The concept of a Zero Trust cybersecurity architecture has been around for more than a decade, but adoption didn’t really begin to take hold until the past couple of years. As with many technology innovations, it hasn’t always been clear just what Zero Trust is all about and, more important, how to implement it easily and cost-effectively.
The principles of Zero Trust are simple: Never trust; always verify. In practice, that means each user must be verified before access is granted to any resource. Every request from every user, inside or outside of your perimeter, must be authenticated, authorized and encrypted in real time.
This protects your organization in ways other models can’t. It stops malware from entering your network; gives remote workers more protection without affecting productivity; simplifies management of security operations centers with enhanced automation; and extends visibility into potential threats to improve proactive remediation and response.
Whether your organization is already deploying Zero Trust or the term is completely new to you, it is important to understand just what Zero Trust is all about, how it can protect your organization and how to implement it most effectively.
Overall, Zero Trust changes the concept of perimeter from one based on location to one based on identity and access. This is a much more relevant security model in today’s era of cloud computing, remote work and digital transformation. Zero Trust is a game changer in helping to reduce complexity, lower costs, decrease the number of cybersecurity tools and address the growing shortage in skilled cybersecurity personnel.
The Zero Trust Journey
As organizations have experienced the benefits of Zero Trust, usage is growing rapidly, to the point where Zero Trust has become a new norm in cybersecurity conversations and expectations. According to Adroit Market Research, deployments are growing at a compound annual rate of 17%, and the overall market is expected to reach $38 billion by 2025.
One of the biggest reasons for this growth is that Zero Trust can now be deployed more easily, seamlessly and cost-effectively as part of an end-to-end cloud architecture, particularly for customers of Microsoft solutions such as Microsoft 365, Azure Active Directory (Azure AD), Microsoft 365 Defender and more.
For many organizations, this mitigates the big issue of how to implement Zero Trust by allowing IT to seamlessly integrate components such as identity policy and enforcement as part of their existing, widely used software solutions, thereby saving money and reducing deployment complexity.
Perhaps just as important in driving Zero Trust growth, business leaders are now recognizing and embracing the intrinsic and significant value of Zero Trust in protecting their organizations from breaches and malicious cybersecurity attacks. Part of this awareness is a result of COVID-19 and the urgent need to scale and secure remote work.
According to a Deloitte press release, nearly 40% of organizations adopting Zero Trust have accelerated their efforts because of the pandemic. Their primary reasons have been to reduce the risk of remote work and insider threats, mitigate third-party risk and manage cloud risk.
Zero Trust Implementation
One of the myths that has delayed more widespread use of Zero Trust is that you have to start from scratch with a whole new architecture and deploy it across your entire organization. In reality, Zero Trust is a journey and the most effective strategy is to roll it out in stages so that IT and cybersecurity teams, as well as users, gain knowledge and experience.
Many organizations start with specific applications, data assets or classes of users. You want to protect your most vulnerable assets and users. For example, with more people working remotely, users with the most widespread access privileges may be vulnerable to additional risks from unsecured home networks and devices that may be used for both business and personal applications.
Another critical factor in implementing Zero Trust is the ability to leverage existing solutions to make the transition more seamless and less costly. Microsoft, in particular, has been a leader in leveraging Zero Trust capabilities across its solution set to simplify migrations and provide an integrated, end-to-end model.
Here are just two of many examples of how Microsoft solutions accelerate Zero Trust deployments:
- Identity verification: Identity is one of the foundational elements of a Zero Trust architecture. With Azure AD, customers can easily deploy strong, adaptive, standards-based identity verification with validation of usernames, passwords and multifactor or biometric authentication. In addition, Azure AD analyzes a variety of data to provide real-time context on user, device, location and session risk for every access request.
- Policy enforcement: Organizations can use Azure AD to manage policy based on their own security posture and risk appetite. Those policies are effective only when enforced consistently and end to end. Microsoft offers a variety of ways to enforce policy, depending on the application, user or use case. For example, in securing software-as-a-service apps, which are vital to remote work productivity, Microsoft Cloud App Security can block downloads, monitor low-trust user sessions and restrict user sessions from non-corporate networks.
Zero Trust Case Study
In real-world use cases, an end-to-end strategy using Microsoft technologies for Zero Trust has enabled customers across the globe to simplify and streamline deployments and empower their remote workforces.
For example, in the financial services industry, Bridgewater Associates has built a Zero Trust framework using Microsoft 365 to deliver seamless access to documents, email and data for employees anywhere, while still maintaining stringent security standards.
The organization has been able to leverage Microsoft solutions to implement security controls at each layer: identity, data, services and network. This transformation has been essential in enabling Bridgewater to support employees working from home during COVID-19.
Taking the Next Step
Now is the time to explore, expand or accelerate Zero Trust. The shift to remote work is not going away no matter what happens with COVID-19, and adversaries have been extremely aggressive in seeking to exploit new vulnerabilities.
Zero Trust not only delivers significant improvements in security, but also reduces costs and complexity while providing more peace of mind for business and IT leaders, cybersecurity teams and end users.
Fortunately, the path to Zero Trust is much easier than ever. With Microsoft solutions, organizations can move at their own pace toward building an end-to-end Zero Trust architecture one step at a time. For more information on how your organization can adopt Zero Trust, please visit the Microsoft Zero Trust Deployment Center.