Zero Trust ironically means that the best way to protect everything is to trust NOTHING. Then you work step by step to protect and secure each and every aspect of your IT environment.
IT used to work hard to establish areas of the network it felt to be safe. As a result, an enterprise had a trusted internal network with trusted users, and an untrusted external network with untrusted users. As part of this approach, for instance, IT installed a DMZ – a security zone or barrier between the ‘safe’ network and the ‘dangerous’ outside world. That is the concept of trust.
In contrast is Zero Trust, largely promulgated by Microsoft. Here is how Microsoft defines Zero Trust. “Instead of assuming everything behind the corporate firewall is safe, the Zero Trust model assumes breach and verifies each request as though it originates from an open network. Regardless of where the request originates or what resource it accesses, Zero Trust teaches us to ‘never trust, always verify.’ Every access request is fully authenticated, authorized, and encrypted before granting access. Microsegmentation and least privileged access principles are applied to minimize lateral movement. Rich intelligence and analytics are utilized to detect and respond to anomalies in real-time,” Microsoft explained. “By implementing Zero Trust, Microsoft takes a layered approach to secure corporate and customer data. Microsoft’s phased implementation of Zero Trust centers on strong user identity, device health verification, validation of application health, and secure, least-privilege access to corporate resources and services.”
So, as ironic as it sounds, the only way to have 100% trust in your Microsoft 365 security is to have Zero Trust: to trust nothing, and to protect and verify everything.
With the Zero Trust model, the organization only allows access between IT entities that have to communicate with each other. There is no such thing as a trusted user anymore, or even a trusted server. Instead, IT secures every communications channel, because IT cannot know who is listening in at the router. IT removes generic access to anything; that access has to be granted specifically. It cannot be inherited, and it has to have a purpose. This is Microsoft’s way to implement Zero Trust throughout an organization.
Driving the need, at least in part, for Zero Trust is the move to the cloud, and an increasingly mobile and remote workforce. “Cloud-based services and mobile computing have changed the technology landscape for the modern enterprise. Today’s workforce often requires access to applications and resources outside traditional corporate network boundaries, rendering security architectures that rely on firewalls and virtual private networks (VPNs) insufficient. Changes brought about by cloud migration and a more mobile workforce have led to the development of an access architecture called Zero Trust,” Microsoft explained. “Implementing a true Zero Trust model requires that all components—user identity, device, network, and applications—be validated and proven trustworthy. Zero Trust verifies identity and device health prior to granting access to corporate resources. When access is granted, applying the principle of least privilege limits user access to only those resources that are explicitly authorized for each user, thus reducing the risk of lateral movement within the environment,” Microsoft concluded.
Here are four elements critical to establishing Zero Trust, according to Microsoft:
One problem is that implementing Zero Trust in Microsoft 365 and Azure Active Directory (Azure AD) is highly complicated. Here is where CoreView can get M365 to true Zero Trust. “I think the Microsoft approach would probably get you there – eventually. In contrast, CoreView has a straightforward check box model that gets you to zero trust and least privilege access through our operator access and functional access control model,” explained CoreView solution architect Matt Smith. “Now contrast Microsoft’s complexity with the simple CoreView approach. Our permissions model is all check box-based. The example I typically use is mailboxes. If I want to give someone the ability to create mailboxes, I check a box. Now that person can create mailboxes. If I want to scope it, I put that person in a virtual tenant that is created in a couple of minutes just by looking at properties of Azure Active Directory. Now that person can only create mailboxes for people in the sales department, for example.”
This ties into Role-Based Access Control (RBAC) administration, since those mailbox permissions are function-based. CoreView can truly dive deep and offer highly granular role-based permissions – even offering short-term admin roles. “If I want to give you the function as a help desk person of forwarding SMTP mail because somebody is out on long-term leave, I check some boxes. If I want to give it for just a period of time, I set off a workflow engine that says, ‘Grant this operator the ability to forward SMTP mail for a period of an hour or two.’ That works really well with workstation folks, who have to roll out OneDrive to workstations; you want to give these folks the ability to change the password on a desktop, but just for the next hour and a half or so while they are rolling OneDrive,” Smith said.
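The access model described above (no generic or inherited access; one concrete function per grant; a scope defined by a directory attribute such as department; and grants that expire after an hour or two) can be expressed as a small deny-by-default policy evaluator. The following Python is an added illustration written for this article, not CoreView's or Microsoft's code; the names `User`, `VirtualTenant`, `Grant`, `is_allowed`, `time_boxed_grant` and the sample directory are all hypothetical, constructed for the example.

```python
# Added example (not CoreView's or Microsoft's code): a deny-by-default
# permission model with function-level grants, attribute-based scopes
# ("virtual tenants") and time-boxed grants. All names here are hypothetical.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class User:
    upn: str
    department: str


@dataclass(frozen=True)
class VirtualTenant:
    """Scope derived from a directory attribute, e.g. department == 'Sales'."""
    name: str
    attribute: str
    value: str

    def contains(self, user: User) -> bool:
        return getattr(user, self.attribute, None) == self.value


@dataclass(frozen=True)
class Grant:
    operator: str
    function: str                          # one concrete function, e.g. "mailbox.create"
    scope: Optional[VirtualTenant]         # None means the whole directory
    expires_at: Optional[datetime] = None  # None means a standing grant


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def is_allowed(grants, operator: str, function: str, target: User,
               now: datetime) -> Decision:
    """Allow only if an explicit grant matches operator, function, scope and time.

    Nothing is inherited: a grant for "mailbox.create" says nothing about
    "mailbox.forward_smtp", and an operator with no grant is denied.
    """
    for g in grants:
        if g.operator != operator or g.function != function:
            continue
        if g.expires_at is not None and now >= g.expires_at:
            continue  # time-boxed grant has lapsed; fall through to deny
        if g.scope is not None and not g.scope.contains(target):
            continue  # target lies outside the grant's virtual tenant
        scope = g.scope.name if g.scope else "all users"
        return Decision(True, f"{function} granted to {operator} within {scope}")
    return Decision(False, f"no matching grant for {operator}/{function} (deny by default)")


def time_boxed_grant(operator: str, function: str, scope: Optional[VirtualTenant],
                     hours: float, now: datetime) -> Grant:
    """The 'workflow engine' step: a grant that expires on its own."""
    return Grant(operator, function, scope, expires_at=now + timedelta(hours=hours))


# Constructed sample directory and grants (not real tenant data).
NOW = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
ALICE = User("alice@example.com", "Sales")
BOB = User("bob@example.com", "Engineering")
SALES = VirtualTenant("Sales VT", "department", "Sales")

GRANTS = [
    # Help desk may create mailboxes, but only for the Sales department.
    Grant("helpdesk1", "mailbox.create", SALES),
    # Desktop tech may reset passwords for 90 minutes while rolling out OneDrive.
    time_boxed_grant("desktop-tech", "password.reset", None, 1.5, NOW),
]


def evaluate_scenarios():
    """Run the article's scenarios through the model; returns {name: allowed}."""
    later = NOW + timedelta(hours=2)
    return {
        "helpdesk_creates_sales_mailbox": is_allowed(GRANTS, "helpdesk1", "mailbox.create", ALICE, NOW).allowed,
        "helpdesk_creates_engineering_mailbox": is_allowed(GRANTS, "helpdesk1", "mailbox.create", BOB, NOW).allowed,
        "helpdesk_forwards_smtp": is_allowed(GRANTS, "helpdesk1", "mailbox.forward_smtp", ALICE, NOW).allowed,
        "desktop_tech_reset_now": is_allowed(GRANTS, "desktop-tech", "password.reset", BOB, NOW).allowed,
        "desktop_tech_reset_after_expiry": is_allowed(GRANTS, "desktop-tech", "password.reset", BOB, later).allowed,
    }


if __name__ == "__main__":
    for name, allowed in evaluate_scenarios().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

The design choice worth noting is that every deny carries a reason: an expired grant, an out-of-scope target and a missing grant all look the same to the operator, but a reviewer auditing the decision log wants to tell them apart, and a lapsed time-boxed grant in particular is the signal that the temporary access did in fact end.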
The following graphic shows how CoreView gets IT to true Zero Trust:
As you can see in the above graphic, CoreView helps IT enforce multi-factor authentication to give user identities 99.9% protection from credential cracking. CoreView also includes deep forensics to find and fix security holes, and to stop intrusions in their tracks.
CoreView offers deep Microsoft 365-specific security protection, governance, and compliance. Learn how we help with a personalized CoreView demo.