The document discusses Microsoft's zero trust architecture, which emphasizes verifying identities and securing access across a digital estate in response to the evolving landscape of cloud apps and mobile devices. It outlines various strategies for device compliance, application control, and data protection, aiming to enhance security through real-time threat monitoring, segmentation strategies, and robust policies. The zero trust model focuses on establishing secure connections for users and applications while enforcing strict access controls and compliance measures.

2. Traditional Model

3. Identity perimeter complements network perimeter
Today’s Model

4. mobile business apps
accessed daily by
employees3
5.2
of organizations
using cloud2
94%
of organizations
currently have a formal
BYOD program in place3
60%
internet-
connected devices
in use worldwide1
7B
How the world changed

5. Bring your own devices and IoT
Explosion of cloud apps
Expanding Perimeters
Explosion of signal
Composite apps & public restful APIs
Employees, partners, customers, bots
Old World vs. New World

6. A new reality needs new principles
Verify explicitly

7. Microsoft Zero Trust

8. Identity Data
Networking
Devices Apps Infrastructure
Zero Trust across the digital estate

9. Microsoft Zero Trust architecture
Visibility and Analytics
Automation

10. Zero Trust Objective:

11. Connect all of your
users and applications
Verify identities with
Multi-factor
authentication (MFA)
Control access with
smart policies and
risk assessments
Enforce least privilege
access with strong
governance
Verify and secure every identity
with strong authentication

12. HR systems
Apps and data
Cloud apps
On-premises perimeter-based networks
Azure AD
Networking and
delivery controllers
Azure AD
App Proxy
Connect all your users and apps
Active Directory
single sign-on

13. Verify identities with Multi-Factor Authentication (MFA)

14. Block access
Require MFA
Allow access
Limit access
Control access with smart policies and
risk assessments

15. Enforce least privilege access with strong governance

16. Zero Trust Objective:

17. Visibility into device health
and compliance
Restrict access from
vulnerable and compromised
devices
Enforce security policies
on mobile devices and
applications
Allow only compliant and trusted
apps and devices to access data

18. Device information detection:
Malicious Apps
Device manipulation
Network exploits
Data privacy violations
Device health
Encryption
OS version
Email profile
Microsoft Defender ATP
Mobile threat defense partners
Visibility into device
health and
compliance

19. Users on unmanaged and insecure
devices can be blocked or managed
Access decision:
→ Endpoint Manager provides
device compliance status
→ Azure AD enforces Conditional
Access
→ Block access
→ Remediate Device
→ Wipe device
→ Allow
→ Enforce MFA
→ Enroll device
Microsoft Azure
Restrict access from vulnerable and
compromised devices

20. Enroll devices for
management
Provision settings,
certs, profiles
Report & measure
device compliance
Remove corporate
data from devices
Publish mobile
apps to users
Configure and
update apps
Report app
inventory & usage
Secure & remove
corporate data within
mobile apps
Mobile Application
Management (MAM)
Conditional Access:
Restrict which apps can be
used to access email or files
Mobile Device
Management (MDM)
Conditional Access:
Restrict access to managed
and compliant devices
Managed apps
(Corporate
data)
Personal apps
(Personal data)
Multi-identity
policy
Zero Trust compliance for
mobile devices and apps

21. Zero Trust Objective:

22. Discover and control
apps in your
environment
Extend policy
enforcement into the
session
Protect sensitive data
in cloud apps
Protect apps from risks
and threats across multi-
cloud environments
Ensure applications are
available, visible and secured

23. Discover and control apps
in your environment
Block unsanctioned
apps and guide usage
to approved apps
Approve apps and
apply policy
Discover cloud apps
and services
Assess risk levels
X

24. Continuous policy
assessment and
enforcement
Update user’s session risk through
additional evaluation
In-session monitoring and policy enforcement
Edit files
View files online Open in Word/
print blocked
Extend policy enforcement into the session
Risky user behavior
logged for future
analysis and
Investigation
User behavior
analyzed against
session policy

25. Classify, label and protect
data across cloud apps
Monitor, investigate and
remediate data risks
• Visibility into application-based file
sharing, collaborators and
classification labels
• Report out on data exposure and
compliance risks of applications
• Govern data in the cloud with
granular DLP policies for
applications
• Classify and label data to
automatically protect,
encrypt and restrict access to
sensitive files across applications
• Generate alerts on policy
violations and trigger automatic
governance actions across
applications
• Investigate incident, quarantine
files, remove permissions and
notify users across applications
Protect sensitive data in cloud apps

26. Sample of supported apps
Protect apps from risks and threats across the clouds
Threat delivery
and persistence
Indicators of a
compromised session
Malicious use of an
end-user account
Malicious use of a
privileged user

27. Zero Trust Objective:

28. Align segmentation
strategy and role-based
access control
Rapidly find and fix
configuration (and other)
vulnerabilities
Use real-time threat
monitoring to detect
attacks and anomalies
Harden defenses and detect and
respond to threats in real time

29. A strong enterprise
segmentation strategy:
Align segmentation
strategy and role-based
access control → Enables operations
→ Contains risk
→ Monitors for violations

30. Rapidly find and fix configuration
(and other) vulnerabilities

32. Zero Trust Objective:

33. Segment networks and
implement context-driven
access controls
Use real-time threat
protection to detect and
respond to threats
Protect data with end-to-
end encryption
Move beyond traditional
network security approaches
!

34. Subscriptions Virtual
Network
Azure
Firewall
Network security
Group
Kubernetes
Services
Container
Networking
Interface

35. Partner solutions
X
X
X
Azure network
security
Threat protection at the network layer

36. Encryption built into Azure

37. Data
Zero Trust Objective:

38. 101010 0101
Discover and classify your
data based on sensitivity
Apply real-time protection
to your sensitive data
Gain visibility into sensitive
data activity, policy
violations, and risky sharing
Protect your sensitive data—
wherever it lives or travels

39. Discover and classify your data

40. Apply comprehensive protection to data and files

41. Monitor and remediate

42. Visibility and
Analytics

43. Gain insights across your enterprise

44. Available resources
aka.ms/Zero-Trust

45. © 2021 Razor Technology, LLC www.razor-tech.com
@DavidJRosenthal
Slideshare
www.razor-tech.com
5 Tower Bridge
300 Barr Harbor Dr., Suite 705
West Conshohocken, PA 19428
www.razor-tech.com
David.Rosenthal@razor-tech.com
Office: 866.RZR.DATA
LETS KEEP IN TOUCH