The security landscape has changed with remote work and cloud applications. Employees are working remotely and using their own devices to get work done. Data is being accessed and shared outside the corporate network, and both data and applications are moving to the cloud. Security now extends beyond the physical location of the office.
If your organization relies on on-premises firewalls and VPNs, you may lack the visibility and agility to deliver efficient, comprehensive security coverage.
What does this mean?
Quite simply, it means that organizations need a security plan that adapts to the challenges of the modern environment, embraces the mobile workforce, and protects people, devices, applications, and data, regardless of location.
This is the notion of Zero Trust.
Zero Trust overview
A Zero Trust model assumes breach and verifies every request as though it started from an uncontrolled network. Zero Trust teaches us to "never trust, and always verify".
In a Zero Trust model, every access request is strongly authenticated, authorized and inspected before access is granted.
Organizations need to provide secure access to their resources regardless of the user and their application environment. Before access is allowed, the following are assessed:
- User’s location
- User’s role
- Device health
- Type of service
- Data classification being requested
A Zero Trust security model relies on automated enforcement of security policy to ensure compliant access decisions. The framework of controls built into your security solutions enables your organization to fine-tune access policies with contextual user, device, application, location, and session risk information to better control how corporate resources are accessed. These policies are used to decide whether to:
- Allow access
- Deny access
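The decision described above can be sketched as a small default-deny policy check. This is an added example, not code from any product the page mentions; the role names, service names, location labels, classification levels and the decide function are all hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed classification scale, lowest to highest sensitivity.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Constructed entitlements: (role, service) -> highest classification allowed.
ROLE_CEILING = {
    ("engineer", "source-control"): "confidential",
    ("engineer", "hr-portal"): "internal",
    ("hr-analyst", "hr-portal"): "restricted",
}
TRUSTED_LOCATIONS = {"corp-office", "registered-home"}  # constructed labels


@dataclass(frozen=True)
class AccessRequest:
    role: Optional[str]               # user's role
    location: Optional[str]           # user's location
    device_compliant: Optional[bool]  # device health
    service: Optional[str]            # type of service
    classification: Optional[str]     # data classification being requested


def decide(req: AccessRequest):
    """Return ("allow" | "deny", reasons). Missing or unknown signals fail closed."""
    missing = [name for name, value in vars(req).items() if value is None]
    if missing:
        return "deny", [f"missing signal: {name}" for name in missing]
    if req.classification not in LEVELS:
        return "deny", ["unknown data classification"]

    reasons = []
    wanted = LEVELS[req.classification]
    ceiling = ROLE_CEILING.get((req.role, req.service))
    if ceiling is None:
        reasons.append("role has no entitlement for this service")
    elif wanted > LEVELS[ceiling]:
        reasons.append("classification exceeds role ceiling")
    if not req.device_compliant:
        reasons.append("device not compliant")
    # Location can only tighten the decision: nothing above "internal"
    # is released to a location outside the trusted set.
    if req.location not in TRUSTED_LOCATIONS and wanted > LEVELS["internal"]:
        reasons.append("sensitive data requested from untrusted location")
    return ("deny", reasons) if reasons else ("allow", [])
```

Every signal is evaluated on each request, and the reasons list gives the enforcement point something to log when access is denied.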
Building Zero Trust into your organization
A Zero Trust approach should extend throughout your organization and serve as an integrated security policy. This can be done by implementing Zero Trust controls across six elements: Identities, Devices, Applications, Data, Infrastructure, and Networks.
- Identities | This refers to people, services and IoT devices that define the Zero Trust control plane. When someone attempts to access a resource, you need to verify that identity with strong authentication and ensure access is compliant and typical.
- Devices | Once an identity has been granted access, data can flow to a variety of different devices. This diversity creates a large attack surface area, requiring you to monitor and enforce device health and compliance for secure access.
- Applications | Applications provide the interface through which data is consumed. Controls and technologies should be applied to ensure appropriate permissions, gate access based on real-time analytics, monitor for unusual behavior, and validate secure configuration options.
- Data | Ultimately, security teams are focused on data protection. Where possible, data should remain safe even if it leaves the devices, apps, infrastructure, and networks controlled by the organization. Data should be labeled, classified and encrypted.
- Infrastructure | Infrastructure represents a critical threat. It’s important to assess version, configuration, and access to strengthen defenses, use telemetry to detect attacks, and automatically block and flag dangerous behavior and take protective actions.
- Networks | Networking controls provide critical mechanisms to enhance visibility and prevent attackers from moving laterally across the network. Networks should be segmented, and real-time threat protection, end-to-end encryption, monitoring, and analytics should be employed.
While a Zero Trust security model is most effective when integrated across the entire organization, most companies will need to take a phased approach that targets specific areas for change based on their Zero Trust maturity, available resources, and priorities.
It will be important to carefully consider your investments and align them with current business needs.