Preparing exam SC – 900 – Microsoft Security, Compliance, and Identity Fundamentals – Explaining Zero Trust model concept – Part 3

SC-900 - Zero Trust Model - Data security

Hi All,

Greetings for the day!!!

We are continuing our discussion of security-related concepts and preparing study material for the exam SC – 900 – Microsoft Security, Compliance, and Identity Fundamentals.

In the last two articles

In this article we will discuss the Zero Trust model concept.

Take away from this article

  • What is Zero Trust model
  • Zero Trust guiding principles
  • Six Foundational pillars of Zero Trust model
  • Building Zero Trust in our organization
  • Reference to implementation of Zero Trust model in Microsoft

Zero Trust model

  • A methodology which assumes breach and verifies each request as if it originated from an untrusted / uncontrolled network
  • The Zero Trust model operates on the principle of “trust no one, verify everything”
  • Even requests from resources behind the firewalls of our corporate network are not trusted
  • This also means that a user name and password alone are not sufficient to identify users; multifactor authentication adds a further check
  • Users’ devices are not given direct, complete access either; access is granted only to the specific apps or data the user needs

Zero Trust guiding principles

  • Verify explicitly
    • Always authenticate and authorise based on all available data points
    • Available data points include – user identity, location, device health, service or workload, data classification and anomalies
  • Least privileged access
    • Limit user access with
      • just-in-time and just-enough-access (JIT / JEA)
      • risk-based adaptive policies
      • data protection, to secure both data and productivity
  • Assume breach
    • Minimise the blast radius and segment access
    • Verify end-to-end encryption to protect data
    • Use analytics to get visibility, detect threats and improve defences

Six Foundational pillars of Zero Trust model / Building Zero Trust in our organization

In our organization we can implement the Zero Trust model by implementing, automating and enforcing security policies across the following pillars

  • Identities
    • Users, devices, services
    • When any identity tries to access a resource, a very strong authentication mechanism must be applied
    • Strong multifactor authentication
    • Use of biometrics ensures strong authentication for user-backed identities – passwordless authentication
    • The least privilege access principle is followed
    • We need to ensure access is compliant and granted to the respective identity only
    • User, device, location and behaviour are analysed in real time to determine risk and deliver ongoing protection
  • Devices
    • Monitor devices for health and compliance before granting secure access
    • Endpoint threat detection is used to monitor device risk
  • Applications
    • Discover all applications in use, including unsanctioned (shadow IT) apps
    • Manage permissions and access
    • Ensure appropriate in-app permissions
    • All apps are made available with least privilege access and continuous verification
  • Data
    • Should be classified, labelled and encrypted
    • Access should be restricted based on these attributes
  • Infrastructure
    • On-premises servers, cloud virtual machines, containers and micro-services are assessed for version, configuration and just-in-time access
    • Telemetry is used to detect attacks and anomalies; risky behaviour is blocked and flagged automatically
  • Networks
    • Networks are segmented (including deeper in-network micro-segmentation) so that a breach cannot spread freely
    • Real-time threat protection, end-to-end encryption, monitoring and analytics are applied
fig : SC-900 – Zero Trust Model – Data security
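To make the guiding principles and the pillar checks above concrete, here is a small access-decision engine in Python. It is an added illustration written for this article, not code from the original page or from Microsoft: the user names, risk weights, MFA threshold, entitlements, corporate IP range and sample requests are all hypothetical and constructed for the example. It evaluates every request on explicit signals (identity, device compliance and risk, location, application, data classification), grants only the entitlements an identity actually holds (JEA), time-boxes admin access (JIT), tightens the required assurance as the risk score rises (adaptive policy) and records every decision so it can be analysed (assume breach). A real deployment would express these rules as Conditional Access policies fed by product signals rather than as a toy engine.

```python
"""Toy Zero Trust access-decision engine (added illustration, not Microsoft's code)."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AccessRequest:
    user: str
    app: str
    action: str             # "read" | "write" | "admin"
    data_label: str         # "Public" | "General" | "Confidential" | "Highly Confidential"
    source_ip: str
    mfa_satisfied: bool     # multifactor authentication completed in this session
    device_compliant: bool  # health / compliance attested by endpoint management
    device_risk: str        # "low" | "medium" | "high" from endpoint threat detection
    user_risk: str          # "low" | "medium" | "high" from identity risk signals


# Constructed, hypothetical policy data for this example (not a real tenant).
CORPORATE_NETWORKS = [ip_network("10.0.0.0/8")]
LABEL_RANK = {"Public": 0, "General": 1, "Confidential": 2, "Highly Confidential": 3}
RISK_RANK = {"low": 0, "medium": 1, "high": 2}
ENTITLEMENTS = {                  # just-enough-access: only these (app, action) pairs exist
    "alice": {("payroll", "read"), ("payroll", "write")},
    "bob": {("wiki", "read")},
    "carol": {("payroll", "admin")},
}
JIT_WINDOW = timedelta(hours=1)   # just-in-time: admin elevation expires
MFA_THRESHOLD = 2                 # risk score at which MFA becomes mandatory
_jit_grants = {}                  # user -> expiry of the current JIT elevation
DECISION_LOG = []                 # assume breach: every decision is recorded for analytics

def grant_jit(user, now):
    """Time-boxed elevation; holding the admin entitlement alone is not enough."""
    _jit_grants[user] = now + JIT_WINDOW
    return _jit_grants[user]

def risk_score(req):
    """Combine signals; a corporate source IP lowers the score but bypasses nothing."""
    score = RISK_RANK[req.user_risk] + RISK_RANK[req.device_risk] + LABEL_RANK[req.data_label]
    if not req.device_compliant:
        score += 2
    if not any(ip_address(req.source_ip) in net for net in CORPORATE_NETWORKS):
        score += 1
    return score

def _decide(req, decision, reason):
    DECISION_LOG.append({"user": req.user, "app": req.app, "action": req.action,
                         "decision": decision, "reason": reason})
    return decision, reason

def evaluate(req, now=None):
    """Return (decision, reason); decision is 'allow', 'require_mfa' or 'block'."""
    now = now or datetime.now(timezone.utc)
    # Least privilege: no entitlement, no access, whatever the other signals say.
    if (req.app, req.action) not in ENTITLEMENTS.get(req.user, set()):
        return _decide(req, "block", "no entitlement for this app / action")
    # Verify explicitly: hard requirements that a good score cannot compensate for.
    if "high" in (req.user_risk, req.device_risk):
        return _decide(req, "block", "high risk signal")
    if LABEL_RANK[req.data_label] >= LABEL_RANK["Confidential"] and not req.device_compliant:
        return _decide(req, "block", "confidential data requires a compliant device")
    # Risk-based adaptive policy: the higher the risk, the stronger the required assurance.
    score = risk_score(req)
    if score >= MFA_THRESHOLD and not req.mfa_satisfied:
        return _decide(req, "require_mfa", f"risk score {score} requires MFA")
    if req.action == "admin":
        if not req.mfa_satisfied:
            return _decide(req, "require_mfa", "admin actions always require MFA")
        expiry = _jit_grants.get(req.user)
        if expiry is None or expiry <= now:
            return _decide(req, "block", "admin action requires an active JIT elevation")
    return _decide(req, "allow", f"risk score {score}")

def blocks_by_user():
    """Minimal analytics over the log: repeated blocks for one identity are a detection lead."""
    return Counter(e["user"] for e in DECISION_LOG if e["decision"] == "block")

def run_demo(now=None):
    """Constructed sample requests covering each principle; returns the decisions in order."""
    now = now or datetime.now(timezone.utc)
    _jit_grants.clear()
    DECISION_LOG.clear()
    base = dict(user="alice", app="payroll", action="read", data_label="General",
                source_ip="10.1.2.3", mfa_satisfied=False, device_compliant=True,
                device_risk="low", user_risk="low")
    cases = [
        {},                                                  # low risk, inside the network: allow
        {"source_ip": "203.0.113.5"},                        # same request from outside: require_mfa
        {"action": "write", "data_label": "Confidential", "device_compliant": False},  # block
        {"user": "bob"},                                     # no entitlement for payroll: block
        {"device_risk": "high"},                             # endpoint flags the device: block
    ]
    results = [evaluate(AccessRequest(**{**base, **c}), now)[0] for c in cases]
    carol = AccessRequest(**{**base, "user": "carol", "action": "admin",
                             "data_label": "Highly Confidential", "mfa_satisfied": True})
    results.append(evaluate(carol, now)[0])   # admin entitlement but no JIT elevation: block
    grant_jit("carol", now)
    results.append(evaluate(carol, now)[0])   # admin inside the JIT window: allow
    return results
```

Calling run_demo() returns the seven decisions in order (allow, require_mfa, block, block, block, block, allow) and blocks_by_user() then shows two blocks for alice and one each for bob and carol. Note the second case: the very same request that is allowed from the corporate range needs MFA from outside, while the corporate range never lets a non-compliant device, a high-risk signal or a missing entitlement through. That is the practical meaning of “network location is a signal, not a trust boundary”.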

How Microsoft implemented Zero Trust model

Please have a look at the article Implementing a Zero Trust security model at Microsoft on the Microsoft site – a very nice article and a must-read 🙂

fig : SC-900 – Zero Trust Model – The major goals for each Zero Trust pillar (diagram – from MS site – Implementing a Zero Trust security model at Microsoft)

Thanks for reading the article !!! Please feel free to discuss in case of any issues / suggestions / thoughts / questions !!!

HAVE A GREAT TIME AHEAD !!! LIFE IS BEAUTIFUL 🙂

Prasham Sabadra

LIFE IS VERY BEAUTIFUL :) ENJOY THE WHOLE JOURNEY :) Founder of Knowledge Junction and live-beautiful-life.com, Author, Learner, Passionate Techie, avid reader. Certified Professional Workshop Facilitator / Public Speaker. Scrum Foundation Professional certified. Motivational, Behavioral, Technical speaker. Speaks in various events including SharePoint Saturdays, Boot camps, Colleges / Schools, local chapter. Can reach me for Microsoft 365, Azure, DevOps, SharePoint, Teams, Power Platform, JavaScript.
