
A Holistic Approach to Zero Trust

By Chris Blackburn

Zero Trust architecture isn’t another security fad, and it’s not a technology you can simply implement. It is a security model that underpins every step of the modern workplace maturity journey that we at Concurrency guide our clients along.

Holistic Approach

At its core, Zero Trust is based on 3 paradigms:

  1. Verify explicitly
  2. Use least-privileged access
  3. Assume breach

Applying these Zero Trust paradigms at the core of your security architecture improves the efficiency of an organization's security operations. But a holistic approach to Zero Trust should extend to your entire digital estate, covering the 6 pillars of Zero Trust: identities, endpoints, network, data, apps, and infrastructure. Zero Trust architecture serves as a comprehensive end-to-end strategy and requires integration across all of these elements.

Foundation

As a unified policy enforcement mechanism, Zero Trust policies should intercept all requests, explicitly verify signals from all 6 pillars (identities, endpoints, network, data, apps, and infrastructure) based on policy configuration, and enforce least-privilege access. Signals include the role of the user, location, device compliance, data sensitivity, and application sensitivity.

In addition to telemetry and state information, risk assessment from threat protection feeds into the policy engine so that it can respond to threats automatically in real time. Policy is enforced at the time of access and continuously evaluated throughout the session.

Policy enforcement is further enhanced by policy optimization. Governance and compliance are critical to a strong Zero Trust implementation. Security posture assessment and productivity optimization are necessary to measure the telemetry throughout the services and systems.

Enforcement

A successful security posture relies not only on policies protecting the 6 pillars but also on telemetry and analytics from these pillars being fed into a threat protection system for enforcement. Large amounts of telemetry and analytics, enriched by threat intelligence, generate high-quality risk assessments that can be investigated manually or handled automatically. Attacks happen at cloud speed, and because humans can’t react quickly enough or sift through all the risks, your defense systems must also act at cloud speed. Feeding risk assessment into the policy engine for real-time automated threat protection, with manual investigation only where needed, decreases the need for human intervention.
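The policy engine described in the Foundation section (intercept every request, verify the user role, location, device compliance, data sensitivity and application sensitivity signals, enforce least privilege, and keep evaluating during the session) and the risk feed described in the paragraph above can be shown as one small worked example. The Python below is an added illustration written for this page; it is not code from the original article or from any Microsoft or Concurrency product. The sensitivity levels, role entitlements, risk thresholds, trusted locations and sample requests are all constructed assumptions chosen to exercise the three paradigms.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "require_mfa"   # verify explicitly: demand stronger proof before serving
    DENY = "deny"


# Constructed sensitivity ordering (assumption, not a product's label scheme).
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2}


@dataclass
class AccessRequest:
    """Signals gathered at access time; mutable so a session can re-evaluate them."""
    user_role: str
    location: str            # e.g. "corp_office", "home" (constructed values)
    device_compliant: bool   # endpoint management reports the device meets baseline
    data_sensitivity: str    # label on the data being requested
    app_sensitivity: str     # label on the application
    risk_score: float        # 0.0 .. 1.0, supplied by threat protection


@dataclass
class Policy:
    allowed_roles: dict[str, int]      # role -> highest sensitivity level it may access
    compliant_device_from: int         # level at/above which device compliance is mandatory
    step_up_risk: float                # risk at/above which extra verification is required
    block_risk: float                  # risk at/above which access is cut off
    trusted_locations: frozenset[str]


def evaluate(req: AccessRequest, policy: Policy) -> tuple[Decision, str]:
    """Apply the three paradigms to one request and explain the outcome."""
    # Assume breach: a high risk score from threat protection overrides every other signal.
    if req.risk_score >= policy.block_risk:
        return Decision.DENY, "risk score at or above block threshold"

    level = max(SENSITIVITY[req.data_sensitivity], SENSITIVITY[req.app_sensitivity])

    # Least privilege: the role must be entitled to this sensitivity level at all.
    ceiling = policy.allowed_roles.get(req.user_role)
    if ceiling is None or level > ceiling:
        return Decision.DENY, "role not entitled to this sensitivity level"

    # Verify explicitly: a sensitive resource is never served to an unmanaged device.
    if level >= policy.compliant_device_from and not req.device_compliant:
        return Decision.DENY, "non-compliant device for a sensitive resource"

    # Elevated (but sub-block) risk or an untrusted location earns a step-up, not a pass.
    if req.risk_score >= policy.step_up_risk or req.location not in policy.trusted_locations:
        return Decision.STEP_UP, "elevated risk or untrusted location"

    return Decision.ALLOW, "all signals satisfied"


class Session:
    """Continuous evaluation: policy is re-run whenever a signal changes mid-session."""

    def __init__(self, req: AccessRequest, policy: Policy):
        self.req, self.policy = req, policy
        self.decision, self.reason = evaluate(req, policy)
        self.active = self.decision is not Decision.DENY

    def update(self, **signals) -> Decision:
        """Feed a changed signal (e.g. a new risk score) and re-enforce immediately."""
        for name, value in signals.items():
            setattr(self.req, name, value)
        self.decision, self.reason = evaluate(self.req, self.policy)
        if self.decision is Decision.DENY:
            self.active = False   # the session is torn down, not merely queued for a human
        return self.decision


# Constructed sample policy (assumption, not taken from the article).
POLICY = Policy(
    allowed_roles={"analyst": 1, "finance_admin": 2},
    compliant_device_from=1,
    step_up_risk=0.5,
    block_risk=0.8,
    trusted_locations=frozenset({"corp_office"}),
)


def demo() -> list[tuple[Decision, str]]:
    """Run four constructed requests plus one mid-session risk change."""
    results = [
        evaluate(AccessRequest("finance_admin", "corp_office", True, "confidential", "confidential", 0.1), POLICY),
        evaluate(AccessRequest("analyst", "home", True, "internal", "internal", 0.2), POLICY),
        evaluate(AccessRequest("analyst", "corp_office", True, "confidential", "internal", 0.1), POLICY),
        evaluate(AccessRequest("finance_admin", "corp_office", False, "internal", "public", 0.1), POLICY),
    ]
    # A clean session, then threat protection raises the risk score while it is open.
    session = Session(AccessRequest("finance_admin", "corp_office", True, "confidential", "public", 0.1), POLICY)
    session.update(risk_score=0.9)
    results.append((session.decision, "session active" if session.active else "session revoked"))
    return results


if __name__ == "__main__":
    for decision, reason in demo():
        print(f"{decision.value:12} {reason}")
```

The order of the checks is the design point: the risk feed from threat protection is consulted first so that an active compromise cannot be outweighed by an otherwise clean set of signals, entitlement and device posture are hard denials, and location or moderate risk only adds friction (a step-up) rather than blocking. The `Session` object is what makes enforcement continuous rather than a one-time gate at login.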

Risk mitigation birthed the vulnerability assessment (VA) market, and many vendors provide capabilities to identify, categorize, and manage vulnerabilities. In practice, VA products help you identify insecure system configurations or missing patches. Such solutions support your security operations by giving you visibility into what weaknesses exist on your assets and help you stay compliant with your security policies and standards. But the ultimate objective of a threat and vulnerability management solution is to prevent security incidents from happening in the first place, because when they happen they cost you time, effort, money, and even your customers’ trust. Therefore, investing in a proper Threat and Vulnerability Management solution is core to enforcing Zero Trust.

Zero Trust shouldn’t stop at identities and devices; it should apply to the multi-platform, multi-cloud products that run your business. Protection provided through classification, labeling, and encryption of emails, documents, and structured data should be automatic. Protection applied to app access should be adaptive, whether the app is SaaS or on-premises. Runtime control should be applied to infrastructure (serverless, containers, IaaS, PaaS, and internal sites), with just-in-time (JIT) access and version controls actively engaged. Traffic filtering and segmentation are applied as part of the evaluation and enforcement of the Zero Trust policy before access is granted to any public or private network.

Business Value

Ultimately, the realized business value of Zero Trust leads to increased security & productivity.

Sources:
The Total Economic Impact™ Of Securing Apps With Microsoft Azure Active Directory, a commissioned study conducted by Forrester Consulting, August 2020.
The Total Economic Impact™ Of Microsoft Endpoint Manager, a commissioned study conducted by Forrester Consulting, April 2021.
Forrester based all savings estimates on the composite organizations developed for its TEI studies.

On top of enhancing security, by streamlining and simplifying your security toolset through activities like consolidating your vendor approach, many organizations are seeing up to 60% savings by doing more with less: less license cost for multiple toolsets, less manpower, less strain on IT operations, and less risk from cyberthreats.

Comprehensive security means adopting an end-to-end approach that harnesses the power of AI to protect against internal and external cyberthreats and to secure multicloud environments. Protecting your organization, people, and data for a more secure future doesn’t have to be costly, and satisfying increasingly intricate compliance regulations doesn’t have to be complex.

Applying Microsoft to Zero Trust

Consistently sacrificing security for gains in other areas isn't advisable, because security risks tend to increase dynamically over time. Decreasing security risk typically comes down to three key strategies:

  • Establish a modern perimeter: For the elements your organization controls, ensure you have a consistent set of controls (a perimeter) between those assets and the threats to them. Perimeters should be designed around intercepting authentication requests for the resources (identity controls) rather than intercepting network traffic on enterprise networks, since that traditional approach isn't feasible for enterprise assets outside the network.
  • Modernize infrastructure security: For the operating systems and middleware elements that legacy applications require, take advantage of cloud technology to reduce security risk to the organization. For example, knowing whether all servers in a physical datacenter are updated with security patches has always been challenging because of discoverability. Software-defined datacenters allow easy and rapid discovery of all resources.
  • "Trust but verify" each cloud provider: For the elements under the control of the cloud provider, ensure the security practices and regulatory compliance of each cloud provider (large and small) meet your requirements.

The Microsoft Security Product Portfolio addresses each of these 3 strategies by applying them across the 6 pillars of Zero Trust.

Identity

The foundation of Zero Trust security is identities. Both human and non-human identities need strong authorization, connecting from either personal or corporate endpoints with compliant devices, requesting access based on strong policies grounded in Zero Trust principles of explicit verification, least-privilege access, and assumed breach.

At its core, the Microsoft identity story is built on the Azure Active Directory (AAD) platform and is part of the Microsoft Entra story to secure EVERY identity, human and non-human. Microsoft's Zero Trust identity solution offers core features such as conditional access, multi-factor authentication, and device management, but extends to secure access to resources, cloud infrastructure entitlement management (CIEM), decentralized identity credentials, and identity governance across clouds and on-prem.