Implementing Zero-Trust with Azure
Dinusha Kumarasiri, MVP
• Microsoft MVP for Microsoft Azure
• Microsoft Certified Trainer (MCT)
• Enterprise Architect / Solutions Architect at NCS Australia
• Cloud Enthusiast
• Love to share what I learn
Agenda
• Modern security challenges
• Zero-trust security strategy
• Designing secure solutions with Azure
• Shifting security to the left
• Shifting security to the left with Azure DevOps
Modern security challenges: Diversity in endpoints
Risks
• Variety of devices and stakeholders
• Remote work
• Bring your own device (BYOD)
Impact
• Traditional perimeter-based control points are no longer effective
• Extended threat surface
(Diagram: IDS/IPS at the edge of the corporate network)
Modern security challenges: Cloud adoption
Risks
• Workloads are scattered across multiple cloud providers and on-premises
• Use of numerous cloud services
• Ability to generate solutions and environments in a short time
• IP ranges and details are publicly available
Impact
• Extended threat surface
• Lack of visibility and centralized governance
Modern security challenges: AI & Modernization
Risks
• Sophisticated cyber attacks using AI tools to deceive employees with deepfakes
• Data tampering and fabrication using AI
• Adversarial machine learning against AI systems
Impact
• Traditional security measures are not sufficient
Modern security challenges: Shadow IT & SaaS
Risks
• Unvetted software and services used without the approval of the IT department
• SaaS solutions are easily accessible and easily adopted
• Use of Shadow AI
Impact
• Lack of centralized governance
• Lack of visibility and control
• Threat to information protection
Modern security challenges: Security vs UX
Risks
• Adopting the latest tools and technologies may increase the attack surface
• Vulnerabilities introduced by weaker security standards chosen for user convenience
• Difficulty striking the right balance between security and user experience
Impact
• Security compromised for a better user experience
Zero Trust security strategy
A Zero Trust security strategy ensures that every access request to the organization's resources is authenticated, authorized, and encrypted, regardless of the user's location or device.
Verify explicitly
• Authenticate and authorize on all available data points
• Evaluate:
  • Identity
  • Location
  • Resource
  • Data classification
  • Anomalies
Use least privilege access
• Limit user access with Just-In-Time (JIT) and Just-Enough-Access (JEA)
• Risk-based adaptive policies
Assume breach
• Minimize blast radius with micro-segmentation
• End-to-end encryption
• Continuous monitoring
• Threat detection and response
Zero Trust security strategy: Zero Trust objectives
Identity
• Strong authentication (MFA)
• Gate access with policies
• Federation with on-premises identity sources
• Analytics for visibility
Endpoints
• Endpoints registered with the identity provider
• Access granted to cloud-managed and compliant endpoints
• DLP policies enforced
Data
• Data classified by sensitivity level
• Data protection policies
• Apply labels and encrypt data
Apps
• Discover Shadow IT
• Ensure appropriate in-app permissions
• Access restrictions based on real-time analytics
• Control user actions
Infrastructure
• Monitor and alert on abnormal behavior
• Human access requires Just-In-Time access
Network
• Network segmentation
• Threat protection
• Encryption
Zero Trust Assessment Tool (link in the editor's notes)
Designing secure solutions with Azure: Verify explicitly
Entra ID
• Cloud-based identity and access management
• Modern protocols
Conditional Access
• Verifies identities and endpoints against policy
• Evaluates endpoint health
• Multi-factor authentication
Web Application Firewall (WAF)
• OWASP security controls
• Custom rules, including bot protection
• Rate limiting
Designing secure solutions with Azure: Verify explicitly (architecture diagram: Azure Web Application Firewall (WAF) Premium, Entra ID, Conditional Access)
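As an added example (not part of the deck), the body of a Conditional Access policy as created through Microsoft Graph (POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies, with the Policy.ReadWrite.ConditionalAccess permission). It applies the "verify explicitly" bullets above: every user on every cloud app, from any location except trusted named locations, must pass MFA and be on a compliant device. The break-glass group id is a placeholder.

```json
{
  "displayName": "ZT-01 Require MFA and compliant device outside trusted locations",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {
      "includeUsers": ["All"],
      "excludeGroups": ["<break-glass-accounts-group-object-id>"]
    },
    "applications": {
      "includeApplications": ["All"]
    },
    "clientAppTypes": ["all"],
    "locations": {
      "includeLocations": ["All"],
      "excludeLocations": ["AllTrusted"]
    }
  },
  "grantControls": {
    "operator": "AND",
    "builtInControls": ["mfa", "compliantDevice"]
  }
}
```

The policy starts in report-only state so its effect can be reviewed in the sign-in logs before `state` is switched to `enabled`; the excluded emergency-access group keeps a mis-scoped policy from locking administrators out. The deck's risk-based adaptive policies add a `signInRiskLevels` condition (for example `["medium", "high"]`) to a policy of the same shape.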
Designing secure solutions with Azure: Least privilege access
Entra ID
• Just-In-Time (JIT) access to critical resources with Privileged Identity Management (PIM)
• Access reviews
• Lifecycle workflows
Azure Role-Based Access Control (RBAC)
• Just-Enough-Access (JEA) to critical resources
Managed Identity
• Identities for Azure resources that are managed by Azure itself
Designing secure solutions with Azure: Least privilege access (screenshots: Entra ID Access Review, Privileged Identity Management (PIM))
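As an added example (not part of the deck), a custom Azure RBAC role definition that expresses Just-Enough-Access for the Azure Role-Based Access Control and Managed Identity bullets above: an application's managed identity gets only the data-plane actions needed to read secrets from Key Vault, with no management-plane write and no permission on other vaults. The subscription and resource group names are placeholders; the actions are the standard Microsoft.KeyVault ones.

```json
{
  "Name": "App Secret Reader (JEA, custom role)",
  "IsCustom": true,
  "Description": "Read secret values and metadata from Key Vault; no management-plane changes, no other data-plane access.",
  "Actions": [
    "Microsoft.KeyVault/vaults/read"
  ],
  "NotActions": [],
  "DataActions": [
    "Microsoft.KeyVault/vaults/secrets/getSecret/action",
    "Microsoft.KeyVault/vaults/secrets/readMetadata/action"
  ],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/<subscription-id>/resourceGroups/<app-resource-group>"
  ]
}
```

Assign the role to the workload's managed identity at the scope of the single vault it uses rather than at the resource group; the vault must use the Azure RBAC permission model for the DataActions to apply.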
Designing secure solutions with Azure: Assume breach
Network micro-segmentation
• Connectivity through peering
Azure Policy
• Enforce governance over the entire estate
Private Endpoint
• Traffic traverses the Microsoft backbone network
Landing Zones / Azure Blueprints
• Resources securely distributed
• Developed with IaC and deployed with CI/CD
Encryption
• Traffic is encrypted with TLS
• Data at rest is encrypted
Designing secure solutions with Azure: Assume breach (screenshot: Azure Policy)
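As an added example (not part of the deck), a custom Azure Policy definition, in the shape accepted by the policy definitions REST API, that turns the assume-breach bullets above into an enforceable rule: storage accounts must have public network access disabled (reachable only through a Private Endpoint), accept HTTPS only, and require at least TLS 1.2. The aliases are the standard Microsoft.Storage ones; the `exists` checks catch resources that omit the property and so fall back to the insecure default.

```json
{
  "properties": {
    "displayName": "Storage accounts: private endpoints only, HTTPS with TLS 1.2 or later",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Assume breach: no public exposure of storage and no plaintext or legacy-TLS traffic.",
    "parameters": {
      "effect": {
        "type": "String",
        "allowedValues": ["Audit", "Deny"],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
          {
            "anyOf": [
              { "field": "Microsoft.Storage/storageAccounts/publicNetworkAccess", "exists": "false" },
              { "field": "Microsoft.Storage/storageAccounts/publicNetworkAccess", "notEquals": "Disabled" },
              { "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "exists": "false" },
              { "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "equals": "false" },
              { "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", "exists": "false" },
              { "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", "notEquals": "TLS1_2" }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

Assign it at management group or subscription scope with the default Audit effect to surface existing non-compliant accounts, then switch the assignment's `effect` parameter to Deny so new deployments cannot regress.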
Designing secure solutions with Azure: Extended Detection & Response
Microsoft Defender for Cloud
• Cloud Security Posture Management (CSPM)
• Cloud Workload Protection Platform (CWPP)
• Extended Detection & Response (XDR)
Microsoft Sentinel
• Security Information & Event Management (SIEM)
Azure Monitor
• Monitoring solution for cloud and on-premises environments
Designing secure solutions with Azure: Extended Detection & Response (architecture diagram)
Designing secure solutions with Azure: Lifecycle management to govern Joiner, Mover and Leaver scenarios
Entra ID Lifecycle Workflows
• Onboarding and offboarding based on predefined templates
Joiner (triggered on the join date):
• PRE: Send Temporary Access Pass (TAP) to manager
• ONBOARD: Enable user account; send welcome email
• POST: Add user to groups; add user to Teams
Leaver (triggered on the leave date):
• PRE: Remove from groups; remove from Teams
• OFFBOARD: Disable user account; remove from all groups; remove from all teams
• POST: Remove all licenses; delete account
Mover (job change or membership change):
• Access Package assignment
Entra ID Entitlement Management
• Grant Access Packages (groups, Teams, applications, SharePoint sites) to users based on attributes
Shifting security to the left
Integrating security measures early in the development lifecycle, enabling early detection and resolution of vulnerabilities.
Security activities across the DevOps lifecycle:
• Plan: Threat modelling
• Build: Code review; Static Application Security Testing (SAST); vulnerability scanning
• Test: Dynamic Application Security Testing (DAST)
• Deploy: Penetration testing; configuration management; chaos engineering
• Operate: Log and telemetry collection; Web Application Firewall (WAF)
• Monitor: Security Information & Event Management (SIEM)
Shifting security to the left with Azure DevOps
• Static Application Security Testing (SAST)
• Role-Based Access Control
• Private Endpoints
• Chaos experiments
• Code quality reports
Where to start?
• Zero Trust Assessment Tool
• Zero Trust Rapid Modernization Plan
• Zero Trust Guidance Center
Contact: dinushaonline.blogspot.com | @kumarasiri048 | dinushak | Dinusha Kumarasiri

Editor's Notes

  • #11 https://www.microsoft.com/en-us/security/business/zero-trust/maturity-model-assessment-tool?activetab=solution-wizard%3aprimaryr1
  • #20 Complies with assume breach and least privilege principle
  • #21 Assume breach