Guide: Getting Started with Zero Trust Security in Microsoft 365
Zero Trust is a security model that can be applied to Microsoft 365. It focuses on improving security by verifying both the identity and the device before granting access to resources. You can think of Zero Trust as a way of working in which you assume that every user and device accessing your environment, whether inside or outside the network, may be compromised, and therefore take action to confirm the validity of each one.
At a time when the use of devices and applications to access internal resources from many locations has increased because of the pandemic, protecting yourself from threats through aggressive and proactive policies is important.
This is the first article in the Microsoft 365 Zero Trust series. Here, you will be introduced to the various concepts of Zero Trust in Microsoft 365, along with several pieces of information to help you to gain an adequate level of understanding of this security model.
Zero trust follows the idea of “never trust, always verify”. Microsoft has defined 3 principles on which zero trust operates:
- Verify Explicitly: Every point like user identity, location, device state, and health must be taken into consideration before granting anyone access to resources. The emphasis is on always authenticating and then authorizing based on the points mentioned here.
- Use Least Privileged Access: Admin roles must be granted with limits such as just-in-time (JIT) and just-enough-access (JEA) strategies.
- Assume Breach: Security experts must assume that resources are breached and take measures to limit the damage. Use of analytics to detect threats and harden security is important.
The Pillars of Zero Trust in Microsoft 365
Let's take a brief look at the deployment approach for Zero Trust Security for Data:
- Access decisions are governed by encryption – Sensitive data must be encrypted to secure it at every stage. Sensitivity labels can be used to classify it.
- Data is automatically classified and labeled – Azure Information Protection can be used to achieve this. You can also configure auto-labeling for Office apps and apply sensitivity labels automatically.
- Classification is augmented by smart machine learning models – You can leverage machine learning capabilities to label massive amounts of data. At present, labeling can be done manually, through automated pattern matching, or with trainable classifiers.
- Access decisions are governed by a cloud security policy engine – Cloud App Security can be used to govern access based on sensitivity labels.
- Prevent data leakage through DLP policies based on a sensitivity label and content inspection – DLP policies should be used to identify and protect sensitive data across Microsoft 365.
Securing the infrastructure is another critical requirement for any environment. IT infrastructure includes hardware, software, and network infrastructure, among other components. These can be either on-premises or in the cloud.
The strategy is to assess the compliance of the infrastructure, observe the gaps, decide the mitigation actions, test those and then deploy them.
Now let’s run through the crucial points in the deployment of Zero Trust Security in Infrastructure:
- Workloads are monitored and alerted to abnormal behavior – You must ensure that newly created infrastructure is configured with policies to monitor and raise alerts. Azure Security Center, Azure Advanced Threat Protection, and Advanced Threat Analytics should be used to identify and investigate threats, compromised identities, and attacks originating from external sources. These reports and findings must then be integrated with Azure Sentinel to have a single place to view all the information and take action.
- Every workload is assigned an app identity and configured and deployed consistently – Every newly created resource must be assigned a policy designed as per your organization’s compliance requirements.
- Human access to resources requires Just-In-Time – Identities must be provided with access to only those resources which are needed for their work and the access must be for a limited duration.
- Unauthorized deployments are blocked, and an alert is triggered – Azure Blueprints can help you define policies for new infrastructure deployments. If an unapproved resource is deployed, an alert notifies the admins.
- Granular visibility and access control are available across workloads – RBAC permissions can be assigned to, and removed from, resources in a consistent way, ensuring uniformity.
- User and resource access segmented for each workload – You can use network segmentation, Network Security Groups, Azure Firewall among others to segment workloads.
The zero trust principle of testing and verifying every identity and endpoint even if it’s within the network is applied here too. The approach is to pre-empt attacks and prepare for them.
Deploying Zero Trust Security in Networks involves the following points in brief:
- Network segmentation: Many ingress/egress cloud micro-perimeters with some micro-segmentation – This method uses a different segment for each workload. Every segment has its own ingress and egress traffic controls, ensuring that its bandwidth is not abused by unauthorized access. This removes the dependency on a single network pipe.
- Threat protection: Cloud-native filtering and protection for known threats – Applications in the cloud that have connections with external environments or with on-premises need to be monitored for threats originating from those areas. Traffic from these can be scanned using Azure Web Application Firewall. You can also set up rules for such traffic using Azure Front Door and Azure Application.
- Encryption: User-to-app internal traffic is encrypted – Traffic between users and applications inside the network must be encrypted, not only traffic entering from outside.
- Network segmentation: Fully distributed ingress/egress cloud micro-perimeters and deeper micro-segmentation – The network components can be segregated further. At this stage you should split workloads into different subnets using virtual network subnets and network security group rules.
- Threat protection: Machine learning-based threat protection and filtering with context-based signals – Azure DDoS Protection Standard should be enabled to monitor your Azure traffic. It uses machine learning techniques to detect abnormal traffic loads and take mitigation actions.
- Encryption: All traffic is encrypted – Encrypting all traffic, not just user-to-app traffic, protects data in transit at every hop.
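As an added example (not from the original post), the check below reviews a subnet's network security group rules for the micro-segmentation gaps described above: inbound Allow rules open to any source, management ports reachable from anywhere, and a blanket allow for the whole virtual network. The sample rules are constructed and only mimic the field names of an `az network nsg rule list -o json` export; the rule shape and thresholds are assumptions.

```python
import json

# Constructed sample, not a real export: field names follow the shape of
# `az network nsg rule list -o json`, trimmed to what this check needs.
SAMPLE_NSG_RULES = json.loads("""
[
  {"name": "AllowAppTierFromWeb", "priority": 100, "direction": "Inbound", "access": "Allow",
   "protocol": "Tcp", "sourceAddressPrefix": "10.0.1.0/24", "destinationPortRange": "8443"},
  {"name": "AllowRdpFromAnywhere", "priority": 110, "direction": "Inbound", "access": "Allow",
   "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
  {"name": "AllowAllInternal", "priority": 120, "direction": "Inbound", "access": "Allow",
   "protocol": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
  {"name": "DenyAllInbound", "priority": 4000, "direction": "Inbound", "access": "Deny",
   "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"}
]
""")

# Source prefixes that mean "anyone" and ports that should never be exposed that widely.
BROAD_SOURCES = {"*", "Internet", "0.0.0.0/0", "Any"}
MANAGEMENT_PORTS = {"22", "3389", "5985", "5986"}


def port_range_covers(rng, port):
    """True if an NSG destinationPortRange ('*', '22' or '1000-2000') includes port."""
    if rng == "*":
        return True
    lo, _, hi = rng.partition("-")
    return int(lo) <= int(port) <= int(hi or lo)


def find_segmentation_gaps(rules):
    """Return (rule name, reason) pairs for inbound Allow rules that undermine segmentation.

    Only the singular sourceAddressPrefix field is inspected (assumption for brevity);
    rules are walked in priority order, as the NSG evaluates them."""
    findings = []
    for r in sorted(rules, key=lambda x: x["priority"]):
        if r["direction"] != "Inbound" or r["access"] != "Allow":
            continue
        src, ports = r["sourceAddressPrefix"], r["destinationPortRange"]
        if src in BROAD_SOURCES and any(port_range_covers(ports, p) for p in MANAGEMENT_PORTS):
            findings.append((r["name"], "management port reachable from any source"))
        elif src in BROAD_SOURCES:
            findings.append((r["name"], "allows inbound traffic from any source"))
        elif src == "VirtualNetwork" and ports == "*":
            findings.append((r["name"], "whole VNet allowed on all ports; segment per workload"))
    return findings


if __name__ == "__main__":
    for name, reason in find_segmentation_gaps(SAMPLE_NSG_RULES):
        print(f"{name}: {reason}")
```

Run it against a real export by replacing SAMPLE_NSG_RULES with the parsed JSON of `az network nsg rule list` for each subnet NSG.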
Zero Trust Assessment Tool
This tool poses a set of questions about your organization's setup and then provides feedback based on your answers. You can take a separate assessment for each pillar: Identity, Endpoint, Data, Applications, Networks, and Infrastructure.
Most of the security measures discussed in this article are probably already in use in a majority of organizations. The Zero Trust security model provides a plan of action to combine these splintered efforts into an organization-wide template. Teams that are working in silos on these security aspects can be brought on board through this model.
In the next post, we will explore how Zero Trust Security for Identity can be deployed effectively.