The Zero Trust concept, along with SD-WAN and SASE (Secure Access Service Edge), has become widely discussed in the last couple of years as a way to meet the cybersecurity challenges of flexible working and widespread cloud adoption.
However, there is some confusion about what the concept means and how it can help address more intelligent and increasingly targeted cyberattacks such as phishing, ransomware and trojans. Should businesses have zero-trust on their radar, and does it bring the benefits it promises?
For a lot of businesses, cybersecurity is only seriously thought about when an incident or a threat occurs. Zero Trust encourages companies to reassess their approach to cybersecurity and the processes and technology that support it.
What is Zero Trust?
Zero Trust fundamentally changes existing security practices. It is based on three principles: verify explicitly, use least privilege access, and assume breach. It is less about securing the connection, i.e. the traditional ‘once you’re through the gate, you’re in’, and more about granular, separate authentication to individual applications, services and resources, based on multiple defined parameters.
It has been developed for the modern workplace, where the explosion of mobile devices, cloud services and flexible working has fundamentally changed how people work and therefore increased security risk. Organisations no longer issue, and cannot physically control, every device used by employees, leaving a gap in security that opens organisations up to attackers.
Zero Trust is a security strategy that requires an organisation’s users to be authorised and individually validated before they can gain access to business applications and data. Zero Trust’s mantra is to always treat your infrastructure as if it’s breached. It assumes that no user, workload, device, or network can be trusted and demands verification for every connection against defined security policies.
This could mean logging into a company account with biometrics or a hardware security key as well as the standard username and password, making it harder for cybercriminals to impersonate users, plus location sensing to ensure the logon is from a known or trusted location. If the logon is from an unknown location, further validation checks are required. This builds resilience as an organisation and closes off opportunities for attackers. The ability to keep operating and remain resilient if an attack occurs is significantly enhanced if the organisation adopts Zero Trust principles.
As with all things IT, saying is much easier than doing. However, it is something worth investing in to avoid the wrong people getting hold of valuable data. We recommend that organisations embrace a Zero Trust approach to access control as they embrace remote work and use cloud technologies to digitally transform their business model, customer engagement model, employee engagement, and empowerment model.
There are many Microsoft technologies available to help businesses adopt a Zero Trust security strategy. The six elements of Zero Trust are identities, devices, applications, data, infrastructure and networks. We’ll take a dive into how Microsoft’s tools stack up against each of these.
Identities, representing people, services, or IoT devices, are the common denominator across today’s many networks, endpoints, and applications.
Microsoft suggests that before an identity tries to access a resource, organisations should:
- Verify the identity with strong authentication
- Ensure access is compliant and typical for that identity
- Follow least privilege access principles
Under the Microsoft umbrella lie tools that help companies follow these guidelines. These include:
- Device authentication using Windows Hello to confirm the user has authority to use and access the device.
- Azure Active Directory provides strong authentication and lets employees access multiple services anywhere over the cloud with a single set of login details.
- Multi-factor authentication creates a layered defence for organisations by requiring multiple methods of authentication to verify a user.
- Conditional Access helps establish who is logging in, from which device, from what location and with what behaviour.
- Privileged Identity Management ensures that users only have access to what they need, preventing access to information that isn’t necessary.
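The sign-in flow described earlier (strong authentication plus a location check, with further validation required from unknown locations) and the per-identity guidance listed above, as an added example that is not part of the original article or of any Microsoft product: a toy policy-decision function in Python. The trusted network range, known countries, app names and factor names are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data standing in for tenant configuration.
TRUSTED_NETWORKS = ("203.0.113.",)                 # office egress range (documentation prefix)
KNOWN_COUNTRIES = {"alice": {"GB"}, "bob": {"GB", "DE"}}
PHISHING_RESISTANT = {"fido2", "biometric"}        # hardware key / Windows Hello style factors
HIGH_SENSITIVITY_APPS = {"payroll", "hr-records"}  # apps that always need a strong factor

@dataclass
class SignIn:
    user: str
    app: str
    ip: str
    country: str
    password_ok: bool
    mfa_method: Optional[str]   # "fido2", "biometric", "totp", "sms" or None
    device_compliant: bool

def is_known_location(req: SignIn) -> bool:
    """Trusted network, or a country this user normally signs in from."""
    on_trusted_net = any(req.ip.startswith(p) for p in TRUSTED_NETWORKS)
    return on_trusted_net or req.country in KNOWN_COUNTRIES.get(req.user, set())

def decide(req: SignIn) -> str:
    """Return ALLOW, STEP_UP or BLOCK for one request.

    Every request is evaluated on its own: being on the office network does
    not grant implicit trust, it is only one signal among several.
    """
    if not req.password_ok:
        return "BLOCK"                       # first factor failed
    if not req.device_compliant:
        return "BLOCK"                       # device state is checked regardless of location
    if req.mfa_method is None:
        return "STEP_UP"                     # a password alone is never sufficient
    strong = req.mfa_method in PHISHING_RESISTANT
    if req.app in HIGH_SENSITIVITY_APPS and not strong:
        return "STEP_UP"                     # per-application requirement, not a gate-wide one
    if not is_known_location(req) and not strong:
        return "STEP_UP"                     # unknown location: demand further validation
    return "ALLOW"
```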
The rise of remote working during and after the pandemic has revealed holes in perimeter firewalls and VPNs. Devices are now one of the key challenges for cybersecurity, as the number of employees using their personal devices for work is on the rise. The Zero Trust strategy enforces the same security policies across all devices, whether corporate-owned or personal under Bring Your Own Device (BYOD).
Microsoft offers Endpoint Manager, which includes the services and tools you use to manage and monitor mobile devices, desktop computers, virtual machines, embedded devices, and servers. This tool combines well-established Microsoft services such as Intune, Configuration Manager, Desktop Analytics and more, to create separate corporately controlled Work profiles on personal user devices, which are logically and securely separated from the personal profile, data and applications on the device.
As more businesses move into the hybrid working space, business systems are migrating to the cloud so that employees can do their jobs from home. It is essential that businesses maintain control of, and protect, critical data accessed via applications. Businesses need to turn their attention to preventing data leaks to non-authorised apps and limiting access to regulated data. Microsoft offers Cloud Discovery, part of Defender for Cloud Apps, to identify and secure SaaS applications in use across your organisation, and Defender for Endpoint, which collects data from Windows 10/11 devices on and off your network. Policies can be built to detect risky behaviour and alert the business.
We talk about protecting your data a LOT. This is because data is a company’s most valuable asset, and its loss or exposure can therefore be one of the biggest threats to the health of your business. Data-driven protection is the way forward, and the following Microsoft technologies can help you implement it: Sensitivity labels, Azure Information Protection, Cloud App Security, Double Key Encryption, Office 365 Message Encryption (OME) and SharePoint Information Rights Management (IRM).
Infrastructure, whether on-premises or cloud-based, can leave your IT systems vulnerable to threats. Leveraging Azure helps you manage systems in one place using Azure Arc. Azure Arc acts as a bridge that extends the Azure platform to other cloud providers and on-premises systems, helping you run applications and services flexibly across datacentres, at the edge and in multi-cloud environments.
Zero Trust takes the approach that nothing behind the corporate firewall is safe and verifies each request as if it originates from an open network. Microsoft offers tools to support you in protecting your network, including Azure Web Application Firewall, Azure Front Door, Azure VPN Gateway and Azure Bastion Host.
We hope this guide has helped cut out the jargon surrounding the zero-trust approach. Although it can seem very complex, as a Microsoft Gold Partner specialising in authentication, security and connectivity, we can guide you through which tools you need to implement for a secure zero-trust architecture.
Book a Cloud and User Connectivity Assessment today
Fordway’s Cloud and User Connectivity Assessment will help map the changes needed to deliver enhanced security, and our Zero Trust Network Service provides a comprehensive service to help organisations migrate from ‘traditional’ WAN and VPN connectivity to an open access, internet based zero trust network.