Zero Trust: Redefining Security in Microsoft 365

Zero Trust is a security strategy and framework that follows the principle “Never Trust, Always Verify”.

It assumes that the request, user or device is not secured and should not be trusted by default, no matter if it is inside or outside organization’s network perimeter. Zero Trust model continuously authenticate users and devices (instead of just once), encrypt everything, provide the minimum access needed and limit access duration, and use segmentation to limit the damage of any breaches. It is a holistic approach to safeguard identities, endpoints, applications, network, infrastructure and data.

Most of the organization uses multicloud and Hybrid (on-premise and cloud). They may focused on the strategy to protect network access with on-premise firewalls and VPNs assuming that everything inside the network was safe. The corporate data may reside in the cloud or hybrid or across both.

In order for the user, process or app to access the data, everything including identity, app, network, device are verified and encrypted. Microsoft uses Zero Trust security layers to enforce Zero Trust framework within Microsoft products.

Microsoft’s approach for Zero Trust is not to disrupt end users, but work behind the scenes to keep users secure as they work.

In the Zero Trust approach, identity, endpoints, applications, network, infrastructure, and data are important components that work together to provide end-to-end security. It is also known as Zero Trust security layers.

Microsoft Entra ID can act as a unified directory service to authenticate users, devices, and processes to your resources, apps, and services, across multicloud and Hybrid (on-premise and cloud).

When a user attempts to access a data, Microsoft Entra ID will verify the credentials, two factor authentication and Conditional Access to confirm if the data can be accessed or not. It checks for real-time user and sign-in risk detections when evaluating data access requests.

Once user has been granted access to a data, the user can use different devices to access data. The device may not be owned and managed by the organization. What if the device used to access the data is not updated? it poses a great security risk of data leakage and exposure to unwanted people.

With conditional access policy, we can limit the data access to only corporate or personally-owned computers and mobile devices, we can block the data access on unmanaged device or force the device to register or join the directory service.

Using Microsoft Endpoint Manager, we can make sure that the devices and the installed apps, which access the data meet your security and compliance policy requirements of the organization regardless of whether the device is owned by your organization or the user.

Using Applications and APIs, the user access the data. The application can be cloud application or it can be legacy application hosted on the on premises of the organization.

Microsoft Endpoint Manager can be used to configure and enforce policy management for both desktop and mobile apps, including browsers. For example, we can prevent work related data from being copied and used in personal apps.

Microsoft Cloud App Security can help us discover and manage Shadow IT services, with catalogue of more than 17,000 apps. With MCAS, the organization can block actions within a cloud app, example: downloading the files is blocked on unmanaged devices.

The application and the users will use a network to access the data. To enhance visibility and help prevent attackers from moving laterally across the network, organizations should segment networks.

Using network access controls and monitoring user and device behaviour in real time can provide insights and visibility into threats (ML-based threat protection and filtering with context-based signals).

An infrastructure can be anything from an on-premises servers to cloud-based virtual machines.

The main focus and consideration for infrastructure is to manage the configuration and keep software updated. It should also meet the organizations security and policy requirements.

Azure Sentinel is a cloud-native security information event management (SIEM) and security orchestration automated response (SOAR) solution that will allow your Security Operations Center (SOC) to work from a single pane of glass to monitor security events across your enterprise.

Microsoft Defender for Identity enables signal collection to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions.
security orchestration, automation, and remediation (SOAR) tooling to reduce manual effort in threat response.

Microsoft Defender for Endpoint Advanced Threat Protection includes automated investigation and remediation capabilities to help examine alerts and take immediate action to resolve breaches.

Privileged Identity Management (PIM) in Azure AD enables you to discover, restrict, and monitor access rights for privileged identities. PIM can help ensure your admin accounts stay secure by limiting access to critical operations using just-in-time, time-bound, and role-based access control.

Understanding your data and then applying the correct level of access control is essential if you want to protect it. But it goes further than that. By limiting access, and by implementing strong data usage policies, and using real-time monitoring, you can restrict or block sharing of sensitive data and files.

At the end of the day Zero Trust is all about understanding and then applying the right controls to protect your Data. Microsoft will provide an organization the controls to limit data access only to the people and processes that need it. The policies the organization set, along with real-time monitoring, can then restrict or block the unwanted sharing of sensitive data and files. Zero Trust in the cloud encrypts anything stored in the cloud, manages access, helps identify any breaches to cloud infrastructure, and speeds up remediation.