Zero Trust Assessment tool now live!
Zero-trust principles are an emerging category that has arisen to address the need for organizations to enable secure remote access to applications for employees, partners, and contractors, regardless of where the application resides (on premises or in private or public cloud environments). As more applications migrate to the cloud, this requirement is growing, highlighting the shortcomings of VPN technology in terms of efficient usage of network bandwidth (the issue of traffic “tromboning” through a concentrator in the corporate data center) and, as a result of this tromboning, of user experience
Microsoft has created the Zero Trust Assessment tool to help determine where you are in your Zero Trust journey. Microsoft assessment tool will help you assess your readiness across identities, devices, apps, infrastructure, network and data, and then provide go-dos and deployment guidance to help you reach key milestones
The assessment questionnaire across the defense in depth layers are provided below
Identities
- Have you enabled multi-factor authentication (MFA) for internal users?
- Have you enabled multi-factor authentication (MFA) for external users?
- Where are you using single sign-on for internal users (employees)?
- Where are you using single sign-on for external users?
- Where is your identity provider hosted?
- Are access decisions to enterprise resources made using a security policy engine?
- Are you using real-time user sign-in risk detection when evaluating access requests?
- Are risk factors continuously evaluated during a session to identify changes to user risk?
- Which of the following technologies have you integrated with your identity and access management solution? - CASB, SIEM, EP, MDM, Conditional Access, Other
- Which of the following context is used in your access policies? - User, Device, Application, Network, Location, User risk, Sign-in risk, SIEM, other
Devices
- Are devices registered with your identity provider?
- Are devices enrolled in mobile device management for internal users?
- Are managed devices required to be compliant with IT configuration policies before granting access?
- Do you have a model for users to connect to organizational resources from unmanaged devices?
- Are devices enrolled in mobile device management for external users?
- Do you enforce data loss prevention (DLP) policies on all managed and unmanaged devices?
- Have you implemented endpoint threat detection to enable real-time device risk evaluation?
Applications
- Are you enforcing policy-based access controls for your applications?
- Are workloads monitored for threats?
- What on-premises applications and resources are available without virtual private network (VPN)/wire?
- Do you have an ongoing Shadow IT discovery and risk assessment of unsanctioned apps?
- Have you enabled real-time in-session monitoring to identify risks and respond as necessary?
- Do you have the ability to deliver granular control to your apps (such as limited visibility, read only, block, and more) based on user and session risk?
- Is administrative access to applications provided with Just-In-Time/ Just-Enough Privilege to reduce risk of permanent permissions?
Infrastructure
- Have you enabled cloud workload protection solutions across your digital estate: hybrid and multicloud?
- Does each workload have an app identity assigned?
- Is user and resource (machine to machine) access segmented for each workload?
- Does your security operations team have access to specialized threat detection tools for endpoints, email attacks, and identity attacks?
- Does your security operations team have access to a security information and event management (SIEM) solution to aggregate and analyze events across multiple sources?
- Does your security operations team use behavior analytics to detect and investigate threats?
- Does your security operations team use security orchestration, automation, and remediation (SOAR) tooling to reduce manual effort in threat response?
- Do you regularly review administrative privileges (at least every 180 days) to ensure admins only have just enough administrative rights?
- Have you enabled Just-in-Time access for administration of servers and other infrastructure?
Data
- Are access decisions governed by data sensitivity versus simple network perimeter controls?
- Has your organization defined a data classification taxonomy?
- Are data access decisions governed by policy and enforced by a cloud security policy engine?
- How is data classified and labeled?
- Are you continuously discovering sensitive data across your digital estate?
Networks
- Are your networks segmented to prevent lateral movement?
- What protections do you have in place to protect your networks?
- Do you establish secure administrative access to protect network segments?
- Do you encrypt all your network communication (including machine to machine) using certificates?
- Are you using machine learning-based threat protection and filtering with context-based signals?
Each organisation has unique requirements and would have invested in technology implementations and are at certain security maturity stages - hence it's important to assess how a Zero Trust security model implementation is planned and executed. The Zero Trust Assessment tool will help you determine where you are in your journey across your identities, devices, apps, infrastructure, network and data, and will tell you which maturity stage you are at (Traditional, Advanced or Optimal). The assessment will provide recommendations on how to progress to the next stage.
Also read - Recommendations to adopt 'Zero Trust' security controls across 'Defense in Depth' layers