Zero Trust is a security model that can be applied to Microsoft 365. Should your organization be considering it? Explore the steps to get started?
By Chris Perrey, Principal Architect – Americas, sa.global
2022 will continue to be an extremely security focused year. COVID-19 accelerated digital transformation, but it also accelerated cybercrime. Attackers are moving their focus to the cloud, and we all need to implement better security models. Zero Trust is an approach to security that can be applied both on-prem and in the cloud, and Microsoft 365 was built to provide this security model for you, with the right configuration of course.
In this column, I will explain what Zero Trust is and provide links to some of the best Microsoft Zero Trust resources. Use them to learn, to get started, or to complete your Zero Trust journey. I believe that this is essential for every organization.
“A Zero Trust approach should extend throughout the entire digital estate and serve as an integrated security philosophy and end-to-end strategy. This is done by implementing Zero Trust controls and technologies across six foundational elements. Each of these is a source of signal, a control plane for enforcement, and a critical resource to be defended.” -The Microsoft Zero Trust Deployment Center
The Three Principles of Zero Trust
These three guiding principles explain the concept of Zero Trust and what we need to do to provide a more modern security model.
- Verify explicitly
- Use least privileged access
- Assume breach
Verify explicitly means that we need to always authenticate and authorize based on all available data points. Don’t trust a user or a device; verify that it is what it claims to be!
Use least privileged access means that we must limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection.
Assume breach means that we must minimize blast radius and segment access. It should be difficult for an intruder to move laterally throughout the environment. Also, verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses.
When we can adopt these three principles throughout our digital estate, then we have reached Zero Trust. However, every part that we implement increases our security posture. Zero Trust is a journey, and for some organizations, a long one. Everything we do raises the bar, and that’s the goal!
Zero Trust Assessment Tool
The Microsoft Zero Trust Assessment Tool is a wizard driven questionnaire that answers the question: Where are we today? You answer questions pertaining to different areas like identity, device, data, and infrastructure to assess where you are on your Zero Trust journey. Please start off by going through this assessment.
Zero Trust Business Plan
Microsoft provides a great business guide to implement Zero Trust. It explains why Zero Trust is a requirement to secure the rapid digital transformation that is happening right now. Make no mistake that the transformation will speed up even more in the next couple of years. Everyone is going to the cloud, and it’s happening right now, whether you like it or not.
Use this material to sell the concept of Zero Trust to the leadership in your organization. Here are some business arguments (not so much security-related) mentioned in the guide:
- Support work from anywhere at any time
- Enable secure and rapid cloud migration
- Realize cost savings through simplification of the security stack
The Zero Trust business plan explores the three phases of the journey and explains why each phase is important and how to execute it. Each phase includes guidance, best practices, resources, and tools to help you drive your implementation. The phases are Plan, Implement, and Measure.
Microsoft Zero Trust Deployment Center
The Microsoft Zero Trust Deployment Center is a one-stop-shop for all Microsoft Zero Trust content. It is divided by area and explains why and how you should implement certain security features and products to enable Zero Trust. The different areas are:
- Secure identity with Zero Trust
- Secure endpoints with Zero Trust
- Secure applications with Zero Trust
- Secure data with Zero Trust
- Secure infrastructure with Zero Trust
- Secure networks with Zero Trust
- Visibility, automation, and orchestration with Zero Trust
The Zero Trust Deployment Center provides a complete road map/checklist for each area, which helps you save many hours in planning your Zero Trust journey. I strongly encourage everyone who is working with security in Microsoft 365, and on Microsoft products overall, to read the guides in the Zero Trust Deployment Center. It is an eye opener if you haven’t read up on Zero Trust before!
Zero Trust is the future of cloud security, and it is a terrific way of making it hard for attackers to reach their goals. I also want to mention password-less as this will also be an important topic this year, especially in increasing the security around identities.
Have any questions on how sa.global can help protect you against cybercrime? Contact us to get in touch with our experts.