Improve IT security when working from home with the Zero Trust approach

The days of clocking into the office at eight and leaving at five are long gone. Back then, there was a point in building a strong wall around the company network. Today, when we work from locations outside the physical office, we need to apply new strategies to maintain a high level of IT security. Microsoft's solution to this problem is called Zero Trust and the message is simple: don't trust anyone, act as if you were already hacked.

Historically, we have protected the office network like a castle with moats. And sure, firewalls and proxy servers are effective protection as long as company data is inside those walls. However, they are hardly useful when employees take valuable data outside them. Or when an attacker has already gotten in.

Today, we are used to being able to work freely wherever we are at any time of the day or night. So we need new ways to protect our company's data. Microsoft's solution to this problem is called Zero Trust. This means that we treat all devices equally, regardless of which side of the firewall they are on. We consider all connections to be insecure until the user has identified themselves. And even then, the user should only get access to the resources the task requires.

Minimum rights to complete the task

The technology is based on integrating the identity, which is almost always the user's username or email address, into Azure AD, together with the device and the business applications the user is expected to use. Which groups of users have access to which resources is governed entirely by policies, always with a focus on ensuring that everyone has the lowest possible rights needed to do their job. The reason? If an account is hijacked, you don't want to give the perpetrator free access to all company data. If a user needs extended rights, this can be handled with PIM (Privileged Identity Management), which lets the user apply for rights for a limited period of time. This also means less work for the IT department, as they do not have to decide who should have which rights.

Does the device meet all the requirements?

Another important part of Zero Trust is the company's ability to impose specific requirements on the devices used. Common requirements include that the hard drive must be encrypted, that the latest security updates are installed, and that the device is protected by a PIN code. If an employee uses their personal computer or phone, they may be able to read and edit documents, but not download them. Is an employee trying to log in from the other side of the world? If so, an additional method of authentication may be required, such as a code sent to the mobile phone. Again, don't trust anyone.
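The device and location checks described above can be sketched as a small decision function. This is an added illustration, not Microsoft's Conditional Access implementation or code from the original article; the class, the field names and the choice to deny non-compliant devices outright are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SignIn:
    """Signals for one sign-in attempt (hypothetical model).

    A device signal of None means the device did not report it.
    """
    user_authenticated: bool
    company_managed: bool            # False = personal device
    disk_encrypted: Optional[bool]
    patches_current: Optional[bool]
    pin_set: Optional[bool]
    country: str
    usual_countries: frozenset
    mfa_passed: bool = False


def evaluate(s: SignIn) -> dict:
    """Return the access decision for one sign-in, denying by default."""
    if not s.user_authenticated:
        return {"access": "deny", "reason": "identity not verified"}
    # Sign-in from an unfamiliar location: ask for an additional factor first.
    if s.country not in s.usual_countries and not s.mfa_passed:
        return {"access": "challenge", "reason": "mfa required: unusual location"}
    # Fail closed: a missing (None) signal counts as a failed requirement.
    failed = [name for name, ok in (
        ("disk_encrypted", s.disk_encrypted),
        ("patches_current", s.patches_current),
        ("pin_set", s.pin_set),
    ) if ok is not True]
    if failed:
        return {"access": "deny", "reason": "non-compliant: " + ", ".join(failed)}
    # Personal devices get a restricted session: read and edit, no download.
    rights = {"read", "edit"}
    if s.company_managed:
        rights.add("download")
    return {"access": "allow", "rights": rights}
```

The point to notice is the fail-closed handling: a device that does not report its patch level is treated the same as one that is known to be unpatched.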

Balance between IT security and productivity

Having to prove your identity all the time may sound cumbersome, and no one wants to have a code sent to them four times a day because their computer requires two-step verification. It's all about finding the right level of security for the right person at the right time, and most importantly, doing the groundwork. By creating thoughtful policies that give the right access to the right users, and by using tools such as facial and fingerprint recognition, we hope to avoid the need for passwords altogether, except in emergencies.

Worth investing in cloud service security

Zero Trust tools are included in your Microsoft 365 license and the more advanced the license, the more security features you get. Conditional access is already supported in Microsoft 365 Business Premium, but with the more advanced licenses you also get access to features that use artificial intelligence to analyze user habits, look for anomalies, and respond to potential threats.

As we see it, it can often be better to reduce the budget for traditional IT security in the network and instead spend some of the money on cloud service security. Perhaps especially if you are about to renew an older system and want to avoid a large one-time cost. There's also nothing that says it has to be either/or. You can still have a secure network in the office, but move to the Zero Trust model when employees leave.

Outside the office, employees will keep moving around. So why not ask an extra control question the next time there is a knock on the door?

Want to know how secure your organization is? Book a free security assessment today!


Written by:

Marcus Juvin

Head of Infrastructure & Security

marcus.juvin@upheads.se