In part one of this two-part series, I introduced the idea that, for those who have adopted the Microsoft cloud (or any other kind of cloud technology), our traditional security models are no longer effective and a security strategy rethink is needed to adopt approaches like zero trust.
In this part, I want to provide some guidance on the tools Microsoft makes available so you can adopt a modern zero trust model. The road to delivering zero trust is an ever-evolving one. However, there are four basic pillars around which we can build it: secure access, secure identity, secure data and monitoring our environment.
The Microsoft cloud provides us with a range of tools to achieve this. But to get started on this road I’d like to share the initial tools I’d look to adopt.
The point at which we receive a login request from an identity is when we start to apply our context. Just because we recognise the identity does not mean we should trust it. Conditional access policies are our first defence. These policies can assess three criteria: the user, the device and the location.
With a policy, we can apply context to an access request. Based on that context we can choose whether to allow access, block it, or, if we are unsure, ask the user to provide further validation. This is an extremely powerful first step in our modern security model.
If there was only one step you could take, it should be to use multi-factor authentication (MFA). The use of MFA, according to Microsoft, can reduce the threat of identity breach by 99%. How? By taking one additional validation step beyond a username and password to confirm the owner of the identity is valid.
By using this in conjunction with conditional access we can build real intelligence into the way we allow access to our environment. If our access policy can identify risk in our user, their device or location, we can then use MFA to validate that request with a unique token before we decide to block or allow.
The extent to which these two simple technology adoptions can help deliver a more robust modern security model should not be underestimated.
Once we have allowed access to our cloud resources, a zero trust model doesn’t mean we implicitly trust users with our data. Instead, we must build a security model that ensures that those we have allowed access can only use the data in ways we want them to.
The Microsoft cloud provides us with two powerful capabilities to enforce secure data usage.
Data loss prevention (DLP) allows us to monitor the flow of data throughout our organisation to ensure it is not used inappropriately, overshared or leaked via emails, chat or external cloud services. This ability to identify sensitive data as it is used and control it is a crucial part of modern zero trust security.
This is not the only tool we should consider, because while DLP can mitigate the risk of data misuse, what about when we do need to share data? Whether that is internally or externally, how do we do it securely? Sensitivity labels allow us to take this next crucial step. Labels can be attached to our sensitive information, and from then on the security we apply is embedded into our information. So regardless of where it is and wherever it is shared in future, we maintain complete control. There is, in my opinion, no stronger tool than this use of labels to protect our data assets.
Understanding your enterprise security baseline is as crucial as the tools we are putting in place to limit our risk. Knowing they are working and identifying areas for improvement is a powerful ally in taking on the security challenge. The Microsoft cloud gives us a range of powerful tools to do this. The place to start? The often underutilised Secure Score, which allows you to compare your security posture to that of similar organisations as well as providing easy-to-understand guidance on where improvements can be made.
This high-level tool is a great way to quickly understand your security posture.
The security challenge is difficult, of that there is no doubt. While the move to the cloud has opened up opportunities to innovate and grow, it has presented new security risks. However, the cloud has also made it easier to get access to tools to help secure our systems more effectively than ever.
Hopefully this short series has given you some understanding of the changing security threat and how our security models need to evolve, and, for those of you using Microsoft cloud technology, guidance on some of the powerful tools available to tackle many of the challenges we face.
I hope you have found this useful and I’d love to hear your feedback in the comments or contact me on Twitter.