Initiating A Zero Trust Transformation Project
transformation project?
August 2021
Microsoft France
Contributors/Reviewers: Jean-Yves Grasset, Arnaud Jumelet, Félix Ndouga, Maxime Roques, Guillaume
Aubert, Bastien Simon, Guillaume Bordier, India Giblain, Marc Gardette, Etienne Lacour, Jean-Marc
Guégan, Martin Flichy, Romain Curel, Lauren O’Hara
© 2021 Microsoft Corporation. All rights reserved. Any use or distribution of these materials
without express authorization of Microsoft Corp. is strictly prohibited. Microsoft and
Windows are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries. The names of actual companies and products
mentioned herein may be the trademarks of their respective owners.
The other major factor is the widespread shift of employees to remote work, a
scenario that for many companies and organizations was not anticipated. This has
challenged the well-established principles of perimeter security by increasing the
exposure of workstations located outside the physical boundaries of the enterprise.
The Zero Trust model is receiving a much more attentive reception from security
managers because they are aware that the reflexes acquired decades ago no longer
work. Today's world is not the same as it was 10 or even 5 years ago. To support this
awareness, we can refer to the CESIN-Opinionway Corporate Cyber Security
Barometer, Wave 6 [2], dated January 2021, which indicates that 75% of respondents
[1] The document is in French: « L'ESSENTIEL DE LA SECURITE NUMERIQUE POUR LES DIRIGEANTS ET LES DIRIGEANTES ».
[2] The document is in French: « Baromètre de la cyber-sécurité des entreprises, Vague 6 du CESIN-Opinionway ».
are currently studying how the Zero Trust model will be translated, have already put
in place building blocks of the model or are already very committed.
Beyond France, a study conducted as part of the MICROSOFT DIGITAL DEFENSE REPORT
mentioned above, estimated that 94% of respondents have already begun to deploy
Zero Trust building blocks and that 55% are looking to accelerate this deployment
because of the pandemic.
The ANSSI recently published a SCIENTIFIC AND TECHNICAL OPINION ON THE ZERO TRUST
MODEL [3], which acknowledges that "If the Zero Trust model is in line with the logic of
"defense in depth" historically promoted by the ANSSI, it constitutes a modification of
the paradigm of the strict perimeter logic that has long prevailed". It then
recommends that "if an implementation of the model is envisaged, it can only be
progressive", which is exactly the approach taken in this document.
Indeed, the transition to Zero Trust is an ambitious objective, a redesign project that
must be considered over time, but also a real opportunity to adapt to a context that
has changed profoundly over the last decade.
Moreover, this security approach assumes that the risk is omnipresent: the principle
of "Assume Breach" is used, which admits that, whatever the protections put in place,
one can be compromised at any time. In this case, it is necessary to be able to detect
and react as quickly and efficiently as possible.
[3] The document is in French: « AVIS SCIENTIFIQUE ET TECHNIQUE SUR LE MODELE ZERO TRUST ».
As this is a Microsoft white paper, we will describe the Zero Trust architecture with
the technological building blocks of our solutions as examples: Azure Active
Directory as the central identity building block, Microsoft Endpoint Manager for device
management, Microsoft Defender for Endpoint for the security of
Windows 10/Windows 11 devices, Azure Sentinel for the SIEM building block, etc.
However, deploying a Zero Trust architecture does not require you to adopt only
Microsoft components, nor to replace all the security systems that are currently in
place. It's up to you to build your own architecture, with the goal of drastically
reducing the number of security solutions to facilitate their integration, avoid
redundancies and optimize their administration.
Principles
To summarize in one sentence, the Zero Trust principle states that "all
users and devices should be able to access the right resources from any location under
the same security conditions". This breaks down into three pillars:
1. Verify explicitly: dynamically assess the context of every access request – identity,
location from which access is made, device used and its health status, etc.
2. Use least privilege access: based on this context, grant the requester only the
privileges needed for the application. This can be refined with just-in-time access
limited to a time window.
3. Assume breach: adopt the posture that you may already be compromised, and make
sure you are able to detect attacks and contain them quickly to limit their
impact.
Technological pillars
Beyond the understanding of these simple principles, we can see that the real-world
implementation covers a very broad set of topics (or pillars) from identity, devices,
data, applications, infrastructure and network, according to the categorization
proposed in the ZERO TRUST DEPLOYMENT CENTER.
On the left, we find the Identity of the person accessing the resource (usually the
user), to whom we will impose a strong authentication – multi-factor – and whose
risk can be dynamically estimated. Next, the Device used to access the targeted
resource (an application or a service), whose associated risk level can be estimated:
for example, a low risk level if the device is managed by the company, evaluated in
The central node, which is very precisely described in the Zero Trust vision, is the
real-time access assessment engine. It is based on the identity and device elements of
the access context and on a dynamic assessment of the threat state. Based on the security
policies defined by the organization, it grants full, partial or conditional access to the
requested application, or denies it. This strictly follows the model defined in
the NIST ZERO TRUST ARCHITECTURE white paper (SP 800-207), where the user is the subject
accessing the resource from a device and whose context is dynamically evaluated to
grant or deny access to the resource. In NIST terms the decision is taken by the Policy
Decision Point (policy engine and policy administrator) and applied by the Policy
Enforcement Point placed in front of the resource; together they form the "heart of the reactor".
The other pillars concern Data with the classification and protection of the most
sensitive data using encryption. This can include protection against information
leakage. Then comes the Infrastructure, whether it be cloud (Azure and other clouds)
or on-premises for the protection of application components: VMs, containers,
microservices, etc. Finally, the Network, with everything related to network security
such as traffic filtering, communication encryption, endpoints exposure, micro-
segmentation...
You should take advantage of this Zero Trust security redesign project to minimize
the number of solutions used. With a piecemeal approach to selecting the "best"
solutions on the market (the "best of breed" approach), companies end up stacking
dozens of security solutions that are problematic to integrate and operate, both in
terms of implementation and return on investment. However, there is no need to
wipe the slate clean, as we will see later when determining the Zero Trust maturity level
in Chapter 5 IDENTIFY YOUR MATURITY LEVEL.
Most of the security technological building blocks are now based on the cloud, which
offers the advantages of being accessible from any location with an Internet
connection (no more need for a VPN), not requiring infrastructure deployment, and
finally leveraging the power of AI by taking advantage of the effect of scale for
detection and response to cyber threats.
Importance of pillars
Not all pillars are perceived with the same importance. A survey conducted in early
2020, the figures of which can be found in the infographic SECURING IDENTITY WITH
ZERO TRUST, asked the question "What is the most important pillar in your Zero Trust
security model?" The 2 pillars mentioned in priority are Devices at 38% and Identities
at 24%.
This can be explained by the fact that the IT managers surveyed are more sensitive to
device security because teleworking has brought this topic to the forefront, and to
the importance of identity protection given the intensification of attacks whose
entry vector remains credential theft, most often through phishing. As for the
other pillars, it seems surprising that applications account for just 1% of the
concerns. This is probably because companies are using more and more
SaaS applications, or because internal applications have not yet migrated massively to
the cloud.
You will have to consider this model transition as a project or a set of projects that
will be spread over several months or even several years: we tend to say that it is
more of a "journey". For several years now, security has returned to the heart of
organizations and involves all entities. To quote one of the fundamental principles
of The ESSENTIAL OF DIGITAL SECURITY FOR MANAGERS [4]: "Cybersecurity is managed as a
transversal element in the company. It concerns everyone, at all levels, from the
design of a project to its execution and sale". This is especially true for a project
redesigning the security model, which will involve building a team whose members
will include the network, security, and IT teams (infrastructure, directory,
workstations, etc.), as well as the business and legal departments.
Like any project that strongly impacts the company, it will be necessary to find a
sponsor, someone quite high in the hierarchy, who believes in the project and will
be able to defend it at the highest level. If your company already has a CYBER-
COMEX, you will have to rely on its members to carry out your Zero Trust project.
Business teams will be strong allies if you can show them that this transformation
will make it easier to deploy new applications or will enable scenarios
that were not allowed until now. These teams will be indispensable in defining which
scenarios are the most worthwhile. This is true both for bringing the SaaS solutions
already in use under control – by authorizing them explicitly and knowingly from now on – and
for the development of new applications or services made available internally
or to the company's customers and partners.
This new approach to security that you are going to propose should no longer be
seen as a hindrance, but as being able to facilitate the business, the daily work for all
the users of your information system, and the fluidity of the exchanges internally as
well as with the partners/subcontractors.
You will have to choose people motivated by the subject to form the core team of
the project. There is no need to multiply the number of team members to end up in
[4] The document is in French: « L'ESSENTIEL DE LA SECURITE NUMERIQUE POUR LES DIRIGEANTS ET LES DIRIGEANTES ».
The Core Team and the sponsor will naturally be involved in the continuation of the
Zero Trust project. Keep in mind that the journey to Zero Trust itself will require a
long-term commitment from the team and leadership.
But let's not forget the objective: it is primarily a framing of the project which does
not require that everything be defined in the smallest details (technical,
organizational, ...) but that the major projects or sub-projects be identified, estimated
in cost, put in relation with each other and positioned on a time scale.
The basic question will therefore be: what are the problems to be solved and in what
priority?
• I want to allow employees to work from home with the same security
conditions and performance;
• I want to be able to ensure that my critical data (e.g. my trade secrets) are
properly protected and guarantee against leakage or theft;
• I want to ensure that my production sites are properly protected and will
remain available;
• Etc.
From the list that you have built, you will then have to assign a priority to each
expectation. For example, you might prioritize ransomware protection or critical data
protection. The solutions to cover each expectation may concern several pillars,
several technologies per pillar and be more or less difficult to set up.
Note that some expectations may be more specific, such as "I want to minimize the
attack surface of my Active Directory" because they correspond to an experience, or
a risk assessed as strong (compromise of the on-premises Active Directory).
Data control. Data is the company's most valuable asset: we must be able to identify
the most sensitive data through classification. This sensitive data must receive
appropriate protection that guarantees its confidentiality, even in the event of a
leak (intentional or not) to the outside. Ensuring its integrity and availability is
crucial, for example in the event of a ransomware attack.
Cloud integration. The cloud has become an essential element both for the
business use of available SaaS applications and for applications developed in-house.
Organizations where cloud integration has been done in a less controlled manner
should seize the opportunity of Zero Trust to regain control by limiting shadow IT.
Identity is one of the pillars of Zero Trust: the implementation of strong identity
management and protection in a hybrid environment is a matter to be considered
as a priority.
[5] GENERAL DATA PROTECTION REGULATION
Some expectations will be expressed in a simple way because they will refer to only
one pillar and a limited number of technological building blocks in that pillar. For
example, if we consider the expectation "I want to strengthen user authentication to
secure access to external and internal applications", this concerns the Identity pillar
and two authentication hardening technologies: multi-factor authentication and
passwordless authentication.
Other expectations will be more complex to implement because they involve several
pillars and several technologies among these pillars. For example, the expectation "I
want to be able to protect myself effectively against ransomware" will focus on several
pillars, mainly the Data pillar with data access protection, backup-restore, but also
attack detection (in an "Assume breach" vision), protection against phishing,
protection of identities and devices, hardening of the Active Directory, and
strengthening of administration practices.
Another example, the expectation "I want to allow employees to work from home with
the same security conditions and the same performance" will be even more transversal
by involving the Identity pillars (identity management, strong authentication),
Devices (management of device security), Data (data protection/classification),
Network (powerful access to collaboration applications), and Applications
(conditional access linked to identity and context, application security). We see in
this case that we will have to make choices in the schedule for deploying the building
blocks, for example tackling first securing identity, then securing devices, etc.
One thing is certain, Identity is a pillar that will be common to almost all scenarios.
This construction stage will be conducted in the form of workshops that you can
build and lead yourself based on the many existing documentation, or by getting
help from external consulting resources. These meetings should involve the Core
Finally, you will have to be ambitious to consider the change of model as a whole,
but then define a phasing in the deployment of technological building blocks
according to the priorities of your expectations.
To go further, the online tool ZERO TRUST MATURITY MODEL ASSESSMENT offers you, for
each pillar, to assess your level of maturity based on a set of questions about your
This maturity level analysis allows you to make a first pass at your existing
environment. This exercise is important because it allows you to inventory the
existing solutions that could be integrated into the Zero Trust vision, the possible
level of difficulty for their integration, the solutions to be replaced, etc. It is important
to keep in mind the expectations you have defined in order to focus on the
technological building blocks you identified in the previous step. Even if you have to
be ambitious to build an overall vision, you have to avoid dispersing works and
especially avoid going into technical details at this stage.
Evaluation examples
Taking the concrete case of ransomware protection again, the following topics will
be evaluated against the existing environment to infer, for example:
• Protection against phishing emails: OK, although we will have to strengthen employee
awareness and test through campaigns.
• Workstation protection: the workstations are all managed by an internal tool with
security configurations applied, regular security patch updates, and anti-virus / anti-
malware, but an EDR (Endpoint Detection and Response) would be a plus.
• Detection of ransomware attacks: this is currently the weakest point: our SIEM does
not effectively identify this type of attack and react without delay. An EDR should be
considered, possibly coupled with a SIEM that could quickly detect compromised
workstations and isolate them to avoid propagation.
• Workstation rebuild: this is another weak point. We would not be able to rebuild a
large number of workstations in a short time. An automated and efficient solution,
ideally in the form of a cloud service, should be considered.
• Data recovery: a lot of data is hosted in SharePoint Online and could be restored to
earlier versions in case of encryption, but there are still on-premises servers whose
recovery capabilities are less certain.
• Application protection: mission-critical applications rely on SaaS solutions, which are not
directly exposed to ransomware running on our servers; the accounts used to reach them and
any data synchronized from them to workstations still need to be protected.
Let's take as a second example the decision to migrate or develop applications in
the cloud while ensuring that they are properly protected: we will look at the Identity,
Applications but also Devices pillars to make the following observation in relation to
our existing environment:
These results show that device security is a topic that has been addressed as a
priority. The network is typically a subject where security is mastered at least on the
on-premises part, but its importance should not be neglected concerning the
architecture of cloud applications and the impacts related to the generalization of
teleworking. As for the Data and Identity pillars, even if the technologies are available
(respectively classification, encryption, DLP, etc. and multi-factor authentication,
conditional access control, protection of privileged accounts, etc.), half of the
companies consider that they still have some way to go to take advantage of them.
The infrastructure pillar, which concerns the security of on-premises servers or IaaS
components in the cloud (for the detection of attacks or configuration anomalies)
remains the subject on which companies feel most vulnerable and least equipped.
Quick wins have a positive side: they are both motivating for the teams and quickly
bring tangible results. They also provide reassurance at a higher level about the
viability and positive impacts of the Zero Trust project. The downside is that they can
give a false sense of project completion and leave people thinking "that's it, we're
Zero Trust", "in the end it wasn't any more complicated than that, now let's move on
and stop investing".
This is why the quick wins must be chosen with care and presented as starting points
while being integrated in the complete roadmap of the project, which will not be
spread over a few weeks but over the longer term. The choice of quick wins must be
integrated into the technical building blocks that correspond to the expectations
previously determined.
Some quick wins are highlighted because they correspond to essential Zero Trust
pillars like Identity. The quick win that is systematically highlighted is the
generalization of multi-factor authentication or, better, passwordless authentication.
But this is far from being the only one: for example, the implementation of SSO for
the most popular or most critical applications would be visible and not necessarily
complex. If we consider the objective of fighting ransomware, deploying an EDR such as
Microsoft Defender for Endpoint will quickly bring visibility into threats coming from
the endpoints and enable a response.
[6] To be found in the Microsoft white paper ZERO TRUST BUSINESS PLAN, A PRACTICAL GUIDE TO IMPLEMENTING THE ZERO TRUST FRAMEWORK AT YOUR ORGANIZATION
Finally, a quick win remains a tactical step, i.e. an immediate and visible advantage,
but it must be part of a strategic approach that represents the transition to the Zero
Trust model. In addition, one will strive to respect the principle of minimizing the
number of solutions to limit integration problems, reduce costs and facilitate
administration.
In NIST terminology, the central elements are the Policy Decision Point (PDP), which
dynamically assesses the context and decides whether or not to grant access, and the
Policy Enforcement Point (PEP), which applies that decision to the session. In the
Microsoft environment, both roles are played by Azure Active Directory, which implements
them through conditional access control and also acts as the identity repository.
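As an added illustration (not Microsoft's or NIST's code), the following Python models the decision/enforcement split described here and in the description of the central access assessment node earlier on this page: each policy carries an assignment condition plus either a block or a set of required grant controls; a block wins over everything, and access is granted only once every required control is satisfied by the session, which is how Azure AD conditional access behaves when all selected controls are required. The signal names (user and sign-in risk levels, device compliance, trusted location), the control names and the sample policies are assumptions chosen for the example.

```python
"""Toy Zero Trust access-evaluation engine (added example, not Microsoft's or NIST's code).
Models a Policy Decision Point (decide) and a Policy Enforcement Point (enforce)."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Tuple

RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}   # assumed risk scale


@dataclass(frozen=True)
class AccessContext:
    """Signals about one access request: the NIST subject, its device and environment."""
    user: str
    app: str
    device_compliant: bool   # health/compliance reported by MDM/EDR (assumed signal)
    trusted_location: bool   # request comes from a named corporate network
    mfa_satisfied: bool      # strong authentication already done in this session
    user_risk: str           # "none" | "low" | "medium" | "high"
    signin_risk: str


@dataclass(frozen=True)
class Policy:
    name: str
    condition: Callable[[AccessContext], bool]   # assignment: to whom/what it applies
    block: bool = False                          # a block policy wins over every grant
    require: FrozenSet[str] = frozenset()        # grant controls that must all be satisfied


def risk_at_least(level: str, threshold: str) -> bool:
    return RISK_ORDER[level] >= RISK_ORDER[threshold]


# Sample policy set (assumptions for the example, not a recommended baseline).
POLICIES = [
    Policy("Block high user risk", lambda c: risk_at_least(c.user_risk, "high"), block=True),
    Policy("MFA for all users", lambda c: True, require=frozenset({"mfa"})),
    Policy("Compliant device outside trusted locations", lambda c: not c.trusted_location,
           require=frozenset({"compliant_device"})),
    Policy("Compliant device for the ERP", lambda c: c.app == "finance-erp",
           require=frozenset({"compliant_device"})),
    Policy("MFA on medium or higher sign-in risk",
           lambda c: risk_at_least(c.signin_risk, "medium"), require=frozenset({"mfa"})),
]


def decide(ctx: AccessContext, policies=POLICIES) -> Tuple[str, FrozenSet[str], List[str]]:
    """Policy Decision Point. Returns (verdict, controls still missing, matched policies).
    verdict is 'deny', 'allow' or 'require'; for 'require' the enforcement point must
    obtain the missing controls (e.g. prompt for MFA) before the session may proceed."""
    matched, required, blocked = [], set(), False
    for p in policies:
        if p.condition(ctx):
            matched.append(p.name)
            blocked = blocked or p.block
            required |= p.require
    if blocked:                       # deny wins regardless of satisfied controls
        return "deny", frozenset(), matched
    satisfied = {name for name, ok in (("mfa", ctx.mfa_satisfied),
                                       ("compliant_device", ctx.device_compliant)) if ok}
    missing = frozenset(required - satisfied)
    return ("allow" if not missing else "require"), missing, matched


def enforce(ctx: AccessContext) -> str:
    """Policy Enforcement Point: turn the decision into the gateway action."""
    verdict, missing, _ = decide(ctx)
    if verdict == "deny":
        return "blocked"
    if verdict == "require":
        return "challenge:" + ",".join(sorted(missing))
    return "granted"


if __name__ == "__main__":
    home_worker = AccessContext("alice@contoso.example", "mail", True, False, True, "none", "none")
    print(enforce(home_worker))   # granted: MFA done on a compliant device, even off-network
```

The point to notice is that location only changes which controls are required; it never by itself grants access, which is what "the same security conditions from any location" means in practice.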
As recommended in the white paper 10 TIPS FOR ENABLING ZERO TRUST SECURITY,
"Identity is the best starting point for Zero Trust" since “using identity as the control
plane lets companies treat every single access request as untrusted until the user,
device, and other factors are fully vetted.”
Identity compromise is the entry point for the vast majority of attacks perpetrated
on enterprises or organizations: in March 2020 alone, Microsoft detected 4.9 billion
attempted logins related to attacks and more than 150,000 compromised accounts,
according to figures specified in the document UNDERSTANDING IDENTITY THREAT
PROTECTION. Identity protection is therefore a priority to deal with the increase in this
type of attack, often initiated by phishing campaigns.
To further reinforce the message, let's cite the EXAMINING ZERO TRUST AN EXECUTIVE
ROUNDTABLE DISCUSSION document summarizing the roundtable discussion between
the Cloud Security Alliance and Microsoft in December 2020, which advocates
"considering identity as the new perimeter" arguing that "organizations must first
focus on strengthening their user authentication and identity verification, as most
security breaches involve the theft of credentials.”
This is not surprising when you know that passwords are the entry point in 80% of
hacking attacks [8] and that the generalized use of multi-factor authentication is
estimated to reduce the risk of compromise by 99.9% [9]. Especially since
its implementation is greatly simplified by a single setting, security defaults, which
enables several preconfigured security options [10].
[7] ZT_One_Minute_Identities (microsoft.com)
[8] Email: Is the Digital Door Propped Open for Identity Hijackers? Multi-Factor Authentication Helps Shut Cyber Criminals Out, CHUBB/Microsoft.
[9] Flash whitepaper: Why MFA is a top priority in 2020
[10] What are security defaults?
[11] Plan a passwordless authentication deployment in Azure Active Directory
The recommendation is to start with a few simple policies and roll them out in stages,
on a reduced perimeter, before generalizing them. Azure AD conditional access policies
can be created in report-only mode, which records in the sign-in logs what the policy
would have done without enforcing it: use it to measure the impact on users before
switching a policy on. Once the process is under control and tested, the number of
access policies can be increased, taking care to use indicators to monitor their
application, which leads into the next chapter.
To conclude, the complete approach to the Identity pillar is described in the article
SECURING IDENTITY WITH ZERO TRUST | MICROSOFT DOCS.
In its approach to measuring the progress of the Zero Trust project, the Microsoft
white paper "ZERO TRUST BUSINESS PLAN, A PRACTICAL GUIDE TO IMPLEMENTING THE ZERO
TRUST FRAMEWORK AT YOUR ORGANIZATION", defines three main categories of indicators
that correspond to three global objectives of any Zero Trust vision that we have
already discussed in step 3: strengthening and efficiency of security, opening up to
new business scenarios and simplifying security implementation by limiting the
number of heterogeneous solutions to be integrated (i.e. move away from the "best
of breed" approach).
In the first category of business scenarios, we will focus on providing the most
transparent and trouble-free experience for users by defining indicators such as the
number of rejected multifactor authentications (to be minimized), the percentage of
users accessing applications with SSO, the number of password reset requests. We
will also be interested in the user's daily experience of scenarios linked to mobility,
for example the number of accesses to applications from personal or company-
The indicators will be chosen with relevance among the information brought back
by a telemetry that will have to be omnipresent: this is one of the feedbacks from
the implementation of the Zero Trust model by the internal IT of Microsoft as
described on the page IMPLEMENTING A ZERO TRUST SECURITY MODEL AT MICROSOFT.
According to this article, “Pervasive data and telemetry are used to understand the
current security state, identify gaps in coverage, validate the impact of new controls,
and correlate data across all applications and services in the environment. Robust and
standardized auditing, monitoring, and telemetry capabilities are core requirements
across users, devices, applications, services, and access patterns”.
In the Microsoft environment, you natively have the SECURE SCORE tool to help you
evaluate your current security posture and obtain a list of recommendations to
improve it proactively. It comes in two flavors: the Azure Security Center secure score,
applicable to PaaS, IaaS, hybrid and multi-cloud workloads, and Microsoft Secure Score,
applicable to Microsoft 365 SaaS applications.
In their article Zero Trust Doesn't Mean Zero Breaches, Forrester answers a question
they are commonly asked: would Zero Trust have prevented this or that attack
(SolarWinds, NOBELIUM, etc.)? The answer is that "Zero Trust acknowledges that bad
things happen to good people and prescribes techniques in place to limit the blast
radius, detect the incident, and respond automatically." This statement highlights the
value of detecting an incident early and reacting quickly – automatically if
possible – to limit its blast radius.
Since identity is the "new perimeter" and the prime target of attacks, monitoring it
becomes a necessity. For example, you can route Azure AD activity logs (sign-in and
audit logs) to Azure Monitor or forward them to your own SIEM [12] for processing. You
can also rely on Identity Protection to analyze signals and to detect and remediate identity
risks.
To monitor the security of Windows endpoints, you can rely on your own EDR or
choose to use Microsoft Defender for Endpoint. To extend monitoring beyond that,
you can either opt for solutions by services or functions and perform processing and
correlation in your SIEM (Security Information and Event Management), or for a first
level of integration with a suite such as Microsoft 365 Defender which integrates
several tools (Microsoft Defender for Endpoint, Defender for Office 365, Defender
for Identity, etc.).
[12] Azure AD activity logs in Azure Monitor
The highest-level monitoring element remains the SIEM, which collects signals from
a multitude of heterogeneous sources to try to extract weak signals, raise meaningful
alerts and give the possibility to investigate without juggling between consoles.
Unfortunately, traditional SIEM solutions tend to multiply false positives as the
number of signals to be processed grows exponentially. Newer cloud-based solutions
using artificial intelligence (AI) are proving more efficient at processing these masses
of signals, limiting the number of false positives and offering orchestration and
automated response capabilities. One example is Microsoft Azure Sentinel, which applies
AI to identify threats quickly and, being delivered as a cloud service, removes the
infrastructure configuration, maintenance and scaling burden that weighs on
traditional SIEMs.
In addition, most applications are now accessible from the Internet, whether they are
SaaS-based vendor applications or the organization's own applications that have
migrated to the cloud. Device management services (MDM for mobile devices and
PCs), security services (XDR, etc.) and directory services (Azure Active Directory) are
also available as SaaS services, making security management accessible with a simple
Internet connection.
All of this contributes to the fact that, from an IT perspective, "the Internet becomes the
corporate network". Indeed, when identities are managed in your Azure AD cloud
directory, when all workstations are controlled from cloud services, when
applications are accessible from the outside, and when the security systems
themselves operate from the cloud, the internal network ceases to be a trust
boundary. No matter where a user's device is located, all they need is an Internet
connection to reach all the resources needed for their work with
the same level of security.
This is the choice adopted by Microsoft's internal IT department, which provides two
types of on-site Internet access: the "Unmanaged Internet" network is reserved for
people such as guests, seminar participants…, or for employees' devices used in
BYOD mode; the "Managed Internet" network is reserved for employees accessing
the Internet from a device managed by the company. The latter network offers, in
addition to Internet access, the possibility to access on-site resources such as
printers. Both networks are accessible through the Wi-Fi on each Microsoft site.
The security benefits are clear: the attack surface of the internal
network is greatly reduced because the internal network itself shrinks; attacks
that mainly originate from compromised workstations and target Active Directory
lose their effectiveness; Active Directory becomes less critical as it is progressively
deprovisioned; the use of strictly secured administration
workstations limits the possibilities of compromise; finally, isolating critical resources
in dedicated network segments strengthens their resistance to attacks.
[13] Implementing a Zero Trust security model at Microsoft
This example will certainly have to be adapted to your own existing environment but
it constitutes a target and sets out the main principles:
[14] Azure best practices for network security
[15] How to apply a Zero Trust approach to your IoT solutions
[16] Purdue Enterprise Reference Architecture - Wikipedia
The figure will represent a synthetic view of all of the workstreams that await you,
and will take into account the subjects related to integration into the existing
environment and the impacts on the security solutions already in place: certain
solutions will be continued and will have to be considered in the integration with the
other Zero Trust building blocks, while others will disappear or, at the very least, will
be preserved within a much smaller scope. This roadmap will not have the precision
of a detailed project plan but will provide an overall vision sufficiently precise to
defend your transformation project.
To get to the heart of the matter, let's take an example of a roadmap based on the
real-life cases of customers who have conducted this Zero Trust scoping phase. You
will notice that many of the building blocks are based on Microsoft solutions, which
was a choice dictated by a desire to limit integration costs and to simplify security
administration by limiting the number of administration portals, among other things.
The Identity pillar is, unsurprisingly, quite rich, with the Azure AD directory becoming
the reference directory for identities after the migration from the previous on-
premises identity management platform and its subsequent removal [17]. Eventually,
the synchronization links with Active Directory are disabled, with identities then
provisioned directly from the Human Resources system. Conditional access is set up
from the beginning for users (it's a quick win) and then extended to devices that are
managed from Microsoft Intune (MDM) and whose security and health status are
reported by the EDR in place. The Windows Hello for Business biometric
authentication project is launched from the start as a proof of concept (another
quick win) before being generalized and then associated with the passwordless
authentication available natively with Azure AD.
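To make the two conditional-access phases of the Identity pillar concrete, here is an added example of a small policy-decision engine (this is illustrative code written for this page, not Microsoft's code and not the Azure AD Conditional Access schema). It models what the text describes: a first phase where policies only look at the user and the sign-in risk, and a second phase where the device's MDM compliance state and the EDR health signal also become grant conditions. The `SignIn` and `Policy` types, the risk scale and the sample policies are assumptions for this example.

```python
"""Toy conditional-access decision engine (added example, not Microsoft's code).

A sign-in is evaluated against all applicable policies: any "block" policy wins,
otherwise every grant control required by the matching policies must already be
satisfied (AND semantics), and the caller is told which controls are still missing.
The field names and sample policies are assumptions for this example.
"""
from dataclasses import dataclass

# Risk levels as an ordered scale; a policy with min_risk="high" only applies
# to sign-ins whose risk is "high".
RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class SignIn:
    user: str
    groups: set                      # group memberships of the user
    app: str                         # application being accessed
    sign_in_risk: str = "none"       # risk level reported by the identity provider
    device_managed: bool = False     # device enrolled in the MDM (Intune)
    device_compliant: bool = False   # MDM compliance state of the device
    edr_healthy: bool = True         # health signal reported by the EDR
    mfa_done: bool = False           # MFA already satisfied in this session


@dataclass
class Policy:
    name: str
    target_groups: set               # empty set = all users
    target_apps: set                 # empty set = all applications
    min_risk: str = "none"           # applies at or above this sign-in risk
    require_mfa: bool = False
    require_compliant_device: bool = False
    require_healthy_device: bool = False
    block: bool = False


def policy_applies(p: Policy, s: SignIn) -> bool:
    """True when the policy's scope (users, apps, risk) covers this sign-in."""
    if p.target_groups and not (p.target_groups & s.groups):
        return False
    if p.target_apps and s.app not in p.target_apps:
        return False
    return RISK_ORDER[s.sign_in_risk] >= RISK_ORDER[p.min_risk]


def evaluate(policies, s: SignIn) -> dict:
    """Return {'decision': 'block'|'require'|'grant', 'policies': [...], 'missing': [...]}."""
    missing = set()
    matched = []
    for p in policies:
        if not policy_applies(p, s):
            continue
        matched.append(p.name)
        if p.block:
            return {"decision": "block", "policies": matched, "missing": []}
        if p.require_mfa and not s.mfa_done:
            missing.add("mfa")
        # A device must be both managed and compliant to count as compliant.
        if p.require_compliant_device and not (s.device_managed and s.device_compliant):
            missing.add("compliant_device")
        if p.require_healthy_device and not s.edr_healthy:
            missing.add("healthy_device")
    if missing:
        return {"decision": "require", "policies": matched, "missing": sorted(missing)}
    return {"decision": "grant", "policies": matched, "missing": []}


# Phase 1 (users only): MFA for everyone, block high-risk sign-ins outright.
PHASE1 = [
    Policy("All users: MFA", set(), set(), require_mfa=True),
    Policy("Block high-risk sign-ins", set(), set(), min_risk="high", block=True),
]
# Phase 2 (devices added): the finance ERP additionally needs a compliant,
# EDR-healthy device. Group and app names are constructed for the example.
PHASE2 = PHASE1 + [
    Policy("Finance ERP: compliant and healthy device", {"finance"}, {"erp"},
           require_compliant_device=True, require_healthy_device=True),
]

if __name__ == "__main__":
    s = SignIn("alice", {"finance"}, "erp", mfa_done=True)
    print(evaluate(PHASE1, s))   # granted: MFA done, phase 1 ignores the device
    print(evaluate(PHASE2, s))   # phase 2 still requires a compliant device
```

The useful property to notice is that the same sign-in that is granted under the phase 1 policy set is held back under phase 2 until the device signals arrive, which is exactly why the text treats device enrolment in Intune and the EDR health feed as prerequisites of the second step rather than of the first.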
The Devices pillar follows three phases in the path to “modern” management,
starting with a pilot where the workstations and mobiles in this first scope are joined
[17] We are talking about the identity management platform and not Active Directory, whose footprint will be reduced but which will not be deleted.
The Data pillar starts with the implementation of the classification of data hosted in
the cloud, a large part of the data having migrated to SharePoint Online. Some
sensitive data will remain on-premises, hosted on secure servers in isolated network
segments with rigorous access constraints. The Data Classification Governance
workstream will be launched to define the data management processes according
to their sensitivity. The data protection workstream will follow to apply encryption to
data based on sensitivity following classification, whether automatic or under the
responsibility of the creator/owner of the information.
The attainment of the "Achieve Data Protection and Compliance" milestone seals an
important moment in the Zero Trust project, as it will have provided the opportunity
to implement a classification solution that has often been postponed due to a lack
of suitable technical solutions.
Finally, the DLP (Data Loss Prevention) functionality will then be activated and
configured at the level of the CASB (Cloud Access Security Broker) already deployed
by the company (see below).
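The three Data pillar workstreams (classification, protection derived from the label, then DLP) chain together naturally, and the following added example shows that chain in miniature; it is illustrative code written for this page, not Microsoft's code or a Microsoft Purview/Cloud App Security implementation. The label names, the detection patterns, the protection table and the organisation domain `contoso.example` are all assumptions for the example. It also encodes one governance rule worth stating in the classification process: an owner may raise the sensitivity of a document above what automatic classification detected, but never lower it.

```python
"""Added example: classification-driven protection and DLP (not Microsoft's code).

1. classify():     label = max(automatic detection, label chosen by the owner)
2. PROTECTION:     encryption and external-sharing rule derived from the label
3. dlp_decision(): the rule applied to a concrete share request, as a CASB would
Label names, patterns and domains are assumptions constructed for this example.
"""
import re
from typing import Optional

# Automatic rules, ordered from most to least sensitive; the first match wins.
AUTO_RULES = [
    # Constructed pattern for 16-digit card-like numbers (no Luhn check here).
    ("Highly Confidential", re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b")),
    # Explicit markers placed in the document body.
    ("Confidential", re.compile(r"\b(CONFIDENTIAL|INTERNAL ONLY)\b", re.IGNORECASE)),
]
DEFAULT_LABEL = "Internal"
LABEL_RANK = {"Public": 0, "Internal": 1, "Confidential": 2, "Highly Confidential": 3}

# Protection derived from the label: encrypt the content, and the DLP rule
# that the CASB evaluates when the document is shared outside the organisation.
PROTECTION = {
    "Public":              {"encrypt": False, "external_sharing": "allow"},
    "Internal":            {"encrypt": False, "external_sharing": "allow"},
    "Confidential":        {"encrypt": True,  "external_sharing": "require_justification"},
    "Highly Confidential": {"encrypt": True,  "external_sharing": "block"},
}


def auto_label(text: str) -> str:
    """Automatic classification from content."""
    for label, pattern in AUTO_RULES:
        if pattern.search(text):
            return label
    return DEFAULT_LABEL


def classify(text: str, owner_label: Optional[str] = None) -> str:
    """Final label: the owner may raise sensitivity, never lower it below detection."""
    detected = auto_label(text)
    if owner_label is None:
        return detected
    return owner_label if LABEL_RANK[owner_label] >= LABEL_RANK[detected] else detected


def is_internal_domain(domain: str, org_domain: str) -> bool:
    # Exact match or a real subdomain; a bare endswith() would also accept
    # "evilcontoso.example", so the dot is required.
    return domain == org_domain or domain.endswith("." + org_domain)


def dlp_decision(text: str, owner_label: Optional[str], share_target_domain: str,
                 org_domain: str = "contoso.example") -> dict:
    """Decide what happens when a document is shared with a recipient domain."""
    label = classify(text, owner_label)
    rules = PROTECTION[label]
    external = not is_internal_domain(share_target_domain, org_domain)
    if external and rules["external_sharing"] == "block":
        action = "block"
    elif external and rules["external_sharing"] == "require_justification":
        action = "warn"      # user must justify; the event is logged for review
    else:
        action = "allow"
    return {"label": label, "encrypt": rules["encrypt"], "action": action}


if __name__ == "__main__":
    print(dlp_decision("Card 4111 1111 1111 1111 on file", "Public", "partner.example"))
    print(dlp_decision("Quarterly plan, INTERNAL ONLY", None, "hr.contoso.example"))
```

Note that encryption follows the label regardless of where the file is shared, which is the "data protection" step of the text, while the share action is only decided at sharing time, which is the DLP step the CASB enforces.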
The Applications pillar begins with the deployment of the CASB function at the
enterprise level, with the choice of using the Microsoft Cloud App Security solution.
The CASB will be able to discover all the cloud applications used, including some
SaaS applications not referenced by the internal IT ("Shadow IT"). It will then be
possible to assign them a risk level and to approve or reject their use.
SaaS applications will then be gradually connected to Azure AD (for those that are
not natively connected [19]) to rely on the directory's identity repository and take
advantage of SSO. Two workstreams will be carried out in parallel: the first to migrate
eligible legacy applications to the cloud; the second to publish older Web
applications through reverse proxies based on Azure AD authentication.
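The Shadow IT discovery step of the Applications pillar is essentially an aggregation of outbound web traffic against an application catalogue with risk scores. The added example below shows that aggregation over a handful of constructed proxy log lines; it is illustrative code written for this page, not Microsoft's code and not how Microsoft Cloud App Security performs discovery. The log format, the application catalogue, its risk scores and the sanctioned list are all constructed assumptions.

```python
"""Added example: cloud-app discovery from web proxy logs (not Microsoft's code).

Each app seen in the logs is reported with its user count, bytes sent and a
status: sanctioned, unsanctioned (risk above the threshold), review (known app
with acceptable risk, awaiting a decision) or unknown (not in the catalogue).
Log lines, catalogue, scores and the sanctioned list are constructed here.
"""
import re
from collections import defaultdict

# Constructed proxy log: timestamp, user, destination host, bytes sent.
PROXY_LOG = """\
2021-06-01T08:02:11Z alice drive.example-storage.test 18231
2021-06-01T08:05:40Z bob sharepoint.contoso.example 9021
2021-06-01T08:07:02Z alice notes.paste-it.test 2048
2021-06-01T09:11:19Z carol drive.example-storage.test 812003
2021-06-01T09:30:00Z bob teams.contoso.example 4410
this line is malformed and must be skipped
2021-06-01T10:00:01Z dave notes.paste-it.test 77
2021-06-01T10:15:00Z carol cdn.unknown-saas.test 5000
"""
LINE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<host>\S+) (?P<bytes>\d+)$")

# Constructed catalogue: host -> (application name, risk score 1 low .. 10 high).
CATALOGUE = {
    "drive.example-storage.test": ("ExampleDrive", 6),
    "notes.paste-it.test": ("PasteIt", 9),
    "sharepoint.contoso.example": ("SharePoint Online", 1),
    "teams.contoso.example": ("Teams", 1),
}
SANCTIONED = {"SharePoint Online", "Teams"}


def discover(log_text: str, max_risk: int = 5) -> dict:
    """Aggregate usage per application and assign a discovery status."""
    usage = defaultdict(lambda: {"users": set(), "bytes_out": 0, "risk": None})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                    # skip malformed lines, do not abort the run
        name, risk = CATALOGUE.get(m["host"], (m["host"], None))
        entry = usage[name]
        entry["users"].add(m["user"])
        entry["bytes_out"] += int(m["bytes"])
        entry["risk"] = risk
    report = {}
    for name, e in usage.items():
        if name in SANCTIONED:
            status = "sanctioned"
        elif e["risk"] is None:
            status = "unknown"          # not in the catalogue: manual review needed
        elif e["risk"] > max_risk:
            status = "unsanctioned"
        else:
            status = "review"
        report[name] = {"users": len(e["users"]), "bytes_out": e["bytes_out"],
                        "risk": e["risk"], "status": status}
    return report


if __name__ == "__main__":
    for name, info in sorted(discover(PROXY_LOG).items()):
        print(f"{name:20} {info}")
```

The `bytes_out` column matters as much as the risk score: a high-risk application used by one person for 77 bytes and one used by several people to upload hundreds of kilobytes call for different decisions, which is why the report carries both before anyone approves or rejects the application.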
[18] Protecting high-risk environments with secure admin workstations
[19] List of applications natively integrated with Azure AD
The Infrastructure pillar starts with the deployment of the Microsoft Defender for
Identity solution to monitor Active Directory and detect attacks or compromises,
pending the drastic reduction of its attack surface.
Windows 10/Windows 11 workstations will then gradually migrate to Azure AD in
conjunction with Windows Intune for their management. The federation function
between Active Directory (and possibly other internal directories) and Azure Active
Directory will be removed once all applications have transitioned to Azure AD
authentication (see Applications pillar).
The final workstream covers the gradual deprovisioning of Active Directory as user
and machine accounts migrate to Azure: the infrastructure, which can include many
forests and a multitude of domain controllers, can be reduced to the minimum size
still needed to administer the remaining internal resources. This reduction in the
Active Directory footprint has the advantage of drastically reducing the attack
surface of the Information System, thus limiting the probability of compromise
through commonly used attack scenarios. Monitoring will continue to be required
to protect the internal resources that remain.
The final Network pillar will focus on optimizing remote access to productivity
applications and services, such as Office 365 collaborative tools. In a context where
telecommuting has become the new norm, it is necessary to offer users the means
to work efficiently from home. The era of the all-VPN is over, and remote access
must reconcile performance with the required security level [20]. Particular attention
must be paid to audio and video streams, which require near-real-time conditions
to provide an optimal user experience.
[20] See the white paper Optimize Office 365 remote work with split-tunneling, available in English and French.
This quote, which sums up the soul of Zero Trust, must nevertheless be translated into
a real transformation project of the security model, driven by a new way of
addressing security in order to face current cyber threats. Moving towards Zero
Trust is not a simple revision of network security: six pillars must be considered,
with identity as a priority. Indeed, "Identity is the new perimeter": the focus must be
on strengthening authentication and generalizing conditional access control based
on identity, the associated risk level and, more broadly, the context of access,
including the device and its status.
To start a Zero Trust project, one must be ambitious in the vision, start with
reasonable steps and be quick in execution, which can be summarized by the
formula "Think big, start small, move fast". You must think big because it is a
transformation project: establishing the roadmap must develop this vision by
mapping it technologically onto the time axis. You will need to define your priority
expectations in the two categories of strengthening security and enabling new
business scenarios; quick steps with visible gains will allow you to show the
benefits of your Zero Trust project early.
It is by no means a question of starting from scratch but of taking the existing
environment into account by evaluating your level of maturity and building your own
solution: some technological components will be preserved and adapted, others will
be replaced by more powerful ones, with the objective of limiting the number of
disparate security tools to gain in effectiveness while reducing costs.