Zero Trust is a model that focuses on strict identity verification for any person or device trying to access resources with the corporate network. It does not matter whether the person or device is within the network, sitting at home, or working remotely from anywhere in the world. Zero Trust is not a product that you buy off the shelf and install or configure. It is a mindset that you need to get into by using various technologies and principles.
The most common network security utilized today is summed up in this old phrase, “I am the king of the castle.” Most organizations focus on blocking people coming into the network, but users who are already in the network are inherently trusted. In the past, corporate data lived within the local network, in purpose-built server rooms, or even racks of servers located close to the physical locations. The apparent problem with enforcing security this way is that when I am inside the network, I would potentially have access to all the data. Today, however, content is stored locally and in cloud services, which makes it harder to protect. There is no single security control that can protect both internal, external, and cloud services.
Zero Trust Principles
The philosophy for Zero Trust Security assumes that malicious attackers, bad actors, and even hackers are both within and outside of the network. With this assumption in mind, this creates the idea that no user or device should be automatically trusted. Another fundamental principle of zero-trust security is least-privilege user access. Only assigning users the required access they need, can minimize each user’s exposure to sensitive parts of the network.
Zero Trust requires network segmentation. Creating the network into smaller micro-segments allows for more granular control and administrative management and control. Organizations can enable users or devices access to the required segments, instead of allowing full access to the entire network. IT Administrators can control access to micro-segments much more straightforward and be assured that they are better secured.
Another part of Zero Trust is Multi-factor Authentication, which requires more than a piece of authentication evidence during a user authentication process. In addition to the standard password, users who enable 2-factor authorization (2FA) receive either a code via text, or use an application designed to validate the authentication request.
The last principle for Zero Trust requires device controls. Of course, this isn’t very easy with the Bring-Your-Own-Device (BYOD) methodology. However, there are approaches available, such as “Mobile Application Management,” which allows for application protection within a non-trusted device.
Each principle of Zero Trust is about minimizing the ability for users or devices to move throughout the network, which in turn reduces the attack surface.
Microsoft 365 Zero Trust
Organizations can achieve Zero Trust within Microsoft 365, by using the following features:
Windows Defender Advanced Threat Protection
Windows Defender Advanced Threat Protection (ATP) serves as an endpoint protection platform (EPP) and endpoint detection response (EDR) technology. In combination with built-in behavioral sensors, machine learning, and security analytics, ATP provides intelligence-driven protection, post-breach detection, investigation, and automatic response capabilities. Organizations can continuously monitor the state of devices and take remedial actions automatically. Windows Defender ATP mitigates breaches by automatically isolating compromised machines and users from additional cloud resource access.
Windows Defender System Guard Runtime Attestation
Windows Defender System Guard not only protects but also maintains the integrity of a system as it boots up as well as during use. Security admins can remotely attest to the security state of a device. The main objective of the Windows Defender System Guard process is to validate that system integrity is not violated.
Azure Active Directory
Azure Active Directory is the central cloud identity and access management platform allowing organizations to manage access to applications and protect user identities within the cloud and on-premises. Azure Active Directory provides the following features:
- Single sign-on
- Automatic provisioning of application access
- Group and user permissions
- The device used to sign in
- The operating system of the device used to sign in
- Geographic Location or IP ranges at sign-in
- The client application used to sign in
- Time of sign-in
- Sign-in risk
- User risk
Conditional access policies are evaluated in real-time using these features, and enforced for any access request to Azure Active Directory connected applications
Microsoft Intune can manage mobile devices, PCs, and applications in the organization. Both Microsoft Intune and Azure have management and visibility of device assets and data that is valuable to the organization. Microsoft Intune is responsible for the enrollment of, registration of, and management of client devices, including mobile devices, laptops, and user’s personal or Bring-Your-own-Devices (BYOD).
Intune combines the retrieved machine risk level from Windows Defender ATP with other compliance signals to determine the compliance status of a device. Azure Active Directory leverages the compliance status to block then or allow access to corporate or cloud resources.
What does it mean?
Adopting a Zero Trust mindset is no small task. It requires organizations to adopt new ways of thinking, removing old technology, and preconceived notions of security.
It means that as an organization, you need to adopt the following things:
- Least-privilege Application Access Model
- Provide proactive protection against conventional and zero-day malware
- Eliminate traditional Virtual Private Network (VPN) for some users and groups
For Microsoft 365, it means it is to time to perform an assessment and review of current configuration and features, as well as current licensing. It also involves the configuration and deployment of policies that cover all areas of access control, authorization, and device access.