Microsoft considers Zero Trust an essential component of any organization’s security plan. We have partnered with Cloud Security Alliance, a not-for-profit organization that promotes cloud computing best practices, to bring together executive security leaders to discuss and share insights about their Zero Trust journeys.
In our first discussion, we sat down with 10 executive security leaders from prominent energy, finance, insurance, and manufacturing companies in a virtual roundtable, to understand what has worked and identify where they needed to adjust their Zero Trust security model. Our collective aim was to learn from one another and then share what we’ve learned with other organizations. Discussions like these give us valuable opportunities to grow and led us to publish an eBook to share those conversations with other cybersecurity professionals.
Today, we are publishing the “Examining Zero Trust: An executive roundtable discussion” eBook as a result of those conversations. The eBook describes how the Zero Trust security model involves thinking beyond perimeter security and moving to a more holistic security approach. The eBook complements other resources we have published to help organizations accelerate their journeys in this critical area, such as the Microsoft Zero Trust Maturity Model and adoption guidance in the Zero Trust Deployment Center. Zero Trust assumes breach and verifies each request as if it originates from an uncontrolled network. If Zero Trust had a motto, it would be: never trust, always verify. That means never trusting anyone or anything–inside or outside the firewall, on the endpoint, on the server, or in the cloud.
Zero Trust strategies
Introducing Zero Trust into your organization necessitates implementing controls and technologies across all foundational components: identities, devices, applications, data, infrastructure, and networks. Roundtable participants offered successful Zero Trust strategies that respect the value of each of these foundational elements.
Strategy #1 - Use identities to control access
Identities–representing people, services, and IoT devices–are the common denominator across networks, endpoints, and applications. In a Zero Trust security model, they function as a powerful, flexible, and granular way to control access to data. Or, as one participant explained it, “The new perimeter is identity, and it is necessary to have a strong identity that is validated.”
When any identity attempts to access any resource, security controls should verify the identity with strong authentication, ensure access is compliant and typical for that identity, and confirm that the identity follows least privilege access principles.
Strategy #2 - Elevate authentication
Incorporating multifactor authentication or continuous authentication into your identity management strategy can substantially improve your organization’s information security posture. One roundtable participant shared that by extending identity management with continuous authentication capabilities, their organization can now validate identity when a user’s IP address or routine behavior pattern changes.
“Zero Trust will merely work if it is transparent to the end-user,” said a participant. “You have to make it easy and transparent. If you want to authenticate every five minutes or every second, that’s fine, as long as the end-user doesn’t have to do anything–as long as you can validate through other methods. For example, the endpoint can be one of the factors for multifactor authentication.”
Strategy #3 - Incorporate passwordless authentication
Passwordless authentication replaces the traditional password with two or more verification factors secured by a cryptographic key pair. When registered, the device creates a public and private key. The private key can be unlocked using a local gesture, such as a PIN or biometric authentication (fingerprint scan, facial recognition, or iris recognition).
Strategy #4 - Segment your corporate network
Network segmentation can be a pain point for business IT because firewalls represent early segmentation, and this can complicate development and testing. Ultimately, the IT team relies more on security teams to fix networking connectivity and access issues.
However, segmenting networks and conducting deeper in-network micro-segmentation is important for Zero Trust because in a mobile- and cloud-first world, all business-critical data is accessed over network infrastructure. Networking controls offer critical functionality to enhance visibility and help prevent attackers from moving laterally across the network.
Strategy #5 - Secure your devices
With the Zero Trust model, the same security policies are applied whether the device is corporately owned or a personally owned phone or tablet, also called “bring your own device” (BYOD). Corporate, contractor, partner, and guest devices are treated the same whether the device is fully managed by IT or only the apps and data are secured. And this is true whether these endpoints–PC, Mac, smartphone, tablet, wearable, or IoT device–are connected using the secure corporate network, home broadband, or public internet.
“In a BYOD world, the device is the explosive piece,” said one participant. “If you let unpatched devices attach to your network, it is, in essence, walking into your base with live regulation, and it can go bad speedily. Why wouldn’t you test outside to begin with?”
Strategy #6 - Segment your applications
Benefiting fully from cloud apps and services involves finding the appropriate balance between providing access and maintaining control to ensure that apps, and the data they contain, are protected. Apply controls and technologies to discover shadow IT, ensure appropriate in-app permissions, gate access based on real-time analytics, monitor for abnormal behaviour, limit user actions, and confirm secure configuration options.
“It is becoming easier and more achievable to have segmentation between the applications,” said the workshop participants. “Being able to provide excess privileges/role-based access is becoming part of the policy engine. The application part of the puzzle seems to be solving itself more intelligently as time goes on. Such approaches get validated every time I hear an end-user is able to dial in on the problem.”
Strategy #7 - Define roles and access controls
With the rapid rise in remote work, organisations must consider alternative ways of achieving modern security controls. It’s useful to operationalize roles and tie them to a policy as part of authorization, single sign-on, passwordless access, and segmentation. However, each role defined must be managed now and in the future, so be selective about how many roles you create so there aren’t management challenges later.
“If you create a thousand roles in your organization to be that granular, you will have problems with management down the road,” said a participant. “You’re going to end up with massive amounts of accounts that are not updated, and that’s where you have breaches.”
The journey toward Zero Trust
The foundational focus of organizations varies as they start their Zero Trust journey. Some of the organizations represented by roundtable participants began their Zero Trust journey with user identity and access management, while others started with network macro- and micro-segmentation or application sides. These leaders agreed that developing a holistic strategy to address Zero Trust is critical and that you should start small and build confidence before rolling out Zero Trust across your organization.
That typically means taking a phased approach that targets specific areas based on the organization’s Zero Trust maturity, available resources, and priorities. For example, you could start with a new greenfield project in the cloud or experiment in a developer and test environment. Once you’ve built confidence, we recommend extending the Zero Trust framework throughout the entire digital estate, while embracing it as an integrated security doctrine and end-to-end strategy moving forward. You’re not alone in this journey. Successful organizations have walked this path, and Microsoft is happy to be with you every step of the way.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
The post “Zero Trust: 7 adoption strategies from security leaders” appeared first on Microsoft Security.