What is zero trust and how can my business use it?

First coined by analyst firm Forrester back in 2010, the term “zero trust” refers to a cyber-security approach that continuously verifies the trustworthiness of every device, user, and application in an organization. Amid an increasing prevalence of cloud-based services, mobile computing, internet of things (IoT), and bring your own device (BYOD) strategies in the workforce, the idea of zero trust remote access was already gaining momentum. But it was the COVID-19 pandemic that sparked many IT leaders to drastically and quickly increase their use of remote network connectivity—usually with now-outdated forms of virtual private network (VPN) connections.

In a zero trust environment, organizations can empower their employees to work from anywhere. IT business leaders are learning that VPNs were strained over the past year, and implementing zero trust principles in their organizations is a more efficient way to enable a secure hybrid networking environment. Amaxra security consultants are implementing zero trust security for our customers to allow their employees to securely access their must-have business applications and cloud services over the internet without a VPN connection.

How zero trust works to secure your business

Zero Trust is not a single product, service, or software, but it is a security model that relies on a set of system design principles that leverages deep, real-time cyber-security analytics and identity management to protect users and data. Zero trust security is often used to combat compromised user credentials, remote code exploitation, and even insider threats. It’s important to know that zero trust security is based on the rather extreme idea of “never trust and always verify,” assuming that not only are network breaches inevitable, but that every device, user, and service both inside and outside traditional network boundaries is already compromised and must be constantly verified.

It sounds paranoid, but the inherent paranoia of zero trust principles is not unwarranted. Stats from cyber-security analysis firm, Risk Based Security, showed that 2020 was the “worst year on record” with 36 billion records stolen from around 3,000 publicly-reported data breaches worldwide. Implementing a zero trust security model assumes that a data breach is inevitable (or has likely already occurred) and limits user access to only what is needed for that particular user. Enabling this “least-privileged access” for organizational users is accomplished using real-time data stored in a cloud-based identity access and management (IAM) solution.

Because Amaxra is a Gold-level Microsoft Partner with over ten years’ experience deploying secure Microsoft-based productivity solutions, our consultants set up zero trust security using Azure Active Directory (AD), the comprehensive IAM integrated into Microsoft 365 Business plans. The benefit of using Azure AD for IAM is that access to resources and data is protected using strong authentication and risk-based adaptive access policies without compromising the overall user experience. An example of Azure AD protection is the easy and fast single sign-on experience that Microsoft 365 users enjoy from anywhere and on any device. Azure AD in the Microsoft 365 admin panel enables IT managers to easily manage all user identities—along with assigning user access to specific apps and services—in a centralized location and user interface. This unified IAM extends to data and services either in the cloud or on-premises to improve an IT manager’s visibility and control in a zero trust environment.

Zero trust security needs comprehensive security policy enforcement

Once your business has an IAM solution for granting least-privileged access as a corporate-wide policy, zero trust strategies require that all systems under the zero trust umbrella have a means to find and thwart malicious activity that goes against that policy. Zero trust security policy enforcement must be automated and constant, working in a coordinated manner throughout all aspects of the infrastructure in order to focus on protecting an organization’s digital assets in real-time from dynamic threats. It uses a combination of network analytics, user access policies, and threat intelligence as contextual data—allowing the concept of least-privileged access to be applied for every access decision. It’s how a zero trust solution can allow or deny access to resources based on the combination of several contextual factors.

One component of zero trust policy enforcement Amaxra deploys for our Microsoft 365 Business customers is multi-factor authentication (MFA). Amaxra sets up this integrated Microsoft 365 security feature for all customers by default to enforce zero trust user access policies to systems and apps through a combination of smartphone hardware and cloud-based Microsoft Authenticator software. For our Microsoft 365 Business customers that need even more security, Amaxra deploys Microsoft Cloud App Security, which is an add-on cloud access security broker (CASB) solution. This CASB was built by Microsoft and specifically works with Azure AD to supply user access data that enables advanced detection of anomalous behavior and then automatically blocks potential attacks. While many Amaxra customers are on the Microsoft 365 Business plan, the Cloud App Security feature comes standard with certain Microsoft 365 Enterprise plans—and can sometimes be more cost-effective when zero trust security with Azure AD, MFA, and CASB are all integrated into a single plan.

Amaxra can help you deploy zero trust security

Embracing a zero trust security model, and re-engineering an existing information system based on this security model, is a strategic effort that will take time to achieve full benefits. Amaxra can help your business deploy this data-centric security model—whether or not you have investments in the Microsoft solution ecosystem.