A Zero Trust approach should extend throughout the entire digital estate and serve as an integrated security philosophy and end to end strategy.
Identities. Identities whether they represent people, services, or IOT devices define the Zero Trust control plane. When an identity attempts to access a resource, we need to verify that identity with strong authentication, ensure access is compliant and typical for that identity, and follows least privilege access principles.
Devices. Once an identity has been granted access to a resource, data can flow to a variety of different devices From IoT devices to smartphones, BYOD to partner managed devices, and on premises workloads to cloud hosted servers. This diversity creates a massive attack surface area, requiring we monitor and enforce device health and compliance for secure access.
Applications. Applications and APIs provide the interface by which data is consumed. They may be legacy on premises, lift and shifted to cloud workloads, or modern SaaS applications. Controls and technologies should be applied to discover Shadow IT, ensure appropriate in-app permissions, gate access based on real-time analytics, monitor for abnormal behavior, control of user actions, and validate secure configuration options.
Data. Ultimately, security teams are focused on protecting data. Where possible, data should remain safe even if it leaves the devices, apps, infrastructure, and networks the organization controls. Data should be classified, labeled, and encrypted, and access restricted based on those attributes.
Infrastructure. Infrastructure (whether on premises servers, cloud based VMs, containers, or micro services) represents a critical threat vector. Assess for version, configuration, and JIT access to harden defense, use telemetry to detect attacks and anomalies, and automatically block and flag risky behavior and take protective actions.
Networks. All data is ultimately accessed over network infrastructure. Networking controls can provide critical “in pipe” controls to enhance visibility and help prevent attackers from moving laterally across the network. Networks should be segmented (including deeper in network micro segmentation) and real time threat protection, end to end encryption, monitoring, and analytics should be employed.
Each of these six foundational elements serves as a source of the signal, a control plane for enforcement, and a critical resource to defend. You should appropriately spread your investments across each of these elements for maximum protection.
4. mobile business apps
accessed daily by
employees3
5.2
of organizations
using cloud2
94%
of organizations
currently have a formal
BYOD program in place3
60%
internet-
connected devices
in use worldwide1
7B
How the world changed
5. Bring your own devices and IoT
Explosion of cloud apps
Expanding Perimeters
Explosion of signal
Composite apps & public restful APIs
Employees, partners, customers, bots
Old World vs. New World
11. Connect all of your
users and applications
Verify identities with
Multi-factor
authentication (MFA)
Control access with
smart policies and
risk assessments
Enforce least privilege
access with strong
governance
Verify and secure every identity
with strong authentication
12. HR systems
Apps and data
Cloud apps
On-premises perimeter-based networks
Azure AD
Networking and
delivery controllers
Azure AD
App Proxy
Connect all your users and apps
Active Directory
single sign-on
17. Visibility into device health
and compliance
Restrict access from
vulnerable and compromised
devices
Enforce security policies
on mobile devices and
applications
Allow only compliant and trusted
apps and devices to access data
18. Device information detection:
Malicious Apps
Device manipulation
Network exploits
Data privacy violations
Device health
Encryption
OS version
Email profile
Microsoft Defender ATP
Mobile threat defense partners
Visibility into device
health and
compliance
19. Users on unmanaged and insecure
devices can be blocked or managed
Access decision:
→ Endpoint Manager provides
device compliance status
→ Azure AD enforces Conditional
Access
→ Block access
→ Remediate Device
→ Wipe device
→ Allow
→ Enforce MFA
→ Enroll device
Microsoft Azure
Restrict access from vulnerable and
compromised devices
20. Enroll devices for
management
Provision settings,
certs, profiles
Report & measure
device compliance
Remove corporate
data from devices
Publish mobile
apps to users
Configure and
update apps
Report app
inventory & usage
Secure & remove
corporate data within
mobile apps
Mobile Application
Management (MAM)
Conditional Access:
Restrict which apps can be
used to access email or files
Mobile Device
Management (MDM)
Conditional Access:
Restrict access to managed
and compliant devices
Managed apps
(Corporate
data)
Personal apps
(Personal data)
Multi-identity
policy
Zero Trust compliance for
mobile devices and apps
22. Discover and control
apps in your
environment
Extend policy
enforcement into the
session
Protect sensitive data
in cloud apps
Protect apps from risks
and threats across multi-
cloud environments
Ensure applications are
available, visible and secured
23. Discover and control apps
in your environment
Block unsanctioned
apps and guide usage
to approved apps
Approve apps and
apply policy
Discover cloud apps
and services
Assess risk levels
X
24. Continuous policy
assessment and
enforcement
Update user’s session risk through
additional evaluation
In-session monitoring and policy enforcement
Edit files
View files online Open in Word/
print blocked
Extend policy enforcement into the session
Risky user behavior
logged for future
analysis and
Investigation
User behavior
analyzed against
session policy
25. Classify, label and protect
data across cloud apps
Monitor, investigate and
remediate data risks
• Visibility into application-based file
sharing, collaborators and
classification labels
• Report out on data exposure and
compliance risks of applications
• Govern data in the cloud with
granular DLP policies for
applications
• Classify and label data to
automatically protect,
encrypt and restrict access to
sensitive files across applications
• Generate alerts on policy
violations and trigger automatic
governance actions across
applications
• Investigate incident, quarantine
files, remove permissions and
notify users across applications
Protect sensitive data in cloud apps
26. Sample of supported apps
Protect apps from risks and threats across the clouds
Threat delivery
and persistence
Indicators of a
compromised session
Malicious use of an
end-user account
Malicious use of a
privileged user
28. Align segmentation
strategy and role-based
access control
Rapidly find and fix
configuration (and other)
vulnerabilities
Use real-time threat
monitoring to detect
attacks and anomalies
Harden defenses and detect and
respond to threats in real time
29. A strong enterprise
segmentation strategy:
Align segmentation
strategy and role-based
access control → Enables operations
→ Contains risk
→ Monitors for violations
33. Segment networks and
implement context-driven
access controls
Use real-time threat
protection to detect and
respond to threats
Protect data with end-to-
end encryption
Move beyond traditional
network security approaches
!
38. 101010 0101
Discover and classify your
data based on sensitivity
Apply real-time protection
to your sensitive data
Gain visibility into sensitive
data activity, policy
violations, and risky sharing
Protect your sensitive data—
wherever it lives or travels