Zero Trust Security Part 2: Implementing Zero Trust With Microsoft 365

As explored in detail in Part 1 of this Zero Trust Security series, the standard castle-and-moat, perimeter-styled network defense has been rendered practically useless in this new era of cloud computing, mobile devices, IoT, and other technologies. A new security philosophy is needed to address the challenging digital landscape that has taken form in recent years. Part 1 explains, in detail, what a Zero Trust Network is, why the Zero Trust security mindset is necessary, and how you can implement its strategies.

Part 2 will focus on some of the specific tools found in Microsoft 365 that can help make Zero Trust security a reality for your organization.

Azure AD

Azure Active Directory (AD) is the cornerstone of implementing Zero Trust security in Microsoft 365. It operates using a conditional access approach: Azure AD Identity Protection makes access control decisions dynamically, case by case, evaluating user, device, location, and session risk. This assessment is done for every resource request. The process does the following, as explained by Microsoft:

  • It combines attested runtime signals about the security state of a Windows device
  • It evaluates the trustworthiness of the user session and identity so that it can respond with as strong a security configuration as possible

Essentially, conditional access establishes a set of rules that can be designed to monitor and regulate every scenario in which a user attempts to access your company’s resources. That level of control is at the heart of a Zero Trust security philosophy.

Azure AD’s role is essential, but it is just one part of a many-pieced whole in Microsoft 365’s arsenal. It uses many other tools to establish a Zero Trust Network.

Windows Defender Advanced Threat Protection

Microsoft 365 has an endpoint protection platform (EPP) and an endpoint detection response (EDR) rolled into one powerful piece of technology called Windows Defender Advanced Threat Protection (ATP). Its capabilities are described by Microsoft this way:

[ATP] provides intelligence-driven protection, post-breach detection, investigation, and automatic response capabilities. It combines built-in behavioral sensors, machine learning, and security analytics to continuously monitor the state of devices and take remedial actions if necessary. One of the unique ways Windows Defender ATP mitigates breaches is by automatically isolating compromised machines and users from further cloud resource access.

Microsoft gives this scenario as an example: attackers are able to extract hashed user credentials from a device by using the Pass-the-Hash (PtH) and “Pass the Ticket for Kerberos” techniques. The attackers then use the credentials to move laterally and leapfrog into other systems.

Other Microsoft tools, such as Windows Defender Credential Guard and System Guard, will prevent these attacks (and even protect the system as it boots up and continues running), but you still need to know when such an attack has happened.

Essentially, Windows Defender ATP brings these attacks to light using its endpoint protection and detection response. It also assigns a risk level to the compromised devices that were involved. In the bigger scope of the conditional access approach mentioned above, once ATP has assigned a risk level to a machine, that assessment can be used later when deciding whether to issue that device a token to access other resources.
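To make the per-request conditional access decision described above concrete, here is an added Python example (not Microsoft's code and not any Azure AD or ATP API): a toy policy evaluator that takes the signals for one request, including the device risk level reported by the endpoint platform, and returns block, require_mfa or grant. The field names, policy thresholds and sample requests are assumptions constructed for this example.

```python
from dataclasses import dataclass

# Ordered risk levels used in the decision (constructed for this example).
RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}

@dataclass(frozen=True)
class AccessRequest:  # signals for one resource request (hypothetical field names)
    user: str
    resource: str
    device_compliant: bool  # enrolled and meeting the device policy
    device_risk: str        # risk level the endpoint platform assigned to the device
    sign_in_risk: str       # identity/session risk computed for this sign-in
    trusted_location: bool  # request comes from a known corporate network
    mfa_satisfied: bool     # strong authentication completed in this session

def risk_at_least(level: str, threshold: str) -> bool:
    return RISK_ORDER[level] >= RISK_ORDER[threshold]

def evaluate(req: AccessRequest) -> tuple[str, list[str]]:
    """Evaluate one request from scratch; return (decision, reasons) where the
    decision is "block" (no token), "require_mfa" (token after step-up) or "grant"."""
    # Block controls are checked first because they override everything else.
    if risk_at_least(req.device_risk, "high"):
        return "block", ["device marked high risk by endpoint protection"]
    if not req.device_compliant and not req.trusted_location:
        return "block", ["non-compliant device from an untrusted location"]
    # Step-up controls: any of these signals demands MFA before a token is issued.
    step_up = []
    if risk_at_least(req.sign_in_risk, "medium"):
        step_up.append("sign-in risk medium or higher")
    if risk_at_least(req.device_risk, "medium"):
        step_up.append("device risk medium")
    if not req.trusted_location:
        step_up.append("untrusted location")
    if step_up and not req.mfa_satisfied:
        return "require_mfa", step_up
    return "grant", step_up or ["all signals within policy"]

# Constructed sample requests: the same user and resource can get different answers.
SAMPLE_REQUESTS = [
    AccessRequest("alice", "sharepoint", True, "none", "low", True, False),
    AccessRequest("bob", "exchange", True, "none", "medium", True, False),
    AccessRequest("bob", "exchange", True, "none", "medium", True, True),
    AccessRequest("carol", "teams", False, "low", "low", False, True),
    AccessRequest("dave", "sharepoint", True, "high", "none", True, True),
]

def decisions() -> list[str]:
    return [evaluate(r)[0] for r in SAMPLE_REQUESTS]
```

Note that nothing is cached between calls: bob's two requests differ only in whether MFA was already satisfied, and dave's compliant, MFA-backed session is still refused once the device carries a high risk level.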

Cloud App Security

A tool like Cloud App Security is a necessity in today’s unpredictable work environment. Employees come to work with a variety of past experiences and preferences for software and online tools. When an employee brings into the company something they’ve liked using elsewhere without notifying IT or asking for approval, that employee has unknowingly created what’s called “Shadow IT”—third-party programs brought in without being vetted or approved. Besides exposing your network to potential bad actors, unchecked Shadow IT can place Personally Identifiable Information (PII), such as Social Security Numbers, or other sensitive company data at risk.

This is why Microsoft 365 has Cloud App Security (CAS), an important tool in its cloud security stack. Besides our breakdown of this tool in this article, you can watch our Tech Talk video overview that explains how it assists you in reining in the unpredictable elements of Shadow IT. As Microsoft describes it:

[Cloud App Security] is a comprehensive solution that can help your organization as you move to take full advantage of the promise of cloud applications, but keep you in control, through improved visibility into activity. It also helps increase the protection of critical data across cloud applications. With tools that help uncover shadow IT, assess risk, enforce policies, investigate activities, and stop threats, your organization can more safely move to the cloud while maintaining control of critical data.

CAS does a wide range of tasks to help you maintain control when Shadow IT sneaks in. The Cloud App Security tool will:

  • Import system logs from more than 20 different kinds of firewalls (e.g. SonicWall, WatchGuard, Cisco, Palo Alto Networks)
  • Use a custom log format tool so you can use CAS with any logs you have
  • Parse a day’s worth of logs (for a medium to large-sized business) in only a few hours
  • Check a catalog of more than 16,000 cloud applications and instantly show you on the dashboard how many applications, IP addresses, and users are present and how much bandwidth (download and upload) is being used
  • Provide a concise overview of the most used apps ranked by bandwidth and grouped by type
  • Display a list of your top bandwidth consumers with the amount of bandwidth that’s been used
  • Allow you to click on each data point to see more details and dig deeper
  • Provide a locations map that displays every location in the world where the information is being sent

When you click on a country on the map, you will see, for example, old installations of apps that have been left behind. With a click, you are presented with the risk level, security features, compliance certifications, and a display that identifies which users are active in those apps.

You can also access a list of apps in use and filter the list by security score. You can click and see who has interacted with each app. This gives you the insight to detect malware and find the end-users involved as you investigate security incidents.

In other words, it gives you the eyes to see the security weaknesses no matter where they are located, the bad actors involved, and the path to resolving the weaknesses.

CAS can also be configured to alert you when certain incidents happen, depending on your security needs. In our video at the top of this section, you can learn more details about this crucial process of using CAS.

Azure Information Protection

Microsoft’s Azure Information Protection (AIP) shares similarities with Cloud App Security, but it is far more powerful. Cloud App Security is designed to protect data in Office 365. AIP goes beyond the cloud and expands to protect on-premises infrastructure.

It is one tool in a unified package that makes up Microsoft Information Protection (MIP). MIP takes the features of Cloud App Security, Windows Information Protection, and Azure Information Protection and unifies them in a single location where you can manage every aspect of your security.

The AIP tool assists you in classifying and protecting documents and emails using labels. Each label type can be customized and applied automatically using rules and conditions you specify, applied manually, or a combination of both (for example, by recommending a label through notifications). Labels can apply identifying watermarks, regulate access (including offline access), and set expiration dates on time-sensitive material.

AIP is a powerful tool for establishing rules and conditions for your Zero Trust Network. To learn more about the details of how it works and how to set it up to your exact specifications, watch our Tech Talk video on AIP.

Microsoft Intune

Intune is Microsoft’s primary tool for managing mobile devices, computers, and applications in an organization. This includes the enrollment, registration, and overall management of all client devices. Along with Azure, Intune has control and visibility of any assets and data that are valuable to the organization. It has the ability to automatically establish trust requirements based on tools such as AIP and CAS mentioned earlier in the article.

Azure Security Center

The Azure Security Center is a collection of security best practices carefully integrated and combined into one software package. Microsoft has taken the hard-earned lessons it has learned from keeping its own data centers secure and placed them all in a user-friendly interface that is mobile-friendly. This means you can instantly access a world-class enterprise security interface and a summary of your company’s security status on your mobile device.

To learn more about Azure Security Center, watch our Tech Talk video and see the amazing (and incredibly convenient) features of this tool.

Enterprise Mobility + Security (EMS)

Enterprise Mobility + Security in Microsoft 365 delivers what its name promises: an effective combination of mobility and security on an enterprise level. As you’ve seen above, Microsoft leverages plenty of brilliant tools to make it happen, and they come together nicely and in a way that’s user-friendly and manageable in its EMS package. As Microsoft explains:

…EMS protects across users, devices, apps and data and is specifically designed to work together with Office 365 and Windows 10 to enable security that does not compromise user experience. EMS also secures and manages across thousands of SaaS applications, on-premises apps, as well as safeguarding data across iOS and Android devices. Most recently we integrated the management experience for IT into a single easy to use console. All this adds up to an intelligent security solution to support your organization’s digital transformation.

To learn more about Enterprise Mobility + Security, watch our Tech Talk video and see first-hand how Microsoft makes it so powerful and effective.

Zero Trust Security Means Thorough (and Effective) Conditional Access

All of the powerful tools above come together to accomplish the objective of Zero Trust security: require all requests for network access to flow through an access control proxy and make all assessments based on device and user trust. The bottom line: Zero Trust security means conditional access that is comprehensive but intelligent enough to allow flexibility and productivity. This fits the description of Microsoft 365’s security tools nicely.

Learn More about Zero Trust Security

Contact us for more helpful information about Zero Trust Security and how we can help you achieve it.
