Zero Trust security model imperative for resilience against identity threats

Seema Kathuria
Microsoft Cybersecurity
Oct 8, 2019

In the third of this three-part series, I share why organizations need to implement a Zero Trust security model to keep corporate and customer data secure.

(Source: Vintage Everyday)

Until the late 1980s, employees commonly worked at a fixed workstation, computer or kiosk inside offices, banks, factories, retail stores, gas stations, hospitals, hotels and so forth. As laptop computers became mainstream in the early 1990s, the way people access information began to shift: where that information lives changed, and the devices used to reach it became mobile rather than fixed. Information no longer resides exclusively, or at all, on physical devices, in data centers, or on removable media (tape drives, floppy disks, DVDs and thumb drives). It is more convenient, and over the long term largely more cost-effective, to save and share information (text, images, video) in and from the cloud. However, with this convenience comes risk — security risk.

(Source: College Info Geek)

Although it is convenient to access and manage information (phone numbers, passwords, photos, videos and other personal information) from mobile devices, doing so also exposes us to cyber crime. Imagine leaving your personal device unlocked in a public venue (a restaurant, a library, or elsewhere) and a stranger views your personal data in the Web browser, takes a photo, or worse, performs a malicious action (purchases something on your behalf, sends a message or email on your behalf, installs malicious software, remotely accesses your computer to execute commands with nefarious intent, or other). The possibilities are endless once someone has an entry point — your identity. Read part two of this series for information on some common identity attacks.

The bottom line: end users should, at a minimum, log out of or lock devices that are not under their control, and organizations should keep corporate resources and data resilient to threats by allowing access only under a well-defined set of conditions applicable to the device and user (location, device state, user/application, risk, and exceptions). In other words, they should implement a Zero Trust security model.

Why a Zero Trust security model is critical

(Source: Blue Secure)

As explained in this article, a Zero Trust approach, based on verifying and validating the identity of the user and device, and the health of devices and services, before allowing access, can help keep corporate resources resilient to cyber attacks by eliminating unknown and unmanaged devices and limiting lateral movement. For example, when a guest or contractor visits a company and connects a personal device on the premises, the organization should enforce a security policy built on a Zero Trust model to minimize the risk of unauthorized access to internal applications and resources. Such a policy grants the user only the limited network access the administrator has defined (e.g. guest users can browse the Internet but cannot reach any internal network).

Implementing such a model requires that all components — user identity, device, network, and applications — be validated and proven trustworthy. Zero Trust verifies identity and device health prior to granting access to corporate resources. When access is granted, applying the principle of least privilege limits user access to only those resources that are explicitly authorized for each user, thus reducing the risk of lateral movement within the environment. The following phases are important as part of the journey towards a Zero Trust security approach.

  1. Employ strong identity authentication everywhere. It is important to first verify the user that is requesting access from a device. Microsoft began the Zero Trust journey by implementing two-factor authentication (2FA) via smartcards for all users to access the corporate network remotely. The rapid adoption of mobile devices for work — which require connection to corporate resources — drove the evolution of the 2FA experience from the physical smartcard to a phone-based challenge, and later to the more modern experience of Azure Authenticator. As we move forward, the largest and most strategic effort presently underway is eliminating passwords in favor of biometric authentication through services like Windows Hello for Business. By eliminating passwords, security is improved and employees have a much better user experience.
  2. Enroll devices in a device management system and validate their health. Microsoft is working toward enrolling all user devices into a device management system, such as Intune, to enable device-health verification. This capability is essential to setting device-health policy for accessing Microsoft resources. For this phase, first we require that devices be managed (enrolled in device management via cloud management or classic on-premises management). Secondly, we require devices to be healthy in order to access major productivity applications (“hero” applications) such as Exchange, SharePoint, and Teams. These two requirements are intended to help reduce privacy and data compromise risks.
  3. Enforce Conditional Access. As explained here, the modern security perimeter extends beyond an organization’s network to include user and device identity. Managing risky user access, whether malicious or merely unintentional, requires organizations to employ Conditional Access policies: apply the right access controls when they are needed to keep the organization secure, and stay out of the user’s way when they are not. A Conditional Access policy is an if-then statement of assignments (the conditions under which it applies) and access controls (what it enforces); it brings signals together to make decisions and enforce organizational policies. In particular, Microsoft Azure AD Conditional Access enables Zero Trust by establishing identity as the new control plane (versus the traditional network-based security perimeter). Users are not only verified before getting access; they may also be subject to different tiers of verification based on the risk rating derived from the Conditional Access policy implementation.
  4. Enforce least-privilege user rights. Limiting access to only what is needed is critical. At the same time, security cannot be at odds with productivity. Microsoft has defined a plan to minimize the means of access to corporate resources and to require identity and device-health verification for all access methods. In our journey towards making primary services and applications that users require reachable from the internet, access methods will transition from legacy (corporate network), to internet-first (internet plus VPN when needed), then to internet-only (internet without VPN). This will reduce users accessing the corporate network for most scenarios. Despite the strong focus on implementing device health everywhere, some scenarios require users to work from unmanaged devices — for instance, in the cases of vendor staffing, acquisitions scenarios, and guest projects. We plan to address the needs of users with unmanaged devices by establishing a set of managed virtualized services that make applications or full Windows desktop environments available.
  5. Verify the health of services. The primary goal in this phase is to expand verification from identity and device to service health, making it possible to ensure service health at the start of every interaction. The purpose would be to establish a strong security baseline prior to a user taking some action, such as accessing data. For Microsoft, this phase is in a proof-of-concept stage to validate the concept and potential operational capability.
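To make the if-then structure of phases 1 to 4 concrete, here is an added example (my own toy code, not Microsoft or Azure AD code) that evaluates Conditional Access-style policies against sign-in signals. Each policy carries assignments (included groups, excluded users as exceptions, apps, locations, sign-in risk levels) and access controls (require MFA, require a healthy device, block). Several policies can match one sign-in; their controls are combined and a block wins over everything else. All policy, user, group and app names, and the sign-in scenarios, are constructed for illustration.

```python
"""Toy Conditional Access-style evaluator (added example, not Azure AD code).

A Policy is an if-then statement: `applies_to` is the IF (assignments),
`controls` is the THEN (access controls). All names below are constructed.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Set, Tuple

# Access controls, ordered least to most restrictive.
GRANT = "grant"
REQUIRE_MFA = "require_mfa"
REQUIRE_COMPLIANT_DEVICE = "require_compliant_device"
BLOCK = "block"
SEVERITY = {GRANT: 0, REQUIRE_MFA: 1, REQUIRE_COMPLIANT_DEVICE: 2, BLOCK: 3}


@dataclass(frozen=True)
class SignIn:
    """Signals available at sign-in time (constructed, not a real telemetry schema)."""
    user: str
    groups: FrozenSet[str]
    app: str
    location: str           # e.g. "corp_office", "home", "unknown"
    device_compliant: bool  # health verdict from the device-management system
    risk: str               # "low", "medium" or "high" from risk detection


@dataclass
class Policy:
    name: str
    include_groups: Set[str] = field(default_factory=set)  # empty = all users
    exclude_users: Set[str] = field(default_factory=set)   # exceptions
    apps: Set[str] = field(default_factory=set)            # empty = all apps
    locations: Set[str] = field(default_factory=set)       # empty = any location
    risk_levels: Set[str] = field(default_factory=set)     # empty = any risk
    controls: List[str] = field(default_factory=lambda: [GRANT])

    def applies_to(self, s: SignIn) -> bool:
        """IF part: exclusions win; every non-empty assignment must match."""
        if s.user in self.exclude_users:
            return False
        if self.include_groups and not (s.groups & self.include_groups):
            return False
        if self.apps and s.app not in self.apps:
            return False
        if self.locations and s.location not in self.locations:
            return False
        if self.risk_levels and s.risk not in self.risk_levels:
            return False
        return True


def evaluate(policies: List[Policy], s: SignIn) -> Tuple[str, Tuple[str, ...], Tuple[str, ...]]:
    """THEN part. Returns (outcome, outstanding_controls, matched_policy_names).

    outcome is BLOCK, GRANT, or the strictest control the user still has to
    satisfy. A compliant-device requirement is already met when the device
    reports compliant, so it drops out of the outstanding set.
    """
    matched = [p for p in policies if p.applies_to(s)]
    names = tuple(p.name for p in matched)
    required: Set[str] = set()
    for p in matched:
        required.update(p.controls)
    if BLOCK in required:
        return BLOCK, (BLOCK,), names
    if s.device_compliant:
        required.discard(REQUIRE_COMPLIANT_DEVICE)
    required.discard(GRANT)
    if not required:
        return GRANT, (), names
    outstanding = tuple(sorted(required, key=SEVERITY.__getitem__))
    return outstanding[-1], outstanding, names


# Constructed policy set loosely following the phases in the post.
POLICIES = [
    Policy("mfa-everywhere", controls=[REQUIRE_MFA],
           exclude_users={"break-glass-admin"}),  # a documented exception
    Policy("hero-apps-need-healthy-device", apps={"Exchange", "SharePoint", "Teams"},
           controls=[REQUIRE_COMPLIANT_DEVICE]),
    Policy("offsite-needs-healthy-device", locations={"home", "unknown"},
           controls=[REQUIRE_COMPLIANT_DEVICE]),
    Policy("block-high-risk-signins", risk_levels={"high"}, controls=[BLOCK]),
    Policy("guests-no-internal-apps", include_groups={"guests"},
           apps={"Exchange", "SharePoint", "Teams", "Internal-Portal"}, controls=[BLOCK]),
]

EMPLOYEES = frozenset({"employees"})
GUESTS = frozenset({"guests"})

# Constructed sign-in attempts used by demo().
SCENARIOS = {
    "employee_office_compliant_teams": SignIn("alice", EMPLOYEES, "Teams", "corp_office", True, "low"),
    "employee_home_personal_device_exchange": SignIn("alice", EMPLOYEES, "Exchange", "home", False, "low"),
    "employee_office_personal_device_wiki": SignIn("alice", EMPLOYEES, "Wiki", "corp_office", False, "low"),
    "employee_high_risk": SignIn("alice", EMPLOYEES, "Teams", "corp_office", True, "high"),
    "guest_internal_portal": SignIn("bob", GUESTS, "Internal-Portal", "corp_office", False, "low"),
    "guest_public_web": SignIn("bob", GUESTS, "Public-Web", "corp_office", False, "low"),
    "break_glass_admin": SignIn("break-glass-admin", EMPLOYEES, "Wiki", "corp_office", True, "low"),
}


def demo() -> dict:
    """Evaluate every constructed scenario; returns {scenario: outcome}."""
    return {name: evaluate(POLICIES, s)[0] for name, s in SCENARIOS.items()}


if __name__ == "__main__":
    for name, s in SCENARIOS.items():
        outcome, outstanding, matched = evaluate(POLICIES, s)
        print(f"{name:40s} -> {outcome:24s} controls={list(outstanding)} via={list(matched)}")
```

Two design points worth noting: exclusions are checked before inclusions, so the break-glass account bypasses the MFA policy only because it is named explicitly (exceptions should be few and reviewable), and the outcome reports every outstanding control rather than just the first matching policy, which is what lets an administrator see why a sign-in from a healthy office device still prompts for MFA while the same user on a personal device at home is held until the device is enrolled and healthy.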

Get some valuable tips for Zero Trust in this video featuring Microsoft Director of Identity Security, Alex Weinert. He speaks about and demonstrates what organizations can do using Microsoft Azure AD Conditional Access.


Work for Microsoft in Cybersecurity Solutions Group, with 15+ years of experience marketing IT security and robotics technologies. Mother, Bollywood singer :)