CloudAssist Staging

Zero Trust Strategy

Zero Trust Strategy

Deploy least privileged access across your tenant and adopt a protective approach of always authenticating before granting access to sensitive resources.

Instead of believing everything inside the organization’s firewall is safe, the Zero Trust model assumes breach and a “never trust, always verify” access approach.

Every request, regardless of whether it originated internally or externally, is strongly authenticated, authorized, and inspected for anomalies.

In a Zero Trust framework, all users and devices inside and outside the organization perimeter seeking access are verified in real time.

CloudAssist is offering a Microsoft-funded passwordless authentication workshop.

Instead of believing everything inside the organization’s firewall is safe, the Zero Trust model assumes breach and a “never trust, always verify” access approach.

Every request, regardless of whether it originated internally or externally, is strongly authenticated, authorized, and inspected for anomalies.

In a Zero Trust framework, all users and devices inside and outside the organization perimeter seeking access are verified in real time.

CloudAssist is offering a Microsoft-funded passwordless authentication workshop.

Guiding Principles

The core tenets to ensure a successful zero trust strategy across your organisation.

Verify explicitly

Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification.

Use least privileged access

Limit user access with Just-In-Time and Just-Enough Access (JIT/JEA), risk-based adaptive policies, and data protection to protect both data and productivity.

Assume breach

Segment access by network, user, devices. Verify end-to-end encryption for all. Use analytics to get visibility, drive threat detection, and improve defences.

Verify explicitly

Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification.

Use least privileged access

Limit user access with Just-In-Time and Just-Enough Access (JIT/JEA), risk-based adaptive policies, and data protection to protect both data and productivity.

Assume breach

Segment access by network, user, devices. Verify end-to-end encryption for all. Use analytics to get visibility, drive threat detection, and improve defences.

Graphical Overview of a Zero Trust Approach

Microsoft Passwordless Workshop with CloudAssist

Strengthen your organisation's security posture with SSPR, MFA, and more

Check your enterprise's eligibility for this Microsoft-funded workshop:

Complete the short survey below on your interest in the Microsoft Passwordless workshop, and we will assess your enterprise’s eligibility.

Please note that a minimum of 250 Microsoft-licensed end-user accounts is a basic requirement for Microsoft-funded eligibility.


Evolution of Security Strategy

The central challenge of cybersecurity is that the IT environment we defend is highly complex, leading security departments (often with limited budgets/resources) to find efficient ways to mitigate risk of advanced, intelligent, and continuously evolving attackers.

Planning and Prioritising Your Strategy

Microsoft recommends rigorous prioritization of Zero Trust efforts to maximize security return on investment (ROI). This default prioritization is based on learnings from our experience, our customers, and others in the industry.
  1. Align strategies and teams—Your first priority should be to get all the technical teams on the same page and establish a single enterprise segmentation strategy aligned to business needs. We often find that network, identity, and application teams each have different approaches of logically dividing up the enterprise that are incompatible with each other, creating confusion and conflict.
  2. Build identity-based perimeter—Starting immediately (in parallel to priority #1), your organization should adopt identity controls like Multi-Factor Authentication (MFA) and passwordless to better protect your identities. You should quickly grow this into a phased plan that measures (and enforces) trustworthiness of users and devices accessing resources, and eventually validating trust of each resource being accessed.
  3. Refine network perimeter—The next priority is to refine your network security strategy. Depending on your current segmentation and security posture, this could include:
    • Basic segmentation/alignment—Adopt a clear enterprise segmentation model (built in #1) from a “flat network” or fragmented/non-aligned segmentation strategy. Implementing this is often a significant undertaking that requires extensive discovery of assets and communication patterns to limit operational downtime. It’s often easier to do this as you migrate to the cloud (which naturally includes this discovery) than it is to retrofit to an existing on-premises environment.
    • Micro-segmenting data centre—Implement increasingly granular controls on your data centre network to increase attacker cost. This requires detailed knowledge of applications in the data centre to avoid operational downtime. Like basic segmentation, this can be added during a cloud migration or a net new cloud deployment easier than retrofitting to an on-premises data centre.
    • Internet first clients—A simple but significant shift is when you move client endpoints from being on the internet part-time to full-time (versus sometimes on corporate network and sometimes remote). This is a straightforward concept, but it requires having already established a strong identity perimeter, strong endpoint security and management over the internet, publishing legacy applications to your internet clients, and potentially other initiatives before “rolling back” the firewalls from clients.

What Good Security Looks Like

Zero Trust is a model that will ultimately be infused throughout your enterprise and should inform virtually all access decisions and interactions between systems.

The key hallmarks of a good enterprise Zero Trust strategy include:

  • Continuously measure trust and risk—Ensure all users and devices attempting to access resources are validated as trustworthy enough to access the target resource (based on sensitivity of target resource). As technology becomes available to do it, you should also validate the trustworthiness of the target resources.
  • Enterprise-wide consistency—Ensure that you have a single Zero Trust policy engine to consistently apply your organizations policy to all of your resources (versus multiple engines whose configuration could diverge). Most organizations shouldn’t expect to cover all resources immediately but should invest in technology that can apply policy to all modern and legacy assets.
  • Enable productivity—For successful adoption and usage, ensure that the both security and business productivity goals are appropriately represented in the policy. Make sure to include all relevant business, IT, and security stakeholders in policy design and refine the policy as the needs of the organization and threat landscape evolve.
  • Maximize signal to increase cost of attack—The more measurements you include in a trust decision—which reflect good/normal behaviour—the more difficult/expensive it is for attackers to mimic legitimate sign-ins and activities, deterring or degrading an attacker’s ability to damage your organization.
  • Fail safe—The system operation should always stay in a safe state, even after a failed/incorrect decision (for example, preserve life/safety and business value via confidentiality, integrity, and availability assurances). Consider the possible and likely failures (for example, mobile device unavailable or biometrics unsuccessful) and design fall-backs to safely handle failures for both:
    • Security (for example, detection and response processes).
    • Productivity (remediation mechanisms via helpdesk/support systems).
  • Contain risk of attacker movement into smaller zones—This is particularly important when you’re reliant on legacy/static controls that cannot dynamically measure and enforce trustworthiness of inbound access attempts (for example, static network controls for legacy applications/servers/devices).