Adopting a Zero Trust security strategy using Microsoft
We all know a castle and moat security approach just doesn’t cut it anymore. That’s why you’re here, right? You’re ready to have a security strategy in place that’s aligned with the modern, hybrid work environment.
Zero Trust is an end-to-end security strategy built on the principle ‘never trust, always verify’: every request is authenticated, authorised and inspected regardless of where it originates. It has been widely adopted by organisations across the world to protect their technology estates. If you’d like to find out more about what Zero Trust is and why you should look at adopting it within your organisation, check out our Beginner’s Guide to Zero Trust.
In this blog, we’ll run through the Microsoft technologies available to help you implement a Zero Trust security strategy. We’ll dive into the specific technologies you can use to start defending the six elements of Zero Trust: identities, devices, applications, data, infrastructure, and networks.
Identities, whether they represent people, services or IoT devices, are the common denominator across networks, endpoints and applications. In a Zero Trust strategy, identity is the control plane: it is the most powerful and flexible way to decide who gets access to which data. Microsoft suggests that before an identity is granted access to a resource, you should:
- Verify the identity with strong authentication
- Ensure access is compliant and typical for that identity
- Follow least privilege access principles
There are a few tools available from Microsoft to help ensure you’re following these guidelines:
Azure Active Directory (Azure AD) provides strong authentication, a point of integration for endpoint security signals, and the policy engine behind your user-centric access rules, so it is where least-privilege access is actually enforced.
Multi-Factor Authentication (MFA) adds a second verification step to your employees’ sign-in process. Because a password alone is no longer enough to sign in, it protects your organisation against breaches that start with lost, stolen or phished credentials.
Conditional Access evaluates each sign-in against the user, the device they’re using, where they’re located, the application they’re requesting and the risk detected in their behaviour, and then grants, limits or blocks access accordingly.
Finally, there’s Privileged Identity Management (PIM), which replaces standing admin rights with eligible roles: users run with minimal privileges by default and activate an elevated role only for the task at hand, for a limited time, with a justification, an audit trail and (optionally) an approval step.
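The three identity checks above map directly onto Conditional Access policies. The following is an added example, not code from the original post or from Microsoft, that creates two policies with the Microsoft Graph PowerShell SDK: one requiring MFA and an Intune-compliant device for every user and app, and one blocking sign-ins that Identity Protection scores as high risk (access that is not ‘typical’ for the identity). The break-glass account object ID is a placeholder; Conditional Access needs an Azure AD Premium P1 licence and the sign-in risk condition needs P2.

```powershell
# Added example (not from the original post): two Conditional Access policies that
# implement the three identity checks above via the Microsoft Graph PowerShell SDK.
# Placeholder: the break-glass account object ID. Requires an admin consented to
# the Policy.ReadWrite.ConditionalAccess and Policy.Read.All scopes.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Always exclude an emergency-access ("break-glass") account so a mis-scoped
# policy cannot lock every administrator out of the tenant.
$breakGlassId = "00000000-0000-0000-0000-000000000001"   # placeholder object ID

# Policy 1: strong authentication plus a compliant device, for all users and apps.
# operator "AND" means the user must satisfy MFA *and* be on an Intune-compliant device.
$baseline = @{
    displayName   = "ZT-01 Require MFA and compliant device (all users, all apps)"
    # Report-only: the policy is evaluated and logged but blocks nobody.
    # Flip to "enabled" only after reviewing the report-only results in the sign-in logs.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "AND"
        builtInControls = @("mfa", "compliantDevice")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $baseline

# Policy 2: access that is not typical for the identity. Identity Protection scores
# each sign-in; high-risk sign-ins are blocked outright rather than waved through on MFA.
$riskBlock = @{
    displayName   = "ZT-02 Block high-risk sign-ins"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users            = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications     = @{ includeApplications = @("All") }
        clientAppTypes   = @("all")
        signInRiskLevels = @("high")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $riskBlock

# Check: confirm both policies exist and are still in report-only mode before enabling.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.DisplayName -like "ZT-*" } |
    Select-Object DisplayName, State
```

Two caveats a practitioner will want. First, MFA cannot be enforced on legacy authentication protocols (IMAP, POP, SMTP AUTH, older ActiveSync clients), so a policy like ZT-01 should be paired with one that blocks the `exchangeActiveSync` and `other` client app types outright, otherwise attackers simply use the protocol the policy cannot challenge. Second, the `compliantDevice` control only means something once an Intune compliance policy defines what ‘compliant’ is (disk encryption, OS version, Defender enabled and so on); without one, every enrolled device is trivially compliant.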
With the sharp rise of remote and hybrid working over the past 2 years, devices have become one of the biggest security risks to many organisations, not least because employees are using their personal devices for work. A Zero Trust strategy applies the same security policies across all devices, whether they are corporate-owned or personal devices used under Bring Your Own Device (BYOD): a device’s health and compliance are checked before access is granted, not assumed from where it connects.
What technologies are available to help you adopt Zero Trust on devices? Microsoft Endpoint Manager provides the tools you need to manage and monitor mobile devices, desktops, virtual machines, embedded devices and servers, keeping your data secure across all of them whether they sit in the cloud or on-premises. Endpoint Manager combines Microsoft services such as Intune, Configuration Manager and Desktop Analytics, and the compliance state it reports for each device is what Conditional Access uses to decide whether that device can be trusted.
As more businesses adopt a hybrid working approach, critical business applications are moving into the cloud so employees can access them whether they’re at home or in the office. To get the full benefit of cloud applications and services, you must be able to provide access whilst maintaining control, to protect critical data accessed via applications and APIs. Now that your employees can reach your resources and apps from outside your corporate network, it’s no longer enough to rely on rules and policies on your perimeter firewalls. You should instead focus on identifying app usage patterns, assessing the risk level and business readiness of each app, preventing data leaks to non-compliant apps, and limiting access to regulated data.
Microsoft suggests enabling Cloud Discovery and integrating Defender for Endpoint, so that you collect traffic data from Windows 10 devices both on and off your network and discover which cloud apps, including unsanctioned ‘shadow IT’, are actually in use. You can then create policies that detect, and alert you to, risky behaviour or suspicious activity in your cloud environment.
But that’s not all you can do to protect your applications. Most cloud applications expose an API for reading tenant information and applying governance actions. Microsoft recommends you use these integrations to monitor and alert when threats and anomalies occur in your environment. Microsoft Cloud App Security (since renamed Microsoft Defender for Cloud Apps) connects to these services to give you visibility, governance actions and usage insight in one place.
Data is one of your most valuable assets, and it must be protected wherever it travels. This is why it’s time to move from perimeter-based data protection to data-centric protection, where the protection follows the data. To help you implement effective information protection, we recommend the following process, leveraging the Microsoft technologies listed at each step:
- Know your data – Understand your data landscape and identify important information across your cloud and on-premises environments.
- Protect your data – Protect your sensitive data throughout its lifecycle by applying Microsoft sensitivity labels linked to protection actions such as encryption, access restrictions and visual markings. You can use the following tools to help protect your data: Sensitivity labels, Azure Information Protection, Cloud App Security, Double Key Encryption, Office 365 Message Encryption (OME) and SharePoint Information Rights Management (IRM).
- Prevent data loss – Apply a consistent set of data loss prevention policies across the cloud, on-premises environments and endpoints to monitor, prevent and remediate risky activities involving sensitive data. Leverage the following Microsoft technologies to help prevent data loss within your organisation: Data Loss Prevention policies, Endpoint Data Loss Prevention and the Microsoft Compliance Extension (for Chrome).
- Govern your data – Manage information lifecycle and records intelligently with in-place management, automated policies, defensible disposal and pre-built data connectors.
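The ‘prevent data loss’ step is where a consistent policy across Exchange, SharePoint, OneDrive, Teams and endpoints is actually defined. The following is an added example, not code from the original post or from Microsoft, that creates one DLP policy covering all of those locations with Security & Compliance PowerShell. It starts in test mode and adds two rules: a policy tip for small numbers of credit card numbers, and a hard block with an incident report when five or more are shared outside the organisation. The policy and rule names are placeholders.

```powershell
# Added example (not from the original post): one DLP policy applied consistently
# across Exchange, SharePoint, OneDrive, Teams and Windows endpoints.
# Requires the ExchangeOnlineManagement module and a Compliance Administrator role.
# Policy/rule names are placeholders; the sensitive information type is built in.
Connect-IPPSSession

$policyName = "ZT Sensitive data - external sharing"

# Stage 1: create the policy in test mode. Matches are logged and users see policy
# tips, but nothing is blocked until -Mode is switched to Enable below.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Constructed example: block bulk external sharing of card numbers" `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -TeamsLocation All `
    -EndpointDlpLocation All `
    -Mode TestWithNotifications

# Rule A (low volume): 1-4 card numbers shared externally -> educate, do not block.
New-DlpComplianceRule -Name "CCN external - policy tip" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "1"; maxCount = "4" } `
    -AccessScope NotInOrganization `
    -NotifyUser LastModifier `
    -NotifyPolicyTipCustomText "This item contains payment card data. Remove it before sharing externally." `
    -ReportSeverityLevel Low

# Rule B (bulk): 5+ card numbers shared externally -> block access, notify the user,
# and raise an incident report to the site admin for investigation.
New-DlpComplianceRule -Name "CCN external - block bulk share" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "5" } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser LastModifier `
    -GenerateIncidentReport SiteAdmin `
    -ReportSeverityLevel High

# Check: confirm the locations and that the policy is still in test mode.
Get-DlpCompliancePolicy -Identity $policyName |
    Format-List Name, Mode, ExchangeLocation, SharePointLocation, OneDriveLocation, TeamsLocation, EndpointDlpLocation

# Stage 2 (only after reviewing DLP match reports for false positives):
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Endpoint DLP only takes effect on devices that have been onboarded to the Microsoft 365 compliance portal (the same onboarding used by Defender for Endpoint), and browser-level enforcement in Chrome needs the Microsoft Compliance Extension installed; without both, the `-EndpointDlpLocation All` line covers nothing. Leaving the policy in `TestWithNotifications` for a few weeks and reviewing the match reports before enabling it is what separates a DLP rollout from a help-desk incident.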
Your infrastructure, whether on-premises servers or cloud-based VMs, can open you up to threats. It’s important to assess software versions and configuration against a known-good baseline, and to replace standing administrative access with Just-In-Time (JIT) access, to strengthen your defence. Then detect attacks on your infrastructure and automatically block risky behaviour before it becomes an incident.
Microsoft suggests setting a tenant baseline, which defines how your infrastructure is meant to be configured and running. Azure Arc lets you project servers that run outside Azure (on-premises or in other clouds) into Azure alongside your Azure VMs, so you can manage them in one place. Through Azure Arc you can extend your security baselines from Azure Policy, your Azure Security Center (ASC, now Microsoft Defender for Cloud) policies and Secure Score evaluations to those servers, and log and monitor all your resources in one place.
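Pinning a baseline and putting JIT in front of management ports are both a few cmdlets with the Az PowerShell modules. The following is an added example, not code from the original post or from Microsoft, that assigns the built-in security benchmark initiative at subscription scope, enables JIT for one VM’s RDP and SSH ports restricted to a named admin range, and shows what an admin runs to request access. Subscription ID, resource group, VM name and the 203.0.113.0/24 admin range are placeholders; the initiative is looked up by display name, which has changed over time (it was renamed ‘Microsoft cloud security benchmark’), so that lookup is an assumption to verify in your tenant.

```powershell
# Added example (not from the original post): pin a configuration baseline with
# Azure Policy, then gate a VM's management ports with Just-In-Time access.
# Placeholders: subscription ID, resource group, VM name, admin IP range.
# Requires Az.Accounts, Az.Resources, Az.Compute, Az.Security and Az.PolicyInsights.
Connect-AzAccount
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
Set-AzContext -SubscriptionId $subscriptionId | Out-Null

# 1. Baseline: assign the built-in security benchmark initiative at subscription
#    scope so Azure VMs and Arc-connected servers are evaluated against the same
#    controls and surface in Secure Score. Assumption: lookup by display name.
$benchmark = Get-AzPolicySetDefinition -Builtin |
    Where-Object { $_.Properties.DisplayName -like "*security benchmark*" } |
    Select-Object -First 1
New-AzPolicyAssignment -Name "zt-security-baseline" `
    -DisplayName "Zero Trust security baseline" `
    -PolicySetDefinition $benchmark `
    -Scope "/subscriptions/$subscriptionId"

# 2. JIT: RDP/SSH stay closed by default; Defender for Cloud opens them only for an
#    approved request, from an allowed source prefix, for a bounded time.
#    Do NOT use "*" as the source prefix: that re-opens the port to the internet
#    for the duration of every request.
$rg       = "rg-zt-demo"            # placeholder
$vm       = Get-AzVM -ResourceGroupName $rg -Name "vm-zt-demo"   # placeholder VM
$adminNet = @("203.0.113.0/24")     # placeholder admin range
$jitPolicy = @{
    id    = $vm.Id
    ports = @(
        @{ number = 3389; protocol = "*"; allowedSourceAddressPrefix = $adminNet; maxRequestAccessDuration = "PT1H" },
        @{ number = 22;   protocol = "*"; allowedSourceAddressPrefix = $adminNet; maxRequestAccessDuration = "PT1H" }
    )
}
Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location $vm.Location -Name "default" `
    -ResourceGroupName $rg -VirtualMachine @($jitPolicy)

# 3. What an admin runs when they genuinely need RDP: a one-hour window from one host.
$jitPolicyId = "/subscriptions/$subscriptionId/resourceGroups/$rg/providers/Microsoft.Security/locations/$($vm.Location)/jitNetworkAccessPolicies/default"
$request = @{
    id    = $vm.Id
    ports = @(
        @{ number = 3389
           endTimeUtc = (Get-Date).ToUniversalTime().AddHours(1).ToString("o")
           allowedSourceAddressPrefix = @("203.0.113.10") }   # placeholder admin host
    )
}
Start-AzJitNetworkAccessPolicy -ResourceId $jitPolicyId -VirtualMachine @($request)

# Checks: the JIT policy is in place, and what the baseline currently flags.
Get-AzJitNetworkAccessPolicy -ResourceGroupName $rg -Location $vm.Location -Name "default"
Get-AzPolicyState -SubscriptionId $subscriptionId -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object -First 20 ResourceId, PolicyDefinitionName
```

JIT only works when the VM’s NSG (or Azure Firewall) is what normally blocks the port; if a permissive inbound rule already allows 3389 from anywhere, JIT has nothing to gate, so check the effective rules with `Get-AzEffectiveNetworkSecurityGroup` before trusting the policy. The non-compliant resource list from `Get-AzPolicyState` is the practical definition of ‘drift from the tenant baseline’ and is worth exporting on a schedule.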
We all know the castle and moat approach isn’t enough anymore. Adopting a Zero Trust strategy means you assume breach: nothing behind your corporate firewall is trusted simply because of where it sits.
The network itself has changed drastically. There isn’t necessarily a contained, defined network to secure any more, as people work from home on a variety of devices; instead there is a vast portfolio of devices and networks, all linked by the cloud. It’s important that you verify each request as if it originates from an uncontrolled network, and that you segment what remains so a compromise in one segment cannot spread freely to the next. There are several Microsoft tools available to support you in protecting your network, such as Azure Web Application Firewall (WAF), Azure Firewall, Azure Front Door, Azure VPN Gateway and Azure Bastion.
Those were just a few of the technologies available to support you in adopting Zero Trust. But as one of Microsoft’s closest partners, we understand that enabling them isn’t always as easy as it seems. Which is why we’re here to help.
Talk to the experts
Do you want to find out more about the Microsoft security technologies available and how you can adopt them to implement a Zero Trust strategy? We’re one of Microsoft’s closest partners and an Azure Expert MSP, meaning we have the knowledge and expertise to help you transform your security. We have a Zero Trust Health Check available to help you understand what your next steps should be. Simply get in touch to talk with one of our experts.
Claim your complimentary Zero Trust Health Check
We're offering a complimentary Zero Trust Health Check: a 60-minute 1:1 workshop with a technical cloud consultant. We’ll walk you through some exploratory health check questions to give an initial sense of your Zero Trust readiness, give you visibility of it and identify the areas you should prioritise. From this assessment you'll get:
- A walk-through of your Zero Trust readiness in an exploratory 1:1 workshop
- An initial view of your security estate
- Cost optimisation opportunities identified