Keep your computer and communications secure with Zero Trust


July 6, 2023
Microsoft Australia

Zero Trust is a timely approach to address the cyber security challenges originating from the rise in remote working, the proliferation of personal devices, and obsolete physical security perimeters.

The Zero Trust cyber security model is based on the principle of “never trust, always verify”. In a cyber security architecture based on Zero Trust, no user (person, device, or application) is trusted by default, whether the user is on the corporate network or remote. Every user request for access to resources is treated as a potential cyber security breach. Any access privileges are minimised to “just enough access” to satisfy the user’s request. In addition, in the Zero Trust model, there is continual adjustment of security to changes in the digital landscape.

In this series of digital events, we show you how the principles of Zero Trust, applied with a risk-based, step-by-step approach and the associated cyber security tools, can help you effectively protect your entire digital estate (on-premises and in the cloud) in today’s hybrid work environment.

Without infrastructure, no IT can run. Without a network, nobody can communicate. However, these essential items are also threat vectors. Attackers who pass through external layers of protection can do untold damage to an organisation if no further checks are made. Zero Trust addresses this risk by making every user, every request for access, suspect until proven otherwise. A broad range of Microsoft solutions enable you to apply a Zero Trust strategy to your organisation.

Once upon a time…

…There was an organisation that had a network, and infrastructure in that network. Users would come to the edge of the network and say, “let us in!” The organisation would check the users, and those deemed responsible and trustworthy were allowed inside, where they could then move north-south and east-west, compromise assets, exfiltrate data, and bring the organisation to its knees.

There is no inside or outside any more

But wait, this story doesn’t have to end that way! True, the trust model is broken. The network is no longer a static entity with well-defined physical limits. Users, devices, apps, and data can now be anywhere, as remote working and cloud computing have shown. So, instead of thinking of users as “inside” or “outside”, we consider them all equally unknown and untrustworthy, to be granted access to resources only if they continually prove they are entitled. Instead of the old model of “Verify, then trust”, we need a new approach of “Never trust, always verify”. In other words, we need Zero Trust.

Rethinking security architectures

Traditional network security is built with access controls like firewalls, virtual private networks (VPNs), intrusion detection and prevention systems (IDS/IPS), and email gateways. Valid user credentials are often enough to get past all these layers of protection.

Zero Trust turns this approach on its head. It assumes that every request for access is an attempted cybersecurity breach unless proven otherwise. Nor are users free to roam the organisation once access is granted. Access is limited to just-in-time (JIT) and just-enough-access (JEA): enough to let them do their jobs, but no more.

Illustration: computers connecting to a secure cloud.

Segmentation is smart

For network resources, a Zero Trust approach uses segmentation, for example to create subnetworks for specific parts of an enterprise. Each segment has its own entry and exit security controls to prevent unauthorised lateral movement. Segmentation can be highly granular, down to microsegmentation for workloads, microservices, or containers. Each segment should have real-time threat protection, and each communication in the network should be encrypted end to end.

Resources within a segment are connected using a hub-and-spoke topology. For instance, the segments can be Azure Virtual Networks (VNets), with applications as the spokes attached to the VNet hub and Azure Firewall controlling communications to other VNet hubs.
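The segmentation model described above (per-segment entry and exit controls, no implicit trust for east-west traffic, encryption required on every flow) can be expressed as a default-deny policy that the hub firewall enforces. The following is an added example, not code from Microsoft or from this post: the segment address ranges, the allow-list rules and the flow-log lines are all constructed for illustration, and the evaluator stands in for whatever firewall or network security group actually enforces the policy.

```python
"""Default-deny segment policy check for a hub-and-spoke network.

Added example (not Microsoft code): segments, addresses, rules and the
flow-log lines below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed segments: a hub (where the firewall sits) and two spokes.
SEGMENTS = {
    "hub": ip_network("10.0.0.0/24"),
    "spoke-web": ip_network("10.1.0.0/24"),
    "spoke-db": ip_network("10.2.0.0/24"),
}


@dataclass(frozen=True)
class Rule:
    """An explicitly allowed flow; anything not listed is denied."""
    src: str                     # source segment name
    dst: str                     # destination segment name
    port: int
    encrypted_only: bool = True  # flow must be TLS even between trusted segments


# Constructed allow-list: web tier may reach the database tier on 5432 only,
# and the hub may reach the web tier on 443.
ALLOW_RULES = (
    Rule("spoke-web", "spoke-db", 5432),
    Rule("hub", "spoke-web", 443),
)


def segment_of(ip: str):
    """Map an address to its segment name, or None if it is not ours."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip: str, dst_ip: str, port: int, tls: bool):
    """Decide one flow. Returns ("allow", reason) or ("deny", reason).

    There is no implicit trust for intra-segment or spoke-to-spoke traffic:
    every flow, east-west included, needs a matching rule.
    """
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return "deny", "address outside any known segment"
    for rule in ALLOW_RULES:
        if (rule.src, rule.dst, rule.port) == (src, dst, port):
            if rule.encrypted_only and not tls:
                return "deny", f"{src}->{dst}:{port} allowed only over TLS"
            return "allow", f"rule {src}->{dst}:{port}"
    return "deny", f"no rule for {src}->{dst}:{port}"


def audit_flow_log(lines):
    """Replay flow-log lines ('src dst port tls|clear') through the policy
    and return the denied ones, which is what a SOC would alert on."""
    denied = []
    for line in lines:
        src_ip, dst_ip, port, tls = line.split()
        verdict, reason = evaluate(src_ip, dst_ip, int(port), tls == "tls")
        if verdict == "deny":
            denied.append((line, reason))
    return denied


# Constructed sample flows: only the first is legitimate; the second is the
# right path in cleartext, the last two are east-west lateral movement.
SAMPLE_FLOWS = [
    "10.1.0.5 10.2.0.9 5432 tls",
    "10.1.0.5 10.2.0.9 5432 clear",
    "10.2.0.9 10.1.0.5 22 tls",
    "10.1.0.5 10.1.0.7 445 tls",
]

if __name__ == "__main__":
    for line, reason in audit_flow_log(SAMPLE_FLOWS):
        print(f"DENY {line}: {reason}")
```

The point of the example is the shape of the policy rather than any particular product: the rule table is the only source of "allow", a flow inside one segment is treated exactly like a flow between segments, and the denied entries are the detection signal that a segment boundary is being probed.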

Zero Trust checklist for infrastructure

For infrastructure overall, a Zero Trust architecture needs to cover all the resources for delivering and supporting IT services on premises or in the cloud. That includes:

  • All physical and virtual hardware, including IT and networking hardware
  • All IT and networking software, including open source, PaaS, SaaS, microservices, and APIs
  • Just-in-time and just-enough-access for system and network administrators, so that, like other users, they can carry out their duties at minimal risk to the organisation.
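The just-in-time and just-enough-access requirement in the last item above, together with the "never trust, always verify" principle from earlier in the post, can be modelled as a grant that is scoped to one task, expires after a short window, and is re-verified on every use. The following is an added example, not code from Microsoft or from this post; the principal, resource, task catalogue, verification signals and 30-minute time limit are constructed for illustration.

```python
"""Just-in-time, just-enough-access grants with re-verification on every use.

Added example (not Microsoft code): the principals, resources, task
catalogue, signals and time limit are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional, Tuple

# Constructed task catalogue: each admin task maps to the smallest action set
# that accomplishes it (the "just enough" part).
TASK_ACTIONS = {
    "restart-web": frozenset({"vm.restart"}),
    "read-web-logs": frozenset({"vm.logs.read"}),
}

# Constructed eligibility: who may even ask for which task on which resource.
ELIGIBLE = {
    ("alice@example.com", "vm/prod-web-01"): {"restart-web", "read-web-logs"},
}

MAX_TTL = timedelta(minutes=30)  # the "just in time" part: grants expire
DEMO_NOW = datetime(2023, 7, 6, 9, 0, tzinfo=timezone.utc)  # constructed clock


@dataclass(frozen=True)
class Signals:
    """Verification signals collected for every request and every use."""
    mfa_verified: bool
    device_compliant: bool


@dataclass(frozen=True)
class Grant:
    principal: str
    resource: str
    actions: FrozenSet[str]
    expires_at: datetime


def request_access(principal: str, resource: str, task: str, signals: Signals,
                   justification: str, now: datetime) -> Tuple[Optional[Grant], str]:
    """Issue a time-boxed, task-scoped grant only if every check passes."""
    if task not in ELIGIBLE.get((principal, resource), set()):
        return None, "principal not eligible for this task on this resource"
    if not signals.mfa_verified:
        return None, "MFA not verified"
    if not signals.device_compliant:
        return None, "device not compliant"
    if not justification.strip():
        return None, "justification required"
    return Grant(principal, resource, TASK_ACTIONS[task], now + MAX_TTL), "granted"


def is_authorised(grant: Grant, resource: str, action: str,
                  signals: Signals, now: datetime) -> bool:
    """Check at time of use: holding a grant is never enough on its own,
    the resource, the action, the expiry and the signals are all rechecked."""
    if grant.resource != resource or action not in grant.actions:
        return False
    if now >= grant.expires_at:
        return False
    return signals.mfa_verified and signals.device_compliant


def demo() -> dict:
    """Walk one grant through its lifetime; returns the decisions for checking."""
    ok = Signals(mfa_verified=True, device_compliant=True)
    grant, why = request_access("alice@example.com", "vm/prod-web-01",
                                "restart-web", ok, "INC-1234: web tier hung", DEMO_NOW)
    return {
        "granted": why == "granted",
        "scoped_to_restart": grant is not None and grant.actions == frozenset({"vm.restart"}),
        "use_in_window": is_authorised(grant, "vm/prod-web-01", "vm.restart", ok,
                                       DEMO_NOW + timedelta(minutes=5)),
        "use_other_action": is_authorised(grant, "vm/prod-web-01", "vm.delete", ok, DEMO_NOW),
        "use_after_expiry": is_authorised(grant, "vm/prod-web-01", "vm.restart", ok,
                                          DEMO_NOW + MAX_TTL),
        "use_device_fell_out": is_authorised(grant, "vm/prod-web-01", "vm.restart",
                                             Signals(True, False), DEMO_NOW),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Two design choices carry the Zero Trust content: the grant records the action set for one task, not a standing role, so a compromised session cannot be widened; and `is_authorised` re-reads the device and MFA signals at each use, so a device that drops out of compliance loses access before the grant expires.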

Microsoft solutions to help turn a Zero Trust strategy into an operational reality include Azure Blueprints, Azure Policies, Azure Security Center, Azure Sentinel, and Azure Sphere.

