
Zero Hype

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.

 

At Ignite, I had the privilege of presenting “Zero Hype” with my colleagues Nupur Goyal (@nupur_11), who leads our Product Marketing, and Yinon Costica (@c0stica), who directs program management for Azure Security Center, Microsoft Cloud App Security, and Azure ATP for Users, among others. Concepts like Zero Trust are useful only if they are concrete. Despite years of the term being batted around, consistency and clarity on the term are still very poor among the folks I talk to. So, when Nupur asked me to do a talk on Zero Trust, I suggested we do everything we could to clear away the fog on the concept. I hope we achieved that. For those of you who weren’t able to see the session, I wanted to capture the essence here.

 

In a Nutshell

Zero Trust, conceptually, asserts that traditional security models based on “the walled garden” are outdated, and that security models should assume that all requests should be treated as though they originate from an uncontrolled (external or compromised) network. Whether you think of this as “assuming breach” and operating as though the enemy is inside your perimeter, or you think of this as operating in a perimeter-less environment, it’s all about operating as though you are in a pervasive threat environment. This is a simple concept; we don’t need to complicate it or dress it up, because on its own it has powerful implications. Let’s dig in a bit.

 

Once Upon a Time

In 1990, I started a company that was (among other things) helping people build out networks for their offices. Fundamentally, there was very little in the way of connectivity between these networks. If you had two offices, you used a Wide Area Network – a leased line – to get between them. In this world, you could very safely assume that any access to any resource came from within a building you owned, from a machine you owned, by someone you employed. As a result of these assumptions, file shares were wide open, apps were accessible by anyone with a username/password combo, and almost all of the companies I worked with centered their strategy on “we trust our employees.” Yes, there were outliers, but even advanced security wasn’t very advanced then, and was centered more on building access than network access.

 

Over the next few years, with the advent of better modem speeds and cheaper PCs, telecommuting became more popular and VPNs (that you dialed in to, remember?) became a thing. By 1994, the Internet was gaining broad traction in academia and corporations were starting to forego leased lines in favor of public infrastructure. Suddenly, all those private networks were connected to the big world outside. Firewall companies took off, trying to keep all the unexpected or malicious traffic out. The walled garden – a network defended at the perimeter, but essentially open once inside – was born. I think of this as us “defending our assumptions.”

 

The years that followed brought dizzying changes – Netscape became big in 1995; Microsoft went “Internet first” in December of that year. Salesforce launched their SaaS offering in 2000. Starbucks put WiFi in all their stores in 2002. The iPhone launched in 2007. Office 365 launched in 2011. With each of these changes, the assumptions we’d been making about access to resources – that they were from our network, on devices we owned, to apps we’d deployed, by people we worked with – became less and less valid. IT today looks nothing like the world the walled garden model was intended for. None of the assumptions are valid anymore – attackers have known this for years.

 

Evolving Our Thinking

Fortunately, there were thought leaders who saw these changes happening and reacted. In 2003 the Jericho Foundation introduced the concept of de-perimeterization. In 2010 John Kindervag at Forrester wrote “Build Security Into Your Network’s DNA: The Zero Trust Network Architecture” and the term Zero-Trust was born. In 2013, Microsoft coined “Identity Driven Security” and introduced the Enterprise Mobility Suite (EMS) to address the core security and compliance needs of enterprises – Secure Access, Secure Devices, and Secure Data. That same year, Google implemented a no-network-trust model in “BeyondCorp”, providing a “demonstrator” which inspired tremendous interest.

This interest fueled a massive surge in hype. By this year’s RSA, virtually all booths were touting their Zero Trust-ness. One analyst told me “the age of Zero-Trust-washing has arrived.” Smart people simultaneously realized there was something there they should be paying attention to, and were completely unable to find a consistent, crisp definition. When I ask folks to raise their hands if they are confident in what Zero Trust means, I’m lucky if 5% of folks are willing to venture a guess.

 

But the essence of Zero Trust remains simple – security models which assume safety based on network location are inadequate. Modern security models must assume all access requests come from uncontrolled networks.

 

De-FUD’ing Zero Trust

I sometimes use the slang term “FUD” – Fear, Uncertainty, and Doubt. I want to attempt to de-FUD Zero Trust by blowing away some of the fog surrounding the term. Here’s what Zero Trust isn’t:

 

The Zero Trust Mindset

I believe the most useful thing about Zero Trust is the mindset it creates. The mindset to adopt is that you are operating in a pervasive threat environment, one that demands that you continuously assess and re-assess the viability of your security strategy. Here are some key behaviors you might exhibit if you accept that you are operating in a pervasive threat environment:

 

We can distill all this down to three key principles:

Conceptual Architecture

We have seen that successful adoption of a Zero Trust approach benefits from some critical elements. We pulled these together into a conceptual architecture, pictured below.

The critical elements are as follows. First, the key resources:

 

Then, the key tools to tie it together:

 

Next Steps

Here are some next steps and related on demand sessions to help you go deeper on how to get started today:

Identity Teams:

  1. Connect all your apps for single sign-on – Identity is your control plane, but only for apps and users that are visible to it!
  2. Ensure strong identity with multi-factor authentication and risk detection.
  3. Enforce policy-based access and least privileged access for breach containment.
  4. Check out these sessions:
    • BRK2132: How Microsoft uses Azure Active Directory Identity Protection and Conditional Access to protect its assets
    • BRK4017: The science behind Azure Active Directory Identity Protection

 

Device Management Teams:

  1. Register your devices with your Identity provider so you can consider device context in your policies.
  2. Implement MDM security baselines with compliance reporting.
  3. Implement role-based access control that allows view access for impact assessment.
  4. Check out this session:
    • DEP50: Why Microsoft 365 device management is essential to your Zero Trust strategy

 

Network and Infrastructure Teams:

  1. Enable a cloud workload protection solution across your hybrid and multi-cloud estate.
  2. Use cloud-native controls to create micro perimeters.
  3. Reduce attack surface by implementing just-in-time application and network segmentation.
  4. Check out these sessions:
    • BRK3188: Protect your cloud workload from threats using Azure Security Center
    • BRK3185: Securing your cloud perimeter with Azure Network Security

 

Application and Data Teams:

  1. Perform shadow IT discovery and implement a cloud control program – you can’t manage what you can’t see.
  2. Agree on a label taxonomy and classify documents and emails – use default taxonomy for initial classifications.
  3. Apply protections to high risk scenarios such as sensitive data and unmanaged access in apps.
  4. Check out these sessions:
    • BRK2108: Top CASB use cases to boost your cloud security strategy
    • BRK2119: Secure your sensitive data! Understanding the latest Microsoft Information Protection capabilities
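To make the principle above concrete (“assume all access requests come from uncontrolled networks”) and the identity and device steps listed here, the following is an added illustration, not code from the post or from any Microsoft product: a walled-garden decision that trusts network location, next to a Zero Trust decision that ignores location and instead checks strong identity, device registration and compliance, sign-in risk, and least-privilege scope. The request fields, the corporate address prefix, and the role names are constructed for the example and are not a Conditional Access schema.

```python
from dataclasses import dataclass
from typing import Tuple

# Constructed model of an access request; field names are assumptions for this
# example and do not mirror any real identity provider's schema.
@dataclass(frozen=True)
class AccessRequest:
    user: str
    source_ip: str           # where the request appears to originate
    mfa_satisfied: bool      # strong identity: a second factor was completed
    device_registered: bool  # device is known to the identity provider
    device_compliant: bool   # device meets the MDM security baseline
    sign_in_risk: str        # "low" | "medium" | "high" from risk detection
    requested_role: str      # scope the caller asks for on the resource

CORP_NETWORK_PREFIX = "10."            # constructed "inside the perimeter" range
ALLOWED_ROLES = {"reader", "editor"}   # least privilege: no standing admin grant


def walled_garden_decision(req: AccessRequest) -> bool:
    """Legacy model: trust is inferred from network location alone."""
    return req.source_ip.startswith(CORP_NETWORK_PREFIX)


def zero_trust_decision(req: AccessRequest) -> Tuple[bool, str]:
    """Zero Trust model: location is never consulted. Every request must show
    strong identity, a registered and compliant device, acceptable risk, and
    must ask only for a least-privilege role. Checks are ordered so the first
    failing control is reported."""
    if not req.mfa_satisfied:
        return False, "strong identity required"
    if not (req.device_registered and req.device_compliant):
        return False, "device must be registered and compliant"
    if req.sign_in_risk != "low":
        return False, f"sign-in risk {req.sign_in_risk} not accepted"
    if req.requested_role not in ALLOWED_ROLES:
        return False, f"role {req.requested_role} exceeds least privilege"
    return True, "granted"


# Constructed sample requests: the first is "inside" but weak, the second is
# "outside" but healthy, the third is healthy except for a high-risk sign-in.
INSIDE_NO_MFA = AccessRequest("alice", "10.1.2.3", False, True, True, "low", "reader")
OUTSIDE_HEALTHY = AccessRequest("bob", "203.0.113.7", True, True, True, "low", "editor")
OUTSIDE_RISKY = AccessRequest("carol", "203.0.113.9", True, True, True, "high", "reader")

if __name__ == "__main__":
    for req in (INSIDE_NO_MFA, OUTSIDE_HEALTHY, OUTSIDE_RISKY):
        print(req.user, walled_garden_decision(req), zero_trust_decision(req))
```

The two models disagree on exactly the cases the post describes: the walled garden admits the weak request because it looks internal and rejects the healthy one because it looks external, while the Zero Trust evaluation does the reverse.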

 

Finally, check out our Zero-Trust center and especially the maturity model which we hope will help you think about next steps on your journey.

I really hope this blog has helped make Zero Trust clear and actionable for you – but if you have questions or feedback, please reach out to me on Twitter at @alex_t_weinert.

Stay safe out there!

-Alex
