Zero Trust part 1: Identity and access management
Once in a while, a simple phrase captures our imagination, expressing a great way to think about a problem. Zero Trust is such a phrase. Today, I’ll define Zero Trust and then discuss the first step to enabling a Zero Trust model—strong identity and access management. In subsequent blogs, we’ll cover each capability of a Zero Trust model in detail and how Microsoft helps you in these areas and end the series of blogs by discussing Microsoft’s holistic approach to Zero Trust and our framework.
Zero Trust defined—everything is on the open internet
In some ways, the easiest way to think about Zero Trust is to assume everything is on the open internet, even resources we think are safe in our “walled gardens.” With Zero Trust, we move from the world of implicit assumptions made based on single elements to explicit verification of all elements of access.
Attacks are at an all-time high, and most are effective because of assumptions based on the idea that users are safe on corporate networks. These assumptions may have made sense 25 years ago because only email could flow beyond the corporate network, remote work was rare, and personal device use for work was virtually unheard of.
But even in the early days, hackers took advantage of these assumptions. From abusing dial-in numbers for remote work on FTP servers to stealing credentials for email, attackers have long known that once you have ports facing the outside world, your whole network is out there too.
You may have hardened your external access points by requiring Multi-Factor Authentication (MFA) or certificates to access your VPN, but in our investigations we see time and time again that either because of new exploits, or because of exceptions made to reduce friction with demanding (and sometimes VIP) workers, the assumption that “if they are on my network, it’s OK” is not good enough.
First step to enable a Zero Trust model—strong identity and access management
When we talk about a Zero Trust model—and assuming that all of our users, applications, and machines are on the internet—we move from a model of implicit trust to one of explicit verification, where:
- Rather than assuming we have a user that is in a high assurance session (for example: MFA) because of the network, we verify the claim explicitly.
- Instead of assuming the user has a valid machine because of the network, we verify the device explicitly.
- Instead of allowing access to file shares because the user is on the network, we explicitly classify and encrypt data—and so forth.
Increasingly, everything is on the open internet. When your users access their cloud-hosted email from a personal smartphone in a café on a business trip, virtually all elements of that interaction are outside of your traditional “walled garden.” The device, network, and application (code and hardware) fall outside and are not in your direct control, but your ability to validate and set policy on them is.
With the many networks, devices, and applications needed in daily business, the only common denominator is the user. This is why we’ve said, “Identity is the control plane.” It’s critical to establish who the user is as the core of trust for other transactions. If we aren’t sure who the user is, no other system access control or security matters. Once we are sure of the user, we can explicitly verify every element of access whether our resources are on-premises, in cloud-hosted servers, or managed by third-party SaaS apps like Office 365.
A robust Zero Trust strategy considers the full context of the session to determine its overall risk: the identity of the user plus the state of their device, the apps they’re using, and the sensitivity of the data they’re trying to access. It then applies holistic policies that define when to allow, block, or restrict access, or control it by requiring additional authentication challenges such as MFA, limiting functionality such as downloads, or applying compliance controls such as terms of use. This way, a hacker trying to gain access using stolen credentials on an unknown device will be blocked, as will a verified user running a healthy device trying to access data they don’t have permission to see. This strategy not only protects against external threats, but it also helps create guardrails so well-meaning employees can use organizational resources responsibly.
Azure Active Directory (Azure AD) provides the strong, adaptive, standards-based identity verification required in a Zero Trust framework. While Azure AD provides intrinsically strong authentication (including automatic adaptive protection against many attacks), it also allows admins to express their access requirements in simple terms. Virtually every aspect of each sign-in (including associated user or session risk) is available to define the conditions under which access policies are applied. A framework of controls such as additional authentication factors, terms of use, limited access, and other session semantics regulates access. This guarantees we are “secure at access” in our Zero Trust approach.
Azure AD conditional access applies intelligent policies to signals about users, devices, locations, and apps.
A successful Zero Trust strategy requires seamless and flexible access to applications, systems, and data while maintaining security for both users and the resources they need to do their jobs. It requires being cloud-ready, starting with identity, and then taking steps that will help secure all areas of your environment to:
- Strengthen your credentials. If users in your identity system are using weak passwords and not strengthening them with MFA, it isn’t a matter of if or when you get compromised—just how often you will be compromised.
- Reduce your attack surface area. To make life harder for hackers, eliminate using older, less secure protocols, limit access entry points, and exercise more significant control of administrative access to resources.
- Automate threat response. Reduce costs and risks by reducing the time criminals have to embed themselves into your environment.
- Increase your awareness. Use auditing and logging of security-related events and related alerts to help detect patterns that may indicate internal attacks or attempted or successful external penetration of your network.
- Enable user self-help. Reduce friction by empowering your users to stay productive, even as you remain vigilant.
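To make the policy evaluation described above concrete (session context of identity, device, app and data sensitivity mapped to allow, block, restrict or step-up decisions, together with the "block legacy protocols" and "require MFA" steps from the list), here is an added illustrative policy evaluator. It is example code written for this post, not Azure AD's conditional access engine; the signal names, risk levels and the APP_GRANTS entitlement table are constructed assumptions. The one design point worth noticing is that the on_corporate_network signal is carried in the context but never used as a grant condition, which is the Zero Trust shift from implicit to explicit verification.

```python
"""Added example: a minimal Zero Trust access evaluator.

Illustrative code written for this page, not Azure AD's policy engine.
Signal names, risk levels and the APP_GRANTS table are constructed assumptions.
"""
from dataclasses import dataclass, replace
from enum import Enum
from typing import Dict, Tuple


class Decision(Enum):
    ALLOW = "allow"                 # grant the session as requested
    REQUIRE_MFA = "require_mfa"     # additional authentication challenge
    LIMITED = "limited"             # restrict functionality, e.g. no downloads
    BLOCK = "block"


@dataclass(frozen=True)
class Signals:
    """Per-sign-in context: the elements a Zero Trust policy verifies explicitly."""
    user: str
    app: str
    protocol: str               # "modern" (can carry an MFA claim) or "legacy" (cannot)
    mfa_satisfied: bool         # claim verified in this session, never inferred from network
    device_known: bool          # device is registered with the identity provider
    device_compliant: bool      # device reported healthy by management
    user_risk: str              # "low" | "medium" | "high"
    sign_in_risk: str           # "low" | "medium" | "high"
    data_sensitivity: str       # "internal" | "confidential"
    on_corporate_network: bool  # carried as context, deliberately never a grant condition


# Constructed entitlement table (assumption): which users may reach which apps.
APP_GRANTS: Dict[str, set] = {
    "alice": {"mail", "finance-reports"},
    "bob": {"mail"},
}


def evaluate(s: Signals) -> Tuple[Decision, str]:
    """Return (decision, reason). Rules run from strongest denial downward."""
    # Reduce attack surface: legacy protocols cannot present MFA, so block rather than exempt.
    if s.protocol == "legacy":
        return Decision.BLOCK, "legacy authentication protocol"
    # Identity-risk signals override everything else, including network location.
    if s.user_risk == "high" or s.sign_in_risk == "high":
        return Decision.BLOCK, "high user or sign-in risk"
    # Verification is not authorization: a healthy, verified user without a grant is denied.
    if s.app not in APP_GRANTS.get(s.user, set()):
        return Decision.BLOCK, "user not entitled to application"
    # Confidential data is never served to a device the tenant has never seen.
    if s.data_sensitivity == "confidential" and not s.device_known:
        return Decision.BLOCK, "confidential data from unregistered device"
    # Step-up: unknown device, elevated risk or confidential data needs a verified MFA claim.
    needs_mfa = (
        not s.device_known
        or s.data_sensitivity == "confidential"
        or "medium" in (s.user_risk, s.sign_in_risk)
    )
    if needs_mfa and not s.mfa_satisfied:
        return Decision.REQUIRE_MFA, "step-up authentication required"
    # Session control: known but non-compliant device gets restricted access, not full access.
    if s.data_sensitivity == "confidential" and not s.device_compliant:
        return Decision.LIMITED, "non-compliant device: downloads disabled"
    return Decision.ALLOW, "all conditions satisfied"


def scenarios() -> Dict[str, Signals]:
    """Constructed sign-in contexts matching the situations described in the post."""
    healthy = Signals("alice", "mail", "modern", True, True, True, "low", "low", "internal", False)
    return {
        "stolen_credentials_unknown_device": replace(
            healthy, mfa_satisfied=False, device_known=False, device_compliant=False,
            sign_in_risk="high"),
        "verified_user_no_entitlement": replace(healthy, user="bob", app="finance-reports",
                                                data_sensitivity="confidential"),
        "confidential_on_corp_network_no_mfa": replace(
            healthy, app="finance-reports", data_sensitivity="confidential",
            mfa_satisfied=False, on_corporate_network=True),
        "confidential_non_compliant_device": replace(
            healthy, app="finance-reports", data_sensitivity="confidential",
            device_compliant=False),
        "legacy_protocol": replace(healthy, protocol="legacy"),
        "healthy_session": healthy,
    }


def run_all() -> Dict[str, Decision]:
    """Evaluate every scenario and return its decision by name."""
    return {name: evaluate(sig)[0] for name, sig in scenarios().items()}


if __name__ == "__main__":
    for name, sig in scenarios().items():
        decision, reason = evaluate(sig)
        print(f"{name:40s} -> {decision.value:12s} ({reason})")
```

Running the script prints one decision per scenario. The rule order matters: blocking conditions (legacy protocol, high risk, missing entitlement, unregistered device on confidential data) are checked before the softer outcomes, so a step-up challenge is only offered to sessions that have already passed every hard denial.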
Read Five steps to securing your identity infrastructure to learn more.
Next in our series on Zero Trust—keeping data safe
Identity and access management is one important element of your Zero Trust strategy—along with others such as data encryption, analytics, device verification, and automation. In part 2 of our Zero Trust series, we’ll talk about keeping data safe as part of your Zero Trust model. To learn more about how identity and access management enable a Zero Trust model, listen to our webcast.