How much trust do you have in Zero Trust?
I recently had the pleasure of attending the ‘European SharePoint, Office365 and Azure Conference’ (ESPC) in Copenhagen. The 3-day conference was jam-packed with sessions aimed at users across the entire technology sector, from business owners to IT Pros & developers. Before the main event began, there was even a selection of technical tutorial sessions offering a deeper dive into some of today’s most topical subjects in the tech world.
I wanted to take this opportunity to talk about one of the most prevalent concepts, one that came up time and time again: “Zero Trust”. Zero Trust appears to be another one of those IT buzzwords that everyone likes to use but that is rarely explained. Allow me to break this concept down and provide some real-world examples of how it could apply to you.
I want to start by providing some interesting statistics based on Microsoft’s recently published Digital Defence Report:
- Identity is the #1 attack vector that criminals are targeting. If they have your credentials, they have your business identity. Microsoft estimate that over 1 million Azure AD accounts are potentially compromised every month.*
- In 88% of engagements, MFA (Multi-Factor Authentication) was not implemented for sensitive and high privileged accounts. This allowed attackers to leverage those privileged credentials with no resistance and gain further persistence within the environment.*
- 88% of customers did not employ AD (Active Directory) and Azure AD best practices, allowing attackers to leverage misconfigurations & vulnerabilities in identity systems to gain broader access to company resources and have a higher impact on the business.*
Zero Trust is not a product or a service that can be offered or installed.
We should be verifying our users based on all available data points and not assuming trust just because they are coming from behind our corporate firewall or via our VPN. We should be using all available methods, such as identity, location, device health, data classification, anomaly detection and user risk, to verify each user every time.
Use least privilege access
User access should be limited to exactly what they need to complete their job role and nothing further. Access to critical systems should follow the principles of Just-In-Time & Just-Enough-Access (JIT/JEA). If access to a privileged system is required, this should be requested, logged and risk assessed each time. Access should only be granted for the smallest amount of time needed to perform the task at hand.
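The two principles above can be combined in one policy decision: each request is checked against the signals listed (MFA, device health, location, data classification, user risk), and an approval is a logged, time-boxed grant. The Python below is an added example, not code from the original article or from any Microsoft product; the class names, thresholds, country list and durations are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed values for illustration; tune them to your own policy.
TRUSTED_COUNTRIES = {"GB", "DK"}
MAX_GRANT = {"public": timedelta(hours=8), "confidential": timedelta(hours=1),
             "restricted": timedelta(minutes=15)}
AUDIT_LOG = []  # every decision is recorded, allowed or denied

@dataclass
class AccessRequest:
    user: str
    mfa_passed: bool
    device_compliant: bool
    country: str
    user_risk: str            # "low" | "medium" | "high"
    data_class: str           # a key of MAX_GRANT
    requested: timedelta      # how long the user asked for
    on_corporate_network: bool = False  # deliberately never consulted

def decide(req: AccessRequest, now: datetime):
    """Return (decision, expiry). Being behind the firewall/VPN grants nothing."""
    reasons = []
    if not req.mfa_passed:
        reasons.append("no MFA")
    if req.user_risk == "high":
        reasons.append("high user risk")
    if req.data_class not in MAX_GRANT:
        reasons.append("unknown data classification")  # fail closed
    sensitive = req.data_class != "public"
    if sensitive and not req.device_compliant:
        reasons.append("non-compliant device")
    if sensitive and req.user_risk == "medium":
        reasons.append("elevated risk for sensitive data")
    if req.data_class == "restricted" and req.country not in TRUSTED_COUNTRIES:
        reasons.append("unexpected location")
    if reasons:
        decision, expiry = "deny", None
    else:
        # Just-in-time: the shorter of what was asked for and the class cap.
        decision, expiry = "allow", now + min(req.requested, MAX_GRANT[req.data_class])
    AUDIT_LOG.append({"time": now.isoformat(), "user": req.user, "decision": decision,
                      "reasons": reasons, "expires": expiry and expiry.isoformat()})
    return decision, expiry

def is_active(expiry, now: datetime) -> bool:
    """Checked on every use; an expired grant means a fresh request."""
    return expiry is not None and now < expiry
```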
Unfortunately, it is no longer a case of “If” but “When” you will be breached. Organisations should be designing their networks to limit the blast radius of any breach by providing segmented access to the network. Analytics should be leveraged to get visibility into your users, apps & networks to help drive threat detection and, in turn, defence.
A zero-trust philosophy should be adaptive to the business and the complexities of a modern hybrid workforce. It should protect people, devices, applications, and data, wherever they are located. Zero Trust should be adopted across the entire digital estate and offer an end-to-end strategy to provide the best level of protection possible. This is not going to be achieved overnight, and should instead be a journey that an organisation embarks on with the support of key stakeholders across the organisation. Buy-in from the whole business will ensure effective delivery of a zero-trust infrastructure.
Where should you start?
Microsoft offer some great resources on how to start your Zero-Trust journey:
- Zero Trust Guidance Center – https://learn.microsoft.com/en-us/security/zero-trust/
- Zero Trust Assessment – https://www.microsoft.com/en-gb/security/business/zero-trust/maturity-model-assessment-tool?activetab=solution-wizard%3aprimaryr1
- SMB Zero Trust Guidance – https://learn.microsoft.com/en-us/security/zero-trust/guidance-smb-partner
Founded in 1984, ADM Computing is Kent’s largest and longest established IT services company specialising in Cyber Security and IT support services that help to reduce IT costs as well as improve network efficiency. We have a long history of charity work and won’t be slowing down any time soon!
Dan Keen – Infrastructure Engineer | ADM Computing – Established in 1986.
Dan has been in the IT industry for 10 years and has quickly progressed from a young IT Apprentice to an Infrastructure Engineer with a passion for Business Continuity, Backups, Disaster Recovery, Network Monitoring and IT Security (focusing on SIEM / SOAR). Dan focuses on enabling users to engage with technology, ensuring they can perform their job roles in the most secure fashion possible, keeping both themselves and their organisation protected.