The Microsoft Incident Response team takes swift action to help contain a ransomware attack and regain positive administrative control of the customer environment.
Microsoft considers Zero Trust an essential component of any organization’s security plan. We have partnered with Cloud Security Alliance, a not-for-profit organization that promotes cloud computing best practices, to bring together executive security leaders to discuss and share insights about their Zero Trust journeys.
In our first discussion, we sat down with 10 executive security leaders from prominent energy, finance, insurance, and manufacturing companies in a virtual roundtable, to understand what has worked and discover where they needed to adjust their Zero Trust security model. Our collective goal was to learn from one another and then share what we’ve learned with other organizations. Discussions like these give us valuable opportunities to grow and led us to publish an eBook to share those conversations with other cybersecurity professionals.
Today, we are publishing the “Examining Zero Trust: An executive roundtable discussion” eBook as a result of those conversations. The eBook describes how the Zero Trust security model involves thinking beyond perimeter security and moving to a more holistic security approach. The eBook complements other resources we have published to help organizations expedite their journeys in this critical area, such as the Microsoft Zero Trust Maturity Model and adoption guidance in the Zero Trust Deployment Center. Zero Trust assumes breach and verifies each request as if it originates from an uncontrolled network. If Zero Trust had a motto, it would be: never trust, always verify. That means never trusting anyone or anything—inside or outside the firewall, on the endpoint, on the server, or in the cloud.
Zero Trust strategies
Introducing Zero Trust into your organization requires implementing controls and technologies across all foundational elements: identities, devices, applications, data, infrastructure, and networks. Roundtable participants offered successful Zero Trust strategies that respect the value of each of these foundational elements.
Strategy #1 – Use identities to control access
Identities—representing people, services, and IoT devices—are the common denominator across networks, endpoints, and applications. In a Zero Trust security model, they function as a powerful, flexible, and granular way to control access to data. Or, as one participant explained it, “The new perimeter is identity, and you need a strong identity that is validated.”
When any identity attempts to access any resource, security controls should verify the identity with strong authentication, ensure access is compliant and typical for that identity, and confirm that the identity follows least privilege access principles.
Strategy #2 – Elevate authentication
Incorporating multifactor authentication or continuous authentication into your identity management strategy can substantially improve your organization’s information security posture. One roundtable participant shared that by extending identity management with continuous authentication capabilities, their organization can now validate identity when a user’s IP address or routine behavior pattern changes.
“Zero Trust will only work if it is transparent to the end-user,” said a participant. “You have to make it easy and transparent. If you want to authenticate every five minutes or every second, that’s fine, as long as the end-user doesn’t have to do anything—as long as you can validate through other methods. For example, the endpoint can be one of the factors for multifactor authentication.”
Strategy #3 – Incorporate passwordless authentication
Passwordless authentication replaces the traditional password with two or more verification factors secured with a cryptographic key pair. When registered, the device creates a public and private key. The private key can be unlocked using a local gesture, such as a PIN or biometric authentication (fingerprint scan, facial recognition, or iris recognition).
Strategy #4 – Segment your corporate network
Network segmentation can be a pain point for business IT because firewalls represent early segmentation, and this can complicate development and testing. Ultimately, the IT team relies more on security teams to fix networking connectivity and access issues.
However, segmenting networks and conducting deeper in-network micro-segmentation is important for Zero Trust because in a mobile- and cloud-first world, all business-critical data is accessed over network infrastructure. Networking controls provide critical functionality to enhance visibility and help prevent attackers from moving laterally across the network.
Strategy #5 – Secure your devices
With the Zero Trust model, the same security policies are applied whether the device is corporately owned or a personally owned phone or tablet, also called a “bring your own device” (BYOD). Corporate, contractor, partner, and guest devices are treated the same whether the device is fully managed by IT or only the apps and data are secured. And this is true whether these endpoints—PC, Mac, smartphone, tablet, wearable, or IoT device—are connected using the secure corporate network, home broadband, or public internet.
“In a BYOD world, the device is the explosive piece,” said one participant. “If you allow unpatched devices to connect to your network, it is, in essence, walking into your base with live ordinance, and it can go bad quickly. Why wouldn’t you test outside to begin with?”
Strategy #6 – Segment your applications
Benefitting fully from cloud apps and services requires finding the right balance between providing access and maintaining control to ensure that apps, and the data they contain, are protected. Apply controls and technologies to discover shadow IT, ensure appropriate in-app permissions, gate access based on real-time analytics, monitor for abnormal behavior, restrict user actions, and validate secure configuration options.
“It is becoming easier and more achievable to have segmentation between the applications,” said a participant. “Being able to provide excessive privileges/role-based access is becoming part of the policy engine. The application piece of the puzzle seems to be solving itself more intelligently as time goes on. This approach gets validated every time I hear an end-user is able to dial in on the problem.”
Strategy #7 – Define roles and access controls
With the rapid rise in remote work, organizations must consider alternative ways of achieving modern security controls. It’s useful to operationalize roles and tie them to a policy as part of authorization, single sign-on, passwordless access, and segmentation. However, each role defined must be managed now and, in the future, so be selective about how many roles you create so there aren’t management challenges later.
“If you create a thousand roles in your organization to be that granular, you will have problems with management down the road,” said a participant. “You’re going to end up with massive amounts of accounts that are not updated, and that’s where you have breaches.”
The journey toward Zero Trust
The foundational focus of organizations varies as they start their Zero Trust journey. Some of the organizations represented by roundtable participants began their Zero Trust journey with user identity and access management, while others started with network macro- and micro-segmentations or application sides. These leaders agreed that developing a holistic strategy to address Zero Trust is critical and that you should start small and build confidence before rolling out Zero Trust across your organization.
That usually means taking a phased approach that targets specific areas based on the organization’s Zero Trust maturity, available resources, and priorities. For example, you could start with a new greenfield project in the cloud or experiment in a developer and test environment. Once you’ve built confidence, we recommend extending the Zero Trust model throughout the entire digital estate, while embracing it as an integrated security philosophy and end-to-end strategy moving forward. You’re not alone in this journey. Successful organizations have walked this path, and Microsoft is happy to be with you every step of the way.
To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.