Recently, people responsible for identity, security and governance have embraced the vision of Zero Trust. It is the logical evolution of our thinking towards an actionable, more thorough and holistic approach to access, based on the mantra ‘trust no-one, verify everything’. Today, I'm sharing my early experiences in this field.
The idea of Zero Trust
It’s not a grand idea; it’s really simple. In 1990 it was cool to network things together. By 1995, most networks were connected through VPNs and the Internet, replacing WANs, and firewalls and VPNs dominated the security conversation. Today, the way of thinking requires a paradigm shift. We need to start with a ‘deny all’ policy and provide access based on the trustworthiness of users and their devices, at every enforcement point available. The ‘Zero Trust’ architectural mindset embodies this shift.
The idea of Zero Trust is also not new. The original Zero Trust model was developed by Forrester in 2010, but it was not fully embraced until Google successfully implemented its own version of Zero Trust, BeyondCorp, in the 2014-2016 timeframe as its new approach to enterprise security. Now, Microsoft is also on board with the idea.
The Zero Trust Mindset
To implement Zero Trust, we need the following mindset:
Everything is connected to the Internet
Organizations need to collaborate more efficiently in their ecosystems to be more sustainable and profitable. Recently, organizations have embraced Working from Home (WfH). Both these trends have led organizations to expose systems, apps and services to the Internet, as VPN connections simply don’t scale.
Connecting everything to the Internet, however, doesn’t mean you need to open up firewall ports to your organization’s inner sanctum. On the contrary: instead of using AD FS, use Password Hash Sync or Pass-through Authentication; instead of publishing apps through Web Application Proxy, use Azure AD App Proxy, and so on. Both PTA and Azure AD App Proxy communicate with the outside world through Azure Service Bus instances and protect the exchanged traffic with robust cryptography.
When implementing these kinds of solutions, the paradigm of the old centralized firewall quickly loses its value: everything is traffic flowing from inside to outside over TCP 443, the ‘universal firewall bypass protocol’.
Trust no single source
In GPS, GLONASS, Galileo, BeiDou and many other global positioning systems, a larger number of satellites in view provides more accuracy. Microsoft applies the same principle to authentication: for every sign-in to Microsoft infrastructure (including Microsoft accounts, formerly known as Windows Live IDs), Microsoft applies Identity Protection.
Over 100 signals per sign-in, covering the user account, the device and the location, are taken into account to determine the trustworthiness of the sign-in. If the trustworthiness of a sign-in is deemed too low, based on multiple signals, additional requirements need to be met before the sign-in succeeds. This explains why your sign-in might be met with a multi-factor authentication requirement when you first sign in to your laptop at the airport of your destination, from a new customer’s office, or when a password you reused was leaked through another service.
Just like the old firewall paradigm, the old ‘one network for everything’ mindset is also quickly losing its value. Systems are still vulnerable. Systems will still be compromised. These compromised systems will also leak their information over TCP 443 outbound.
Therefore, we need to double down on network segmentation. We need to limit the blast radius for when the unthinkable happens, whether it’s an entire Active Directory lock-out or an organization-wide ransomware deployment in under 45 minutes…
Stopping lateral movement in its tracks is an approach that resonated with many of my customers when we talked about micro-segmentation, both between workstations and servers and among servers. There is no shame in splitting Tier 0 into multiple segments, even when those segments don’t align completely with your security goals.
Azure AD Privileged Identity Management (PIM) (on top of separating day-to-day accounts from privileged accounts, not replacing that separation) and Conditional Access also help. Azure AD PIM limits the time a privileged account is actually equipped with admin privileges; the privileges are automatically stripped after an hour or a shift. Conditional Access allows for fine-grained, policy-driven access controls, incorporating the status of the user account, the device, Identity Protection and the location. Integrating Identity Protection with Conditional Access means that people with leaked passwords are no longer allowed to access organizational resources, limiting the blast radius.
For many organizations, this integration is not available because they don’t have E5 licenses. Conditional Access itself works without E5. With my customers, however, the most value has proven to be in EMS E5 and Microsoft 365 E5.
Standards equal Security
Microsoft is just one of the vendors for many organizations. Many vendors offer Zero Trust technologies that work best together. In contrast to ‘the old Microsoft’, Microsoft these days is all about standards. You can only interoperate with Azure AD (Azure AD DS not included), for instance, when you use open standards like SAML, OAuth2, OpenID Connect and SCIM.
Microsoft is also involved in the Digital Identity Foundation (DIF) and the Fast Identity Online Alliance (FIDO), which work together to let people own their own identities and to enable simpler, stronger authentication that solves the world’s password problem.
Of course, standards are not without risks. OAuth suffers from an issue called token theft. It is a known vulnerability, but it is mostly theoretical.
‘Good security is wide open.’ is an argument that I use with my customers a lot. ‘It’s okay that all the characteristics of the cryptography we use are available for free; as long as we know how to secure the private keys and how to prevent downgrading to lower standards, we’re good.’
There aren’t enough humans
One of the reasons I believe Microsoft is better at guarding information than many small to medium-sized businesses is that Microsoft employs thousands of people in its Security product teams and its Security Response Center.
Even Microsoft acknowledges they can’t keep up manually. Microsoft has set up many automated defenses and automated responses, where possible. The technology they use is also available to organizations as the Microsoft Defender family of products.
I have worked with organizations that had a well-funded and well-organized Security Operations Center (SOC). Even these teams threw 95% of cases on the floor and focused on state actors and competitors, as these cases represent the biggest risks. However, every organization is at risk from ransomware attacks.
Even with all the automation, segmentation, standardization and verification, no network is completely safe. Automated responses and plans with priorities need to be created before the unthinkable happens so the organization is prepared for when it happens. Of course, we all hope it will never happen to our organization.
Writing these plans can be fun exercises, I learned.
I feel all of the above measures and implementations are moot when admins don't have insight into what is happening in their environments. Many of the tools are deployed to prepare for the inevitable, but there's little attention to detecting these events, and little attention to feeding processes with the right inputs. Inputs from products and services like Microsoft Cloud App Security, Data Loss Prevention, DKIM protection and Endpoint Analytics, and even the Azure AD sign-in logs, are rarely collected centrally and correlated even less often. Without these inputs, any visibility into the environment is limited. With limited visibility, it's no wonder the average time attackers can go unnoticed in environments is 140 days…
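As an added example (not code from the original post, nor from Microsoft), here is a small Python script that correlates centrally collected Azure AD sign-in records to surface two things discussed above: risky sign-ins that Identity Protection flagged but no Conditional Access policy turned into an MFA requirement, and the same user signing in from two countries within an hour. The field names are a subset of the Microsoft Graph signIn properties; the sample records, user names, IP addresses and the one-hour threshold are constructed for the demo.

```python
import json
from datetime import datetime, timedelta
from itertools import groupby

# Constructed sample records, one JSON object per line as a log forwarder
# would export them; field names follow the Graph signIn resource, values are invented.
SAMPLE_SIGNINS = """
{"createdDateTime": "2020-11-02T07:58:00Z", "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "NL"}, "riskLevelDuringSignIn": "none", "conditionalAccessStatus": "success", "authenticationRequirement": "multiFactorAuthentication"}
{"createdDateTime": "2020-11-02T08:05:00Z", "userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "US"}, "riskLevelDuringSignIn": "medium", "conditionalAccessStatus": "notApplied", "authenticationRequirement": "singleFactorAuthentication"}
{"createdDateTime": "2020-11-02T09:30:00Z", "userPrincipalName": "bob@example.com", "ipAddress": "192.0.2.44", "location": {"countryOrRegion": "NL"}, "riskLevelDuringSignIn": "high", "conditionalAccessStatus": "success", "authenticationRequirement": "multiFactorAuthentication"}
{"createdDateTime": "2020-11-02T21:10:00Z", "userPrincipalName": "bob@example.com", "ipAddress": "192.0.2.44", "location": {"countryOrRegion": "NL"}, "riskLevelDuringSignIn": "none", "conditionalAccessStatus": "notApplied", "authenticationRequirement": "singleFactorAuthentication"}
"""

def parse_signins(text):
    """Parse the line-delimited JSON export and sort by user, then by time."""
    records = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for r in records:
        r["_time"] = datetime.strptime(r["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(records, key=lambda r: (r["userPrincipalName"], r["_time"]))

def unmitigated_risky_signins(records):
    """Sign-ins Identity Protection rated medium/high risk that still completed
    with a single factor: the enforcement gap a Conditional Access policy should close."""
    return [(r["userPrincipalName"], r["createdDateTime"]) for r in records
            if r["riskLevelDuringSignIn"] in ("medium", "high")
            and r["authenticationRequirement"] != "multiFactorAuthentication"]

def rapid_country_changes(records, max_gap_minutes=60):
    """Same user, different country, within max_gap_minutes of each other.
    No single record carries this signal; it only appears once sign-ins are correlated."""
    max_gap = timedelta(minutes=max_gap_minutes)
    hits = []
    for upn, group in groupby(records, key=lambda r: r["userPrincipalName"]):
        group = list(group)  # already time-ordered per user by parse_signins
        for prev, cur in zip(group, group[1:]):
            prev_country = prev["location"]["countryOrRegion"]
            cur_country = cur["location"]["countryOrRegion"]
            if prev_country != cur_country and cur["_time"] - prev["_time"] <= max_gap:
                hits.append((upn, prev_country, cur_country))
    return hits

if __name__ == "__main__":
    recs = parse_signins(SAMPLE_SIGNINS)
    print("risky sign-ins without MFA:", unmitigated_risky_signins(recs))
    print("rapid country changes:", rapid_country_changes(recs))
```

Feeding real sign-in logs through the same two functions gives a SOC a concrete place to start: each hit is either a Conditional Access policy to fix or a session to review.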
Zero Trust Deployment Center
Last month, Microsoft published its Zero Trust Deployment Center, bringing together the vast experience of the Security teams and MVPs. The website provides guidance on the core areas of Zero Trust (Identity, Endpoints, Data, Apps, Infrastructure and Network) and on how to make the right choices for each of these areas.
Please give it a try.