Don’t take anything for granted, don’t trust anything or anyone ; This is the slogan of Zero Trust , a cybersecurity model that consists of completely eliminating trust from the equation.
Goodbye to the perimeter
Until recently, security models had always sought to generate an environment defined by a perimeter where the interior of the network was protected from an exterior full of potential threats, assuming that everything that was within that perimeter o network was considered trusted by default.
Today and in the current context, conventional ways of securing access to the corporate network, applications and data are no longer adequate. With an increasingly dispersed workforce, the boundaries of the perimeter are expanding, there is no longer a contained or defined network to protect, and critical business data is located outside the corporate firewall. So, instead of assuming that your organization is safe behind a firewall, you need to consider that there will be a security breach, either through malicious intent or carelessness.
In addition, cyberattacks are increasing day by day with more virulence than ever, with more impact for companies and with more and more millionaires rescued . What can we do in this increasingly complex situation?
“Traditional perimeter-based security cannot keep up with the complexity of hybrid work and the proliferation of multiple devices from which users access”
The solution: Zero Trust
The Zero trust model is the best defensive approach your organization can take. With this model, all users and devices are classified as untrustworthy on principle. Access to the network and all services and resources is not granted until the person requesting it can verify their identity or their device through multi-factor authentication.
Zero Trust adopts three key principles:
- Verify: Explicitly, authenticating and continually authorizing access. The fact that, for example, we have a username and password does not prove that we are the user to whom those credentials belong. For this reason, every request for access to a resource in your organization should always be verified.
- Access with minimum privileges: Limit the access of users by granting the minimum privileges to work and fulfill their function.
- Assume the gap: With this strategy it is assumed that there may be attackers both within our network and outside it and that an attack is going to occur. For that reason, no user or device should be trusted by default.
With Zero Trust you always know who , what , when , where and how someone is trying to access corporate resources and applications , providing IT with the information it needs to properly assess risk and limit access.
Zero Trust through the company’s digital assets
The Zero Trust approach must extend throughout the digital environment and function as an integrated security philosophy from start to finish. The following diagram shows how to implement this methodology:
This system, through continuous risk assessment and a real-time security policy validation engine at its core, offers protection through signal analysis and threat intelligence, ensuring that identities are verified and authenticated and that devices be safe before granting access to data, applications, infrastructure and networks. In addition, visibility, analysis, automation, and remediation are applied continuously and comprehensively.
Now that we know how this methodology works, we are going to go into detail in each of the areas to protect:
Verify and secure each identity with strong authentication
Identities, whether they represent people, services, or devices, define the core of Zero Trust’s strategy and control. With this model it is assumed that all users are not trusted, so that it is required to confirm and authenticate the identity not only to ensure the first access to the platform and the information it contains, but at each new level of access, so that you are only granted sufficient privileges to perform a certain job or task.
Before an identity attempts to access a resource, the organization must:
- Verify identity with strong authentication. Today it is essential that all accounts are protected with double factor authentication (MFA). Likewise, if we use a unified identity (the same identity for all applications), we will establish a much simpler and more robust security strategy.
- Ensuring that access is consistent and customary for that identity, using machine learning analytics intelligence, which analyzes and learns from user behaviors creating a pattern of normality that helps quickly detect any unusual user behavior.
- Follow the principles of least privilege access mentioned above.
By adopting this security strategy, companies can more easily adapt to changes; for example, by removing access privileges from departing employees or adjusting the privileges of those whose responsibilities have changed.
Allow only trusted devices to access company resources
Once an identity has been granted access to a resource, the data can be distributed to a variety of different devices, from IoT devices to smartphones, BYOD to managed devices, and on-premises workloads to cloud-hosted servers. This diversity creates a very broad attack surface that requires us to continually verify health status from a corporate policy compliance standpoint.
There are a few key rules for protecting devices on a Zero Trust model:
- The platform, as well as the applications running on the devices, are securely provisioned, properly configured, and kept up-to-date.
- There is a quick and automated response to contain access to corporate data in the event that the security of a device is compromised.
- The access control system ensures that all policy controls are in place before the data is accessed.
Ensure applications are always available, visible and secure
Applications provide the interface through which data is consumed, so control policies must be applied to:
- Discover the use of non-IT-approved user applications (Shadow IT)
- Guarantee adequate access permissions.
- Monitor and detect unusual behaviors.
- Control user actions.
- Validate the secure configuration options.
Protect sensitive data wherever it is located or travels
Data protection is one of the primary responsibilities of security and compliance teams. Data must remain protected while at rest, in use, and as it leaves the devices, applications, infrastructure, and networks that are under the organization’s control. To guarantee protection and that access to data is restricted to authorized users, the data must:
- Inventory and Sort
- Label yourself and apply restricted access based on attributes.
When data and sensitive content are controlled by the right tools, organizations can:
- Report and enforce policy decisions to block or delete emails, attachments, or documents.
- Encrypt files with sensitivity labels on devices.
- Automatically classify content with sensitivity labels using policies and machine learning.
- Track and monitor sensitive content using policies as content travels in and out of your digital environment.
Strengthen defenses to detect and respond to threats in real time.
Infrastructure – be it on-premises servers, cloud-based virtual machines, containers, or microservices – represents a critical threat vector. Modern security with an end-to-end zero trust strategy makes it easy to:
- Employ Just-In-Time and Just-Enough-Access (JIT / JEA) administrative privileges to strengthen defenses.
- Use telemetry to detect attacks and anomalies.
- Automatically block and flag risky behavior and take protective measures.
Go beyond traditional network security approaches.
Ultimately, the data is accessed through the network infrastructure. Rather than believing that everything behind the corporate firewall is secure, a Zero Trust strategy assumes that breaches are inevitable. That means you must verify each request as if it originated from an uncontrolled network; As we have discussed before, identity management plays a crucial role in this.
In the Zero Trust model, there are three key objectives when it comes to protecting the network:
- Apply critical controls to improve visibility and prevent attackers from moving laterally across the network.
- Be prepared to detect attacks before they happen and minimize the extent of damage and how quickly it spreads, in the event of an attack.
- Employ end-to-end protection, encryption, monitoring, and analysis.
- Networks must be segmented (including micro-segmentation deeper within the network)
How do Microsoft solutions help?
To be successful, Zero Trust relies heavily on signal integration and interpretation; the environment must be connected in order to provide the signals needed to make decisions and offer end-to-end coverage. Attacks can come from anywhere; from the outside, but also from the inside, so it is essential to have a transverse safety system that can move from top to bottom and from left to right.
In this sense, Microsoft considers the Zero Trust strategy as the cornerstone of effective protection and has a differential element compared to other manufacturers of security solutions since it is the only company that considers identity, device management, data infrastructure in the cloud and defense against modern attacks as a whole, offering integrated and connected solutions that span all the key points of cybersecurity:
- Identities: Through Microsoft Defender for Identity (formerly Azure Advanced Threat Protection) and Azure Active Directory that manage and protect hybrid identities, and simplify employee access. Microsoft Defender for Identity uses Active Directory cues to identify, detect, and investigate advanced threats, compromised identities, and harmful indirect actions directed at the organization. More details
- Devices: Through Microsoft Defender for Endpoint (formerly Microsoft Defender Advanced Threat Protection), a solution that combines Windows 10 technology and Azure cloud service to offer businesses proactive protection , post-violation detection , investigation automated response and response to advanced threats on your networks. More details
- Data: Through Microsoft Defender for Office 365 (formerly Office 365 Advanced Threat Protection), protects your organization from malicious threats posed by email messages, links (URLs), documents, and collaboration tools. More details . Also, through Microsoft Information Protection, you can classify, label and protect documents and emails as they are created or modified. More details
- Applications: Through Microsoft Cloud App Security , a complete SaaS solution that provides IT departments with visibility and control over the cloud applications used by the users of your organization (those allowed and those not allowed). More details
- Infrastructure: Through Azure Defender, an evolution of Azure Security Center with threat protection capabilities to protect infrastructures wherever they are, including virtual machines, databases, containers, IoT and much more, whether they are hosted in the hybrid cloud (Azure and / or other clouds) as if they still reside in a classic on-premises datacenter. More details
A long-term project in which Softeng can help you
While the Zero Trust model is most effective when integrated throughout the environment, implementing it is a gradual journey that requires planning and executing correctly so that the impact on the user experience is minimal.
Most companies positively value a phased approach due to the complexity of this journey, with expert accompaniment and this is where Softeng can help you by offering our experience and knowledge to help you gradually implement the Zero Trust model.
Do you want to know more about how we can help you? Contact us!