Zero Trust - Apparently it's a Security thing!
When I joined the Security team at Microsoft, I had an entirely new business to learn. That meant I had to learn all about several products that were new to me and the respective customer challenges and needs that they were designed for. I had to meet new people to work with on this new business, both at Microsoft as well as at our Partner and Customer organizations. That is when I first came across the term Zero Trust.
I assumed that outside of the Security professionals community, I couldn't be the only one thinking at first glance that this Zero Trust thing had a strange name:
Zero Trust? That doesn't sound like a name that inspires a sense of security at all!
A little over a year has passed since I moved to the Security team, and the world we live in has literally changed. The global pandemic that we are still collectively trying to overcome has changed the way people around the entire world work. Organizations that resisted or delayed digital transformation for years on end, due to all sorts of reasons, were now forced to transform overnight.
The information we have available leads us to believe that the lockdown story might not be over yet. Common sense will forever remind us that in the globalized society and threatened planet that we live in, similar world events with the potential to disrupt our daily routines are not only likely, they are inevitable.
Today I realize that in many ways we live in a Zero Trust world.
We all benefit from this wealth of information and capabilities that are enabled by the cloud - as individuals as well as professionals. That means that, both at work as well as at home, we now have an added responsibility as individuals to stay secure in the digital world. We must validate information that is available to us from infinite sources before using it, we must protect our data and the access to our devices, and we need to take privacy and data management controls seriously.
I hope I am not losing you, because we didn't even get to the Microsoft Security stuff yet. You don't need to be a Security professional to understand the importance of Zero Trust. I argue that you are already living it even in your personal lives.
For Microsoft, a Zero Trust strategy is built on 3 fundamental principles:
Principle #1: Verify explicitly
Rather than trusting users or devices implicitly because they’re on the corporate network, we want to assume that the request originates from an uncontrolled network. We should authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.
Would you willingly grant access to your Wi-Fi and all the information contained in the devices that you and your family have at home? Surely not! You protect it with a strong password, and every device has a variety of controls in place to restrict access and transfer of information across the network.
Principle #2: Use least-privileged access
Rather than providing any authenticated user broad access to corporate resources, we should grant access to people only when they need it, for as long as they need it, and for the specific task at hand. This helps protect against cases where, for example, a password with Admin privileges gets stolen. Least-privileged access grants just-in-time and just-enough access, with risk-based adaptive policies that protect both data and productivity.
Many parents create dedicated accounts on their devices to limit their children's access to information on that device, and also to limit what can be done from it (for example, to prevent unwanted Amazon or Netflix purchases, or simply to restrict access to online content). Similarly, just because you shared your phone location with a friend that you were meeting for dinner, you don't really want that friend to have access to your location forever.
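To make Principles #1 and #2 concrete, here is a small policy check, added as an illustration and not taken from Microsoft or any product. It evaluates the signals listed above against a time-bound, task-specific grant; the field names, thresholds and sample data are all assumptions made up for this example.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    action: str
    classification: str      # data classification: "general" or "confidential"
    mfa_passed: bool         # user identity signal
    device_compliant: bool   # device health signal
    location: str            # country code reported for the sign-in
    anomaly_score: float     # 0.0 (normal) .. 1.0 (highly unusual)
    on_corp_network: bool    # recorded, but never used to grant trust

@dataclass(frozen=True)
class Grant:                 # just-in-time, just-enough access
    user: str
    resource: str
    actions: frozenset       # only the actions needed for the task
    expires: datetime        # access ends when the task window ends

USUAL_LOCATIONS = {"alice": {"PT", "US"}}   # constructed baseline

def decide(req, grants, now):
    """Return (decision, reason); decision is allow, step_up or deny.
    The 0.8 and 0.4 thresholds are illustrative assumptions."""
    active = [g for g in grants
              if g.user == req.user and g.resource == req.resource
              and req.action in g.actions and now < g.expires]
    if not active:
        return "deny", "no unexpired grant for this user, resource and action"
    if not req.device_compliant:
        return "deny", "device health check failed"
    if req.anomaly_score >= 0.8:
        return "deny", "anomalous behaviour"
    if not req.mfa_passed:
        return "step_up", "identity not strongly verified"
    unusual = req.location not in USUAL_LOCATIONS.get(req.user, set())
    if req.classification == "confidential" and (unusual or req.anomaly_score >= 0.4):
        return "step_up", "elevated risk for confidential data"
    return "allow", "all signals verified"

NOW = datetime(2021, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed sample data
GRANTS = [Grant("alice", "payroll-db", frozenset({"read"}), NOW + timedelta(hours=1))]
BASE = Request("alice", "payroll-db", "read", "confidential",
               True, True, "PT", 0.1, on_corp_network=False)

if __name__ == "__main__":
    for r in (BASE, replace(BASE, action="write"),
              replace(BASE, device_compliant=False, on_corp_network=True)):
        print(decide(r, GRANTS, NOW))
```

Note that `on_corp_network` is never read by `decide`: a non-compliant device is denied even from inside the corporate network, and the same request is denied once the one-hour grant has expired.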
Principle #3: Assume breach
Given enough time and resources an attacker will get in, so we must operate with the expectation that a breach will occur. We can apply techniques such as microsegmentation, and then we use real-time analytics to detect and respond to attacks quickly.
You are well aware that all the information you put out there in the digital world is potentially at risk unless you take action to protect yourself and your data. That is why you have turned on that option to get a text message with a code every time you access your Facebook account from a new device. Or why you receive a text message with a code from your bank when you want to make a transfer. This multi-factor authentication is there to ensure that someone can't take all your money in the bank just by gaining access to your online banking username and password.
I started to realize that my short-sighted opinion about Zero Trust and its name was wrong, but I still had to understand better what all the fuss was about.
Since I work at Microsoft, surrounded by some of the greatest modern IT Security experts on the planet, I figured that I could do a bit more than just searching Google for the answers to my questions. I wanted to take an approach that would empower every person and organization on the planet. Perhaps even create something others could Google in the future!
And so, I embarked on my journey to learn more about Zero Trust, and today I want to share the output of that learning experience with you!
The Zero Trust Deployment Center is a repository of information that will help anyone understand what Zero Trust is and why it is so important to follow this approach to secure your organization's Identity, Endpoints, Data, Applications, Network and Infrastructure.
For those who might want to go even further, and start working on your Zero Trust modern security strategy, we did a thorough job and identified different sets of objectives for each of its pillars, always supported by the guidance that you need to achieve these objectives.
The content on this page will give you access to all the information that you need to start planning and deploying your Zero Trust strategy, following a maturity journey that suits the needs of your organization.
Check it out! https://aka.ms/ZTGuide
WW SMC Security GTM Programs Director