In our previous webinar on this topic, Zero Trust for Application Security in Entra ID, we made the point that in a cloud landscape, with a massive attack surface, securing applications and data has become much harder than it used to be in a traditional datacenter with a single firewall. The traditional firewall perimeter-based security models are no longer sufficient to protect against sophisticated cyber threats, nor do they protect our data in the cloud.This is where the Zero Trust model comes into play, offering a robust framework to enhance security by assuming that no entity, whether inside or outside the network or cloud service, can be trusted by default. In this blog post, we will delve into the principles of Zero Trust, the importance of adopting it incrementally, and the native features of Entra ID that make this approach feasible.
Understanding Zero Trust Principles
Zero Trust is a security model that operates on the principle of "never trust, always verify." It was created by Forrester Research analyst John Kindervag in 2010 in response to the increasing number of security breaches and the limitations of traditional network security models. It moves us away from the “fort and moat” approach of securing critical services, with the hope of limiting every kind of attack to the three core principles of Zero Trust:
- Assume Breach: This principle is based on the understanding that attackers can and will find a way to breach your defenses. Therefore, it is essential to assume that a breach has already occurred and to plan accordingly. This mindset shifts the focus from preventing breaches to detecting and responding to them effectively. Tabletop exercises and breach readiness, and actively looking for breaches underpin this principle.
- Verify Explicitly: Every access request, whether from a user, device, or application, must be explicitly verified using all available data points, including identity, location, device health, and more. This ensures that in theory, only authorized entities can access sensitive resources. This assumes that you have data points to evaluate; using Entra ID as a rich set of data sets to determine what is occurring, when, and where in the context of identity provides the backdrop for this principle as we continue.
- Use Least-Privilege Access: Access should be granted based on the principle of least privilege, meaning that users and applications should only have the minimum level of access necessary to perform their tasks, for the least amount of time. This reduces the potential impact of a breach by limiting the access of compromised accounts, services, and Entre ID Apps. Continuous limitations of scope for User and Application identities using Role Based Access Control (RBAC) and other mechanisms become critical to us.
We understand that in the Zero Trust approach, we are never “done,” but rather continuously evaluating and improving, while aligning all our efforts to one of the three principles.
Incremental Adoption of Zero Trust
Adopting Zero Trust is not a one-time, "big bang" approach, rather it is an incremental exercise that requires careful planning and continuous execution, and it can be applied across various cloud services, products, and data. Here is a look at How to Secure On-Premises Exchange using Zero Trust Principles for example. We identify an area of implementation, such as Identity, and then build a Minimally Viable Product (MVP) that constitutes the V1 of the Zero Trust model. Over time, as we gain maturity, we gradually increase the features in our model to increment the model to a Version 1.1, 1.2, 2.0 etc.
Even in version 1.0, your security MVP represents an ever evolving Zero Trust Architecture, that documents who can do what, and when, to what. In the context of this blog post, Entra ID features are the enforcement or implementation of that model.
In the context of our webinar, consider the following when thinking about implementing a Zero Trust model for the first time:
- Start with Identity: Identity is the new perimeter in the Zero Trust model. Begin by implementing strong authentication mechanisms, like multi-factor authentication (MFA) – we say this every time - and enforcing conditional access policies to ensure that only trusted users and devices can access your resources.
- Implement Micro-Segmentation: Divide your cloud services into smaller segments to limit the lateral movement of attackers from one service or app to another. This involves creating granular security policies that control access between different segments based on the principle of least privilege. Examples include placing administrators into scoped groups such as Identity administrators, Exchange administrators or even specifically scoped roles for tasks, as opposed to using Global Admins or other highly privileged groups.
- Continuous Monitoring and Analytics: If you are licensed for it, implement continuous monitoring and analytics to detect and respond to suspicious activities in real-time. This includes using tools like Azure Sentinel - a Security Information and Event Management tool (SIEM) and/or Microsoft Defender XDR – an Extended Detection and Response tool to gain visibility into your environment. At minimum, consider using Defender for Identity (DFI), and native Entra ID logs to instrument logon and access activity. In addition to the built-in Entra ID monitoring and analytics tools, third-party solutions like ENow's App Governance Accelerator can provide a focused solution to manage and secure enterprise applications, app registrations, and related tenant settings.
- Automate Security Responses: Use automation to respond to potential security incidents quicker than a human could. This can include automating the enforcement of security policies, such as blocking access from compromised devices or requiring additional authentication for high-risk activities. A practical example is using a Conditional Access Policy to block access to a machine with missing patches or a user whose behavior has changed to high-risk, by logging into cloud services from an unexpected country.
- Regularly Review and Update Policies: Zero Trust is not a set-it-and-forget-it approach or a singular implementation of a product. Regularly review and update your security policies to ensure they remain effective. This includes conducting regular security assessments and penetration tests to identify and address vulnerabilities along with sanity checking if what is defined as your security policy still makes sense.
Entra ID Features for Zero Trust
Entra ID, the artist formerly known as Azure Active Directory (Azure AD or AAD), provides a set of features that enable organizations to implement Zero Trust principles. Here are some of the features we called out, grouped by Zero Trust principle, understanding though, that some features can live under multiple headings:
Assume Breach:
- Conditional Access: Conditional Access is a powerful tool that allows you to enforce policies based on various conditions, such as user location, device compliance, and risk level. The effect is that only trusted and expected users and devices can access your resources.
- Multi-Factor Authentication (MFA): MFA adds an extra layer of security by requiring users to provide multiple forms of verification before accessing resources. Did I mention that we talk about this every time? This reduces the risk of unauthorized access due to compromised credentials, however due to MFA phishing attacks and token theft, it is not the only mechanism we should depend on.
- Privileged Identity Management (PIM): PIM helps you manage, control, and monitor access to resources by providing just-in-time (JIT) access and enforcing the principle of least privilege. This reduces the risk of privilege escalation and insider threats by ensuring that there is no standing access to privileged groups such as Global Admins.
- Microsoft Defender for Identity: Defender for Identity provides advanced threat detection and response capabilities by analyzing user activities and identifying potential threats. Common attack types are negated quickly, while suspicious user and administrator activity is flagged.
Verify and Authorize:
- Role-Based Access Control (RBAC): RBAC allows you to assign permissions to users based on their roles within the organization. This ensures that administrators only have access to the resources they need.
- Dynamic Groups: Dynamic Groups automatically add and remove users from groups based on their attributes, such as department or job title. This helps you manage group memberships more efficiently by ensuring that access is granted based on Entra ID attributes.
- Privileged Access Management (PAM): PAM provides additional security for privileged accounts by requiring approval for certain actions and monitoring the activities of privileged users.
Least Privilege:
- Identity Protection: Identity Protection uses machine learning and behavioral analytics to detect and respond to suspicious activities, such as impossible travel or unusual sign-in patterns. This helps you identify and mitigate potential threats in real-time and is also one of our favorite features.
- Self-Service Password Reset (SSPR): SSPR allows users to reset their passwords without the need for administrative intervention. This improves administrator productivity by removing the need or rights for administrators to reset user passwords while ensuring that password policies are enforced, assuming you still use passwords!
- Application Proxy: Application Proxy enables secure remote access to on-premises applications without the need for a VPN. Combined with features like conditional Access, this helps you extend Zero Trust principles to legacy applications and provides a relatively seamless SSO user experience using Entra ID identities.
- Device Guard: Device Guard ensures that only trusted devices can access your resources by enforcing device compliance policies. This helps you protect your environment from compromised (infected) or non-compliant (out of date) devices.
By leveraging features attached to these principles, organizations can start to implement Zero Trust principles and create a version 1.0 of their Zero Trust Security model or Zero Trust Architecture. Remember, adopting Zero Trust is an incremental process, and you want to start with areas aligned to Zero Trust Principles and gradually expand your implementation.
Conclusion
Implementing Zero Trust for application security in Entra ID is a journey that requires careful planning and execution, remembering that implementing one product or feature does not create a security model or a Zero Trust Architecture.
By adopting Zero Trust principles incrementally and leveraging the native features of Entra ID in addition to third-party tools such as ENow’s App Governance Accelerator, organizations can significantly enhance their security posture and realize the Zero Trust promise of protecting against evolving threats.
Remember that Zero Trust is not a one-time project but an ongoing set of processes that together make up a Zero Trust Architecture and require continuous monitoring, assessment, and improvement.
Start with the Entra ID features that you have, to implement the policies of your Zero Trust model and over time incrementally harden the model to increase the friction against attackers.
To get additional information on Zero Trust for Entra ID Applications, you can access the webinar recording for free.
Checkout our Community Forum and engage with our experts about Entra ID.
The AppGov Community Forum is moderated by Microsoft Security & Identity MVPs and subject-matter experts to answer your questions around Entra ID, managing Enterprise Applications, Application Registrations, and the impact of Tenant Settings on an application's lifecycle.
Do you know what apps are lurking in your tenant? ENow App Governance Accelerator helps organizations quickly get in control of their Entra ID apps and remain in control. It enables them to understand their current security posture, what they need to do to improve it, and accelerates making the necessary changes to get to their desired state. Get the ENow App Governance Accelerator Platform today!