection system. Large amounts of telemetry and analytics, enriched by threat intelligence, generate high-quality risk assessments that can be investigated manually or handled automatically. Attacks happen at cloud speed, so your defense systems must act at cloud speed too; humans can't react quickly enough or sift through all the risks. The risk assessment feeds into the policy engine for real-time automated threat protection and, where needed, additional manual investigation.
5) Network, Data, Apps & Infrastructure: Traffic filtering and segmentation are applied when the Zero Trust policy is evaluated and enforced, before access is granted to any public or private network. Data classification, labelling, and encryption should be applied to emails, documents, and structured data. Access to apps should be adaptive, whether SaaS (Software as a Service) or on-premises. Runtime control is applied to infrastructure, including serverless, containers, IaaS (Infrastructure as a Service), PaaS (Platform as a Service), and internal sites, with just-in-time (JIT) access and version controls actively engaged.
6) Telemetry, Analytics, and Assessment: Data collected from the network, data, apps, and infrastructure is fed back into the policy optimization and threat protection systems.
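To make the policy-engine workflow above concrete, here is an added example (not ProServeIT's or Microsoft's code) of a toy Zero Trust policy engine in Python: it verifies the signals the post lists (role, location, device compliance, data sensitivity, and a risk score from threat protection), grants least-privilege access for a just-in-time window, and re-evaluates the session when a fresh risk score arrives. The roles, allowed locations, risk thresholds and time windows are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class Request:
    user: str
    role: str
    action: str            # "read" or "write"
    sensitivity: str       # "public", "internal" or "confidential"
    device_compliant: bool
    location: str          # country code reported at sign-in
    risk_score: int        # 0-100, supplied by threat protection

@dataclass
class Decision:
    allow: bool
    reason: str
    expires_at: Optional[datetime] = None

ROLE_ACTIONS = {"finance": {"read", "write"}, "contractor": {"read"}}  # constructed policy (assumption)
ALLOWED_LOCATIONS = {"CA", "US"}
MAX_RISK = {"public": 80, "internal": 50, "confidential": 20}      # assume breach: less risk tolerated for sensitive data
JIT_MINUTES = {"public": 480, "internal": 60, "confidential": 15}  # just-in-time: shorter grants for sensitive data

def evaluate(req: Request, now: Optional[datetime] = None) -> Decision:
    """Policy engine: verify every signal explicitly, then grant least privilege for a limited time."""
    now = now or datetime.now(timezone.utc)
    if req.action not in ROLE_ACTIONS.get(req.role, set()):
        return Decision(False, f"role {req.role} may not {req.action}")
    if not req.device_compliant:
        return Decision(False, "device not compliant")
    if req.location not in ALLOWED_LOCATIONS:
        return Decision(False, f"location {req.location} not allowed")
    if req.risk_score > MAX_RISK[req.sensitivity]:
        return Decision(False, f"risk {req.risk_score} exceeds {MAX_RISK[req.sensitivity]} for {req.sensitivity} data")
    return Decision(True, "granted", now + timedelta(minutes=JIT_MINUTES[req.sensitivity]))

def reevaluate(grant: Decision, req: Request, now: datetime) -> Decision:
    """Continuous evaluation: a grant ends when its window closes or a fresh signal fails."""
    if not grant.allow or grant.expires_at is None or now >= grant.expires_at:
        return Decision(False, "just-in-time window expired")
    fresh = evaluate(req, now)
    return grant if fresh.allow else fresh

def session(req: Request, later_risk: int, minutes_later: int) -> tuple:
    """Grant at t0, then re-check after threat protection reports a new risk score."""
    t0 = datetime(2022, 11, 1, 9, 0, tzinfo=timezone.utc)
    grant = evaluate(req, t0)
    req.risk_score = later_risk
    return grant.allow, reevaluate(grant, req, t0 + timedelta(minutes=minutes_later)).allow
```

A real policy engine draws the same signals from the identity provider, device management and threat protection services rather than from a request object, but the decision flow is the one shown.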
How to Achieve Zero Trust across your Digital Estate?
The Zero Trust security model is most effective when integrated across the entire digital estate. Most organizations will need to take a phased approach that targets areas for change based on the Zero Trust maturity model.
What are the three Stages in the Zero Trust Maturity Model?
The Zero Trust maturity model can be split into three phases: the traditional phase, the advanced phase, and the optimal phase. Check which phase your organization belongs to:
☑️ Traditional Phase
- This is where most organizations generally sit today if they haven't started their Zero Trust journey.
- Your identity still lives on-premises, with static rules and perhaps some single sign-on.
- You have limited visibility into device compliance, your cloud environment, and your logins.
- You still have a flat network infrastructure, resulting in broad risk exposure.
☑️ Advanced Phase
- You have begun your Zero Trust journey and are making progress in a few key areas.
- You're in the hybrid identity phase and have fine-tuned the access policies that gate access to your data, your apps, and your networks.
- Your devices are registered and compliant with your IT security policies.
- Your networks are being segmented, and cloud protection is in place as well.
- Analytics are starting to be used to assess user behavior and proactively identify threats.
☑️ Optimal Phase
- You have made large improvements in security within a Zero Trust model.
- Your identities are cloud-based, with real-time analytics dynamically gating access to your applications, workloads, networks, and data.
- Your data access decisions are governed by cloud security policy engines and sharing is secured with encryption and tracking.
- Trust has been removed from the network, so micro-cloud perimeters, micro-segmentation and encryption are in place.
- Automated threat detection and response is implemented.
How to Reach the Optimal Phase in Zero Trust Elements? 🛡️
Hybrid infrastructure is a great way to realize the value of Zero Trust initiatives while utilizing your existing investment. You can evaluate your Zero Trust Security posture with a self-assessment, and you can reach the optimal phase of Zero Trust with our suggestions here:
☑️ Identity
• Unify the identity and access management environment across your cloud apps and on-premises resources with single sign-on integration with an identity provider like Azure AD.
• Use multi-factor authentication (MFA) to protect identities against attacks regardless of where your identities live, whether within your Azure AD environment or for personal use.
• Move to passwordless authentication to reach the optimal stage, for example signing in with an approved device and biometrics.
• Analyze user, device, and location in real time to determine risk and deliver ongoing protection.
☑️ Endpoints
• Register your endpoints with your centralized identity provider, like Azure AD.
• Manage and monitor mobile devices, desktop computers, virtual machines and even servers with Microsoft Endpoint Manager.
• Manage on-premises solutions with Microsoft Intune, a cloud-based mobile device management service and configuration manager.
• Encrypt devices and apply hardening on workstations and servers. Also, use an Endpoint Detection and Response (EDR) solution such as Defender for Endpoint, review its detections and responses, and apply policies to corporate-issued devices that access your tenants.
☑️ Apps
• Use Defender for Cloud Apps, a cloud access security broker (CASB) that helps you extend real-time controls to any app in any browser. It also lets you comprehensively discover and secure apps, and provides threat protection and detection across your app ecosystem.
• Start with shadow IT: identify which SaaS-based applications your users are using and block unsanctioned apps that haven't been approved and may introduce risk.
• Make sure all apps are accessed with least privilege, with continuous verification and dynamic control in place for every app.
☑️ Infrastructure
• Manage permissions manually across environments and the configuration of the servers on which workloads are running.
• Monitor the app identities assigned to workloads and alert on abnormal behavior.
• Block unauthorized deployments and make granular visibility and access control available across all workloads. Segment user and resource access for each workload.
☑️ Network
• Fully distribute ingress/egress cloud micro-perimeters and deeper micro-segmentation.
• Deploy machine learning-based threat protection and filtering with context-based signals, and encrypt all traffic.
☑️ Data
• Augment classification with smart machine learning models.
• Make access decisions according to a cloud security policy engine.
• Enforce data loss prevention (DLP) policies, securing sharing with encryption and tracking.
ProServeIT Academy: Cybersecurity Course
Did you know that there is a cybercrime gig economy out there? Rather than carrying out cyberattacks themselves, some criminals are learning that there's less work and less risk in renting or selling their tools to others for a portion of the illicit profits. How can you protect your organization against sophisticated nefarious activities such as theft of highly valuable data, threats to publish your data, or repeated extortion for payment once a cybercriminal gets access to your environment?
George Abou-Samra is the Principal Consultant and Security Practice Lead at ProServeIT. In his third Cybersecurity class scheduled on December 1st, he will deal with Ransomware as a Service: How to Protect Your Organization. Learn how you can harden your environment against ransomware threats. Reduce your attack surface by addressing security blind spots, modernizing your legacy configurations, removing easy entry points into your environment, and employing sophisticated tools that can detect and respond to imminent attacks. Register for the class here.
Edited by: Betty Quon & Hyun-Jin Im