Understand how your organization can update its security practices in step with the rapid changes of the modern technological landscape.

What is Zero Trust?

Zero Trust is a new model of security requiring all users, either internal or external, to be authenticated, authorized, and continuously validated prior to being granted access to any applications or data. This is a must in a world where data no longer resides solely within the confines of our organisation’s walls but is instead distributed across a variety of apps and cloud services.

Zero Trust acknowledges the truth of our ever-evolving relationship to technology. With a shift to remote working and the rapid uptake of cloud services, the network perimeter of our organisations has fundamentally changed. Networks are no longer a place of safety. Never trust, always verify, has become the battle cry of a safer digital world. It also offers a modern solution to contemporary issues: Zero Trust secures hybrid workers, hybrid cloud environments, and ransomware threats.

To understand how Zero Trust approaches user security, we can offer insight into the following defining factors of its security infrastructure:

1. Context: The first key to ensuring safe access:
   • With Zero Trust, context is key to authorisation. Context is established from a user’s normal usage patterns of applications and resources. Who is requesting access? To which application? From what device? 
   • Identity forms the foundational building block to access. Strong, modern, multi-factor authentication is the tool used to protect these identities.
2. Conditional access: The key to access to applications and resources:
   • Conditional access allows us to apply conditions for access to applications and resources. For instance, maybe a user is signing in from a device that they wouldn’t normally use or a different IP address – with conditional access we have a variety of options: We can block access, require multi-factor authentication, or require that the device accessing the resource is compliant with certain security policies. In this way we can minimally impact legitimate users while preventing access from sources deemed to be risky.
3. Authorisation: Minimum permission for maximum safety:
   • Microsoft’s best-practice approach to permissions is to use the Principle of Least Privilege. Users should have the minimum permissions and access required for them to effectively conduct their role/duties and no more. This can include things like access to mailboxes and SharePoint, as a common vector of attack is through accounts with improper permissions.

Zero Trust goes even further by segmenting the network into micro-segments and introducing controls around traffic flowing between these segments. Additionally, Zero Trust introduces checks and balances around application workloads, by establishing patterns of context around typical workloads and introducing explicit verification of the service accounts associated with applications.

Zero Trust integrates a seamless user experience with total security.

The goal with these improved security measures is an unhindered user experience. With the consolidated identities of the modern O365 environment and tools such as Azure AD Connect, users can navigate between Microsoft 365 applications, and have these identities consolidated, to provide an overall seamless experience.

While Zero Trust may sound complicated, at the core it consists of typical modern security practices that remove the implicit trust of requests originating from within the network.

If you’d like help to develop a plan to move your organisation towards a Zero Trust architecture, and the incremental steps that can be taken to implement this model or other best-practice security policies, reach out to the Altitude Innovations Team today.