Circle of Zero Trust
Today’s trend word with a nasty ring to it? COVID-19. The coronavirus has been a global plague for a full year now, and even organizations’ IT departments have had their share of it. One of the biggest challenges has been to deliver functional, safe, and efficient remote working conditions.
Some organizations were already way ahead with remote work. For others remote work has been an exception, and some have turned it into a new normal model for information work. This means that users, devices, applications, information, infrastructure, and information networks need to be protected everywhere and at all times.
What is Zero Trust?
I for one think that the Zero Trust security model plays an integral part in remote work. Zero Trust is now on everyone’s lips, but it’s not a brand-new way of thinking. The Zero Trust model was first put into words by John Kindervag, principal analyst and vice president at Forrester Research, as early as 2010.
Was Jack Byrnes in Meet the Parents a forerunner of the Zero Trust model? I’d say most certainly not, as he has full trust in those inside his circle of trust. In the Zero Trust security model, you by default do not trust anything, not even within your organization’s internal network and inside the firewall. One of the main principles is never trust, always verify.
These are the three most important principles of the Zero Trust security model, as listed by Microsoft:
- Verify explicitly and authenticate the data
- Use least privileged access
- Assume breach
In the next chapters we’ll go through these principles in more detail.
Verification and authentication
In the traditional security model there is a tendency to trust an authentication if it’s done from a trusted device or within a trusted network. In the Zero Trust model, you trust nothing and verify everything. Whether it’s a user logging into a cloud service, a device authenticating itself to an internal network, or some similar action, modern systems like Azure AD and firewalls make it possible to view the context of each individual event. This in turn enables real-time verification, so that an action is allowed only after it has been verified successfully.
Here are a few examples to illustrate:
- With devices, the context includes the device’s health and its compliance with security policies. If the device meets a predefined set of conditions, it is given permission to proceed with the action.
- When a user is logging into a service, say Exchange Online, you can require the use of a multi-factor authentication (MFA).
- If there is anything unusual about the user’s recent behavior, you can block the action.
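The three bullets above map almost one to one onto Azure AD Conditional Access policies. The following is an added example (not code from the original post or from Centero) that creates two such policies through Microsoft Graph; it assumes the Microsoft.Graph.Authentication module, an admin session opened with `Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"`, and that the angle-bracket placeholders are replaced with your tenant’s own object IDs.

```powershell
# Added example: Conditional Access policies for "verify explicitly".
# Assumes Microsoft.Graph.Authentication and an existing Connect-MgGraph session.
# Values in <angle brackets> are constructed placeholders, not real tenant IDs.
$graphUri = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

function New-ZtPolicy([hashtable]$Policy) {
    # Report-only first: the policy is evaluated and written to the sign-in logs
    # but not enforced, so its effect can be checked before it can lock anyone out.
    $Policy.state = "enabledForReportingButNotEnforced"
    Invoke-MgGraphRequest -Method POST -Uri $graphUri -ContentType "application/json" `
        -Body ($Policy | ConvertTo-Json -Depth 10)
}

# 1) Exchange Online: require MFA AND a device that meets the Intune compliance policy
#    (the "device health" and "MFA" bullets). A break-glass group is always excluded.
New-ZtPolicy @{
    displayName = "ZT - Exchange Online requires MFA and compliant device"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @("<break-glass-group-id>") }
        applications   = @{ includeApplications = @("<exchange-online-app-id>") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "AND"; builtInControls = @("mfa", "compliantDevice") }
}

# 2) Unusual behaviour: block sign-ins that Identity Protection rates as high risk,
#    regardless of which application is being accessed.
New-ZtPolicy @{
    displayName = "ZT - Block high-risk sign-ins"
    conditions  = @{
        users            = @{ includeUsers = @("All"); excludeGroups = @("<break-glass-group-id>") }
        applications     = @{ includeApplications = @("All") }
        clientAppTypes   = @("all")
        signInRiskLevels = @("high")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
```

Switch `state` to `"enabled"` only after the report-only results in the sign-in logs show the expected users and devices being affected.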
Principle of least privileged access
Microsoft has two concepts related to limiting access rights: the Just-in-Time (JIT) and Just-Enough Administration (JEA) models.
The idea of the JIT model is to grant higher-level access rights only when they are necessary. An admin role or account is never used constantly: instead, you create, activate, or elevate one to the required level when the need arises.
In the Microsoft 365 ecosystem the solution for this is the Privileged Identity Management product, which activates a certain M365 admin level for a user account for a short period only. The activation can be done as self-service, or you can require a separate approval on each occasion. On Windows workstations and servers, you can enable a similar JIT model using, for instance, the Centero Carillon PAM (Privileged Access Management) product.
The JEA model is a more evolved management model that makes use of PowerShell. The idea is to
- decrease the number of admins on devices,
- limit the actions available to users, and
- improve the users’ understanding of what they are doing on their devices.
An admin can, for example, log into a Windows server with their regular user ID and, thanks to JEA, use PowerShell commands to edit a certain component on the Windows server. The admin doesn’t need extensive admin rights covering the entire server, let alone the entire domain, to execute a single task.
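As an added example (not from the original post or from Centero) of the scenario just described, the script below registers a JEA endpoint on a server so that members of one AD group can restart a single service with their regular, non-admin account; the group name CONTOSO\PrintOperators, the module name ZtJea, the Spooler service and the server name srv01 are constructed placeholders.

```powershell
# Added example: a JEA endpoint for one narrowly scoped task.
# Group, module, service and server names are constructed placeholders.
$moduleRoot = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\ZtJea"
$rcDir      = Join-Path $moduleRoot "RoleCapabilities"
New-Item -Path $rcDir -ItemType Directory -Force | Out-Null
# A (minimal) module manifest is what makes PowerShell discover the RoleCapabilities folder.
New-ModuleManifest -Path (Join-Path $moduleRoot "ZtJea.psd1")

# Role capability: WHAT the connecting user may run. Both the cmdlet and its parameter
# values are whitelisted, so Restart-Service works only with -Name Spooler;
# Get-Service is read-only and therefore exposed in full.
New-PSRoleCapabilityFile -Path (Join-Path $rcDir "SpoolerOperator.psrc") `
    -VisibleCmdlets 'Get-Service', @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } }

# Session configuration: WHO may connect, which role they get, and that the work runs
# under a transient virtual account rather than the user's own (non-admin) identity.
# RestrictedRemoteServer hides everything not listed in a role capability, and every
# session is transcribed for later review.
$pssc = Join-Path $env:TEMP "ZtJea.pssc"
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JeaTranscripts' `
    -RoleDefinitions @{ 'CONTOSO\PrintOperators' = @{ RoleCapabilities = 'SpoolerOperator' } }
Test-PSSessionConfigurationFile -Path $pssc | Out-Null
Register-PSSessionConfiguration -Name 'ZtJea' -Path $pssc -Force

# From the admin's workstation, signed in with a regular domain account:
#   Enter-PSSession -ComputerName srv01 -ConfigurationName ZtJea
#   [srv01]: PS> Restart-Service -Name Spooler   # allowed by the role capability
#   [srv01]: PS> Restart-Service -Name WinRM     # rejected: "WinRM" is not in the ValidateSet
```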
Assume breach
Breaches do happen, and that’s why you should prepare your organization for a breach that
- has already happened,
- is going on right now, or
- is waiting in the future.
If a breach hits your organization and your IT environment is built on the Zero Trust model, you can contain the breach and mitigate its impact. An important aspect here is to prevent the intruder’s lateral movement, so that the intruder cannot move from device to device. Instead, the breach should stop at the first device under attack.
To achieve this, the networks the devices are in should be segmented and restricted appropriately, using so-called micro-segmentation. Encrypted sessions and better visibility into your own environment are good tools against breaches as well.
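Micro-segmentation does not have to wait for new network hardware; on Windows workstations the host firewall can already stop device-to-device movement. The following added example (not from the original post or from Centero) accepts the usual admin protocols only from a management subnet and then lists any remaining rules that still open those ports to everyone; the subnet 10.0.50.0/24 and the rule names are constructed placeholders.

```powershell
# Added example: host-level micro-segmentation with Windows Defender Firewall.
# The management subnet and rule names are constructed placeholders.
$mgmtSubnet = "10.0.50.0/24"
$adminPorts = @{ "SMB" = 445; "RDP" = 3389; "WinRM-HTTP" = 5985; "WinRM-HTTPS" = 5986 }

# Default deny inbound on every profile: only explicit allow rules open anything.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

# The built-in rule groups would accept these protocols from ANY address, which is exactly
# the workstation-to-workstation path an intruder uses. Turn them off.
Disable-NetFirewallRule -DisplayGroup "File and Printer Sharing", "Remote Desktop", "Windows Remote Management" `
    -ErrorAction SilentlyContinue

# Re-open each admin port, but only for the management subnet and only on the domain profile.
foreach ($name in $adminPorts.Keys) {
    New-NetFirewallRule -DisplayName "ZT-Allow-$name-From-Mgmt" -Direction Inbound -Protocol TCP `
        -LocalPort $adminPorts[$name] -RemoteAddress $mgmtSubnet -Action Allow -Profile Domain -Enabled True
}

# Visibility check: which enabled inbound allow rules still expose an admin port to "Any"?
# An empty result means the segmentation above is not undermined by another rule.
function Get-ZtOpenAdminPorts {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        $local  = @(($_ | Get-NetFirewallPortFilter).LocalPort)
        $hit    = $local | Where-Object { $adminPorts.Values -contains $_ }
        if (($remote -contains "Any") -and $hit) {
            [pscustomobject]@{ Rule = $_.DisplayName; Ports = ($hit -join ",") }
        }
    }
}
Get-ZtOpenAdminPorts
```

Deploy the same rules through Group Policy or Intune rather than by hand so that every workstation, including new ones, gets the restriction.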
How do you implement Zero Trust security model?
Zero Trust is a security model and a concept, and it consists of different principles and security controls. When you want to implement the model, there’s one step that cannot be stressed enough: you need the management’s support. And to gain this, you need to connect the security model to the benefits it brings to the business. Here are a few obvious benefits:
- enabling remote work any time, any place,
- safe and fast migration to cloud solutions, and
- cost savings, as you can simplify your cyber security solutions.
Zero Trust is also a key to proactive risk management and risk avoidance.
You should also understand that comprehensive use of the security model is a continuous process. It covers several areas of cyber security, which means it can take a while to fully benefit from it. This of course depends on how mature the company is when it starts using the Zero Trust model in its different business areas.
One good way to proceed with Zero Trust is to use Microsoft’s Maturity Model Assessment tool. With the tool it’s fast and easy to evaluate how ready your organization is to start using the Zero Trust security model in six different areas. The tool asks you questions and gives you guidance based on your answers.
You should also bear in mind that an organization shouldn’t start off with requirements out the wazoo, but instead proceed in moderate steps. The key is to keep things moving in the right direction. You can implement Zero Trust one piece at a time.
Here’s Microsoft’s list of how to proceed:
- Strong Authentication
Make sure you are using MFA everywhere. You should also monitor and control the authentications.
- Policy-Based Access Management
Define the requirements for accessing each organization resource.
- Network Micro-Segmentation
The internal network should be segmented based on its intended use.
- Automation
You should automate the alerts and exception recovery as much as possible.
- Cloud Intelligence
Breach patterns repeat. You can prepare for most breaches with data on what has already happened elsewhere to someone else.
- Data Classification and Protection
Identify, classify, and monitor any confidential data. This diminishes the opportunities for deliberate and malicious data breaches.
Centero and Zero Trust
In another article I look at the ways Centero’s services can assist with this security model. Since 2007, we’ve been developing our Centero Carillon product, which helps you manage Windows workstations’ local access rights safely. With Carillon, you can follow the Zero Trust model’s principle of least privileged access on Windows workstations.
We also have another Zero Trust compatible service, the Centero Software Manager. It’s an excellent companion for a standardized, managed application environment. With these two services you can make sure you get the applications you need on your devices, and keep end users from installing their own applications uncontrollably. So, stay tuned!
We also have strong know-how on the security components of the entire Microsoft 365 ecosystem. Don’t hesitate to contact us. Maybe connect with or message me on LinkedIn?