iam moc cyb moc cyb iam

what is zero trust

Zero Trust is a security strategy. It is not a product or a service, but an approach in designing and implementing the following set of security principles…

verify explicitly

summary

This principle requires users to verify who they are, using more than one method, so that compromised accounts gained by hackers aren’t allowed to access your data and apps. This approach also requires devices to be recognised as being allowed to access the environment and, ideally, to be managed and healthy (not compromised by malware).

authenticate for every application and/or data set

MFA

mfa

Interesting products

Netwrix [secure envoy]

using device identities

using user identities

least privilege access

summary
  1. This principle limits the blast radius of a potential breach so that if an account is compromised, the potential damage is limited. ==different admin accounts for different purposes== For accounts with greater privileges, such as administrator accounts, this involves using capabilities that limit how much access these accounts have and when they have access.
  2. It also involves using higher levels of risk-based authentication policies for these accounts. ==arctic wolf critical users==
  3. This principle also involves identifying and protecting sensitive data. For example, a document folder associated with a sensitive project should only include access permissions for the team members who need it (RBAC).

These protections together limit how much damage can be caused by a compromised user account.

Just In Time

Just Enough

Risk Based Adaptive policies

impossible travel

restricted country list or use country whitelists
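The following is an added example, not code from the original notes or from Microsoft, showing how the checks named under "verify explicitly" (device identity and health, MFA) and "risk based adaptive policies" (impossible travel, country allowlist) combine into one sign-in decision. The country allowlist, the 900 km/h plausibility threshold, the decision ordering (block, then step-up MFA, then allow) and all sign-in events and coordinates are constructed assumptions for the demo.

```python
"""Toy risk-based adaptive sign-in policy (added example, not from the
original notes).  Every threshold, location and event below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import radians, sin, cos, asin, sqrt
from typing import Dict, List, Optional, Tuple

# Assumption: countries this tenant allows sign-ins from ("country whitelist").
ALLOWED_COUNTRIES = {"GB", "IE", "DE"}
# Assumption: implied travel faster than this between two sign-ins is "impossible".
MAX_PLAUSIBLE_KMH = 900.0


@dataclass
class SignIn:
    user: str
    ts: datetime
    country: str
    lat: float
    lon: float
    device_managed: bool   # device identity is known to the environment
    device_healthy: bool   # not reported as compromised by malware
    mfa_completed: bool    # a second factor was satisfied for this request


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def impossible_travel(prev: Optional[SignIn], cur: SignIn) -> bool:
    """True when the speed implied by the previous and current sign-in
    locations exceeds MAX_PLAUSIBLE_KMH."""
    if prev is None:
        return False
    hours = (cur.ts - prev.ts).total_seconds() / 3600.0
    km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    if hours <= 0:
        return km > 0  # same instant, different place
    return km / hours > MAX_PLAUSIBLE_KMH


def evaluate(prev: Optional[SignIn], cur: SignIn) -> Tuple[str, List[str]]:
    """Return (decision, reasons); decision is 'allow', 'require_mfa' or 'block'.
    Unhealthy devices and disallowed countries are blocked outright; any other
    risk signal steps the user up to MFA unless it is already satisfied."""
    reasons: List[str] = []
    if cur.country not in ALLOWED_COUNTRIES:
        reasons.append(f"country {cur.country} not in allowlist")
    if impossible_travel(prev, cur):
        reasons.append("impossible travel from previous sign-in")
    if not cur.device_managed:
        reasons.append("unmanaged device")
    if not cur.device_healthy:
        reasons.append("device reported unhealthy")

    if not cur.device_healthy or cur.country not in ALLOWED_COUNTRIES:
        return "block", reasons
    if reasons and not cur.mfa_completed:
        return "require_mfa", reasons
    return "allow", reasons


def _t(h: int, m: int) -> datetime:
    return datetime(2024, 1, 1, h, m, tzinfo=timezone.utc)


# Constructed sample sign-ins (London, Berlin and New York coordinates).
SAMPLE_EVENTS = [
    SignIn("alice", _t(9, 0), "GB", 51.5074, -0.1278, True, True, False),
    SignIn("alice", _t(9, 30), "DE", 52.5200, 13.4050, True, True, False),  # London->Berlin in 30 min
    SignIn("alice", _t(9, 35), "DE", 52.5200, 13.4050, True, True, True),
    SignIn("bob", _t(11, 0), "GB", 51.5074, -0.1278, False, True, False),  # unmanaged device
    SignIn("bob", _t(11, 5), "GB", 51.5074, -0.1278, True, False, False),  # unhealthy device
    SignIn("carol", _t(12, 0), "US", 40.7128, -74.0060, True, True, True),  # country not allowed
]


def run_samples() -> List[str]:
    """Evaluate SAMPLE_EVENTS in order, tracking the previous sign-in per user."""
    last: Dict[str, SignIn] = {}
    decisions = []
    for ev in SAMPLE_EVENTS:
        decision, reasons = evaluate(last.get(ev.user), ev)
        decisions.append(decision)
        last[ev.user] = ev
        print(f"{ev.ts.isoformat()} {ev.user:6} {decision:12} {reasons}")
    return decisions


if __name__ == "__main__":
    run_samples()
```

The step-up path is the point: a risk signal does not have to mean a hard block, it can mean re-verifying explicitly with a second factor, while device health and geography are treated as hard policy lines.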

assume breach

end to end encryption

analytics / logging

threat detection

improve defences

| Principle | Description |
| --- | --- |
| Verify explicitly | Always authenticate and authorize based on all available data points. |
| Use least privilege access | Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection. |
| Assume breach | Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses. |
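An added example of the Just-In-Time / Just-Enough-Access idea from the least privilege principle (this is illustrative code, not from the original notes or from Microsoft): users hold no standing admin rights; an elevation is granted for one role, on one resource scope, for a bounded time, and every decision is recorded so "who did what and when" can be answered. The role names, the 60-minute cap, the prefix-based scope match, and the users and resources are all constructed assumptions.

```python
"""Toy JIT/JEA elevation model (added example, not from the original notes).
Roles, scopes, users and timings are constructed for the demo."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Assumption: each role permits only a small, explicit set of actions (JEA).
ROLE_ACTIONS = {
    "reader": {"read"},
    "vm-operator": {"read", "restart"},
    "vm-admin": {"read", "restart", "delete"},
}
MAX_ELEVATION_MINUTES = 60  # assumption: policy cap on any single elevation


@dataclass
class Grant:
    user: str
    role: str
    scope: str            # resource prefix the role applies to, e.g. "rg-prod/vm-web"
    expires: datetime
    justification: str


@dataclass
class JitStore:
    grants: List[Grant] = field(default_factory=list)
    audit: List[tuple] = field(default_factory=list)

    def request_elevation(self, user: str, role: str, scope: str,
                          minutes: int, justification: str, now: datetime) -> Grant:
        """Grant a time-bounded, scoped role; refuse unknown roles, overly long
        windows and requests with no justification."""
        if role not in ROLE_ACTIONS:
            raise ValueError(f"unknown role {role}")
        if minutes > MAX_ELEVATION_MINUTES:
            raise ValueError(f"elevation longer than {MAX_ELEVATION_MINUTES} minutes not allowed")
        if not justification.strip():
            raise ValueError("justification required")
        grant = Grant(user, role, scope, now + timedelta(minutes=minutes), justification)
        self.grants.append(grant)
        self.audit.append((now, user, "elevate", f"{role}@{scope} for {minutes}m", justification))
        return grant

    def is_authorized(self, user: str, action: str, resource: str, now: datetime) -> bool:
        """Allow only if an unexpired grant for this user covers the resource
        (prefix match, an assumption) and its role permits the action.
        Every check is written to the audit trail, allowed or not."""
        allowed = False
        for g in self.grants:
            if g.user != user or now >= g.expires:
                continue
            if not resource.startswith(g.scope):
                continue
            if action in ROLE_ACTIONS[g.role]:
                allowed = True
                break
        self.audit.append((now, user, action, resource, "allow" if allowed else "deny"))
        return allowed


def run_demo() -> Dict[str, object]:
    """Constructed scenario: alice elevates to vm-operator on the web tier for 30 minutes."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    store = JitStore()
    store.request_elevation("alice", "vm-operator", "rg-prod/vm-web", 30,
                            "INC-1234: restart web tier", t0)
    at = lambda m: t0 + timedelta(minutes=m)
    return {
        "restart_in_scope": store.is_authorized("alice", "restart", "rg-prod/vm-web-01", at(5)),
        "delete_in_scope": store.is_authorized("alice", "delete", "rg-prod/vm-web-01", at(5)),
        "restart_out_of_scope": store.is_authorized("alice", "restart", "rg-prod/vm-db-01", at(5)),
        "restart_after_expiry": store.is_authorized("alice", "restart", "rg-prod/vm-web-01", at(31)),
        "other_user_read": store.is_authorized("bob", "read", "rg-prod/vm-web-01", at(5)),
        "audit_entries": len(store.audit),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Blast radius is bounded on three axes at once: what the role can do, which resources it applies to, and for how long; a stolen session after expiry buys an attacker nothing, and the audit trail shows every attempt either way.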

This is the core of Zero Trust. Instead of believing everything behind the corporate

Essentially: trust nothing and no one (even after authentication) and verify everything, always

And specifically, the principle is designed to protect people, devices, applications, and data wherever they are located.

adoption

Primarily: understanding that security is NOT just another IT function. Although it includes IT as a business group, it includes all business groups: security is a shared company responsibility aligned to business outcomes, and it affects business risk (i.e. revenue) directly.

Defining security as a business-level imperative is the first step toward a modern and scalable security approach.

| Traditional role of security as an extension of IT responsibility | Modern security posture with Zero Trust |
| --- | --- |
| Traditional protection relies on security specialists that are part of the IT team. Security is an IT function. | Security is a responsibility shared among all levels of the business. Accountability for security rests with the executive, while responsibility is shared using the three Zero Trust principles of assume breach, verify explicitly, and least privilege. A Zero Trust model moves security from reactive (who did what and when based on logging) to least privilege (based on just-in-time access to systems as needed). It also implements architecture elements and security operations capabilities to limit the damage from a breach. |

how to sell it

| Role | Responsibility | Zero Trust interest |
| --- | --- | --- |
| Chief Executive Officer (CEO) | Responsible for the business | Zero Trust minimises loss to revenue via reputation, legal, operational loss by mitigating the overall business risk. |
| Chief Marketing Officer (CMO) | Responsible for the marketing vision and execution | Zero Trust allows for the rapid recovery from breach and empowers the responsible reporting function for a public-facing organization, allowing breaches to be contained without reputational loss. |
| Chief Information Officer (CIO) | Responsible for IT as a whole | Zero Trust principles eliminate vertical security solutions that aren’t aligned to business outcomes and enable Security as a Platform, which does align to business outcomes. |
| Chief Information Security Officer (CISO) | Responsible for security program implementation | Zero Trust principles provide a sufficient foundation for the organization to comply with various security standards and enable the organization to secure data, assets, and infrastructure. |
| Chief Technology Officer (CTO) | Chief Architect in the business | Zero Trust helps with defensible technology alignment aligned to business outcomes. Using Zero Trust, security is baked into every architecture. |
| Chief Operations Officer (COO) | Responsible for operational execution | Zero Trust helps with operational governance; the “how to” of the security vision and the surfacing of who did what and when. Both are aligned to business outcomes. |
| Chief Financial Officer (CFO) | Responsible for governance and spend | Zero Trust helps with the accountability of spend and the defensibility of spend; a measurable way of gaining a risk-based measure against security and Zero Trust spending aligned to business outcomes. |

how to measure it

Some organizations choose to prioritize work and measure progress against risk. Two common tools for identifying risks include tabletop exercises and ISO standards.

  1. One way to do this is to use CIS Tabletop exercises: https://www.cisecurity.org/insights/white-papers/six-tabletop-exercises-prepare-cybersecurity-team
     1. They are each designed to be completed together with your team of stakeholders “in as little as 15 minutes.”
     2. The exercises help you evaluate your preparedness in a cross-discipline manner. These exercises are representative and inclusive of different business units, not just IT or security.
  2. With a defensive strategy, you look across your digital estate to identify where your digital assets are, what they’re composed of, and the relative risk profile based on the exfiltration or loss of access to your digital assets. You prioritize defensive areas to focus on by taking each area and estimating the potential damage to your business for these common types of incidents:
     1. Data loss
     2. Data leakage
     3. Data breach
     4. Data access loss
     5. Compliance loss due to cyber incident

how to share it (cloud)

For more information, see Shared responsibility in the cloud in the Azure Security Fundamentals library.

Shared responsibility is a planning model frequently used by security teams to help transform the mindset and strategy from “in control of everything” to “sharing responsibility with the cloud provider.” This model emphasises the strategy of moving apps and resources to trusted cloud providers to reduce the security work that remains for your organisation.

This can become part of your long-term strategy, starting with the acquisition of new cloud-based apps as a motivation to retire legacy apps and servers that your organisation personally maintains.

Defensive strength can rapidly increase when you implement and practice basic security hygiene based on Zero Trust principles. Beyond the early gains, you get additional defensive strength by implementing more advanced security measures. Higher defensive strength provides protection against higher levels of attackers.

The following figure shows the qualitative relationship between your defensive strength and the impact of the cost and ROI of an attacker.

The attacker ROI model helps leaders understand that there are few absolutes. A security posture is never considered perfect or impenetrable. However, there is a lot of opportunity for your organization to be strategic and prioritize your budget and resources. It’s additional incentive for your team of business leaders to work together to protect your organization.

how to think about it

Ultimately, increase security friction enough to thwart attackers without restricting business and technology outcomes.

how to start a Zero Trust journey

If you are embarking on a Zero trust journey that is aligned to a business scenario or looking to embrace Zero Trust as a strategic defense doctrine, success can be difficult to measure. This is because security doesn’t pass a simple pass/fail type of evaluation. Rather, security is a commitment and a journey, to which Zero Trust supplies guiding principles.

Using this adoption guidance as a process framework, first establish and document your security strategy, very similar to a Project Initiation Document (PID). Using the principles that apply to strategy, at minimum, you should document:

  • What are you doing?
  • Why are you doing it?
  • How do you agree on and measure success?

Each business scenario encompasses a different set of assets with different tools to take inventory. Methodically, you begin with an inventory and classification of the assets for each business scenario:

  1. Asset Identification: What assets do you want to protect, such as identities, data, apps, services, and infrastructure? You may use the functional areas called out above as a guide of where to start. Asset identification forms part of your Define strategy and Plan lifecycle phases. The Define strategy phase can articulate a specific scenario, while the Plan phase documents the digital estate.
  2. Asset Classification: How important is each one of the identified assets, such as identities, business critical data, and human resources data? Asset classification is part of the Ready phase where you begin to identify the protection strategy for each asset.
  3. Asset Management: How do you choose to protect (govern) and administer (manage) these assets?
  4. Asset Recovery: How do you recover from compromise or loss of control of an asset (govern)?

Tracking your progress throughout the Zero Trust adoption process is crucial as it allows your organization to monitor and measure strategic goals and objectives.

Microsoft recommends taking two approaches to tracking your progress:

  1. Measure your progress against mitigating risks to your business.
  2. Measure your progress towards achieving strategic objectives across the Zero Trust architecture.

Many organizations use International Organization for Standardization (ISO) standards resources and tools to gauge an organization’s risk. Specifically:

  • ISO/IEC 27001:2022

    • Information security, cybersecurity and privacy protection
    • Information security management systems
    • Requirements
  • ISO 31000

    • Risk management

The requirements and guidelines in these standards are generic and can apply to any organization. They provide a structured and comprehensive way for you to review and gauge the risks that apply to your organization, as well as mitigations.

Identifying and understanding the specific risks that apply to your organization will help you prioritize your most strategic objectives across the Zero Trust architecture.

Once your organization has identified and prioritized your most strategic technical objectives, you can map out a staged roadmap for implementation. You can then track your progress by using various tools:

  • A downloadable PowerPoint slide deck with progress tracking slides. These are designed to help you track and communicate progress at a high level. Customize these slides for your own use.
  • Secure Score is an aggregated score of technical controls that contribute to your current security posture. Secure Score gives your organization a global view of the controls that have and are still to be implemented.
  • Cloud Security Posture Management (CSPM) tools provided with Microsoft Defender for Cloud.

Note that the progress percentage provided by Secure Score might not be accurate for organizations that aren’t willing to implement all controls due to reasons such as:

  • Scope of the business
  • Licensing
  • Capacity

Additionally, several portals and reports can assist you in creating an overview of risk within your business, including:

  • Reports within Microsoft Defender XDR provide information regarding security trends and track the protection status of your identities, data, devices, applications and infrastructure.
  • The Cloud Security Explorer allows you to proactively hunt for security risks.

For example, within Microsoft Defender XDR, the device inventory provides a clear view into newly discovered devices in your network that aren’t yet protected.

bibliography

https://learn.microsoft.com/en-us/security/zero-trust/zero-trust-overview