Zero Trust - A buzz word or a strategy?
Over the last few years, there has been a lot of buzz around Zero Trust, you often hear CISOโs, CIOโs and CTOโs talking about it. Marketing teams love the term as well. From an IT professional and industry standpoint, it is a lot more than just a buzz word, it should now actively be part of your strategy.
So what exactly is Zero Trust?
Zero Trust is a set of principles, but it is also a change of perspective from a security standpoint.
Traditionally we only ever thought of protecting the internal network from external threats. Everything would be secure within a datacenter and sites would be joined using an MPLS Network, with users connecting in via a VPN or Remote Desktop Solution.
However, that has now changed dramatically since the explosion of the internet, which has transformed the way we do things. With user population no longer just your employees itโs now your partners, your clients and contractors, and they have started to use their own devices. The shift to the cloud, with Microsoft 365 and other cloud services, such as Azure and AWS, has seen data being stored across more locations and being shared in different ways. Tie this into the variety of devices now being deployed and connected to our networks across multiple locations, it becomes clear that we can no longer encapsulate and protect our network in the traditional bubble.
The explosion of Cloud Services and ways of working has changed our perspective on security
The change in the way we protect our organisations is daunting, which is why Zero Trust is made up of 3 real principles from a Microsoft perspective, to aid the transition from traditional to modern security. The 3 principles are:
Verify Explicitly
The first is very much around authentication and authorisation, now in a traditional sense, we always assumed that once had authenticated your credentials you would then be authorised to access resources, however under the principle Verify Explicitly, it means that you always authenticate and authorise, but not just based on user identity but all available data points. These could include location, device health, service or workload, data classification, and anomalies.
Use least privileged access
When I first started in IT, users would be given permissions they didnโt need. Some of which were shocking, in one role I saw Domain Admin rights being granted to a user so that to quote โThey could just work without bothering usโ. Now the concept of least privileged has been around for a long time, however often it is seen as something to hamper IT professionals from doing their job
Least privileged is now seen as something not just for end-users but for IT professionals as well, its around Just In Time Access and Just Enough Access. It is there to protect both data and productivity. In a Zero Trust strategy, it should not just include protecting within the application or data but should stretch to protecting all aspects, including the network.
Assume Breach
The principle of Assume Breach is potentially a scary prospect for most, however, itโs more around thinking about what would happen if you have been breached.
- Would your organisation be protected?
- Would your staff be protected?
- Would you be able to recover from it? and how long would it take?
All of the above are valid questions to in a breach scenario but they serve a purpose in changing your mindset around security and starting to ask different questions when you evaluate your current environment and implement new solutions. The principle is around thinking about how you can minimise the blast radius of a breach because you will get breached at some point. However, that breach happens you need to start thinking about how you could stop lateral movements across your environment. Segmenting access not just by networks, but users, devices and applications. Limiting the attack vectors which could affect your organisation and bringing visibility & analytics into your environment to help drive threat detection and improve your defences.
What Next?
The next stages are making a Zero Trust strategy, with Zero Trust not associated to a specific vendor but rather a multitude of vendors, itโs about ensuring that the security roadmap starts to align to the principles of Zero Trust. More specifically from the Microsoft view of Zero Trust, there are many tools which are already available to most organisations, who have started to adoptย Microsoft 365. These include tools such as:
- Azure AD Premium, with Multi-Factor Authentication, Conditional Access, Hello for Business,
- Microsoft Endpoint Management (MEM), formally known as Intune
- Cloud App Security
- Azure Information Protection
Microsoft also have a dedicated page with resources around Zero Trust - aka.ms/Zero-Trust.
NCSE Architecture Design Principles: Zero trust architecture design principles - NCSC.GOV.UK