Your essential guide to Zero Trust security

What’s your network’s weakest link? The answer is simple: your users.

That’s why there’s a lot of talk about Zero Trust security.

It seems it is on everyone’s radar right now. But what does it actually mean?

“Don’t trust those on the other side!”

“Don’t trust any precautions!”

“Don’t trust anyone!”

… or something else?

All of the above answers are valid on their own.

But Zero Trust security refers specifically to the way you set up your IT environment. And from this point of view, Zero Trust means “I don’t trust this user, on this device, accessing this resource”.

Some time ago we had a webinar where we discussed this exact topic. Watch it here.

Ok, that’s quite specific, so let’s unpack it.

What is Zero Trust Security?

It’s a security approach that assumes risk comes from inside your environment just as much as from outside.

Security is no longer a single-action process where you allow a user to access a resource and things end there. On the contrary – here, security measures are enforced constantly.

More importantly, you don’t use the same processes for everyone. Every user has a different risk profile, depending on their permissions (e.g. standard vs administrator), device (laptop vs mobile), location, etc., and what they access.

This ecosystem is then divided into segments, each with its own policies and services for protecting it. But you still need to monitor the whole, gather all the signals, and have these services perform automatic actions to keep the entire environment secure.

What’s the difference between Zero Trust and traditional security?

In Zero Trust, this evaluation is a constant process, repeated on every access to a resource, be it a file or an application, and in the context of that resource. Me reading a file as a standard user is very different from me reading the same file with Global Admin rights.

What we need here is a constant loop feeding the information in a cycle of “Observe – Orient – Decide – Act”, supported by technology. Here are the two latest things added to this process:

  • Continuous Access Evaluation, to make sure that access is enforced and verified not every few hours but on every access attempt.
  • Authentication Context, to apply the right access verification in the right situation while making it easier for users when there is no risk.
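To make the “this user, on this device, accessing this resource” idea concrete, here is an added example (not code from the original post or from any Microsoft product) of a small policy evaluator. The signal names, scoring weights and decisions are assumptions chosen for illustration; the point is that the same file read by the same person yields a different decision depending on role, device state and location, and that every request is decided afresh rather than once at login.

```python
from dataclasses import dataclass

# Constructed signals for one access request. Field names are assumptions,
# not a real conditional-access API.
@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset        # e.g. frozenset({"GlobalAdmin"})
    device_compliant: bool  # managed and patched according to device policy
    device_type: str        # "laptop" or "mobile"
    location_trusted: bool  # corporate network or known location
    resource: str
    sensitivity: str        # "low", "medium" or "high"
    mfa_done: bool          # strong authentication already satisfied

PRIVILEGED = {"GlobalAdmin", "SecurityAdmin"}   # assumed privileged role names

def risk_score(req: AccessRequest) -> int:
    """Risk profile for one request: the same resource scores differently
    depending on who asks, from which device and from where."""
    score = {"low": 0, "medium": 1, "high": 2}[req.sensitivity]
    if req.roles & PRIVILEGED:
        score += 3          # an admin reading the file is a much bigger blast radius
    if not req.device_compliant:
        score += 2
    if req.device_type == "mobile":
        score += 1          # personal phones are harder to keep compliant
    if not req.location_trusted:
        score += 1
    return score

def evaluate(req: AccessRequest) -> str:
    """Decision for this request only. Nothing is cached across requests."""
    score = risk_score(req)
    # Authorized devices only for privileged or high-sensitivity access.
    if not req.device_compliant and (req.roles & PRIVILEGED or req.sensitivity == "high"):
        return "block"
    # Authentication context: step up only when the risk warrants it.
    if score >= 3 and not req.mfa_done:
        return "require_mfa"
    return "allow"

def session(requests) -> list:
    """Continuous access evaluation: each access attempt in a session is
    re-evaluated, so a device falling out of compliance mid-session is caught."""
    return [evaluate(r) for r in requests]

if __name__ == "__main__":
    base = AccessRequest("alice", frozenset(), True, "laptop", True, "q3-report.docx", "low", False)
    admin = AccessRequest("alice", frozenset({"GlobalAdmin"}), True, "laptop", True, "q3-report.docx", "low", False)
    print(session([base, admin]))
```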

We got to the point where technology delivers. Now it is your move.

Why choose Zero Trust?

Every user is an entry point to your network. It’s no longer just the firewall or the access ports. Any user on your network, accessing one of the gazillions of apps on the internet, creates a potential vulnerability. 

At this point, many companies (94% according to Microsoft Digital Defense Report 2020) are now stepping up their game and implementing the Zero Trust approach. If you haven’t looked at it yet – now is the time to get started.

How to implement Zero Trust Security?

To apply Zero Trust principles, you need to introduce protection across four areas:

  1. Identity – each user has to be securely authenticated. MFA and passwordless are the key mechanisms to help you here.
  2. Device – access requests should come from authorized devices. This is super important e.g. for those accessing their company email on a personal mobile phone (bad idea anyway but happens all the same). Services like Microsoft EM+S and Intune can help you manage them and execute consistent policies (e.g. for regular patching and updates).
  3. Pervasive telemetry – this is the process of gathering all signals from across your environment. Which user tried to access which resource, when, and from where? Are there any anomalies in logon attempts? Any strange patterns emerging? If you’re not gathering monitoring and auditing logs yet (if only for compliance reasons), this is the time to start. You can read about it in this article about Azure monitoring. And if you’d like to take it a step further, our Managed SOC service can help.
  4. The least privilege principle – in simple terms, don’t allow users (or services) to access anything more than they need to. Admin accounts are especially vulnerable here – don’t just give those away! Check out my post on protecting admin accounts for additional tips.
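The telemetry questions in point 3 (who tried to access what, when, from where, and are there anomalies in logon attempts) can be answered with simple detection logic. Below is an added example, not code from the original post, that runs over constructed sign-in records in a made-up key=value format (not the real Azure AD sign-in log schema) and raises two kinds of alert: a burst of failed logons for one account, and a successful sign-in from a country that account has never used before. The thresholds and field names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: timestamp followed by key=value pairs.
SAMPLE_LOG = """\
2021-03-01T08:00:01Z user=alice result=success ip=198.51.100.7 country=PL app=Outlook
2021-03-01T08:05:10Z user=bob result=fail ip=203.0.113.5 country=PL app=SharePoint
2021-03-01T08:05:12Z user=bob result=fail ip=203.0.113.5 country=PL app=SharePoint
2021-03-01T08:05:15Z user=bob result=fail ip=203.0.113.5 country=PL app=SharePoint
2021-03-01T08:05:20Z user=bob result=fail ip=203.0.113.5 country=PL app=SharePoint
2021-03-01T08:05:25Z user=bob result=fail ip=203.0.113.5 country=PL app=SharePoint
2021-03-01T08:06:00Z user=bob result=success ip=203.0.113.5 country=PL app=SharePoint
2021-03-01T09:30:00Z user=alice result=success ip=192.0.2.44 country=BR app=Outlook
"""

def parse(line: str) -> dict:
    """Turn one record into a dict; 'ts' becomes a datetime."""
    ts, *pairs = line.split()
    rec = dict(pair.split("=", 1) for pair in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def find_anomalies(log_text: str, fail_threshold: int = 5,
                   window: timedelta = timedelta(minutes=10)) -> list:
    """Return (alert_type, user, detail) tuples in the order they are triggered."""
    alerts = []
    failures = defaultdict(list)       # user -> timestamps of recent failed attempts
    seen_countries = defaultdict(set)  # user -> countries with a prior successful sign-in
    for line in log_text.splitlines():
        rec = parse(line)
        user = rec["user"]
        if rec["result"] == "fail":
            failures[user].append(rec["ts"])
            # Keep only failures inside the sliding window.
            failures[user] = [t for t in failures[user] if rec["ts"] - t <= window]
            if len(failures[user]) >= fail_threshold:
                alerts.append(("failed_logon_burst", user, rec["ip"]))
                failures[user] = []    # one alert per burst
        else:
            # A successful sign-in from a country never seen for this user is worth a look.
            if seen_countries[user] and rec["country"] not in seen_countries[user]:
                alerts.append(("new_country", user, rec["country"]))
            seen_countries[user].add(rec["country"])
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE_LOG):
        print(alert)
```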

If you’d like to know more, here are some resources to get you started:

  1. A Microsoft guide to Zero Trust, based on their own implementation: Implementing a Zero Trust security model at Microsoft
  2. 4 areas of Microsoft approach to Zero Trust: 4 ways Microsoft is delivering security for all in a Zero Trust world
  3. Setting up passwordless in Azure AD: Azure Active Directory passwordless sign-in with FIDO2 Security Keys

There’s a lot more we could discuss on this topic. What do you think about it? Have you got any questions? Let me know and I’ll include it in the next post.

Key takeaways:

  1. The Zero Trust approach is about assuming that every user is an access point to your network, and is able to (unintentionally) break its security with a single, wrong click.
  2. The two main principles are: to assign the risk profile to every user and then, for every risk profile, create processes involving constant enforcement of security measures.
  3. Zero Trust should apply to four areas: identity and authentication of users, device authorization, monitoring and auditing logs, and the least privilege principle.