An essential requirement for IT infrastructure is the ability to adapt flexibly to the current and future needs of the business, which often makes it necessary to use all kinds of hardware and software solutions. Organizations are using several cloud providers and a large number of cloud-based systems, and quite often access to company data must not only be provided from company-owned devices but from the employees’ personal devices as well. An infrastructure built on such complex systems can only be kept secure by using a proactive, integrated security approach.
Building on this approach, Microsoft’s Zero Trust model requires strong authentication for every access request, limits user access with just-in-time and just-enough access (JIT/JEA) based on the principle of least privilege, and employs end-to-end encryption and analytics while assuming breach.
Zero Trust’s controls and technologies must be applied to six key components—identities, devices, applications, data, infrastructure and networks. In the following summary, we focus on the first two pillars of the Zero Trust framework, identities and endpoints.
Identities
Implementing the Zero Trust model begins with identities: it must be explicitly verified that resources can be accessed only by people, devices and processes that are authorized to do so. Securing identities can be achieved using the following measures:
- Multi-factor authentication: before granting access, it requires users to confirm their identity using a second authentication factor, such as by phone.
- Passwordless authentication: provides a more seamless and secure authentication process on the web and mobile without the use of passwords, for example, by using the Microsoft Authenticator app with an Azure AD account.
- Access control using adaptive, risk-based policies: goes beyond the traditional grant-or-deny type of decisions, so that decisions can be made that depend on risk tolerance, for example, to restrict access or verify identity using an additional factor.
- Disabling legacy authentication: legacy protocols, such as POP, SMTP and IMAP, cannot use multi-factor authentication, so leaving them enabled bypasses the MFA requirement.
- Automated threat detection and response: real-time risk assessment that can help to secure identities during user logins and sessions.
- Enriching the identity and access management (IAM) solution using more data: the more insights the IAM solution uses, the more the company’s security posture can be improved.
- Improving identity protection: Identity Secure Score available in Azure AD helps to assess the security of identities.
Endpoints
After verifying identities, security compliance of endpoint devices (hardware assets that request access to data) must be assessed, including IoT systems operating at the network perimeter. Zero Trust’s principles for endpoint protection are the following:
- Enroll devices in Azure AD to enable oversight of all devices and endpoints.
- Manage devices using Microsoft Endpoint Manager to control the use of information.
- Ensure compliance using Microsoft Purview based on the minimum security requirements specified by the organization.
- Provide access for non-managed devices using Microsoft Endpoint Manager to grant access to the required resources from non-managed devices, always keeping data protection in mind.
- Apply Data Loss Prevention (DLP) policies to devices in order to ensure that once access to data has been granted, data can be used only in a controlled fashion.
- Enroll external users’ devices in Endpoint Manager to manage the devices of contractors, suppliers and other external parties.
- Register devices with an identity provider to enable real-time risk assessment of devices and support more informed access decisions.
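The identity measures listed above (blocking legacy authentication, risk-based access control) and the endpoint requirement that only compliant devices reach company data are all enforced in Azure AD through Conditional Access policies. The following is an added example, not code from the article or from Noventiq, showing how such policies are created with the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns module, Policy.ReadWrite.ConditionalAccess permission). The display names, the "ZT-0x" naming scheme and the emergency-access group id are assumptions; replace the placeholder with your own group's object id. The policies are created in report-only mode so the sign-in logs can be reviewed before enforcement.

```powershell
# Added example (not from the article): three Conditional Access policies that
# implement points from the Identities and Endpoints lists above.
# Assumes the Microsoft Graph PowerShell SDK is installed and the signed-in
# administrator has the Policy.ReadWrite.ConditionalAccess permission.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object id of the emergency-access (break-glass) group that is
# excluded from every policy so administrators cannot lock themselves out.
$breakGlassGroupId = "<OBJECT-ID-OF-EMERGENCY-ACCESS-GROUP>"

# Common scope: all users except the break-glass group, all cloud applications.
$allUsers = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
$allApps  = @{ includeApplications = @("All") }

# 1. Identities: block legacy authentication clients. Exchange ActiveSync and
#    "other" clients (POP, IMAP, SMTP AUTH, older Office) use basic auth and
#    cannot satisfy an MFA requirement, so access is blocked outright.
$blockLegacy = @{
    displayName   = "ZT-01 Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"   # switch to "enabled" after log review
    conditions    = @{
        users          = $allUsers
        applications   = $allApps
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# 2. Identities: risk-based access. When Identity Protection rates a sign-in
#    medium or high risk, require a second factor instead of a plain allow/deny.
$riskMfa = @{
    displayName   = "ZT-02 Require MFA for risky sign-ins"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users            = $allUsers
        applications     = $allApps
        clientAppTypes   = @("all")
        signInRiskLevels = @("medium", "high")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# 3. Endpoints: only devices that Endpoint Manager (Intune) marks compliant,
#    or that are hybrid Azure AD joined, may reach cloud applications.
$compliantDevice = @{
    displayName   = "ZT-03 Require compliant or hybrid-joined device"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = $allUsers
        applications   = $allApps
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice", "domainJoinedDevice") }
}

foreach ($policy in @($blockLegacy, $riskMfa, $compliantDevice)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host ("Created '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State)
}
```

Keeping the policies in report-only mode for a few weeks lets you check the Azure AD sign-in logs for accounts and service mailboxes that still rely on legacy protocols or non-compliant devices; those are the cases to remediate before changing the state to "enabled". The break-glass exclusion is not optional: without it a misconfigured device-compliance policy can block every administrator at once.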
How to Get Started
Zero Trust is a journey, not a destination. Noventiq’s team of experts can create a roadmap with key steps that require little effort from your company while making an immediate impact. After completing these tasks, the next steps can be clarified, so the overall strategy can be formulated and refined as you go. If you would like to know how your organization can embrace the Zero Trust model, please schedule an appointment with our team using the form below.