Preparing exam SC – 900 – Microsoft Security, Compliance, and Identity Fundamentals – Explaining Zero Trust model concept – Part 3

Hi All,
Greetings for the day!!!
We are continuing our discussion of security-related concepts and preparing study material for exam SC – 900 – Microsoft Security, Compliance, and Identity Fundamentals.
In the last two articles:
- In Preparing exam SC – 900 – Microsoft Security, Compliance, and Identity Fundamentals – Explaining few terms related to Security – Part 1, we discussed a few terms related to security
- In Preparing exam SC – 900 – Microsoft Security, Compliance, and Identity Fundamentals – Explaining defense in depth concept – Part 2, we discussed the “defense in depth” concept
In this article we will discuss the Zero Trust model concept.
Takeaways from this article
- What the Zero Trust model is
- Zero Trust guiding principles
- Six foundational pillars of the Zero Trust model
- Building Zero Trust in our organization
- Reference to the implementation of the Zero Trust model at Microsoft
Zero Trust model
- A methodology that assumes breach and verifies each request as though it originated from an untrusted / uncontrolled network
- The Zero Trust model operates on the principle of “trust no one, verify everything.”
- Even requests from resources behind the firewalls of our corporate network are not trusted
- This also means that a user name and password alone are not sufficient to identify users; multifactor authentication is there to provide additional checks
- Nor are users' devices given direct, complete access; access is granted only to the specific apps or data that users need
Zero Trust guiding principles
- Verify explicitly
  - Always authenticate and authorise users based on available data
  - Available data includes – user identity, location, device, service or workload, data classification
- Least privileged access
  - Limit user access with
    - just-in-time and just-enough-access (JIT / JEA)
    - risk-based adaptive policies
    - data protection to protect data
- Assume breach
  - Use encryption to protect data
  - Use analytics to get visibility
  - Detect threats and improve security
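
The three guiding principles above, expressed as a small policy decision function. This is an added example, not code from the original article or from Microsoft; the field names, country codes, labels, user and app names, and risk thresholds are constructed assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed policy values for illustration (assumptions, not Microsoft defaults).
TRUSTED_COUNTRIES = {"IN", "US"}
SENSITIVE_LABELS = {"confidential", "highly-confidential"}

@dataclass
class AccessRequest:
    user: str
    app: str
    mfa_passed: bool
    device_compliant: bool
    country: str
    data_label: str
    on_corporate_network: bool  # recorded, but never used to grant trust

@dataclass
class JitGrant:
    user: str
    app: str
    expires_at: datetime

def risk_score(req):
    """Risk-based adaptive policy: combine the available signals into a score."""
    score = 0 if req.device_compliant else 2
    score += req.country not in TRUSTED_COUNTRIES
    score += req.data_label in SENSITIVE_LABELS
    return score

def decide(req, grants, now):
    """Return (decision, reason); every path that is not verified ends in deny."""
    # Verify explicitly: a password alone is not enough, whatever the network.
    if not req.mfa_passed:
        return "deny", "mfa required"
    # Least privilege: an unexpired just-in-time grant for this exact app only.
    if not any(g.user == req.user and g.app == req.app and g.expires_at > now for g in grants):
        return "deny", "no active JIT grant for app"
    score = risk_score(req)
    if score >= 3:
        return "deny", "risk too high"
    if score >= 1:
        return "allow-limited", "elevated risk: restricted session"
    return "allow", "all signals verified"

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    grants = [JitGrant("asha", "payroll", now + timedelta(hours=1))]
    print(decide(AccessRequest("asha", "payroll", True, True, "IN", "general", True), grants, now))
```

Note that `on_corporate_network` is carried on the request but never consulted: being behind the corporate firewall does not change the decision.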
Six Foundational pillars of Zero Trust model / Building Zero Trust in our organization
We can implement the Zero Trust model in our organization by implementing / automating / enforcing security policies across these six pillars:
- Identities
  - Users, devices, services
  - When any identity tries to access a resource, there should be a very strong authentication mechanism
  - Strong multifactor authentication
  - Use of biometrics ensures strong authentication for user-backed identities – passwordless authentication
  - The least privilege access principle is followed
  - We need to ensure access is compliant and for the respective identity only
  - User, device, location, and behavior are analyzed in real time to determine risk and deliver ongoing protection
- Devices
  - Monitoring devices for health and compliance for secure access
  - Endpoint threat detection is used to monitor device risk
- Applications
  - Finding all applications
  - Managing permissions and access
  - Ensuring appropriate app permissions
  - All apps are available using least privilege access with continuous verification
- Data
  - Should be classified, encrypted and labeled
  - Access should be restricted based on these attributes
- Infrastructure
  - Threat vector – for more details about threat vectors, please have a look at our first article – Preparing exam SC – 900 – Microsoft Security, Compliance, and Identity Fundamentals – Explaining few terms related to Security – Part 1
  - May be on-premises, cloud (VMs), containers, micro-services
  - Use telemetry to detect attacks
  - Automatically block risky behavior and take protective action
  - Unauthorised deployments should be blocked and alerts should be triggered
- Networks
  - Real-time threat protection, end-to-end encryption, monitoring and analytics should be employed
  - The network should be segmented – including micro-segmentation
How Microsoft implemented the Zero Trust model
Please have a look at the article – Implementing a Zero Trust security model at Microsoft – a very nice article, must read once 🙂

Thanks for reading the article !!! Please feel free to discuss in case of any issues / suggestions / thoughts / questions !!!
HAVE A GREAT TIME AHEAD !!! LIFE IS BEAUTIFUL 🙂