Zero Trust Security – Behind the Buzz
These days, everyone is talking about Zero Trust Security. A simple Google search will return pages of ads from vendors pushing their Zero Trust product, with promises of instant and foolproof security. Some vendors even claim to include fairy dust and magic rainbows. While their claims may be somewhat accurate (fairy dust and magic rainbows notwithstanding), one thing that remains unanswered is “what exactly IS Zero Trust Security?”
In this blog, I will explain the concept of Zero Trust Security and why it matters. I will also provide some examples as to how it pertains to your Microsoft 365 environment, and to your everyday life.
Historically, the focus of cybersecurity was on the perimeter. The IT team wanted advanced, next-gen firewalls with intrusion detection and intrusion prevention systems, and the Security Operations Center (SOC) watched those perimeter devices like a hawk. We believed that anything inside our office was safe because we scanned, blocked, and monitored EVERYTHING at the border. The premise was that if we invested heavily at the border and followed all the best practices to ensure the bits and bytes coming through the network perimeter were safe, the bad guys (and gals) wouldn't get in. And yet, they did: companies were still hit by malware, ransomware, and compromised identities. Why?
The problem with the old model is that it assumes the environment inside the firewall is clean. Further, it assumes that only company-owned devices residing inside the firewall will connect to company systems. This approach has several weaknesses:
- It provides little or no verification of, or visibility into, systems already inside the perimeter, such as printers, workstations, and servers.
- Organizations required authentication only from the user and assumed that user would connect only from a company-owned computer.
- More and more devices no longer stay behind the firewall: laptops and cell phones cross the security border daily.
- "Friendly" third-party systems and devices, such as those of management companies and subcontractors that are permitted access to the environment, bypass the firewall's protections.
These weaknesses, and others, underscore the need for a layered, defense-in-depth approach and the Zero Trust model that builds on it: assume breach at every layer of the network and require multiple, independent forms of verification before granting access.
Understanding Zero Trust
With a Zero Trust Security model, the attacker is no longer assumed to sit only at the border; they may be anywhere. The same strong perimeter defenses are kept, but strong internal defenses are now added at every layer of the environment. For example, where the old model granted access as soon as a user signed in, now the user is authenticated AND the device they are using must be verified as well. So when a worker connects to the office network, both the user and the computer must pass security checks before access is authorized. If either one fails, automated actions ensure any risk on the device is remediated before it can reach systems and resources.
Zero Trust goes beyond user and device authentication: it also covers email scanning, connected applications, APIs, and user behavior, in order to identify, alert on, and prevent malicious activity regardless of where the threat sits. Zero Trust is a defense-in-depth approach to securing an environment against the myriad threats that exist today.
Fortunately, Microsoft has made significant investments in support of the Zero Trust Security model. Its product stack within Microsoft 365, including Azure Active Directory, Microsoft Endpoint Manager (Intune), Cloud App Security, and Defender for Endpoint, provides comprehensive coverage to secure your environment, and when fully leveraged these products supply the layers of security Zero Trust requires. Microsoft's stack includes the following products:
Azure Active Directory – this is the foundation of authentication in the cloud. With Azure Active Directory one can configure multi-factor authentication (MFA) and Conditional Access policies that add access control rules, such as requiring an approved client app or a compliant device depending on the device's operating system. Beyond Conditional Access there is Privileged Identity Management for just-in-time administrative rights, SAML-based single sign-on integration for applications, risk-based sign-in and user policies driven by Identity Protection's machine-learning detections, and a suite of identity governance features to ensure identities are properly managed.
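As an added example (not code from the original post), the following Microsoft Graph PowerShell script creates the kind of Conditional Access policy described above: every user, on every cloud app, must satisfy MFA AND present a compliant device. It is created in report-only state so the sign-in logs show who would have been blocked before anything is enforced. The emergency-access (break-glass) account object ID and the policy name are placeholders; the script assumes the Microsoft.Graph PowerShell SDK is installed.

```powershell
# Added example, not the original post's code. Creates a Conditional Access policy that
# requires MFA *and* a compliant (Intune-managed) device for all cloud apps, starting in
# report-only mode. Assumes the Microsoft.Graph SDK; $BreakGlassObjectId is a placeholder
# for the object ID of an emergency-access account that must never be locked out.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$BreakGlassObjectId = "00000000-0000-0000-0000-000000000000"   # placeholder, replace

$policy = @{
    displayName = "ZT-01 Require MFA and compliant device (report-only)"
    # Report-only: evaluate and log the decision, but do not block, until the
    # sign-in logs confirm the policy hits what you expect and nothing else.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($BreakGlassObjectId)   # always exclude break-glass
        }
        applications   = @{
            includeApplications = @("All")
        }
        clientAppTypes = @("all")                   # includes legacy auth clients
    }
    grantControls = @{
        # AND means both controls are required; OR would accept either one.
        operator        = "AND"
        builtInControls = @("mfa", "compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy {0} in state {1}" -f $created.Id, $created.State

# After reviewing the report-only results, switch the same policy to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = "enabled" }
```

Starting in report-only mode matters because a "require compliant device" control applied to "All" users and apps will also catch service accounts, kiosks, and unmanaged contractor devices; the report-only sign-in entries show those cases before anyone is locked out.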
Microsoft Endpoint Manager (aka Intune) – Intune has come a long way in recent years. What was once a lightweight endpoint management tool is now full-featured and highly capable. In addition to offering thousands of Windows 10 configuration options (with an additional 1,400 announced for release in September 2021), Intune fully supports Android and iOS devices. One of the features most relevant to Zero Trust is device compliance policies. A compliance policy defines the criteria a device must meet (disk encryption, minimum OS version, antivirus status, and so on) and marks the device compliant or non-compliant; a Conditional Access policy then enforces that result, so access to systems like SharePoint, OneDrive, or Teams can be limited to devices that pass. This means we are no longer granting an employee access from ANY device. The device must be company managed and properly configured to reach critical systems.
Defender for Endpoint – Defender for Endpoint is often thought of as an antivirus solution. While it provides advanced antivirus and endpoint detection and response (EDR) capabilities frequently ranked at or near the top of Gartner's Magic Quadrant, it offers far more. Defender for Endpoint also includes Threat and Vulnerability Management, which aligns closely with Zero Trust: it reports missing patches and weak configurations on each device and rolls them up into an exposure score, and each device also carries a risk level derived from its active alerts. That risk level can be referenced in an Intune device compliance policy, so the access an employee gets depends on the current security state of their device.
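The two items above (Intune compliance policies, and using the Defender for Endpoint device risk level inside them) fit in one configuration, shown here as an added example that is not code from the original post. It creates a Windows compliance policy with baseline hygiene checks plus a Defender for Endpoint risk ceiling, and assigns it to a device group. The minimum OS build and the group ID are placeholders; the mapping of Intune's "machine risk score" setting to the `deviceThreatProtectionRequiredSecurityLevel` Graph property is stated as an assumption in the comments. The script assumes the Microsoft.Graph PowerShell SDK and an Intune license.

```powershell
# Added example, not the original post's code. Creates a Windows 10 device compliance
# policy whose compliant/non-compliant result is what a "compliantDevice" Conditional
# Access control consumes. Assumes the Microsoft.Graph SDK and Intune licensing.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$compliance = @{
    "@odata.type"          = "#microsoft.graph.windows10CompliancePolicy"
    displayName            = "ZT Windows baseline"
    description            = "Checks a device must pass before it is treated as trusted"
    # Platform hygiene: encryption, boot integrity, patch level, local protections
    osMinimumVersion       = "10.0.19044"        # placeholder: your minimum supported build
    bitLockerEnabled       = $true
    secureBootEnabled      = $true
    codeIntegrityEnabled   = $true
    passwordRequired       = $true
    activeFirewallRequired = $true
    antivirusRequired      = $true
    # Defender for Endpoint: the device's risk level must be at or under "medium".
    # Assumption: these two properties are the Graph representation of the Intune
    # "Require the device to be at or under the machine risk score" setting.
    deviceThreatProtectionEnabled               = $true
    deviceThreatProtectionRequiredSecurityLevel = "medium"
    # Action on failure: mark the device non-compliant immediately (no grace period),
    # so Conditional Access sees the real state on the next sign-in.
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "block"; gracePeriodHours = 0; notificationTemplateId = "" }
            )
        }
    )
}

$policy = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $compliance
"Created compliance policy {0}" -f $policy.Id

# Assign the policy to a device group; $GroupId is a placeholder object ID.
$GroupId = "00000000-0000-0000-0000-000000000000"
$assign = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $GroupId } }
    )
}
Invoke-MgGraphRequest -Method POST -Body $assign `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($policy.Id)/assign"
```

Two practical caveats: a compliance policy on its own only labels the device, so without a Conditional Access policy that requires a compliant device nothing is actually blocked; and a device that has never checked in reports no compliance state at all, which is treated as non-compliant once the policy is enforced.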
Defender for Office 365 – Defender for Office 365, formerly known as Office 365 Advanced Threat Protection (ATP), provides an advanced set of capabilities to secure email entering and leaving the environment. Since email remains a common initial attack vector, the email sanitization features protecting against spam, phishing, malware, and impersonation are critical to Zero Trust, as they help ensure that mail entering the system is clean.
Cloud App Security – This is the activity-based monitoring system (a cloud access security broker) for the Microsoft 365 tenant. It uses activity events imported from Microsoft 365 and connected cloud apps to flag potentially compromised identities (impossible travel, for example), suspicious data movement such as mass downloads, and newly discovered applications in use.
Sentinel – Azure Sentinel becomes the central repository for the logs from each of these services. With the relevant data connectors enabled, Sentinel ingests the Microsoft 365 and Azure AD logs and correlates events across them, providing not only rule-based alerts but also dashboards with multiple views of the data. Beyond Microsoft 365, logs from other components such as firewalls and servers can be ingested, giving a comprehensive view of the whole environment. This matters for Zero Trust because administrators can use the dashboards and alerts to spot anomalies and risky trends, including sign-ins that a policy should have covered but did not.
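The value of having sign-in logs in Sentinel is that the Zero Trust policies above can be audited rather than assumed. As an added example (not code from the original post), the following script runs a KQL query against the Sentinel Log Analytics workspace for successful sign-ins in the last 24 hours that either had no enforced Conditional Access policy applied or came from a device that is not marked compliant; both are gaps in the "verify user and device" requirement. It assumes the Az.Accounts and Az.OperationalInsights modules and that the Azure Active Directory sign-in logs connector is enabled; the workspace ID is a placeholder.

```powershell
# Added example, not the original post's code. Queries Sentinel (Log Analytics) for
# successful sign-ins that slipped past the user-and-device checks. Assumes Az.Accounts,
# Az.OperationalInsights, and the Azure AD SigninLogs table; $WorkspaceId is a placeholder.
Connect-AzAccount | Out-Null
$WorkspaceId = "00000000-0000-0000-0000-000000000000"

$Kql = @'
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == "0"                              // successful sign-ins only
| extend Compliant = tostring(DeviceDetail.isCompliant),
         Managed   = tostring(DeviceDetail.isManaged)
// "notApplied" = no CA policy matched; "failure" = matched but not satisfied.
// A non-"true" Compliant value means Intune did not vouch for the device.
| where ConditionalAccessStatus != "success" or Compliant != "true"
| summarize SignIns = count(),
            Apps    = make_set(AppDisplayName, 10),
            Risk    = make_set(RiskLevelDuringSignIn)
          by UserPrincipalName, IPAddress, ConditionalAccessStatus, Compliant, Managed
| order by SignIns desc
'@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $Kql `
    -Timespan (New-TimeSpan -Days 1)

# Each row is a user/IP pair that reached a cloud app without both checks passing.
$result.Results |
    Format-Table UserPrincipalName, IPAddress, ConditionalAccessStatus, Compliant, Managed, SignIns -AutoSize
```

Rows with `ConditionalAccessStatus` of `notApplied` usually point at users or apps excluded from the policy (service accounts, legacy protocols, a forgotten exclusion group); rows with `Compliant` empty or `false` usually point at personal or unenrolled devices. The same KQL can be saved as a scheduled analytics rule in Sentinel so the gap is alerted on rather than checked by hand.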
Bottom line on Zero Trust? Overall, the buzz is both real and justified. Today’s world requires an approach that assumes breach and validates security at every interaction within the environment. Microsoft’s comprehensive approach to security provides an excellent foundation for businesses of all sizes to deploy Zero Trust and mitigate today’s threats.
The C3 Team brings the knowledge and experience required to configure the entirety of Microsoft’s security services to achieve a Zero Trust Security model. With over 250 clients under management, C3 has the experience to ensure your environment is properly secured. To learn more about how C3 can help you deploy a Zero Trust model in your environment, contact us at email@example.com.