Zero Trust Security Transformation: Zero Trust Implementation: Microsoft
Today, organizations need a security model that adapts more efficiently and effectively to the complexity of the modern environment, embraces the mobile workforce, and protects people, devices, applications, and data wherever they are located. This is the core of the Zero Trust Model, or Zero Trust Architecture: a term that dates from 2010 and, ten years on, has become a hot topic in security. In this article, we discuss why this model needs to be adopted in the current scenario.
Almost all corporations have dedicated firewall and proxy setups to control and secure their network. That was once considered safe, but instead of blindly trusting the corporate firewall, the Zero Trust model assumes breach and verifies each request, regardless of where it originates or which resource it accesses. Zero Trust teaches us to “never trust, always verify”.
COVID-19 has drastically changed the work culture of many IT companies. Almost 80% of the entire workforce is working from home and 50% are using their own devices, which increases the risk of cyberattacks and data loss for many organizations. This underlines the importance of the Zero Trust Model. The attack surface widens and the SOC team's workload grows, because individual users connect to the organization's network from many locations, networks, and devices.
In a Zero Trust Model, every access request is strongly authenticated, authorized within policy constraints, and inspected for anomalies before access is granted. Everything from the user’s identity to the application’s hosting environment is used to prevent a breach. Zero Trust applies micro-segmentation and least-privilege access principles to minimize lateral movement. Finally, rich intelligence and analytics help identify what happened, what was compromised, and how to prevent it from happening again.
Fundamental elements of building Zero Trust
Zero Trust architecture can be incorporated into an existing security model. It is best seen as a transition model that gradually transforms a traditional security model.
Passwords were long considered the most secure way of authenticating and an essential ingredient for verifying our identity. Imagine a scenario where your password is compromised, allowing attackers to authenticate into your account while impersonating you. Passwords alone are therefore no longer safe in today's world. To mitigate scenarios like this, we use MFA (Multi-Factor Authentication) mechanisms, which add a security layer on top of the password to verify the user.
Conditional Access policies in Azure Active Directory Identity Protection help organizations enforce access policies such as MFA (OTP- or authenticator-code-based access) and location-based access, which strengthen existing security measures by guaranteeing that a user can only reach certain resources from a defined physical location. Another factor that must be considered is granting users the least privileges they require, thereby reducing the attack surface and the opportunity for identity attacks. Identities are considered the Zero Trust control plane.
Once identity is confirmed, data flows to devices such as smartphones, personal desktops, and laptops, so it becomes crucial to monitor and safeguard the compliance of these devices. If the devices are provided by the organization, they will probably have all security tools pre-installed. What about employees using private devices to access company resources? In that case, the device must be registered with the organization, and Defender tooling should be installed on it.
Microsoft tools like Intune and Defender make it easy to register personal devices with an organization. Intune adds the user’s device to the trusted-devices list and provides conditional access, whereas Defender makes sure the device is compliant enough to be used.
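To make the identity and device checks above concrete, here is an added example (not Microsoft's code) of a minimal Zero Trust access decision over the signals the article describes: verified identity, a second factor, device registration and compliance, sign-in location, and a risk level. The trusted networks, restricted applications and sample requests are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed policy data: the organization's trusted egress ranges (TEST-NET
# addresses) and the applications that are restricted to those locations.
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
LOCATION_RESTRICTED_APPS = {"payroll", "hr-portal"}


@dataclass
class AccessRequest:
    user: str
    app: str
    source_ip: str
    authenticated: bool        # primary credential (e.g. password) verified
    mfa_satisfied: bool        # second factor (OTP / authenticator code) completed
    device_registered: bool    # device is enrolled with the organization (Intune-style)
    device_compliant: bool     # device passes the health check (Defender-style)
    risk_level: str = "low"    # sign-in risk from anomaly detection: low, medium, high


def in_trusted_location(source_ip: str) -> bool:
    addr = ip_address(source_ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def evaluate(req: AccessRequest):
    """Return (decision, reasons); decision is BLOCK, REQUIRE_MFA or GRANT.

    Every request goes through every check: nothing is trusted because it
    arrives from the corporate network, and all blockers are reported so the
    SOC can see why a request failed."""
    blockers = []
    if not req.authenticated:
        blockers.append("identity not verified")
    if req.risk_level == "high":
        blockers.append("high sign-in risk")
    if not req.device_registered:
        blockers.append("device not registered with the organization")
    elif not req.device_compliant:
        blockers.append("device fails compliance policy")
    if req.app in LOCATION_RESTRICTED_APPS and not in_trusted_location(req.source_ip):
        blockers.append(f"{req.app} may only be accessed from a trusted location")
    if blockers:
        return "BLOCK", blockers
    # A valid password alone is never enough: a stolen password stops here.
    if not req.mfa_satisfied:
        return "REQUIRE_MFA", ["second factor required"]
    return "GRANT", []
```

The stolen-password scenario from the text maps to a request with `authenticated=True` and `mfa_satisfied=False`, which yields `REQUIRE_MFA` rather than access.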
Organizations rely heavily on applications for their business. These can be custom applications or SaaS applications provided by other vendors, such as Salesforce (CRM tools) or Microsoft 365 (Office tools). Even though these applications are secured by the vendors, they cannot be left outside the organization’s security environment. SaaS applications cannot be hidden from the eyes of the SOC team: they handle immense amounts of private data and therefore need to be secured and monitored.
Microsoft Cloud App Security, a Cloud Access Security Broker (CASB), helps to monitor different cloud services and provides an extra layer of security. It offers rich visibility, control over how data travels, and sophisticated analytics to identify and combat cyber threats across cloud services. It can also operate in organizations that run multiple cloud workloads.
Data, on the other hand, is an important entity that must be secured. Data needs to remain safe and protected both at rest and when it leaves the devices, applications, infrastructure, and networks under the organization’s control. Data should be classified, labeled, encrypted, and access-restricted based on those attributes.
Organizations are concerned about how data is handled on employees’ personal devices. That includes copying data to other devices, sending data to personal email accounts, or uploading personal data to the company’s SharePoint or OneDrive. Malware on a personal device can infect shared storage and spread to other users who access that storage. Microsoft Cloud App Security and Microsoft Advanced Threat Protection address such cases. Cloud App Security monitors each file present in SharePoint and OneDrive and raises alerts if malicious files are found. Policies can also be put in place to block certain file formats from being uploaded.
Many organizations are exposed to threats and attacks through email. Phishing emails and malicious attachments are the most common threats seen today. Microsoft Advanced Threat Protection filters and isolates malicious emails and alerts the end users. Security administrators have access to detailed per-user reports, as well as insights such as the ten users most frequently targeted by attacks.
Infrastructure includes on-premises or cloud-based VMs, containers, and microservices. These are exposed to cyberattacks and are critical threat vectors. Even if the application running on the infrastructure is secure, a misconfigured infrastructure can introduce risk. Consider, for example, maintenance tasks carried out on servers by an administrator. Ports such as the RDP port or the SSH port, required to reach the servers, are opened to the internet or to a specific IP. Once the work is completed, the administrator must close these ports again; otherwise, the system is exposed to brute-force attacks. This is a manual process and therefore a risk, because it is prone to being forgotten.
Azure Security Center is a CSPM (Cloud Security Posture Management) and CWPP (Cloud Workload Protection Platform) tool that mitigates the threats mentioned above. It provides detailed compliance reports and misconfiguration details for both cloud and on-premises workloads.
Just-in-time (JIT) VM Access is a feature that grants access to VMs for a limited amount of time rather than leaving access unrestricted. JIT lets administrators reach their VMs by opening the maintenance ports on request and closing them again automatically, which helps mitigate brute-force attacks.
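The following added example (not Azure Security Center's code) simulates the just-in-time pattern described above: management ports are closed by default, an approved request opens one port to a single source address for a bounded window, and the rule is removed automatically once the window ends, with every open and close recorded for the SOC. Port numbers, the three-hour maximum and the addresses are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed policy: management ports stay closed unless a JIT request is
# approved, and no window may exceed three hours.
MANAGEMENT_PORTS = {22: "ssh", 3389: "rdp"}
MAX_WINDOW_SECONDS = 3 * 3600


@dataclass(frozen=True)
class Rule:
    port: int
    source_ip: str      # the single address the port is opened to
    expires_at: float   # when the port closes again (epoch seconds)


class JitPortAccess:
    """Simulated network filter for one VM: default-deny on management ports."""

    def __init__(self):
        self.rules = []
        self.audit = []   # (time, event, service, source) records for the SIEM

    def request(self, port: int, source_ip: str, duration: int, now: float) -> Rule:
        """Approve a time-bounded opening of one management port to one address."""
        if port not in MANAGEMENT_PORTS:
            raise ValueError(f"port {port} is not a JIT-managed port")
        if not 0 < duration <= MAX_WINDOW_SECONDS:
            raise ValueError("requested window violates policy")
        rule = Rule(port, source_ip, now + duration)
        self.rules.append(rule)
        self.audit.append((now, "open", MANAGEMENT_PORTS[port], source_ip))
        return rule

    def expire(self, now: float) -> int:
        """Automatic close step: remove every rule whose window has ended."""
        expired = [r for r in self.rules if r.expires_at <= now]
        for r in expired:
            self.audit.append((now, "close", MANAGEMENT_PORTS[r.port], r.source_ip))
        self.rules = [r for r in self.rules if r.expires_at > now]
        return len(expired)

    def is_allowed(self, port: int, source_ip: str, now: float) -> bool:
        """Would an inbound connection to `port` from `source_ip` be accepted at `now`?"""
        self.expire(now)
        return any(r.port == port and r.source_ip == source_ip for r in self.rules)
```

A connection attempt from any other address, or from the approved address after the window has lapsed, is refused without any manual step by the administrator.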
The network must be secured and monitored because all data is ultimately accessed over it. There are many approaches to securing a network, such as micro-segmentation through virtual networks or connecting different networks through peering. Even when best practices are in place, the network still has to be monitored for real-time threat protection and deep network analysis.
When Azure-native networking infrastructure is used, Azure Security Center provides end-to-end details of the network and the devices attached to it. It helps in understanding how the different devices are connected and allows administrators to add or remove devices from the network.
The Zero Trust Security Model evolves daily. We have covered some of the entities involved in building an end-to-end Zero Trust Security Model. Once these entities are secured with the appropriate security tools, they can be monitored using cloud-native SIEM tools like Azure Sentinel. Azure Sentinel is a platform that consolidates the events and alerts from all these entities, analyzes detailed logs for further investigation, and can even monitor third-party network infrastructure, helping the SOC investigate issues quickly.
While a Zero Trust Security Model is most effective when integrated across the entire digital estate, most organizations will have to take a phased approach that targets specific areas for change based on their Zero Trust maturity, available resources, and priorities. The first step of the journey does not have to be a large lift-and-shift to cloud-based security tools. Fortunately, each step forward reduces risk and restores trust across the entirety of your digital estate.