What do you think of when you hear the word “security”? If you are anything like most people, the answer would come down to something that approximates: keeping threats and danger away, outside of your zone of highest vulnerability. There is notion of a border. But the traditional perimeter is no more…
Why do you need a Zero Trust approach?
In the modern workplace, the borders between work, home or anywhere else outside the office have faded. We jump from one device to the other and chances are we use all of them for at least some form of collaboration: e-mail communication, filesharing, logging on to work apps, accounts and cloud environments… You catch our drift.
We are vulnerable in many more places than before. Identities, devices, apps, networks, infrastructure, and data: they are all potential entry points for attackers. This new reality requires a Zero Trust approach.
What are the Zero Trust principles?
Standards and guidance for Zero Trust are developed by the National Institute of Standards and Technology (NIST). NIST has defined Zero Trust in terms of several basic tenets:
- Verify explicitly: all resource authentication and authorization are dynamic and strictly enforced before access is allowed.
- Use least privilege access: access to trust in the requester is evaluated before the access is granted. Access should also be granted with the least rights needed to complete the task.
- Assume breach: assets should always act as if an attacker is present on the enterprise network.
Zero Trust is a security model that changes the perimeter from the network to identity. Instead of assuming that everything behind the corporate firewall is safe and trustworthy, the Zero Trust approach continuously validates all touchpoints in a system, identities, devices, and services, in and outside the corporate network, before considering them trustworthy and giving access to corporate data or applications.
For a company, the question is of course: how do you plan the implementation of such a model? It is after all affected by requirements specific to your organization, the existing technology you have already implemented and the different security stages
How to set up Zero Trust journey?
The importance of a readiness check
First, C-level and the entire IT organization must adopt a Zero Trust security mindset. The starting point should be when there is a shared vision for the future of the entire organization’s security posture and a clear understanding of the short-term and long-term benefits of starting the transition. An organization that does not understand the rationale for moving towards Zero Trust is not yet ready.
The different IT Teams (Infrastructure, network, security, development, operations) will need to work together for the strategy to be successful. Begin a Zero Trust project when all stakeholders understand that: Zero Trust is a journey supported by a mix of integrated technologies that can be implemented step-by-step.
From our experience at Xylos in helping organizations secure themselves, and implementing their Zero Trust model, we urge you not to take the evaluation of readiness lightly. You can only build something this complex if you have the right fundamentals. It’s a generally most effective to rely on an external partner to get your organization inspired, convinced and aligned on a Zero Trust plan.
Let’s get a little more concrete now. Microsoft 365 offers a range of services that help you apply Zero Trust security model from identity to network.
Protection of identity
Azure Active Directory is the Microsoft 365 platform to manage cloud identity and access. That means you can manage access to your cloud applications and protect the different user identities, on- and off-premise. The centralized role of Azure AD allows administrators to quickly make enterprise-wide modifications of user privileges and immediately revoke enterprise wide access when necessary.
The usage of conditional access policies to manage access requests are essential, and advanced functionality such as Privileged Identity Management (PIM) for identity governance and multifactor (MFA) or passwordless authentication are recommended. Microsoft Defender for Identity can help to identify risks and to contain them.
Protection of endpoints
This is where Microsoft Intune comes in. Both Microsoft Intune and Azure have management and visibility of device assets and data that is valuable to the organization.
Microsoft Intune is responsible for the enrollment of, registration of, and management of client devices, including mobile devices, laptops, and user’s personal or Bring-Your-own-Devices (BYOD). Intune combines the retrieved machine risk level from Windows Defender for Endpoint with other compliance signals to determine the compliance status of a device. Azure Active Directory leverages the compliance status to block then or allow access to corporate or cloud resources.
At the E3 level, Microsoft 365 provides the ability to identify and analyze potentially malicious activity, while the E5 service level allows you to automatically block and remediate security issues. Read more about Intune and endpoint/co-management here.
Protection of data & applications
Then there’s the Microsoft Information Protection suite. The purpose of this piece of technology? Prevent data exfiltration. It provides “in motion” encryption capabilities. That means the Information Protection suite protects information even after it leaves your protected environment. In addition there is Microsoft Cloud App Security. This gives you cloud access to security broker capabilities. Basically, it allows you to impose your organization’s security policies, no matter where your data are.
Allowing the use of applications that are not part of your organization is always a risk – but it’s 2021 so what are you going to do about?
Well, you can use Cloud Discovery along with Microsoft Cloud App Security. It will allow you to follow up on the traffic logs and evaluate them. The two first guiding principles of Zero trust are at play here (verify explicitly and least privileged access). They apply here on the level of access provided to applications over resources. You must use Conditional Access, if needed with Cloud App Security, to monitor and control apps.
By the way: cloud App Security can also be used to monitor and assess the risks across your cloud infrastructure.
Want some guidance on your Zero Trust Journey?
Xylos can offer to help you to start your Zero Trust Journey. We focus on guidance to assess your readiness and to help you build a plan to get to a tailored Zero Trust security model.