Zero Trust. What is it and how does it work?
Traditionally, when you thought about the security of your company's data and endpoints, the first thing that came to mind was your physical servers and devices, protected by a firewall at the network edge. These days there is more to protect and threats have become more sophisticated, so businesses must go beyond that perimeter-based approach to keep their data and reputation safe. Alongside servers and workstations there are mobile devices, cloud platforms and SaaS applications, plus anything that falls under the Internet of Things umbrella. Because the perimeter of what must be protected has changed, so must the approach and technologies you rely on to protect your data.
Instead of assuming everything behind the corporate firewall is safe, the Zero Trust model assumes breach and verifies each request as though it originates from an open network. Regardless of where the request originates or what resource it accesses, Zero Trust teaches us to "never trust, always verify." Every access request is fully authenticated, authorised and encrypted before access is granted. Microsegmentation and least-privilege access are applied to limit lateral movement, and rich intelligence and analytics are used to detect and respond to anomalies in real time.
What is Zero Trust?
A Zero Trust model is a proactive, integrated approach to security across all layers of the digital estate that explicitly and continuously verifies every transaction; asserts least-privilege access; and relies on intelligence, advanced detection and real-time response to threats.
The guiding principles of Zero Trust security are:
• Verify explicitly
• Use least-privilege access
• Assume breach
Verify explicitly
Zero Trust requires strong identity verification for every user and device attempting to access a resource, regardless of location. A request is authenticated and authorised on the available signals (identity, device compliance, location, data and application sensitivity), never on the basis that it arrived from inside the corporate network.
Use least-privilege access
Users are granted only the minimum level of access required to fulfil their role, limiting the damage an attacker can do with a compromised account.
Assume breach
Zero Trust operates under the assumption that no network is completely secure, so it limits the blast radius of a compromise through segmentation and encourages proactive threat hunting and remediation.
How does Zero Trust work technically?
As the image shows, a holistic approach to Zero Trust extends across the entire digital estate: identities, endpoints, network, data, apps and infrastructure. Zero Trust architecture is a comprehensive end-to-end strategy and requires integration across all six of these elements.
The foundation of Zero Trust security is identity. Both human and non-human identities (service accounts and workload identities) need strong authentication and authorisation, connecting from either personal or corporate endpoints that are compliant devices, and requesting access under policies grounded in the Zero Trust principles of explicit verification, least-privilege access and assumed breach.
Acting as a unified policy enforcement point, the Zero Trust policy intercepts the request, explicitly verifies signals from all six foundational elements according to the policy configuration and enforces least-privilege access. Signals include the user's role, location, device compliance, data sensitivity and application sensitivity. In addition to telemetry and state information, the risk assessment from threat protection feeds into the policy engine so it can respond to threats automatically in real time. Policy is enforced at the time of access and continuously evaluated throughout the session, so a session granted earlier can be narrowed or revoked when a new risk signal arrives.
This policy is further refined by policy optimisation. Governance and compliance are critical to a strong Zero Trust implementation, and security posture assessment and productivity optimisation draw on the telemetry gathered across services and systems to measure how well policy is working.
Telemetry and analytics feed into the threat protection system. Large volumes of telemetry, enriched with threat intelligence, generate high-quality risk assessments that can be investigated manually or handled automatically. Attacks happen at cloud speed, and because humans cannot react quickly enough or sift through every alert, your defence systems must also act at cloud speed. The resulting risk assessment feeds back into the policy engine for real-time automated threat protection, with manual investigation where needed.
Traffic filtering and segmentation are applied according to the Zero Trust policy's evaluation and enforcement before access is granted to any public or private network, so a verified request reaches only the segment it needs.
Data classification, labelling and encryption should be applied to emails, documents and structured data. Access to apps, whether SaaS or on-premises, should be adaptive. Runtime controls are applied to infrastructure (serverless, containers, IaaS, PaaS and internal sites), with just-in-time (JIT) access and version controls actively engaged.
Finally, telemetry, analytics and assessments from the network, data, apps and infrastructure are fed back into the policy optimisation and threat protection systems, closing the loop.
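The policy engine described above, as an added example that is not Microsoft's code or part of the original page: a toy policy decision point that verifies the signals on every request (MFA, device compliance, role entitlement, resource sensitivity and the risk level pushed in by threat protection), grants only the least-privilege scope, and re-evaluates an open session when a new signal arrives. The field names, roles, entitlement table and thresholds are assumptions chosen for illustration.

```python
"""Toy Zero Trust policy engine (added example; all names and data are assumptions)."""
from __future__ import annotations

from dataclasses import dataclass, replace
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "require_mfa"   # identity known, but a stronger proof is needed first
    DENY = "deny"


@dataclass(frozen=True)
class Signals:
    """Signals the engine verifies on every request (assumed field names)."""
    user: str
    role: str
    mfa_satisfied: bool
    device_compliant: bool
    location: str           # "corp-net", "home", "unknown": carries no implicit trust
    app: str
    app_sensitivity: str    # "low" | "high"
    data_sensitivity: str   # "public" | "confidential"
    user_risk: str = "low"  # "low" | "medium" | "high", pushed in by threat protection


# Hypothetical least-privilege entitlements: role -> app -> maximum scope.
ROLE_ENTITLEMENTS = {
    "finance": {"ledger": "read-write", "wiki": "read"},
    "engineer": {"repo": "read-write", "wiki": "read"},
}


def is_sensitive(sig: Signals) -> bool:
    return sig.app_sensitivity == "high" or sig.data_sensitivity == "confidential"


def effective_risk(sig: Signals) -> str:
    # Being on the corporate network earns nothing; an unknown location on a
    # sensitive resource is treated as at least medium risk.
    if sig.user_risk == "low" and sig.location == "unknown" and is_sensitive(sig):
        return "medium"
    return sig.user_risk


def evaluate(sig: Signals) -> tuple[Decision, str | None, str]:
    """Return (decision, granted scope, reason). Anything not explicitly allowed is denied."""
    risk = effective_risk(sig)
    if risk == "high":
        return Decision.DENY, None, "high risk: blocked pending investigation"
    if not sig.device_compliant:
        return Decision.DENY, None, "device not compliant"
    if not sig.mfa_satisfied:
        return Decision.STEP_UP, None, "MFA required for every request"
    scope = ROLE_ENTITLEMENTS.get(sig.role, {}).get(sig.app)
    if scope is None:
        return Decision.DENY, None, f"role {sig.role!r} has no entitlement to {sig.app!r}"
    if risk == "medium" and is_sensitive(sig) and scope == "read-write":
        return Decision.ALLOW, "read", "medium risk: scope narrowed to read-only"
    return Decision.ALLOW, scope, "verified"


@dataclass
class Session:
    signals: Signals
    scope: str | None
    active: bool


def open_session(sig: Signals) -> Session:
    decision, scope, _ = evaluate(sig)
    return Session(sig, scope, decision is Decision.ALLOW)


def reevaluate(session: Session, **changed) -> Session:
    """Continuous evaluation: a new signal (e.g. user_risk='high' from threat
    protection, or device_compliant=False) re-runs policy mid-session and
    narrows or revokes what was granted at access time."""
    session.signals = replace(session.signals, **changed)
    decision, scope, _ = evaluate(session.signals)
    session.active = decision is Decision.ALLOW
    session.scope = scope
    return session


if __name__ == "__main__":
    alice = Signals("alice", "finance", True, True, "home", "ledger", "high", "confidential")
    print(evaluate(alice))
    print(evaluate(replace(alice, role="engineer", location="corp-net")))  # corp-net does not help
    s = open_session(alice)
    reevaluate(s, user_risk="high")
    print(s.active, s.scope)
```

Note the order of checks: risk and device posture are verified before the entitlement lookup, so a compromised-but-entitled account is still refused, and the network location never appears as a reason to allow.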
What are Microsoft's guiding principles of Zero Trust?
The Zero Trust model is based on the principle of verified trust: in order to trust, you must first verify. Zero Trust eliminates the inherent trust that a traditional corporate network grants to anything inside it. Zero Trust architecture reduces risk across all environments by establishing strong identity verification, validating device compliance before granting access and ensuring least-privilege access to only explicitly authorised resources.
Zero Trust requires that every transaction between systems (user identity, device, network and applications) be validated and proven trustworthy before the transaction can occur. In an ideal Zero Trust environment, the following behaviours are required:
- Identities are validated and secured with multifactor authentication (MFA) everywhere. Strong MFA removes the need for forced password expiration and is a step towards eliminating passwords altogether. Biometrics through Windows Hello provide strong authentication for user-backed identities.
- Devices are managed and validated as healthy. Device health validation is required: all device types and operating systems must meet a required minimum health state as a condition of access to any Microsoft resource. Microsoft tools such as Intune and Autopilot make this straightforward by enrolling devices and managing configuration and updates automatically, without needing hands-on access to the hardware.
- Telemetry is pervasive. Pervasive data and telemetry are used to understand the current security state, identify gaps in coverage, validate the impact of new controls and correlate data across all applications and services in the environment. Robust, standardised auditing, monitoring and telemetry capabilities are core requirements across users, devices, applications, services and access patterns; this is where a product such as Microsoft Defender comes in.
- Least-privilege access is enforced. Limit access to only the applications, services and infrastructure required to perform the job function. Access solutions that provide broad access to networks without segmentation, or that are not scoped to specific resources (such as broad-access VPN), must be eliminated.
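As an added example (not Microsoft's code or part of the original page), the following script runs a posture assessment over constructed sign-in telemetry to find the gaps the four behaviours above are meant to close: sign-ins without MFA, sign-ins from non-compliant devices, broad network access via VPN rather than a scoped app, and impossible travel between two sign-ins by the same user (the kind of risk signal threat protection feeds into the policy engine). The field names, the sample events and the 900 km/h threshold are assumptions.

```python
"""Posture assessment over sign-in telemetry (added example; events are constructed, not real logs)."""
from __future__ import annotations

import json
import math
from datetime import datetime

# Constructed sign-in events as JSON lines (assumed schema).
SAMPLE_TELEMETRY = """\
{"ts": "2024-05-01T08:00:00Z", "user": "alice", "app": "ledger", "access": "app", "mfa": true, "device_compliant": true, "city": "London", "lat": 51.5074, "lon": -0.1278}
{"ts": "2024-05-01T08:40:00Z", "user": "alice", "app": "ledger", "access": "app", "mfa": true, "device_compliant": true, "city": "New York", "lat": 40.7128, "lon": -74.0060}
{"ts": "2024-05-01T09:00:00Z", "user": "bob", "app": "wiki", "access": "app", "mfa": false, "device_compliant": true, "city": "Manchester", "lat": 53.4808, "lon": -2.2426}
{"ts": "2024-05-01T09:05:00Z", "user": "carol", "app": "repo", "access": "app", "mfa": true, "device_compliant": false, "city": "London", "lat": 51.5074, "lon": -0.1278}
{"ts": "2024-05-01T09:30:00Z", "user": "dave", "app": "*", "access": "vpn", "mfa": true, "device_compliant": true, "city": "Leeds", "lat": 53.8008, "lon": -1.5491}
{"ts": "2024-05-01T13:30:00Z", "user": "dave", "app": "wiki", "access": "app", "mfa": true, "device_compliant": true, "city": "London", "lat": 51.5074, "lon": -0.1278}
"""

MAX_PLAUSIBLE_KMH = 900.0  # assumed: faster than an airliner means the same user cannot be in both places


def parse_events(text: str) -> list[dict]:
    """Parse JSON lines and order them per user by time, so out-of-order delivery is harmless."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["when"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: (e["user"], e["when"]))


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on the Earth (radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def find_gaps(events: list[dict]) -> dict[str, list[tuple[str, str]]]:
    """Return, per gap category, the (user, timestamp) pairs that violate a Zero Trust behaviour."""
    gaps: dict[str, list[tuple[str, str]]] = {
        "no_mfa": [],                # identity not proven with MFA
        "noncompliant_device": [],   # device health not validated
        "broad_network_access": [],  # VPN-style access not scoped to a resource
        "impossible_travel": [],     # risk signal for threat protection / policy engine
    }
    last_by_user: dict[str, dict] = {}
    for e in events:
        key = (e["user"], e["ts"])
        if not e["mfa"]:
            gaps["no_mfa"].append(key)
        if not e["device_compliant"]:
            gaps["noncompliant_device"].append(key)
        if e["access"] == "vpn":
            gaps["broad_network_access"].append(key)
        prev = last_by_user.get(e["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (e["when"] - prev["when"]).total_seconds() / 3600
            # Same second in two distant places, or a speed no aircraft reaches, is impossible travel.
            if km > 1.0 and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH):
                gaps["impossible_travel"].append(key)
        last_by_user[e["user"]] = e
    return gaps


if __name__ == "__main__":
    for category, hits in find_gaps(parse_events(SAMPLE_TELEMETRY)).items():
        print(f"{category}: {hits}")
```

In the sample, alice's London-to-New-York pair 40 minutes apart is flagged (about 5,570 km, far above the threshold), while dave's Leeds-to-London pair four hours apart is not; dave is instead flagged for the unscoped VPN session. In a real deployment these findings would feed the policy engine as risk signals and the posture report as coverage gaps.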