Zero-trust: A leading security principal

As October is Cybersecurity Awareness Month, I thought I’d talk about the primary security principal that all users, be it at home or in the enterprise should be aware of; Zero-trust.

Zero-trust is the leading security principal and is a journey that all organisations should be on. This principal is vendor agnostic and is recognised by the key security groups to be the gold standard of cyber-security frameworks. For the purpose of this blog, we will be focusing on how Microsoft’s tooling helps us on this journey, but the overarching theme applies to all vendors.

Microsoft’s interpretation of the zero-trust model is as follows:

• Verify explicitly
  • Always authenticate and authorise based on all available data points
• Use least privileged access
  • Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection
• Assume breach
  • Minimise blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defences

Their guiding principles apply to the following key technology pillars: 

• Identities
  • Whether they represent people, services, or IoT devices – define the Zero-Trust control plane. When an identity attempts to access a resource, verify that identity with strong authentication, and ensure access is compliant and typical for that identity. Follow least privilege access principles.
• Endpoints
  • Once an identity has been granted access to a resource, data can flow to a variety of different endpoints – from IoT devices to smartphones, BYOD to customer owned devices, and on-premises workloads to Cloud-hosted servers. This diversity creates a large attack surface area. Monitor and enforce device health and compliance for secure access.
• Apps
  • Applications and APIs provide the interface by which data is consumed. They may be legacy on-premises, lifted-and-shifted to Cloud workloads, or modern SaaS applications. Apply controls and technologies to discover shadow IT, ensure appropriate in-app permissions, gate access based on real-time analytics, monitor for abnormal behaviour, control user actions, and validate secure configuration options.
• Infrastructure
  • Whether on-premises servers, Cloud-based VMs, containers, or micro-services – they all represent a critical threat vector. Assess for version, configuration, and JIT access to harden defence. Use telemetry to detect attacks and anomalies, and automatically block and flag risky behaviour and take protective actions.
• Data
  • Ultimately, security teams are protecting data. Where possible, data should remain safe even if it leaves the devices, apps, infrastructure, and networks the organisation controls. Classify, label, and encrypt data, and restrict access based on those attributes.
• Network
  • All data is ultimately accessed over network infrastructure. Networking controls can provide critical controls to enhance visibility and help prevent attackers from moving laterally across the network. Segment networks (and go deeper in-network micro-segmentation) and deploy real-time threat protection, end-to-end encryption, monitoring, and analytics.

I will below explain how you can use the zero-trust principal against each of the key technology pillars listed above, and which technologies can be used to enforce this. These security controls do not complete the zero-trust framework, but should be implemented as soon as possible, as they span multiple pillars and are ultimately the most impactful at deterring cyberattacks.

First and foremost, and one that I have written about many times before is multifactor authentication (MFA). I can’t emphasise enough the importance of using MFA at every authentication point. Organisations need to ensure they are explicitly verifying and securing each and every identity with strong authentication.

Multi factor authentication protects your organisation by having users confirm their identity by using something they have, such as the Microsoft Authenticator App, hardware token or SMS message, before they are permitted access, in conjunction with another factor of authentication.

However, an attack vector that is often overlooked is the vulnerability of legacy authentication, which can be leveraged by an adversary to circumvent MFA. Legacy authentication refers to all protocols that use basic authentication such as MAPI, IMAP4, POP3, Authenticated SMTP and ActiveSync.

Once you have identified and remediated the clients using basic authentication then it is advised you enforce blocking of legacy authentication using Conditional Access or by enabling the Azure AD Security Defaults.

It is common to use conditional access policies to remove the MFA requirement for known locations, often deemed as trusted locations. Trusting your network is a mistake and explicit verification should occur at every entry point, with the assumption that users will abuse your network trust. Using trusted locations should be a requirement for access to resources, but MFA and the other security controls in this article should also be enforced. Yes, this can cause user friction, but unfortunately this is the nature of a strong security posture.

Access controls should be implemented using adaptive, risk-based conditional access policies to allow or block access or perform more advanced functions such as limiting access, requiring additional verification such as MFA, device compliance / health, location, session risk, user context, or forcing the user to reset their password via self-service password reset (SSPR).

Moving to passwordless authentication requires a great deal of planning, but once complete it enables users to easily authenticate, whilst being substantially more secure than using a password. Using biometrics in Windows Hello fulfils the “something they have” factor of authentication. The Microsoft Authenticator App can also be used for passwordless authentication, but this should be used in conjunction with another factor of authentication. Windows Hello is based on the FIDO2 standard and is incredibly secure and doesn’t require the user to remember a password!

SSO should be put into effect by using Azure Active Directory (Azure AD) against SaaS and on-premises applications. By implementing single sign-on (SSO) you vastly increase your organisation’s security posture, whilst streamlining the user experience by removing the need to manage multiple credentials and reducing the number of sign-in prompts.

Azure AD Application Proxy provides secure remote access to your on-premises applications, and should be deployed to apply the same SSO, MFA and conditional access security controls you have in Azure, all without your application being public facing to further reduce the attack surface.

By using Azure Identity Protection, an organisation’s identities can be protected against compromise and potential vulnerabilities in real-time by using continuous detection either at login or during sessions. Automated remediation and connected intelligence can be used to investigate sign-ins and risky users, which can be further enriched by leveraging user session data from MCAS post authentication. MCAS can also be used to discover shadow IT activities that may be occurring inside your organisation.

Least privilege access should be applied across all security controls and key technology pillars. Organisations should start with zero access and then only provide the users access to what they need, using only the minimum permissions they need and only for the time they need.

Technologies such as Azure AD privileged identity management (PIM) and entitlement management can be used to enforce this least privilege access, including: justification, approval, and a verbose audit trail.

Finally, you should assume that any security controls you implement will fail (assume breach). Therefore, gaining maximum visibility into your organisation’s security posture is critical.

Microsoft Secure Score (available in Azure, M365, MDfI, and MDfE) allows you to quickly identify your current security posture and any improvement actions including the priority and impact. Secure Score enables you to improve your organisations digital security landscape and report on the measure of impact, along with quickly identifying any regressions.

A security information and event management (SIEM) system provides your organisation with a holistic view of the security tooling implemented. Azure Sentinel provides the resources for security analysts to quickly identify and react to threats across the entire digital estate.

It is clear that the traditional perimeter defence model no longer provides sufficient security for your organisation. With Zero Trust, your organisation can move away from a trust-by-default principal to a trust-by-exception one.

If you’d like to check how far your organisation is along the zero-trust journey, Microsoft have a free to use assessment tool that can help identify your maturity and plan your security roadmap.

By Shawn Wilkin, Technical Lead: Security at Transparity

Transparity also offer a Managed Security Service that is built on three core security principles; Zero Trust (never trust, always verify), Least Privilege (provide only the access required, and only for the duration needed) and Assume Breach (always assume users or systems will fail). Click here to find out more.