Discusses contemporary security challenges and explores how the zero trust approach can effectively overcome them. Additionally, I have outlined several use cases demonstrating how Azure services can be leveraged to implement zero trust principles.
2. Dinusha Kumarasiri, MVP
Microsoft MVP for Microsoft Azure
Microsoft Certified Trainer (MCT)
Enterprise Architect/ Solutions Architect at NCS Australia
Cloud Enthusiast
Love to share what I learn
3. Agenda
Modern security challenges
Zero-trust security strategy
Designing secure solutions with Azure
Shifting security to left
Shifting security to left with Azure DevOps
4. Modern security challenges
Diversity in endpoints
Cloud adoption
AI & Modernization
Shadow IT & SaaS
Security vs UX
Diversity in endpoints
Risks
• Variety of devices and stakeholders
• Remote work
• Bring your own devices (BYOD)
Impact
• Traditional perimeter-based control points are not effective
• Extension of threat surface
(Diagram: corporate network protected by IDS/IPS at the perimeter)
5. Modern security challenges: Cloud adoption
Risks
• Workloads scattered among multiple cloud providers and on-premises
• Usage of numerous cloud services
• Ability to generate solutions and environments in a short time
• IP ranges and details are publicly available
Impact
• Extension of threat surface
• Lack of visibility and centralized governance
6. Modern security challenges: AI & Modernization
Risks
• Sophisticated cyber attacks using AI tools to deceive employees with deepfakes
• Data tampering and fabrication using AI
• Adversarial machine learning with AI
Impact
• Traditional security measures are not sufficient
7. Modern security challenges: Shadow IT & SaaS
Risks
• Unvetted software and services without approval of IT department
• SaaS solutions are easily accessible and adoptable
• Implementation of Shadow AI
Impact
• Lack of centralized governance
• Lack of visibility and control
• Threat to information protection
8. Modern security challenges: Security vs UX
Risks
• Adoption of the latest tools and technologies may increase the attack surface
• Vulnerabilities introduced by weaker security standards to facilitate user convenience
• Challenges in implementing the correct balance between security & user experience
Impact
• Compromising security for better user experience
9. Zero Trust Security strategy
A Zero Trust security strategy ensures that every access request to an organisation's resources is authenticated, authorized, and encrypted, regardless of the user's location or device
Verify explicitly
• Authenticate & authorize at all available data points
• Evaluate
  • Identity
  • Location
  • Resource
  • Data classification
  • Anomalies
Use least privilege access
• Limit user access with Just-In-Time (JIT) & Just-Enough-Access (JEA)
• Risk-based adaptive policies
Assume breach
• Minimize blast radius with micro-segmentation
• End-to-end encryption
• Continuous monitoring
• Threat detection & response
10. Zero Trust Security strategy
Zero Trust objectives
Identity
• Strong authentication (MFA)
• Gate access with policies
• Federation with on-premises source
• Analytics for visibility
Endpoints
• Endpoints registered with identity provider
• Access granted for cloud managed & compliant endpoints
• DLP policies enforced
Data
• Data classification based on sensitivity level
• Data protection policies
• Apply labels and encrypt data
Apps
• Discover Shadow IT
• Ensure appropriate in-app permissions
• Access restrictions based on real-time analytics
• Control user actions
Infrastructure
• Monitor & alert on abnormal behavior
• Human access requires Just-In-Time access
Network
• Network segmentation
• Threat protection
• Encryption
Assessment Tool
11. Designing secure solutions with Azure
Verify explicitly
Entra ID
• Cloud based identity & access management
• Modern protocols
Conditional Access
• Verifies identities & endpoints with policy
• Evaluate endpoint health
• Multi-factor authentication
Web Application Firewall (WAF)
• OWASP security controls
• Custom rules including bot protection
• Rate limiting
12. Designing secure solutions with Azure
Verify explicitly
(Screenshots: Azure Web Application Firewall (WAF) Premium; Entra ID Conditional Access)
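An added example, not from the deck, of the "verify explicitly" controls above expressed as a Conditional Access policy created through the Microsoft Graph PowerShell SDK; the policy name and the emergency-access account object ID are placeholders, and the Microsoft.Graph.Identity.SignIns module with Policy.ReadWrite.ConditionalAccess consent is assumed.

```powershell
# Added example (not the deck's own code): Conditional Access policy that requires
# MFA AND a compliant device for every user and every cloud app.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder: object ID of the emergency-access ("break glass") account.
# Excluding it prevents a mis-scoped policy from locking every admin out.
$breakGlassId = "<object-id-of-emergency-access-account>"

$policy = @{
    displayName = "ZT - Require MFA and compliant device for all cloud apps"
    # Start in report-only mode and review the sign-in logs before enforcing.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")                         # browser, mobile, desktop and legacy clients
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassId)
        }
    }
    grantControls = @{
        operator        = "AND"                          # both controls must be satisfied
        builtInControls = @("mfa", "compliantDevice")    # identity check plus endpoint health check
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Switch `state` to `enabled` only after the report-only sign-in log shows no unexpected blocks for the excluded and included populations.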
13. Designing secure solutions with Azure
Least privilege access
Entra ID
• Just-In-Time (JIT) access to critical resources with Privileged Identity Management (PIM)
• Access reviews
• Lifecycle workflows
Azure Role Based Access Control
• Just-Enough-Access (JEA) to critical resources
Managed Identity
• Identities managed by Azure for resources
14. Designing secure solutions with Azure
Least privilege access
(Screenshots: Entra ID Access Review; Privileged Identity Management (PIM))
15. Designing secure solutions with Azure
Assume breach
Network micro-segmentation
• Connectivity through peering
Azure Policy
• Enforce governance over entire estate
Private Endpoint
• Traffic traverses the MS backbone network
Landing Zones / Azure Blueprints
• Resources securely distributed
• Developed with IaC and deployed with CI/CD
Encryption
• Traffic is encrypted with TLS
• Data at rest encrypted
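An added example, not from the deck, of using Azure Policy to enforce two of the "assume breach" controls listed above (no public network path to storage accounts, so access goes through private endpoints, and TLS-only transfer) with the Az PowerShell module; the definition name and the subscription scope are placeholders.

```powershell
# Added example (not the deck's own code): a Deny policy so that any storage account
# exposing a public endpoint or accepting plain HTTP is rejected at deployment time.
# The two aliases used are the ones the built-in storage policies evaluate.
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
      {
        "anyOf": [
          { "field": "Microsoft.Storage/storageAccounts/publicNetworkAccess", "notEquals": "Disabled" },
          { "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "equals": "false" }
        ]
      }
    ]
  },
  "then": { "effect": "Deny" }
}
'@

# Placeholder names and scope; Indexed mode evaluates resource types that support tags and location.
$definition = New-AzPolicyDefinition -Name "zt-storage-private-tls-only" `
    -DisplayName "Storage accounts must disable public network access and require HTTPS" `
    -Policy $rule -Mode Indexed

New-AzPolicyAssignment -Name "zt-storage-private-tls-only" `
    -PolicyDefinition $definition `
    -Scope "/subscriptions/<subscription-id>"
```

Assign with `Audit` instead of `Deny` first if the estate already contains non-compliant accounts, so the compliance report shows what would break before enforcement.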
19. Designing secure solutions with Azure
Lifecycle Management to govern Joiner, Mover & Leaver scenarios
Entra ID Lifecycle Workflows
• Onboarding and offboarding based on predefined templates
Joiner (triggered by join date)
• PRE: Send TAP to manager
• ONBOARD: Enable user account; Send welcome email
• POST: Add user to groups; Add user to Teams
Leaver (triggered by leave date)
• PRE: Remove from groups; Remove from Teams
• OFFBOARD: Disable user account; Remove from all groups; Remove from all teams
• POST: Remove all licenses; Delete account
Mover (job change or membership change)
• Access Package Assignment
Entra ID Entitlement Management
• Access packages covering Groups, Teams, Applications and SharePoint sites
• Grant Access Packages to users based on attributes
20. Shifting security to left
Integrating security measures early in the development lifecycle and enabling early detection and resolution of vulnerabilities
Plan
• Threat modelling
Build
• Code review
• Static Application Security Testing (SAST)
• Vulnerability scanning
Test
• Dynamic Application Security Testing (DAST)
Deploy
• Penetration testing
• Configuration management
• Chaos engineering
Operate
• Log & telemetry collection
• Web Application Firewall (WAF)
Monitor
• Security Information & Event Management (SIEM)
21. Shifting security to left with Azure DevOps
• Static Application Security Testing
• Role Based Access Control
• Private Endpoints
• Chaos experiments
• Code quality reports
22. Where to start?
Zero Trust Assessment Tool
Zero Trust Rapid Modernization Plan
Zero Trust Guidance Center