Zero Trust – A buzz word or a strategy?

Over the last few years, there has been a lot of buzz around Zero Trust; you often hear CISOs, CIOs and CTOs talking about it. Marketing teams love the term as well. From an IT professional and industry standpoint, it is a lot more than just a buzz word: it should now actively be part of your strategy.

So what exactly is Zero Trust?

Zero Trust is a set of principles, but it is also a change of perspective from a security standpoint.

Traditionally we only ever thought of protecting the internal network from external threats. Everything would be secure within a datacenter and sites would be joined using an MPLS Network, with users connecting in via a VPN or Remote Desktop Solution.

However, that has changed dramatically since the explosion of the internet, which has transformed the way we do things. The user population is no longer just your employees; it is now your partners, your clients and contractors, and they have started to use their own devices. The shift to the cloud, with Microsoft 365 and other cloud services such as Azure and AWS, has seen data being stored across more locations and shared in different ways. Tie this to the variety of devices now being deployed and connected to our networks across multiple locations, and it becomes clear that we can no longer encapsulate and protect our network in the traditional bubble.

[Figure: A model of the modern architecture around cloud services, in which the corporate network is just one element of protection we need to consider. Caption: The explosion of cloud services and ways of working has changed our perspective on security.]

The change in the way we protect our organisations is daunting, which is why Zero Trust, from a Microsoft perspective, is built on 3 principles that aid the transition from traditional to modern security. The 3 principles are:

Verify Explicitly

The first is very much about authentication and authorisation. In a traditional sense, we always assumed that once you had authenticated your credentials you would then be authorised to access resources. Under the principle Verify Explicitly, you always authenticate and authorise, and not just based on user identity but on all available data points. These could include location, device health, service or workload, data classification, and anomalies.

Use least privileged access

When I first started in IT, users would be given permissions they didn’t need. Some of these were shocking: in one role I saw Domain Admin rights being granted to a user so that, to quote, “They could just work without bothering us”. The concept of least privilege has been around for a long time; however, it is often seen as something that hampers IT professionals from doing their job.

Least privilege is now seen as something not just for end-users but for IT professionals as well; it's about Just In Time Access and Just Enough Access. It is there to protect both data and productivity. In a Zero Trust strategy, it should not just cover protection within the application or data but should stretch to protecting all aspects, including the network.
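The sketch below is an added example, not code from the original post or from any Microsoft product. It combines Verify Explicitly and least privilege in one per-request decision: access needs an unexpired, narrowly scoped grant (Just In Time, Just Enough) and a check of the signals listed above. All names, countries and thresholds are hypothetical.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
TRUSTED_COUNTRIES = {"GB", "IE"}  # constructed sample policy value

@dataclass(frozen=True)
class Grant:  # Just In Time: it expires. Just Enough: one action on one resource.
    user: str
    resource: str
    action: str
    expires: datetime

@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    action: str
    country: str
    device_compliant: bool
    classification: str   # "internal" or "confidential"
    anomaly_score: float  # 0.0 normal .. 1.0 highly unusual (hypothetical scale)
    mfa_done: bool

def decide(req, grants, now):
    """Evaluate one request; called on every access, not once at sign-in."""
    # Least privilege: need an unexpired grant for exactly this action and resource.
    if not any(g.user == req.user and g.resource == req.resource
               and g.action == req.action and g.expires > now for g in grants):
        return "deny"
    # Verify explicitly: a valid identity is not enough, weigh every signal.
    if req.anomaly_score >= 0.8:
        return "deny"
    if req.classification == "confidential" and not req.device_compliant:
        return "deny"
    risky = req.country not in TRUSTED_COUNTRIES or req.anomaly_score >= 0.4
    if risky and not req.mfa_done:
        return "challenge"  # step-up authentication before access
    return "allow"

def demo():  # constructed requests; returns the decision for each case
    now = datetime(2021, 1, 1, 9, 0, tzinfo=timezone.utc)
    grants = [Grant("alice", "payroll-db", "read", now + timedelta(hours=1))]
    ok = Request("alice", "payroll-db", "read", "GB", True, "confidential", 0.1, False)
    return {"normal": decide(ok, grants, now),
            "abroad": decide(replace(ok, country="BR"), grants, now),
            "bad_device": decide(replace(ok, device_compliant=False), grants, now),
            "write": decide(replace(ok, action="write"), grants, now),
            "expired": decide(ok, grants, now + timedelta(hours=2))}

print(demo())
```

The same user with the same valid credentials gets a different answer in each case, which is the shift away from "authenticated once, therefore authorised".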

Assume Breach

The principle of Assume Breach is potentially a scary prospect for most; however, it’s more about thinking through what would happen if you have been breached.

  • Would your organisation be protected?
  • Would your staff be protected?
  • Would you be able to recover from it, and how long would it take?

All of the above are valid questions to ask in a breach scenario, but they also serve a purpose in changing your mindset around security, so that you start to ask different questions when you evaluate your current environment and implement new solutions. The principle is about thinking how you can minimise the blast radius of a breach, because you will get breached at some point. However that breach happens, you need to start thinking about how you could stop lateral movement across your environment. That means segmenting access not just by networks, but by users, devices and applications; limiting the attack vectors which could affect your organisation; and bringing visibility and analytics into your environment to help drive threat detection and improve your defences.

What Next?

The next stage is building a Zero Trust strategy. Zero Trust is not tied to a specific vendor but spans a multitude of vendors, so it’s about ensuring that the security roadmap starts to align to the principles of Zero Trust. More specifically, from the Microsoft view of Zero Trust, there are many tools already available to most organisations that have started to adopt Microsoft 365. These include tools such as:

  • Azure AD Premium, with Multi-Factor Authentication, Conditional Access, Hello for Business
  • Microsoft Endpoint Management (MEM), formerly known as Intune
  • Cloud App Security
  • Azure Information Protection

Microsoft also have a dedicated page with resources around Zero Trust – aka.ms/Zero-Trust.

NCSC Architecture Design Principles: Zero trust architecture design principles – NCSC.GOV.UK
