A Holistic Approach to Zero Trust

Zero Trust architecture isn’t another security fad, and it’s not a technology you can implement, but rather a security model that’s foundational on every step of the journey we at Concurrency help our clients in travel along the path of modern workplace maturity.

Holistic Approach

At its core, Zero Trust is based on 3 paradigms:

1.     Verify explicitly
2.     Use least-privileged access
3.     Assume breach

Applying these paradigms of Zero Trust when you architect your security architecture at its core improves the efficiency of an organization’s security operations.  But a holistic approach to Zero Trust should extend to your entire digital estate covering the 6 pillars of Zero Trust: identities, endpoints, network, data, apps, and infrastructure. Zero Trust architecture serves as a comprehensive end-to-end strategy and requires integration across the elements.

Foundation

As a unified policy enforcement mechanism, Zero Trust policies should intercept all requests, explicitly verify signals from all 6 pillars (identities, endpoints, network, data, apps, and infrastructure) based on policy configuration, and enforces least-privilege access. Signals include the role of the user, location, device compliance, data sensitivity, and application sensitivity.

In additional to telemetry and state information, risk assessment from threat protection feeds into the policy engine to automatically respond to threats in real time. Policy is enforced at the time of access and continuously evaluated throughout the session.

Policy enforcement is further enhanced by policy optimization. Governance and compliance are critical to a strong Zero Trust implementation. Security posture assessment and productivity optimization are necessary to measure the telemetry throughout the services and systems.

Enforcement

A successful security posture not only relies on policies protecting the 6 pillars but telemetry and analytics from these pillars being fed into a threat protection system for enforcement. Large amounts of telemetry and analytics enriched by threat intelligent generates high-quality risk assessments that can either be manually investigated or automated. Attacks happen at cloud speed and because humans can’t react quickly enough or sift through all the risks, your defense systems must also act at cloud speed. Risk assessment feeds into the policy engine for real-time automated threat protection and additional manual investigation (if needed) decrease the need for human intervention.

Risk mitigation birthed the vulnerability assessment (VA) market, and many vendors provide capabilities to identify, categorize and manage vulnerabilities. This means that VA products help you identify insecure system configurations or missing patches. Such solutions offer support for your security operations by giving you the visibility on what weaknesses exist on your assets and help you stay compliant with your security policies and standards. But the ultimate objective of a threat and vulnerability management solution is to prevent security incidents from happening in the first place, because when they happen, it will cost you time, effort, money and even your customer’s trust. Therefore, investing in a proper Threat and Vulnerability Management solution is core at enforcing Zero Trust.

Zero Trust shouldn’t stop at identities and devices, and should apply to multi-platform, multi-cloud products that run your business. Protection provided thru classification, labeling, and encryption to emails, documents, and structured data should be automatic. Protection applied for access to apps should be adaptive, whether SaaS or on-premises. Runtime control applied to infrastructure with serverless, containers, IaaS, PaaS, and internal sites with just-in-time (JIT) and version controls actively engaged. Traffic filtering and segmentation is applied to the evaluation and enforcement from the Zero Trust policy before access is granted to any public or private network.

Business Value

Ultimately, the realized business value of Zero Trust leads to increased security & productivity.

Sources:
The Total Economic Impact™ Of Securing Apps With Microsoft Azure Active Directory, a commissioned study conducted by Forrester Consulting, August 2020.
The Total Economic Impact™ Of Microsoft Endpoint Manager, a commissioned study conducted by Forrester Consulting, April 2021.
Forrester based all savings estimates on the composite organizations developed for its TEI studies.

On top of the enhancing security, by streamlining and simplifying your security toolset through activities like simplifying your vendor approach, many organizations are seeing up to 60% savings by doing more with less – less license cost for multiple toolsets, less manpower, less strain on IT operations, and the less risk of cyberthreats.

Comprehensive security means adopting an end-to-end approach that harnesses the power of AI to protect against internal and external cyberthreats and secure multicloud environments. Protecting your organization, people, and data for a more secure future doesn’t have to be costly and satisfying increasingly intricate compliance regulations doesn’t have to be complex.

Applying Microsoft to Zero Trust

Consistently sacrificing security for gains in other areas isn’t advisable because security risks tend to increase dynamically over time. Decreasing security risks typically results in three key strategies:

• Establish a modern perimeter: For the elements that your organization controls to ensure you have a consistent set of controls (a perimeter) between those assets and the threats to them. Perimeters should be designed based on intercepting authentication requests for the resources (identity controls) versus intercepting network traffic on enterprise networks. This traditional approach isn’t feasible for enterprise assets outside the network.
• Modernize infrastructure security: For operating systems and middleware elements that legacy applications require, take advantage of cloud technology to reduce security risk to the organization. For example, knowing whether all servers in a physical datacenter are updated with security patches has always been challenging because of discoverability. Software-defined datacenters allow easy and rapid discovery of all resources.
• “Trust but verify” each cloud provider: For the elements, which are under the control of the cloud provider. You should ensure the security practices and regulatory compliance of each cloud provider (large and small) meet your requirements.

The Microsoft Security Product Portfolio addresses each of these 3 strategies by applying these to the 6 pillars of Zero Trust

Identity

The foundation of Zero Trust security is identities. Both human and non-human identities need strong authorization, connecting from either personal or corporate endpoints with compliant devices, requesting access based on strong policies grounded in Zero Trust principles of explicit verification, least-privilege access, and assumed breach.

At the core the Microsoft identity story is built on the Azure Active Directory (AAD) platform and is part of their Microsoft Entra story to secure EVERY identity – human and non-human. Microsoft’s Zero Trust identity solution at its core offers features such as conditional access, multi-factor authentication, and device management but extends to secure access to resources, and extends to cloud infrastructure entitlement management (CIEM), decentralized identity credentials, and identity governance across clouds and on-prem.

Endpoints

Looking at the security products industry, most products focus on providing a secure network infrastructure and visibility into network activity. While they offer features such as network segmentation, intrusion prevention, and threat intelligence to secure access to resources, in order to integrate protections for devices or identities the purchase of additional features is necessary, and the deployment of agents on devices is required in order to provide a comprehensive security solution.

Threat and Vulnerability Management (TVM) in Microsoft Defender for Endpoint is a game changer. It helps you discover vulnerabilities using the sensors built into ever modern version of the Windows operating system: Windows 10/11 on the workstation, Windows Server 2019/2022 in the datacenter. This can be deployed WITHOUT ANY additional agents or to rely on periodic (network) scans. It prioritizes vulnerabilities based on the threat landscape, detections in your organization, sensitive information on devices, and business context.  

Network

Improving the efficiency of an organization’s network by extending the validation of authentication and authorization to the network layer, adding microsegmentation and least-privilege access principles minimize lateral movement. If a device or user is compromised, or an unauthorized devices connects to you the network, access to sensitive data or corporate resources without going through the proper authentication and authorization process fails. Add on rich intelligence and analytics to detect and respond to anomalies in real time.

When implementing an end-to-end Zero Trust framework for securing networks, focus first on initial deployment objectives: apply network segmentation ingress/egress to cloud micro-perimeters with some micro-segmentation, apply cloud native filtering and threat protection for known threats, and ensure user to application traffic is applied internally

After these are completed, additional deployment objectives should be addressed: fully distributed ingress/egress cloud micro-perimeters and deeper micro-segmentation, Machine learning-based threat protection and filtering with context-based signals, and finally All traffic is encrypted.

Using the Azure Well-Architected Framework makes it easier to meet these objects using a Hub-Spoke model.

• The “Hub” VNet on the left here contains both Firewalls, WAFs & some Virtual Machines, with each deployed to it’s own subnet, providing segmentation within the VNet itself.
• The “Spoke” VNet on the right hosts the actual workload – in this scenario its an AKS cluster.
• Peering connects the Vnets together to allow for network data flow, and the UDR (user defined route) routes all traffic outbound from the VNet to the firewalls (providing full control of all traffic leaving the Vnet) in the Hub
• An Azure policy forces the use of both peering and UDR.
•  A Private Endpoints allow us to use PaaS based services as if they were part of are VNet, restricting and control access to internal resources only.

One established, delegation of control of the spoke VNet can be provided to the required department, and provides greater control and governance of the environment.

Microsegmentation in Azure using  Hub n Spoke – Gil Gross 

Data

In today’s world of hybrid work, organizations face an increasing volume of data, ever-evolving regulations around how that data is protected, and an evolving complexity and frequency of data security breaches.  Your information protection strategy should be driven by your business needs, and in an organization that adheres to Zero Trust principals much protect its data through a cycle of discovery, classification, protections, and governance – no matter wherever it lives or travels.

Security and compliance are tightly integrated for most organizations. It’s important that your organization addresses basic security, threat protection, and identity and access management areas to help provide a defense in-depth approach to both security and compliance – from how best to manage risks, protect your data, and remain compliant with regulations and standards with a newly remote workforce. Employees are now collaborating and connecting with each other in new ways, and this change means your existing compliance processes and controls need to adapt. Identifying and managing these new compliance risks within your organization is critical to safeguarding your data and minimizing threats and risks.

Knowing what to prioritize and where to apply controls can be a challenge, and creating a well-designed data classification framework / data taxonomy is a journey where a crawl-walk-run approach is crucial. Data classification frameworks are meant for a broad audience, including your average staff member, your legal and compliance teams, and your IT team. A good balance of security against convenience alongside easy-to-use tools usually lead to wider user adoption and use.

Microsoft Purview’s solutions provide a unified data governance service that helps you manage your on-premises, multicloud, and software-as-a-service (SaaS) data, allowing you to:

• Create a holistic, up-to-date map of your data landscape with automated data discovery, sensitive data classification, and end-to-end data lineage.
• Enable data curators and security administrators to manage and keep your data estate secure.
• Empower data consumers to find valuable, trustworthy data.

Applications

Enterprise organizations typically have a large application portfolio, but not all applications have equal importance. Applications can be classified based on a criticality scale. For example, business-critical applications are designed to prevent financial losses, safety-critical are focused on costs associated with loss of human life. Mission-critical applications cover both aspects that can be impacted by unavailability or underperformance.

With cloud apps existing a large number of organization’s portfolio of services, you most likely need a Cloud Access Security Broker (CASB) to address the additional, unique challenges of regulating and securing your environment. For example, there are many ways for malicious actors to leverage cloud apps to get into your enterprise network and exfiltrate sensitive business data.

You need a CASB to better understand your overall cloud posture across SaaS apps and cloud services and, as such, Shadow IT discovery and app governance are key use cases. Additionally, an organization is responsible for managing and securing its cloud platform including IAM, VMs and their compute resources, data and storage, network resources, and more.

Microsoft Defender for Cloud Apps includes log collection, API connectors, and reverse proxy capabilities. It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your Microsoft and third-party cloud services.

By using a 4-pronged lifecycle management strategy, organizations can ensure configurations, exclusions, and policies for Microsoft Defender for Cloud Apps remain up to date and are reviewed on an established cadence.

1. Discover and control the use of Shadow IT: Identify the cloud apps, IaaS, and PaaS services used by your organization. Investigate usage patterns, assess the risk levels and business readiness of more than 31,000 SaaS apps against more than 80 risks. Start managing them to ensure security and compliance.
2. Protect your sensitive information anywhere in the cloud: Understand, classify, and protect the exposure of sensitive information at rest. Leverage out-of-the box policies and automated processes to apply controls in real time across all your cloud apps.
3. Protect against cyberthreats and anomalies: Detect unusual behavior across cloud apps to identify ransomware, compromised users or rogue applications, analyze high-risk usage and remediate automatically to limit the risk to your organization.
4. Assess the compliance of your cloud apps: Assess if your cloud apps meet relevant compliance requirements including regulatory compliance and industry standards. Prevent data leaks to non-compliant apps, and limit access to regulated data.

Infrastructure

Extending Zero Trust into your infrastructure focuses on bolstering security across multicloud, hybrid environments with cloud security posture management (CSPM) and cloud workload protection (CWP). This not only allows you to strengthen your security posture and protect cloud workloads with a unified platform, deep signal intelligence, and streamlined administration, but Reduce risk with contextual security posture management, prevent/ detect/ respond quickly to modern threats, but also unify security management for DevOps.

Complementary to the network security story in Azure, outside of as subnets or application groups, infrastructure protections are provided by using NSGs and ASGs. You can also use Network Virtualized Appliance (NVAs) from Azure Marketplace or Azure Firewall to enforce and secure segmentation.

Microsoft Defender for Cloud can provide security posture monitoring, attack path analysis, workload protection, vulnerability scanning, and DevOps visibility while providing remediation guidance, DevOps configuration improvements, and adherence to Regulatory compliance.

With Microsoft Sentinel, you get a single solution for attack detection, threat visibility, proactive hunting, and threat response. With a bird’s-eye view across the enterprise, you can alleviating the stress of increasingly sophisticated attacks, increasing volumes of alerts, and long resolution time frames.

With Identity being at the heart of every authentication and authorization, controlling access to your infrastructure is critical. Layer on Entra Permissions Management to enhance your security posture by ensuring the principle of least privilege is automated across identities and resources in your IaaS infrastructure – across compute resources, container clusters, serverless functions, and databases across Amazon Web Services, Microsoft Azure, and Google Cloud Platform.

Conclusion

What is your organization doing to super charge their Zero Trust story?

While applying a Zero Trust architecture is proved to improve the security posture of an organization’s network and can help with cost savings costs, it also improves the efficiency of your organization’s security operations – without just focusing on network infrastructure. While both Microsoft and their competitors offer “Zero Trust” solutions to organizations, the Microsoft approach different with identity and device health at the core while  focuses on providing secure access to resources.

To traverse this journey, picking a partner with a proven track record of securing the 6 pillars of Zero Trust to Fortune 1000 companies and can take you tactfully down that journey is critical. Let Concurrency and our team of Microsoft-certified Modern Workplace architects help with you design the blueprint that fits right for your organization.