Zero Trust. Zero Trust. Zero Trust.

If you have spent any time reading the latest cybersecurity blogs, wandering the floors of trade shows (pre-COVID) or virtual conferences (during COVID), you have likely heard this term used over and over for the last 12-18 months. But Zero Trust is more than just a buzzword. It is real and it is about flipping the way we traditionally handled security in corporate environments on its head.

For the uninitiated, “Zero Trust” is the concept, employed by security solutions providers, that nothing should be trusted within an organization’s security environment, whether it comes from inside or outside the organization, and that anything trying to connect to its systems must be continuously verified and validated. You’ll often hear the phrase “never trust, always verify” when speaking about the Zero Trust concept.

In this blog, we will discuss why developing a Zero Trust strategy is necessary in today’s modern workforce, what many security solutions providers get wrong about Zero Trust, and what Microsoft gets right about Zero Trust.

Back in the day, users on a traditional network sat behind a firewall when they were operating their devices. Once that device was properly authenticated via password to enter the network, it gained a level of implicit trust. If that device and identity existed in that network, it was trusted and could access everything within that soft core of the network.

Fast forward to the modern day, and cloud services are widely used by almost every organization globally. In fact, 94% of organizations are using some level of services and applications hosted in the cloud.[1] Services are increasingly being launched outside of the traditional company perimeters, devices are mobile and sometimes owned by the employees, and Software as a Service (SaaS) applications are essential for nearly every team and user. With so many points of entry, the concept of “implicit trust” is no longer viable. This new age of modern and mobile work requires a new approach.

A Zero Trust model says, “Never trust, always verify.” With a Zero Trust approach:

  • Every access attempt is explicitly verified – You cannot trust a single device, nor a user attempting to access your network. You must use all available data to always verify that they are who they say they are.
  • Users and admins have least-privilege access – Develop strong governance policies by limiting user access with just-in-time and just-enough-access, risk-based adaptive policies, and data protection.
  • Assume a breach has already occurred – Act as though the attacker is already in the network, and segment access by network, user, devices, and app awareness.

When considering a Zero Trust solution, these are the principles that must guide every feature and policy.

As I mentioned before, you have likely been hearing the term “Zero Trust” for a while across social media, webinars, and blogs. The term gets thrown around even if the product or service does not truly fit into the model of delivering on Zero Trust. In other cases, providers deliver on only one highly specific component of a much larger problem. Here are some questions to consider when evaluating a product or solution provider that is marketed as a Zero Trust solution:

How does this solution take a Zero Trust approach to secure identities?

How does this solution authenticate those identities and devices when accessing the corporate resources both on and off the network? Are users and devices continuously validated as they access other network resources?

Is access control gated based on – at minimum – both user and device authentication?

Is endpoint threat detection used to monitor device risk?

Is access to applications and other resources governed by least-privilege access?

Is all network traffic encrypted? 

If the core of these questions is not baked into their model, then it is not a true Zero Trust security strategy, or it may only be solving a small subset of industry problems.
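The questions above amount to a per-request access decision. The following is an added example, not code from the original post or from any Microsoft product; the role map, risk threshold, re-verification window and field names are all assumptions made for illustration. It shows that network location is recorded but never grants access, and that each failed check is reported.

```python
from dataclasses import dataclass

# Hypothetical least-privilege map: role -> resources that role may reach.
ROLE_GRANTS = {"finance": {"ledger"}, "helpdesk": {"ticketing"}}
MAX_DEVICE_RISK = 30   # assumed 0-100 score fed by endpoint threat detection
MAX_AUTH_AGE_S = 900   # assumed: re-verify after 15 minutes

@dataclass
class AccessRequest:
    user: str
    role: str
    mfa_passed: bool
    device_compliant: bool
    device_risk: int       # 0 (clean) .. 100 (compromised)
    auth_age_s: int        # seconds since the last successful verification
    tls: bool
    on_corp_network: bool  # recorded, but deliberately never used to grant
    resource: str

def decide(req: AccessRequest) -> tuple[bool, list[str]]:
    """Deny by default: every check must pass on every single request."""
    reasons = []
    if not req.mfa_passed:
        reasons.append("user not strongly authenticated")
    if not req.device_compliant:
        reasons.append("device not compliant")
    if req.device_risk > MAX_DEVICE_RISK:
        reasons.append("device risk too high")
    if req.auth_age_s > MAX_AUTH_AGE_S:
        reasons.append("verification stale, re-authenticate")
    if not req.tls:
        reasons.append("traffic not encrypted")
    if req.resource not in ROLE_GRANTS.get(req.role, set()):
        reasons.append("resource outside role's least-privilege grant")
    return (not reasons, reasons)

# Constructed sample requests (not real users or systems).
SAMPLES = [
    AccessRequest("ana", "finance", True, True, 5, 60, True, False, "ledger"),
    AccessRequest("bo", "helpdesk", True, True, 5, 60, True, True, "ledger"),
    AccessRequest("cy", "finance", True, True, 80, 60, True, True, "ledger"),
    AccessRequest("di", "finance", True, True, 5, 4000, True, True, "ledger"),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r.user, decide(r))
```

Only the first sample is allowed, and it is the one request made from off the corporate network; the other three sit inside the perimeter and are still denied.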

[1] Hosting Tribunal, November 12, 2020

The way Microsoft defines Zero Trust is: An integrated approach to securing access with adaptive controls and continuous verification across your entire digital real estate.

Microsoft views Zero Trust across the entire digital environment: identity, devices, apps, infrastructure, networking, and data. They approach Zero Trust in a way that covers all of an organization’s core features and tools. They have built an aggregated ecosystem and infrastructure that is integrated with the entire Microsoft Defender Security suite.

This means a small business with limited resources does not have to think about going to ten different companies to get ten different solutions. They do not have to figure out on their own how to cobble those solutions together to get a coherent infrastructure. Now these businesses can go to one vendor and get all the tools that they need.

Additionally, a solution that affects end-users should also prioritize a positive user experience. With so many apps across work and personally owned devices, constantly being asked for a password is not exactly user-friendly. With password-less authentication tools like Microsoft Authenticator app push notifications and Windows Hello biometric authentication, users’ identities and access are more secure, while simultaneously being easier to use.

By implementing a Zero Trust security strategy, you can embrace a modern environment and a mobile workforce by protecting your people, devices, apps, and data wherever they are located.

Our Microsoft Security Workshops can help you strengthen your organization’s security posture. Workshops include a threat check analysis of your environment, an overview of Microsoft 365 security features, and actionable recommendations including a deployment plan for a protected and secure workforce. Additionally, workshops are conducted at no cost to eligible customers through Microsoft programs.
