Australia | Everything You Need to Know About Zero Trust

Neil Hoffman - 13.12.2021

Everything You Need to Know About Zero Trust


Zero Trust is a term being touted by all major security vendors, cloud platform providers, management suites, networking companies and identity platforms. Why is this concept/model/framework so important and what does it mean? Maybe you’ve been considering adopting it but aren’t exactly sure what kind of impact it will have on your business.

This article aims to answer the questions posed by each of the section headings below.

WHAT IS ZERO TRUST?

Zero Trust is a philosophy first invented by John Kindervag when he was a principal analyst at Forrester Research. His famous quote is: “When every user, packet, network interface and device is untrusted, protecting assets becomes simple”. This groundbreaking concept went against the outdated industry-standard approach at the time which suggested devices should be trusted by default. That standard approach was known as “Trust but Verify”. Trust was the default posture, and a user entering a correct password was sufficient to verify. Additionally, if access was verified, it meant the device would have unrestricted access to the entire infrastructure regardless of whether it was necessary or not for the user to perform their role.

Zero Trust is the opposite of the industry-standard approach and equates to a posture of “Never Trust, Always Verify”. The Trust but Verify method can be considered fundamentally flawed if the primary goal is to prevent a compromise. By flipping this concept on its head and instead saying a device is untrusted by default, protecting against a compromise becomes much easier.

To be fair, let’s first analyse how the old philosophy became commonplace. Once upon a time… all the valuable data in the kingdom was behind a beautiful walled garden and protected by a mighty firewall. To access the data, a user had to be inside the castle, using a managed device, plugged into a known network port, and had to know their password. The armour of this strategy eventually began to crack when the bad actors realised people were inherently gullible, inquisitive and could be easily persuaded to click on things they shouldn’t. Once clicked, they could voluntarily install malware on their trusted devices, thereby allowing uninvited guests inside the walled garden to pillage and plunder. In addition, the introduction of wireless networks removed the safety net that access required a physical connection through a specified network port.

WHY IS ZERO TRUST SO IMPORTANT?

The proliferation of cloud computing in the early 2000s was a game-changer. It brought great benefits by relieving organisations from the burden of having to continuously manage more and more infrastructure and allowed them to enjoy the fruits of modern and always updated line of business applications through the Software as a Service (SaaS) model. However, from a security perspective, things got much more complicated very quickly. Now sensitive corporate data has left the building and is living in someone else’s network being accessed over the Internet, aka the most untrusted network ever!

Enter mobility

In addition to data now being distributed across cloud datacenters, technology advancements have equipped users to be more mobile. If the data lives in the cloud, then why should they be limited to being in an office building to access it? They can be more productive if they can work from home, on the road, in a hotel, at a coffee shop, or even at the gym. More productive workers equal more output and ultimately more profits for the business. So now we have users accessing sensitive corporate data from anywhere using any device at any time over the most untrusted network ever… what could possibly go wrong?

More sophisticated attacks

Now that we have revolutionised how businesses can reduce their infrastructure footprint by leveraging cutting-edge cloud-based SaaS applications, and enabled knowledge workers to be more productive by consuming data from anywhere, attackers have also revolutionised how they attack organisations for profit. The relatively small attack surface of yesteryear has been exponentially increased to the far reaches of the globe. Money is the ultimate motivator, and the bad actors haven’t been resting on their laurels. They have been advancing alongside the rest of the industry. With more modern threats come more evolved attacks such as spear phishing and ransomware. The attackers graduated from just creating short-term havoc to holding data hostage and employing clandestine spying tactics to execute very targeted and well-planned attacks which are much more devastating and costly to businesses.

Identity, Identity, Identity

Did you ever hear the real estate expression “Location, Location, Location”? It means that more than anything else, the location of a property determines its value. Well, in a Trust but Verify approach, a credential is the golden ticket and all that is required to impersonate an identity. If the identity alone verifies the trust, then the identity is the key to the kingdom. Whether it is used to steal data, plant malware, or gather exploitable intelligence from the bird’s-eye view of an insider, identity theft has become the number one way organisations are breached today. For this reason, identity has been coined the “new perimeter”.

HOW ZERO TRUST WORKS

So now we’ve covered the why, let’s delve into how Zero Trust can help. A posture of Zero Trust requires every aspect of an attempt to access corporate applications and data to be scrutinized. If the default posture is Never Trust, Always Verify, then neither a hijacked device nor an identity alone would be enough to gain access to the kingdom. All touchpoints are forced to attest to their authenticity and level of trust. This is the fundamental concept behind Zero Trust and includes things like:

  • Is the user who they claim to be?
  • Is the device authorised and trusted?
  • Is the application being used sanctioned by the organisation?
  • Is the user allowed to access the resource?

When all the parameters of the request are satisfied, only then will access be granted. This cycle is then repeated for subsequent access requests and inherent trust is never implied.

Assume Breach

Another aspect of the principle of Zero Trust is to assume breach. This means rather than hoping the fortress will always remain secure and protected, we assume our castle walls will eventually be compromised. This allows organisations to incorporate layers of security to minimize the impact of an attack if/when it does happen. One example is segmenting networks to protect high-value workloads from user networks where breaches are likely to occur. Only necessary traffic should be allowed between the user segments and the server segments, and that traffic should be continuously monitored. Taken a step further, micro-segmentation, which is the concept of creating segmentation between specific network interfaces on specific nodes within the individual segments, is gaining a lot of popularity as well.

Let’s face it, the likelihood an organisation will never be breached at some point is extremely small. The cost of being prepared pales in comparison to the cost of an incident cleanup, which can include data recovery efforts, lost revenue during outages, and the reputation impact of lost confidence by Partners and clients. Benjamin Franklin once said: “By failing to prepare you are preparing to fail”. He also said: “An ounce of prevention is worth a pound of cure”. It seems Mr. Franklin would have made a great cybersecurity consultant had he been born 300 years in the future!

WHAT KIND OF IMPACT CAN ZERO TRUST HAVE ON YOUR BUSINESS?

By now you may be thinking this must be extremely disruptive to the poor end-users who will be challenged at every turn to prove themselves. Well, this doesn’t have to be the case. In fact, if Zero Trust is introduced to an organisation along well-thought-out and properly planned paths, it can complement the end-user experience.

Identity

Let’s take identity as an example. We all know Multifactor Authentication (MFA) must be at the heart of any organisation’s Zero Trust strategy if they want to be successful at preventing attacks. MFA is the process of requiring a user to present something they know, such as a password, and something they have, such as an identification device like a phone, to gain access. While most users are accustomed to this already, it may be seen by some as burdensome to enter SMS codes to be granted access. To make this easier and more secure, most modern-day MFA products can leverage push notifications sent to authenticator applications running on smartphones and smartwatches which only require a tap to approve. Many of these applications can also be leveraged for MFA for many different sites and services in addition to the corporate assets. I leverage the Microsoft Authenticator application on my iPhone for tons of MFA enrolments including my company’s Microsoft 365 tenant, client tenants, VPN connections, banking sites, benefits sites, password vaults and more. It has made my life easier since I can enrol all these different services into one convenient application to protect both my corporate as well as personal identity.

Devices

Next, let’s look at device verification. What would it take to verify my device is compliant with an organisation’s security standards? Well, the simple answer is: being managed. I help clients leverage Microsoft Endpoint Manager (Intune) to create a cloud-first modern management strategy. This allows them to control the security posture of the device, configure policies, push software, and require that the device attests to a predetermined list of compliance requirements such as being encrypted, having a firewall enabled, running endpoint security applications and more. While this makes the business’s IT, Security and Operations people happy by streamlining enrolments and management tasks, it also makes the end-users happy since they get to enjoy a modern device experience with automatically deployed software, single sign-on capability, consistent roaming data across devices, and over-the-air provisioning of new devices which can be drop-shipped directly to their homes using Autopilot.

Taking these two concepts a step further, let’s explore Windows Hello for Business. Windows Hello for Business, when users are required to register biometrics such as a fingerprint or facial recognition with Microsoft Endpoint Manager, is considered and accepted as a form of MFA: the user must present something they are (finger or face) on a registered device they have in order to access it. Once they have authenticated to the device this way, they will no longer be challenged for MFA by any Microsoft 365 or Azure Active Directory based resources, or by any Azure Active Directory federated third-party SaaS applications.

Really want to see a happy end-user? Let them sign into their laptop by looking at the webcam and then have seamless access to all their line of business applications. They won’t even know this cutting-edge modern experience they are enjoying is also greatly enhancing the security posture of the organisation. It’s like pouring chocolate sauce on broccoli to have your kids eat a vegetable! These transformational projects provide value for all stakeholders, including business leadership, those responsible for risk management, operations teams and end-users. It is a win-win for everyone and a fairly simple way to gain a strong foothold in the world of Zero Trust, greatly enhancing the way devices are managed while delighting end-users with a truly modern platform and experience. It should be noted at this stage I am not only talking about PCs but also mobile devices such as iOS and Android. In addition to granular control of these mobile devices when fully managed, Microsoft Endpoint Manager also has a very well thought out and light-touch way of handling Bring Your Own Device (BYOD) scenarios to ensure corporate data is still secure even though the device itself may not be fully managed, since it is owned by the end-user and not the business.

HOW CAN YOU BEGIN TO IMPLEMENT ZERO TRUST?

  1. Start by taking an inventory of identities across the business and develop identity lifecycle processes to streamline onboarding and offboarding. Clean up user metadata and leverage dynamic group membership to manage entitlements. This prevents users who change departments from retaining access no longer needed for their role. Make sure you follow modern password policy guidance, which has changed over the recent years.
  2. Work towards an approach of just-enough and just-in-time access. Do not provide more access than is needed for each business role. Separate administrative accounts from productivity accounts and challenge everyone for MFA all the time. Do not treat corporate networks as trusted IP ranges; doing so opens a gaping hole in a Zero Trust model should a user identity be compromised while on the internal network.
  3. Leverage a robust and intelligent identity platform for accessing all line-of-business SaaS applications such as Azure Active Directory. This will allow you to grant and revoke access and entitlements from a single platform. Not only does this provide a simplified approach to provisioning and de-provisioning, it also combines security controls and signals across all these disparate systems into a single management platform with advanced threat detection capabilities.
  4. Implement a modern device management strategy like Microsoft Endpoint Manager to gain full visibility and manageability of all devices which are allowed to access identities and data while ensuring they meet compliance requirements.
  5. Segment workloads and monitor traffic within the network using the Zero Trust solutions offered by your favourite networking vendor (there are so many out there, do some research). Isolate the user networks, especially wireless, from sensitive workloads wherever that access serves no business purpose and only exposes risk.
  6. Develop an enterprise access model to separate admin accounts and Privileged Access Workstations (PAW) into tiers based on levels of sensitivity. Disallow higher-tiered privileged accounts from signing into lower-tiered devices. Do not use shared local administrator credentials across endpoints. Instead, deploy a tool like Microsoft Local Administrator Password Solution (LAPS), which is free.
  7. Across all of Microsoft cloud services, Conditional Access policies are the glue which hold all of this together. As the name suggests, they allow access to data and applications only when certain conditions are met. If those conditions are not met, access is not granted. This is the basis of Zero Trust and should be a fundamental part of any Microsoft 365 or Azure implementation’s security posture. If you own Azure Active Directory Premium 1 or 2 and you are not using Conditional Access policies, then you should start today. Review Common Conditional Access policies to start. If you do not own Azure Active Directory Premium 1 or 2, leverage Conditional Access Security Defaults.
  8. Lastly, provide education to users on safe computing practices and why security controls are important for both corporate and personal identities.
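To make the four access questions listed under "How Zero Trust works" and steps 1 to 4 and 7 above concrete, here is an added toy policy evaluator. It is illustration code written for this article, not Microsoft's Conditional Access engine; the user, app and IP-range data are constructed samples, and the `trust_corporate_ip` switch exists only to show why the "trusted IP range" exemption from step 2 is a hole.

```python
"""Toy Zero Trust access decision: every signal must verify, none is implied.
Added illustration for this article; not Microsoft's Conditional Access
engine. Directory data below is constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed samples; a real engine queries the identity platform, the MDM
# compliance state and the sanctioned-application catalogue instead.
SANCTIONED_APPS = {"mail", "crm", "hr-portal"}
CORPORATE_RANGES = [ip_network("10.0.0.0/8")]
ENTITLEMENTS = {"alice": {"mail", "crm"}, "bob": {"mail"}}   # just-enough access


@dataclass
class AccessRequest:
    user: str
    password_ok: bool
    mfa_ok: bool
    device_managed: bool
    device_compliant: bool   # encrypted, firewall on, endpoint security running
    app: str
    source_ip: str


def evaluate(req: AccessRequest, trust_corporate_ip: bool = False):
    """Return (granted, reasons). Access is granted only when every check
    passes; a password alone never verifies the user.

    trust_corporate_ip=True reproduces the legacy "trusted IP range" exemption
    the article advises against: MFA is skipped on the corporate network, so a
    stolen password used from an internal host is enough to get in."""
    reasons = []
    on_corp_net = any(ip_address(req.source_ip) in net for net in CORPORATE_RANGES)

    # 1. Is the user who they claim to be?
    if not req.password_ok:
        reasons.append("password failed")
    if not req.mfa_ok and not (trust_corporate_ip and on_corp_net):
        reasons.append("MFA not satisfied")

    # 2. Is the device authorised and trusted (managed and compliant)?
    if not (req.device_managed and req.device_compliant):
        reasons.append("device not managed/compliant")

    # 3. Is the application sanctioned by the organisation?
    if req.app not in SANCTIONED_APPS:
        reasons.append(f"app {req.app!r} unsanctioned")

    # 4. Is the user allowed to access this resource?
    if req.app not in ENTITLEMENTS.get(req.user, set()):
        reasons.append(f"{req.user} not entitled to {req.app!r}")

    return (not reasons, reasons)


if __name__ == "__main__":
    # Stolen password replayed from an internal host: denied under Zero Trust,
    # but granted once the corporate range is treated as trusted.
    stolen = AccessRequest("alice", True, False, True, True, "mail", "10.1.2.3")
    print("zero trust:", evaluate(stolen))
    print("trusted IP:", evaluate(stolen, trust_corporate_ip=True))
```

The decision is re-evaluated for every request; nothing learned from an earlier grant carries over, which is the "cycle is repeated" point made above.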

HOW DO YOU DEVELOP A LONG-TERM ROADMAP TO BUILD UPON YOUR ZERO TRUST STRATEGY?

Rome wasn’t built in a day and your Zero Trust implementation won’t be either. This takes time; start with the higher-value initiatives mentioned above and then look to enhance. For example, within the Microsoft ecosystem, there are more advanced features in the higher SKUs which can complement the initial rollout with little to no user impact. And of course, the Microsoft practice of bundling products into suites makes this a lot easier. Once your organisation is ready to mature its model, a level-up of SKU will bring loads of new functionality and features. Here are some of the features and services available:

Identity Protection

Identity Protection takes the fundamental identity controls and layers intelligent security and real-time analytics to make informed decisions about whether an identity has been compromised.

Defender for Identity

Defender for Identity is a product which runs inside of the on-premises Active Directory environment and monitors Domain Controllers for anomalous behaviour, common reconnaissance and attack techniques.

Defender for Office 365

Defender for Office 365 allows organisations to detect malicious links and attachments in emails and documents before users can get a chance to run them. It also includes Anti-Phishing protection.

Defender for Endpoint

Defender for Endpoint is a multifaceted enterprise security platform. It includes several components which can greatly improve the security posture of endpoint devices including:

  • Threat and Vulnerability Management to discover, prioritize and remediate misconfigurations and vulnerabilities
  • Attack Surface Reduction to harden known exploitable weaknesses in the endpoint
  • Next-Generation Protection to detect modern zero-day threats
  • Endpoint Detection and Response to add detection, automation and response to threats which have gotten past your defenses
  • Automated Investigation and remediation to automate investigation activities and reduce the volume of alerts
  • Microsoft Threat Experts offers a managed service providing proactive threat hunting, insights and rapid response to threats

Microsoft Defender for Endpoint also integrates with Microsoft Defender for Office 365 to enable security analysts to go upstream to investigate the entry point of an attack. Through threat intelligence sharing, attacks can be contained and blocked.

Privileged Identity Management

Privileged Identity Management (PIM) offers the ability to provide just-in-time administrative access to privileged accounts. Each elevation is tied to a workflow which can send alert notifications, require the requestor to state the purpose of the elevation, and even require the request to be approved by other individuals within the organisation. This provides accountability and additional checks on the use of privileged access.

Access Reviews

Access Reviews allow organisations to bundle entitlements into packages which can be applied to individuals within an organisation. This could include access to specific data and applications, Teams, SharePoint libraries, permission sets, etc. These access packages can then be configured for regularly scheduled reviews to ensure access to these entitlements is still warranted for the individual users.

Azure Active Directory Password Protection

Azure Active Directory Password Protection runs on-premises and integrates with Active Directory to disallow weak passwords by leveraging Microsoft’s real-time banned password lists as well as a custom list created by the customer.

Cloud App Security

Microsoft Cloud App Security (MCAS) is a cloud-native Cloud Access Security Broker (CASB) which supports various deployment modes: log collection for the discovery of Shadow IT, and brokering access to third-party SaaS applications through either API connectors or a reverse proxy. It provides rich visibility and control over data movement, and sophisticated analytics to identify and combat cyber threats across all Microsoft and third-party cloud services.

In addition, MCAS can work in tandem with Defender for Endpoint to report on application usage and block access to applications unsanctioned by the enterprise.

Passwordless

It has long been known that passwords are the weakest link in modern cyber security. Passwordless technologies are still evolving; however, there are a few steps you can take to begin this journey. One is leveraging Windows Hello for Business, mentioned earlier in this article.

THERE IS NO DAY BETTER THAN TODAY TO START

Technology and risks are always changing. Zero Trust is not a destination, but rather an ongoing process which should be taken in bite-sized chunks. It is a good idea to stay closely connected to industry sources and trusted Partners to make sure you are doing your best to leverage current tools to protect your organisation, especially if you already own some of these tools, as many organisations do. Don’t wait any longer to secure your organisation’s network. Reach out to Insentra today for a Zero Trust Assessment and get a comprehensive evaluation of your current security posture and actionable recommendations for a Zero Trust framework. We would be happy to work with you and your trusted partner to lend a hand.
