Digital Transformation
The indispensable foundations for better understanding customer expectations, improving existing and creating new customer experiences, inventing new business models and, ultimately, generating new sources of revenue.
Most organizations are profoundly challenged by the emergence of disruptive actors of all types and sizes in their markets and are forced to transform to survive. Improving agility and developing a culture of continuous change, so that the organization can continuously redefine what is possible and deploy new, optimized operating models, is vital for those organizations. These are the indispensable foundations for better understanding customer expectations, improving existing and creating new customer experiences, inventing new business models and, ultimately, generating new sources of revenue.
Digital transformation is therefore a key factor of growth, innovation and differentiation in a market with heightened competition.
In this context, the increasing use of the cloud by these organizations, the growing variety of device types, and the growing number of mobility scenarios present new challenges for providing adequate security, since part of the processing and data now sits, de facto, outside the reassuring boundary of the firewalls.
Zero Trust Approach
It is clear that, with digital transformation, society as a whole is increasingly exposed.
In the face of the explosion in the number of attacks, awareness of digital risk remains very inadequate today. In a context marked by the massive digitization of data and the increasing interconnection of networks, securing computer systems has become an imperative and a crucial issue for our companies, which are now exposed to very real systemic risks.
Forrester coined the phrase "Zero Trust" in the context of a model that is summarized by the following quotation:
“In Zero Trust, all network traffic is untrusted. This means that security professionals must ensure that all resources are accessed securely regardless of location, adopt a least privilege strategy, strictly enforce access control, and inspect and log all traffic”.
Zero Trust & Micro-Segmentation Approach
Forrester's vision suggests that the Zero Trust model must consider the following broad principles:
All resources must be secured. The term resources here is taken in a broad sense and encompasses the resources accessed (data, applications, services, etc.) as well as the resources accessing them (devices, services, etc.). The notion of managing resources according to their sensitivity will only appear later.
Communication flows must be considered untrusted unless proven otherwise. All traffic must be inspected to detect suspicious behaviors, and logged.
The location or hosting model is irrelevant. This means that, wherever the resource is accessed from or wherever the resource itself is located, access control must be the same.
Access to resources must be limited and significantly reinforced, with special consideration for privileged identities (power accounts). This implies that access control will be implemented holistically and that privileged accounts will be more closely protected and scrutinized.
Forrester also introduced the Zero Trust approach to address lateral threat movement and exfiltration within the infrastructure by using micro-segmentation, which relies on:
Segmentation of the network to isolate resources in different zones according to their sensitivity;
Access control to the different zones by a central gateway, in which access control strategies are defined according to the users and resources accessed;
A network flow control system.
Micro-Segmentation
Micro-segmentation logically isolates workloads in virtual environments by enforcing granular segmentation policies.
It allows specific communications to occur while denying all others.
The promise of micro-segmentation is straightforward: by creating very granular segments within an IT infrastructure, an organization effectively limits the size of its network’s attack surface by breaking it into many small pieces.
If a particular segment gets compromised, the other segments are “walled off” and protected. Conversely, when an unsegmented network is penetrated, attackers have free rein to move laterally within it.
The more granular your organization can make these segments, the less of an impact a security incident will have, since only that segment and the limited resources and data it contains will be exposed. Less exposure and less to remediate.
Micro-segmentation aligns with the principles of zero-trust security, which enforces proper authorization and validation for limited access to applications, data or systems. With a zero-trust approach, all devices, networks and resources are micro-segmented and individual access is restricted so that users get access only to what they need.
Granular micro-segmentation can be complex to deploy and manage, but the finer an enterprise can make its segments, the greater the security benefits it will accrue.
The Benefits Of Micro-Segmentation
Micro-Segmentation offers organizations a number of benefits:
Reduced attack surface: Micro-segmentation limits attackers’ ability to move laterally through a network, ultimately reducing the potential attack surface.
Threat detection and response: Even with optimized security practices in place, breaches are inevitable. But micro-segmentation can drastically improve threat detection and response times. When policy violations are detected, micro-segmentation tools can generate real-time alerts and even block unsanctioned activity.
Regulatory Compliance: Micro-segmentation can strengthen organizations’ regulatory compliance posture by creating segments that specifically store regulated data, typically the personally identifiable information (PII) of customers covered under laws such as General Data Protection Regulation (GDPR) and The California Consumer Privacy Act (CCPA). Compliance-focused policies can then be created for these segments. This also greatly simplifies the auditing process.
By isolating environments and segmenting workloads, a zero trust framework using micro-segmentation greatly reduces the overall attack surface of a network by limiting movement from one potentially compromised workload to another.
Once micro-segmented, fine-grained security policies can be applied to workloads, all the way down to single machines, users or applications. These policies can be defined according to real-world constructs, such as user groups, access groups and network groups, and can be applied across multiple applications or devices.
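The "allow specific communications, deny all others" behavior described above, as an added example that is not part of the original article or of any Azure tooling: a small policy evaluator with NSG-style semantics (ascending priority, first match wins, implicit deny when nothing matches). The segment prefixes, rules and sample flows are constructed for illustration.

```python
# Added example, not from the original article: a minimal micro-segmentation
# policy evaluator with Azure NSG-style semantics: rules are evaluated in
# ascending priority order, the first match wins, and a flow that matches no
# rule falls through to an implicit deny. All values are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    priority: int        # lower number is evaluated first
    src: str             # source CIDR
    dst: str             # destination CIDR
    port: Optional[int]  # None means any destination port
    action: str          # "allow" or "deny"

# Constructed segments: one /24 per application tier.
SEGMENTS = {"web": "10.0.1.0/24", "app": "10.0.2.0/24", "db": "10.0.3.0/24"}

# Constructed policy: only the flows the application needs are allowed;
# every other inter-segment flow hits the catch-all deny.
POLICY = [
    Rule(100, SEGMENTS["web"], SEGMENTS["app"], 8443, "allow"),
    Rule(110, SEGMENTS["app"], SEGMENTS["db"], 1433, "allow"),
    Rule(4000, "0.0.0.0/0", "0.0.0.0/0", None, "deny"),
]

def evaluate(policy, src_ip, dst_ip, port):
    """Return (action, matching priority); no match means implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in sorted(policy, key=lambda r: r.priority):
        if (s in ipaddress.ip_network(rule.src) and d in ipaddress.ip_network(rule.dst)
                and (rule.port is None or rule.port == port)):
            return rule.action, rule.priority
    return "deny", None

def audit(policy, flows):
    """One log line per flow; denied flows are tagged ALERT, the real-time
    signal a segmentation tool would raise on a policy violation."""
    lines = []
    for src, dst, port in flows:
        action, prio = evaluate(policy, src, dst, port)
        lines.append(f"{'ALERT' if action == 'deny' else 'ok'} {src}->{dst}:{port} {action} (rule {prio})")
    return lines

if __name__ == "__main__":
    # Legitimate web->app->db path, then two lateral attempts that must be blocked.
    print("\n".join(audit(POLICY, [("10.0.1.5", "10.0.2.9", 8443), ("10.0.2.9", "10.0.3.4", 1433),
                                   ("10.0.1.5", "10.0.3.4", 1433), ("10.0.3.4", "10.0.1.5", 22)])))
```

Running the script prints two "ok" lines for the sanctioned path and two ALERT lines for the web-to-db and db-to-web attempts, which is exactly the detection signal the benefits list above refers to.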
Zero Trust model
In the Zero Trust model, there are three key objectives when it comes to securing your networks:
Be ready to handle attacks before they happen.
Minimize the extent of the damage and how fast it spreads.
Increase the difficulty of compromising your cloud footprint.
To make this happen, we must follow Zero Trust principles:
Verify explicitly. Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.
Use least-privileged access. Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection to protect both data and productivity.
Assume breach. Minimize blast radius for breaches and prevent lateral movement by segmenting access by network, user, devices, and application awareness. Verify all sessions are encrypted end to end. Use analytics to get visibility, drive threat detection, and improve defenses.
The Zero Trust model includes automated security policy enforcement to ensure compliant behavior throughout the entire organization.
Azure Zero Trust Implementation
The Blueprint Deployment Model
Instead of assuming everything behind the corporate firewall is safe, the Zero Trust model assumes breach and verifies each request as though it originates from an open network.
"Never Trust, Always Verify"
Regardless of where the request originates or what resource it accesses, Zero Trust teaches us to “never trust, always verify.” Every access request is fully authenticated, authorized, and encrypted before granting access.
Micro-segmentation and least privileged access principles are applied to minimize lateral movement. Rich intelligence and analytics are utilized to detect and respond to anomalies in real time.
Microsoft recommends rigorous prioritization of Zero Trust efforts to maximize security return on investment (ROI).
Align strategies and teams
The first priority should be to get all the technical teams on the same page and establish a single enterprise segmentation strategy aligned to business needs.
Build identity-based perimeter
The organization should adopt identity controls such as Multi-Factor Authentication (MFA) and passwordless authentication to better protect identities.
Refine network perimeter
Basic segmentation/alignment—Adopt a clear enterprise segmentation model. Implementing this is often a significant undertaking that requires extensive discovery of assets and communication patterns to limit operational downtime. It’s often easier to do this as you migrate to the cloud (which naturally includes this discovery) than it is to retrofit to an existing on-premises environment.
Micro-segmenting datacenter—Implement increasingly granular controls on your datacenter network to increase attacker cost. This requires detailed knowledge of the applications in the datacenter to avoid operational downtime. Like basic segmentation, this is easier to add during a cloud migration or a net new cloud deployment than to retrofit to an on-premises datacenter.
Internet first clients—A simple but significant shift is when you move client endpoints from being on the internet part-time to full-time (versus sometimes on corporate network and sometimes remote). This is a straightforward concept, but it requires having already established a strong identity perimeter, strong endpoint security and management over the internet, publishing legacy applications to your internet clients, dedicated administrative workstations, and potentially other initiatives before “rolling back” the firewalls from clients.
Zero Trust architecture
A Zero Trust approach should extend throughout the entire digital estate and serve as an integrated security end-to-end strategy.
This is done by implementing Zero Trust controls and technologies across six foundational elements. Each of these is a source of signal, a control plane for enforcement, and a critical resource to be defended.
Securing Identity
Identities, representing people, services, or IoT devices, are the common denominator across today's many networks, endpoints, and applications. In the Zero Trust security model, they function as a powerful, flexible, and granular way to control access to data.
Before an identity attempts to access a resource, organizations must:
Verify the identity with strong authentication.
Ensure access is compliant and typical for that identity.
Follow least privilege access principles.
Once the identity has been verified, we can control that identity's access to resources based on organization policies, ongoing risk analysis, and other tools.
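The three Zero Trust principles (verify explicitly, least privilege, assume breach) and the three identity steps above, combined into one access decision, as an added example that is not part of the original article or of any Microsoft product: every signal is checked explicitly, scopes come from a per-role allow-list, and sensitive scopes additionally need an unexpired JIT grant. The signal names, roles, risk levels and the constructed clock are assumptions made for illustration.

```python
# Added example, not from the original article: an access decision that
# verifies explicitly (identity, device health, user risk, data classification),
# then applies least privilege through a per-role scope allow-list and a
# time-boxed JIT grant for sensitive scopes. All names and thresholds are assumed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

CLOCK = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed "now"
JIT_VALID = CLOCK + timedelta(hours=1)               # constructed unexpired grant
JIT_EXPIRED = CLOCK - timedelta(minutes=5)           # constructed expired grant

@dataclass
class Request:
    user: str
    role: str
    scope: str                  # requested action, e.g. "db:read"
    mfa: bool                   # strong authentication completed?
    device_compliant: bool      # device health signal
    user_risk: str              # "low" | "medium" | "high" (assumed levels)
    data_classification: str    # "public" | "internal" | "confidential"
    jit_granted_until: Optional[datetime] = None

# Constructed least-privilege mapping: each role gets only the scopes it needs.
ROLE_SCOPES = {"analyst": {"db:read"}, "dba": {"db:read", "db:write"}}
# Scopes that additionally need an unexpired Just-In-Time elevation.
JIT_SCOPES = {"db:write"}

def decide(req, now=CLOCK):
    """Return ("allow" | "deny" | "step-up", reason). Network location is
    never consulted: every request is judged on its signals alone."""
    if req.user_risk == "high":
        return "deny", "high user risk"
    if not req.device_compliant:
        return "deny", "device not compliant"
    if req.scope not in ROLE_SCOPES.get(req.role, set()):
        return "deny", f"scope {req.scope} not permitted for role {req.role}"
    if req.scope in JIT_SCOPES and (req.jit_granted_until is None or req.jit_granted_until <= now):
        return "deny", "JIT elevation missing or expired"
    # Anything beyond public data, or elevated risk, requires MFA to have happened.
    if (req.data_classification != "public" or req.user_risk == "medium") and not req.mfa:
        return "step-up", "MFA required for this classification or risk level"
    return "allow", "all signals verified"
```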
Secure Network
Network segmentation in Azure
On Azure, there is a wide and diverse set of segmentation controls available to help create isolated environments. Here are the five basic controls we can use to perform network segmentation in Azure:
Segmentation patterns
There are three common segmentation patterns when it comes to organizing your workload in Azure:
Logical isolation by subscription segmentation
Multiple Virtual Networks with peering
Multiple Virtual Networks in hub-and-spoke model
Each of these provides a different type of isolation and connectivity. Which one works best for your organization is a planning decision based on your organization’s needs. Here is where you can read about segmenting virtual networks in more detail and learn how each of these models can be implemented using Azure networking services.
Generic Approach Diagrams
Specific Approach Diagrams