Adopting a Zero Trust Approach to Security – Part 2

Welcome back! Our last blog on adopting a Zero Trust approach to security gave you a high-level overview of the core principles in a Zero Trust security model. In this blog, we’ll start by discussing o the first and most important pillar, identity. Identity is the primary control plane for the Zero Trust model, which acts as the front door for users, service accounts, and devices that require access to resources.

Verify Identity

Identity is at the core of Zero Trust concepts which involves verifying explicitly and granting the appropriate level of access through a least privilege approach. Identity as a whole defines our security boundaries and is used as the driving factor in how the organization chooses to allow (or deny) access to its corporate resources. So what do we mean by this exactly? For example, if we have an identity (whether it be a person, service account, IoT device, etc.), we check the following:

1. Verify that identity with strong authentication
2. Ensure that access is compliant and abides by typical access patterns for that particular identity
3. Verify the identity follows least-privilege access principles

Enforce Strong Identity

One of the most important steps in your journey to Zero Trust relates to identity is establishing a common and unified directory service, such as Azure Active Directory (AAD). By doing this, we can then authenticate users, devices, and processes to your resources, applications, and services. This means that every employee who needs access to your corporate resources will be assigned an identity synchronized to Azure AD. That identity will give users access to the corporate resources, Microsoft 365, Microsoft’s SaaS applications, and even third-party PaaS/SaaS applications. With all that being said, you must enforce a strong identity that can be fulfilled through solutions like:

• Microsoft Defender for Identity
  • Microsoft Defender for Identity (formerly known as Azure Advanced Threat Protection (Azure ATP)) allows you to monitor on-premises Active Directory signals so you can identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
• Integrate Microsoft Defender for Identity with MCAS
  • Microsoft Cloud App Security (MCAS) integrates with Microsoft Defender for Identity, which provides user entity behavioral analytics (UEBA) across hybrid environments. This hybrid offering will analyze activity and alerts to determine risk behaviors and provide investigation priority scores so you can streamline your incident response if one of your identities is ever compromised.
• Application Integration with Azure AD
  • Microsoft requires that all applications integrate with Azure AD via OAuth 2.0 with the latest Microsoft Authentication Library (MSAL). In addition, Microsoft uses an extensive SSO store to enforce strong authentication for any third-party applications.
• Multifactor Authentication
  • Multifactor authentication is one of the most important aspects of a strong identity. By requiring multifactor authentication to verify a user’s identity before giving them access to corporate resources, you significantly reduce the risk of that identity being compromised. So much so that based on Microsoft’s studies, your account is 99.9% less likely to be compromised if you use MFA. In short, long passwords aren’t enough anymore, and if you’re not using MFA today, stop reading this article now, and come back once it is in place!

Stop depending on passwords

Unleash the Potential of Power Platform With a Center of Excellence

Business innovation often comes from within. Discover how to empower innovation from non-traditional developers with the Microsoft Power Platform.

Learn More

By reducing password dependency, you can begin to eliminate password usage within the organization. “Why would an organization want to reduce password dependency,” you may ask? The goal is not to eliminate password data but to reduce the need for a user to repeatedly use that password as part of the authentication process. Microsoft themselves are eliminating passwords within the organization by utilizing several different platforms and technologies. Some of those including:

• Multifactor Authentication
  • As we alluded to earlier, MFA is one of the most critical pieces used to protect your identity. In Azure Active Directory, MFA will allow your organization to remove password requirements for authentication. Microsoft uses Azure AD MFA, the Microsoft Authenticator app, and Windows Hello for Business to facilitate this authentication within their environment. Still, they also use other technologies like Fast Identity Online (FIDO) to replace biometric data in Windows Hello and utilize smart cards for administrative access control scenarios.
• Windows Hello for Business
  • As mentioned, Microsoft utilizes Windows Hello for Business as a two-factor biometric authentication method. In essence, Windows Hello for Business allows all users on Windows 10 devices to replace their password data with biometric data, such as a fingerprint. In addition, Microsoft uses Windows Hello for Business to support “smart card-like” scenarios such as certificate-based deployments, which allows them to easily provide certificate renewal and remote-access capabilities.
• Modernized hardware
  • Last but certainly not least, it is always important to keep your hardware as modernized as possible. Modernizing your hardware portfolio is a crucial part of your MFA journey, especially since MFA and Windows Hello for Business rely on technologies like Trusted Platform Module (TPM) 2.0 and FIDO 2.0 for biometrics support. This may seem like a big investment to modernize your hardware, but this will likely be a drop in the bucket compared to what a breach to your environment would cost you otherwise, especially with the latest ransomware attacks that have been happening far too often.

Only granting least-privilege access

One key way of reducing the attack surface area of your identities is by granting them the least privileged access required to carry out their job. By default, all identities begin with no access. We then expand on this by using the least-privilege access model, which means our systems only grant access when needed. This means that all applications, services, and infrastructure will only provide the minimum set of access required by its users. This involves the following key factors:

• Eliminating unnecessary access to reduce any impact from the compromised identity
• Follow the KIS (Keep it Simple) method towards your implementation. This method can be used for about 90% of scenarios, and you should only pursue more complex implementations when necessary, i.e., with administrative accounts or high-risk environments.
• Simplify your access-administration solutions for users and application owners
• Aim for central preventative controls versus distributed manual configurations
• Look at things from a cloud-first approach where the Zero Trust model thrives the most.

To begin this journey of least-privilege access, I suggest you identify and classify the roles that require elevated access. Once determined, look at each identity and determine the level of elevated access required, as not all elevated access is created equal. For example, does your Teams administrator really need to have Global admin privileges? Probably not! In short, to successfully reduce your organization’s attack surface, you should be looking to reduce the number of elevated privilege accounts and provide those elevated privilege accounts with the least privilege access needed to get their tasks done within their respective role. On top of that, we can require conditional access to applications by granularly enforcing MFA at the application level. This flexibility allows you to target specific people or groups and apply access requirements based on where they reside (internal or external to the organization’s network). For example, many organizations may want to only enforce single-factor authentication for users accessing resources while on the corporate network. In contrast, users not on the corporate network will require multifactor authentication.

Wrapping things up

I’ll say it until I’m blue in the face, but identity is the most important factor in your Zero Trust model. Identity is the most important factor when determining your access to your organization’s resources, so it is crucial to get identity down before looking at the other pillars of the Zero Trust model. To recap, if you are just beginning your Zero Trust journey, start by implementing the things we discussed today:

• Enforcing strong identities
• Reducing dependency on passwords
• Limiting access to data based on leave-privilege access

Once you’ve tackled these identity tasks throughout the organization, you can begin to strengthen and build out the remaining pillars by securing your endpoints, applications, data, infrastructure, and network! Just keep in mind, this is not a 40-yard dash. This is a marathon. So start with one area, secure it to the best of your ability, and then proceed to the next pillar. The last thing you want to do is jump around from one pillar to the next, and as a result, you’re left with a half-baked security solution with multiple gaps that can easily be exploited. I hope you have found this article helpful, and I encourage you to check back soon, as we’ll take a look at endpoints next in our journey towards adopting a Zero Trust security strategy!