Embracing a Zero Trust security model within your organization can help your company decrease the chances of a potential breach. In this guide, we will share several steps your company can take to implement a Zero Trust approach to security.
1. The first step to setting up a Zero Trust model is to ensure you are not implementing per-user multi-factor authentication (MFA), as using per-user MFA in tandem with a Zero Trust model is ineffective. To see if you are implementing per-user MFA, go to entra.microsoft.com and navigate to the identity tab. Click on the “All users” section of the “Users” tab and then head to the per-user MFA tab.
Look through your users and ensure each is listed as “Disabled” under the multi-factor auth status column.
2. On the same microsoft.com page, go to the protection tab and click on authentication methods. Here, you can see the different authentication methods available to you:
Of these options, we highly recommend that Microsoft Authenticator be enabled. This method is secure and easily deployed on a user’s cell phone. FIDO2 Security Key and Hardware OATH Tokens are also strong authentication methods. SMS and Email should be last resort options, as they are most easily compromised. This tab also allows you to monitor which authentication methods your employees are using:
3. Now that you have disabled per-user MFA and are familiar with the different authentication methods, let’s walk through several important steps for establishing a Zero Trust system. The first step is Conditional Access. Conditional Access is a tool used to implement automated access controls. It sets conditions for entering your Cloud-based applications, such as who has access, which locations have access, and at what times. You can find the Conditional Access tab under the Protection section of the Entra homepage:
Under the device compliance enforcement section of the Conditional Access tab, you can set conditions for which users you want to target, which resources to protect, the conditions of an access attempt, and several other factors. The session tab of this section also allows you to set sign-in frequency and whether you want to allow continuous access.
Geo-block is another important feature of Conditional Access that we highly recommend implementing. This prohibits devices from accessing information if they are not within a certain geographic location. If, for instance, you know that your team is located entirely within the United States, you would want to block access for any devices outside the United States.
Within Conditional Access, you should also set conditions that MFA should be required for all Users and Admins.
4. Another tool for implementing the Zero Trust model is Privileged Identity Management (PIM). This minimizes risk by ensuring that only authorized administrative users can access information only when needed. PIM protects administration roles, members of groups, and Azure resources. You can access Privileged Identity Management within the Identity Governance tab of the Microsoft Entra home page:
To add conditions for who can assign themselves to roles, go to the Microsoft Entra roles section of the Manage tab:
From there, select the position you want to add an assignment for. Adding employees here allows them to promote themselves to that role. Role settings allow you to alter certain conditions, such as duration and justification for role promotion.
This highly customizable system allows you to set up specific conditions and permissions based on your company’s needs. This guide is an example of how you might structure your company’s Zero Trust model to minimize the threat of a breach.
To learn more about Zero Trust with Microsoft Services and how your organization can make the most of your Microsoft licensing, tune in to our monthly webinar series, ‘Jammin’ with James’. Register for the next webinar on January 16, 2023 here.
About Plow Networks
Plow Networks is a leading IT services provider, connecting businesses to technology since 2012. With deep expertise in network, cloud, and end user support services, we partner with clients to leverage technology in ways that simplify operations and fuel growth. Plow Networks is based in Brentwood, Tenn.
