Getting Started with Zero Trust Security

More than ever, organizations need a new security model that more effectively adapts to the growing intensity and sophistication of cyberattacks, embraces the hybrid workplace, and protects people, devices, apps, and data wherever they’re located.

Taking basic security precautions can help your organization prepare for, and mitigate, the overwhelming majority of modern cyber threats, and it also helps prepare for the way threats evolve as technology advances.

Why Zero Trust?

Many IT security leaders and IT departments are embracing Zero Trust security as an effective approach for today’s cloud-first world, one that improves their organization’s overall security posture against evolving threats.

Cloud applications, public cloud services, and the mobile workforce have redefined the security perimeter, rendering perimeter-based security models obsolete. Organizations can no longer rely on traditional network controls for security.

Even more than two years into the pandemic, many organizations are likely to have applications and data that exist both inside the traditional firewall and beyond it. Security and IT teams can no longer assume that users and their devices (both personal and corporate) on the network are any safer than those on the outside. Perimeter controls do little to prevent an attacker from moving laterally on the network after gaining initial access to it.

What’s needed is a pivot to “boundaryless” security – known more commonly as Zero Trust. Zero Trust is important to reduce the exposure of sensitive data by limiting the inherent trust within an organization that an attacker would exploit – especially when people are connecting from everywhere and will not necessarily be coming from a “trusted” location.

That is why adopting a Zero Trust approach is now a top priority for most organizations. In a world where it’s harder to predict or prevent the attacker, it’s important to assume they will get in and to limit what they can reach once they do.

What is Zero Trust?

Despite what the name implies, a Zero Trust approach empowers organizations to grant employees greater freedom across all data, apps, and infrastructure. It is designed to adapt to the complexities of the modern environment that embraces the mobile workforce – and protects people, devices, applications, and data wherever they are located.

An important note: Zero Trust is not a technology, product, or service – it’s an approach to managing risk. You may hear Zero Trust interchangeably referred to as a model, approach, strategy, or framework.

Microsoft describes it as “a proactive, integrated approach to security across all layers of the digital estate that explicitly and continuously verifies every transaction, asserts least privilege access, and relies on intelligence, advanced detection, and real-time response to threats.”

Zero Trust Guiding Principles

When implementing Zero Trust, organizations should adhere to the following three guiding principles:

Verify Explicitly: Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies. Note: Microsoft has expanded it to include verifying the software in your supply chain.

Use Least Privileged Access: Limit user access with just-in-time and just-enough-access (JIT/JEA), risk-based adaptive policies, and data protection to help secure both data and productivity.

Assume Breach: Minimize blast radius with micro-segmentation, end-to-end encryption, continuous monitoring, and automated threat detection and response.

Instead of believing everything behind the corporate firewall is safe, the Zero Trust model assumes breach and verifies each request as though it originated from an uncontrolled network. Regardless of where the request originates or what resource it accesses, the Zero Trust model teaches us to “never trust, always verify.”
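The three principles above are easiest to see as a single access decision. The following is an added example, not code from the original post or from Microsoft: a toy policy decision point that treats every request as if it came from an uncontrolled network. It verifies explicitly (identity, MFA state, device health, location, risk score and data classification are all checked on every request), applies least privilege (each grant covers exactly the requested action and expires on a JIT/JEA time box), and assumes breach (every decision is written to an audit trail, over which a simple anomaly check runs). The signal names, thresholds, country list and risk engine are assumptions for illustration, not any vendor’s API.

```python
"""Toy Zero Trust policy decision point (added example, not the page's code).

Signals, thresholds and the risk score are assumed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical policy constants (assumed, not from the page).
ALLOWED_COUNTRIES = {"US", "CA"}
HIGH_RISK = 70      # risk at or above this is denied outright
MEDIUM_RISK = 30    # risk at or above this always requires MFA
# JIT/JEA: the more privileged the action, the shorter the grant.
GRANT_TTL = {
    "read": timedelta(hours=8),
    "write": timedelta(hours=1),
    "admin": timedelta(minutes=15),
}
CLASSIFICATIONS = {"public", "internal", "confidential"}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_satisfied: bool
    device_compliant: bool      # managed, patched, disk-encrypted (assumed signal)
    country: str                # derived from source IP (assumed signal)
    risk_score: int             # 0..100 from a hypothetical risk engine
    resource: str
    data_classification: str    # one of CLASSIFICATIONS
    action: str                 # one of GRANT_TTL's keys


@dataclass(frozen=True)
class Decision:
    outcome: str                # "allow" | "step_up" | "deny"
    reason: str
    expires_at: Optional[datetime] = None


def evaluate(req: AccessRequest, now: datetime, audit: list) -> Decision:
    """Verify explicitly: being on the corporate LAN buys nothing; every
    signal is re-checked on every request, and unknown values fail closed."""
    if req.action not in GRANT_TTL or req.data_classification not in CLASSIFICATIONS:
        decision = Decision("deny", "unknown_action_or_classification")
    elif req.risk_score >= HIGH_RISK:
        decision = Decision("deny", "risk_score_high")
    elif req.country not in ALLOWED_COUNTRIES:
        decision = Decision("deny", "country_not_allowed")
    elif req.data_classification == "confidential" and not req.device_compliant:
        # Sensitive data never flows to an unhealthy device, even with MFA.
        decision = Decision("deny", "confidential_requires_compliant_device")
    elif (req.data_classification != "public" or req.action != "read"
          or req.risk_score >= MEDIUM_RISK) and not req.mfa_satisfied:
        # Step-up rather than deny: the user can still satisfy the policy.
        decision = Decision("step_up", "mfa_required")
    else:
        # Least privilege: grant exactly the requested action, time-boxed.
        decision = Decision("allow", f"jit_{req.action}", now + GRANT_TTL[req.action])
    # Assume breach: record every decision, allowed or not, for detection.
    audit.append((now, req.user, req.resource, req.action, decision.outcome, decision.reason))
    return decision


def suspicious_users(audit: list, window: timedelta, threshold: int = 3) -> set:
    """Flag users with `threshold` or more denials inside any `window`
    starting at one of their denials (a deliberately simple detector)."""
    flagged = set()
    denials = [(t, u) for t, u, _, _, outcome, _ in audit if outcome == "deny"]
    for t0, user in denials:
        count = sum(1 for t, u in denials if u == user and t0 <= t < t0 + window)
        if count >= threshold:
            flagged.add(user)
    return flagged


def demo():
    """Constructed sample requests (not real telemetry); returns the
    decisions in order plus the set of flagged users."""
    now = datetime(2022, 6, 1, 9, 0, tzinfo=timezone.utc)
    audit = []
    requests = [
        AccessRequest("alice", True, True, "US", 10, "payroll-db", "confidential", "read"),
        AccessRequest("alice", True, False, "US", 10, "payroll-db", "confidential", "read"),
        AccessRequest("bob", False, True, "CA", 5, "wiki", "internal", "read"),
        AccessRequest("carol", True, True, "US", 20, "prod-cluster", "confidential", "admin"),
    ]
    # Three denied attempts from an unexpected country within a few minutes.
    requests += [AccessRequest("mallory", True, True, "XX", 50, "payroll-db", "confidential", "read")] * 3
    results = [evaluate(r, now + timedelta(minutes=i), audit) for i, r in enumerate(requests)]
    return results, suspicious_users(audit, timedelta(minutes=5))


if __name__ == "__main__":
    for d in demo()[0]:
        print(d.outcome, d.reason, d.expires_at)
    print("flagged:", demo()[1])
```

Note that the compliant-device check for confidential data precedes the MFA check on purpose: a strong credential does not compensate for an unhealthy endpoint, which is the point of evaluating every signal rather than stopping at the first one that passes.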

Zero Trust Defense Areas

According to Microsoft, a Zero Trust approach should extend throughout the entire digital estate and serve as an integrated security philosophy and end-to-end strategy. How? This is done by implementing Zero Trust controls and technologies across six foundational technology pillars: identity, data, endpoints, applications, network, and infrastructure.

Each pillar is a source of signal, a control plane for enforcement, and a critical resource to be defended. Here’s a broad overview:

Zero Trust Security Tech Pillars

Source via Microsoft Security: The Comprehensive Playbook for Implementing Zero Trust Security.

By adopting a Zero Trust framework in one or all of these areas, you can effectively modernize your security technology and processes and start to maximize protection in the face of modern threats.

However, each organization will have different priorities depending on its current capabilities and the level of risk represented by a given security area.

Zero Trust Architecture

Microsoft recommends the following Zero Trust architecture and provides the primary elements that contribute to a Zero Trust approach.

Microsoft Zero Trust Architecture Diagram.

Diagram via Microsoft.

After the lessons learned over the past two years, Microsoft now emphasizes the critical importance of integrating policy enforcement and automation, threat intelligence, and threat protection across security pillars. These integrated elements act upon telemetry across every pillar to inform decisions with real-time signals.

Where Are You in Your Zero Trust Journey?

Gauge where your organization is in its Zero Trust journey with the following questions:

Zero Trust Maturity Levels.

Source via Microsoft Security: The Comprehensive Playbook for Implementing Zero Trust Security.

Zero Trust is a Journey – Not a Destination

It’s important to point out that Zero Trust is a journey with a flexible framework. There is no one-size-fits-all approach to Zero Trust implementation – giving organizations permission to start anywhere.

How easily an organization can adopt these principles varies depending on its individual security challenges, needs, and capabilities. In other words, the journey to Zero Trust is unique to your business.

Organizational requirements, existing technologies, and security stages all affect the planning for a Zero Trust implementation. While Zero Trust security is most effective when integrated across the entire digital estate, it’s recommended that organizations take a phased approach that targets specific areas based on their Zero Trust maturity, available resources, and priorities. Each investment must be carefully considered and aligned with current business needs.

Start Small & Build Confidence

We recommend you start small and build confidence before rolling out Zero Trust across your organization.

The first step in the journey does not have to be a large lift and shift to cloud-based security tools. Likewise, starting with Zero Trust doesn’t require a complete reinvention of infrastructure. According to Microsoft, the most successful solutions should layer on top of and support a hybrid environment without entirely replacing existing investments. No matter the size of the organization, deploying Zero Trust should start with the small pieces since completing multiple larger changes simultaneously often isn’t feasible.

After the first steps are taken and confidence is established, the Zero Trust model should be extended throughout the entire digital estate – while also serving as an integrated security philosophy and end-to-end strategy.

Ready to Get Started?

Whether your organization is considering a Zero Trust approach or has already started, our team can help evaluate, recommend, and implement the best security solutions to keep your organization secure. Contact Us Now

Sources:

  • Microsoft’s Zero Trust Overview
  • Microsoft Security White Paper: The Comprehensive Playbook for Implementing Zero Trust Security
  • Microsoft White Paper: Evolving Zero Trust – How Real-World Deployments and Attacks Are Shaping the Future of Zero Trust Strategies
  • Microsoft White Paper: Examining Zero Trust – An Executive Roundtable Discussion