A Deep Dive into Modernizing SMB Security
Enhancing Your Security Posture with Modern Techniques
Our previous blog continued our journey towards Zero Trust by developing a strategic approach and engaging the right stakeholders. Microsoft provides several valuable tools to help you identify critical assets within your organization, allowing you to start mapping out the interdependencies between your people, business processes, and technology.
Let's continue our journey by adopting a Zero Trust approach and examining the business scenario of rapidly modernizing your security posture. Instead of concentrating on the technical aspects of implementing a Zero Trust architecture, the focus is on developing a strategy and setting priorities. Microsoft's guidance also outlines how to implement these priorities while incrementally measuring and reporting progress.
Your security posture refers to your organization's overall cybersecurity defense capabilities, preparedness, and operational readiness to address ongoing cybersecurity threats. Like any other significant metric related to your organization's operational status or well-being, it should be quantifiable and measurable.
Retrieved from Rapidly modernize your security posture for Zero Trust | Microsoft Learn
The key components of Microsoft's guidance for rapidly modernizing your security posture for Zero Trust are as follows.
Define Strategy Phase:
In this phase, you collaborate across your organization to create a strategy and establish priorities and objectives for your Zero Trust journey. Organizational alignment and clear strategic goals are what make the later phases succeed.
To successfully implement the principles of Zero Trust with your partner teams, you must achieve business alignment. You can build confidence in your evolving security framework by agreeing on the risks and gaps in your current security posture, determining the steps needed to mitigate these issues, and establishing a method to track and communicate progress.
Business alignment can be attained through one or both of the following approaches.
Take a risk-based approach, identifying the top risks to your organization and the most appropriate mitigations.
Understand where your digital assets are, what they're composed of, and their relative risk profile based on exfiltration or loss of access to them to create a defensive strategy.
Either approach can be used to progress through this article. The technical objectives and work described in the other business scenarios support both methods.
Risk-based approach
Some organizations choose to prioritize work and measure progress against risk. Tabletop exercises and ISO standards are two standard tools for identifying risks.
Tabletop exercise evaluation: The Center for Internet Security (CIS) provides Six Tabletop Exercises to Help Prepare Your Cybersecurity Team, which is an easy way to get started.
These tabletop exercises are designed to help organizations walk through different risk scenarios and evaluate their state of preparation. Each exercise can be completed with your team of stakeholders "in as little as 15 minutes."
Using ISO standards resources and tools
Many organizations use International Organization for Standardization (ISO) standards resources and tools to gauge risk. These provide a structured and comprehensive way to review and assess the risks and mitigations that apply to your organization.
Defensive strategy
Assessing your entire digital landscape is essential when implementing a defensive strategy. This involves identifying your digital assets, understanding their composition, and evaluating the risks associated with their potential exfiltration or loss of access.
Next, you should prioritize the areas that need attention by estimating the potential damage each type of incident could cause your business. Consider these common types of incidents as you evaluate the risks.
Data loss
Data leakage
Data breach
Data access loss
Compliance loss due to cyber incident
Once you have identified the key areas needing protection, you can systematically implement Zero Trust principles. This process will also help you build a solid case for the funding and resources necessary to carry out this work.
The shared responsibility model is also a valuable resource for shaping your strategy and priorities. Your security responsibilities will vary depending on the type of cloud service you use. The following diagram illustrates the balance of responsibilities between you and Microsoft.
Document and report on your security posture
It's essential to continuously report on your security posture using various methods, including Microsoft scoring mechanisms and other dashboards. Numerous tools and approaches are available to achieve this. In this scenario, you will identify the reports and tools that are most beneficial for your organization and develop a documentation method that is effective for your specific needs.
Plan Phase
In this phase, you create technical plans and ensure skills readiness. It includes evaluating, testing, and piloting the technical objectives.
Microsoft provides an Excel workbook that you can use to assign owners and track your progress for these stages, objectives, and tasks; it includes a worksheet for this business scenario.
Microsoft provides resources to help you rapidly modernize your security posture. The following sections highlight resources for specific tasks in the four previously defined stages.
Stage 1
Here, you begin to understand your current security posture. You initiate discussions within your leadership team and organization to learn about Zero Trust and how it aligns with business strategies and objectives.
Stage 2
Here, continue to detail your current security posture, including:
Developing a response readiness plan
Starting an inventory of your digital estate
Implementing basic hygiene
Inventory your digital estate
When preparing for a breach, it is essential to understand the state of both your physical and digital assets, so the first objective in this process is to take an inventory. Note that other business scenarios may require you to inventory the assets affected by that specific scenario. These inventories, and the status of the items in them, contribute significantly to your overall security posture.
For this particular business scenario, it is recommended that you compile a comprehensive list of all physical and digital assets, services, and line-of-business (LOB) applications.
Physical assets include endpoints such as mobile phones, PCs, laptops, and servers (whether physical or virtual). Digital assets can encompass services like email and retention data in Exchange Online, files and records stored in SharePoint Online, SQL Platform as a Service (PaaS) offerings, data lakes, and files on on-premises file servers or Azure File Shares.
Consider using a Cloud Access Security Broker (CASB) service, such as Microsoft Defender for Cloud, to enhance visibility into the services your users rely on, including shadow IT data locations.
The following are digital assets to include in your inventory:
Identities
Devices
Data
Apps
Infrastructure
Network
Stage 3
A robust security posture requires effective instrumentation to enhance visibility. To simplify the process, consolidate your tools and methods into as few views or dashboards as possible. The primary goal at this stage is to visualize your security posture through dashboards tailored to your audience.
Adopting an "assume breach" mentality necessitates examining breach preparedness by implementing continuous monitoring. In this phase, it's essential to document and evaluate the number of portals or views that fulfill this function. This internal documentation can take the form of reports you compile manually or reports generated from your security tools, such as Exposure Management, Compliance Manager, Microsoft Defender XDR, Microsoft Defender for Cloud, Microsoft Sentinel, and other relevant tools.
For example:
An executive summary view of risk, breach preparation, and current incidents.
A CISO summary view for IT and OT security assets.
Security Analyst views to respond to incidents.
A historical view on security information and event management (SIEM) and security orchestration, automation, and response (SOAR) to comply with regulatory demands and long-running threat hunting.
Creating and maintaining role-specific views gives transparency about security posture status to your stakeholders, who share the burden of security management, from executive leaders to incident responders.
Stage 4
The objectives of Stage 4 are about maturing your organization's ability to prevent and respond to attacks.
Ready Phase:
This phase focuses on gradually implementing the technical objectives across your digital landscape. It entails tracking and measuring progress, monitoring and identifying threats, and iterating for greater maturity.
The Ready phase for this business scenario differs from other business scenarios. Instead of evaluating, testing, and piloting specific security capabilities or configurations, this phase emphasizes assembling your stakeholder team and collaboratively addressing each stage and objective using an agile approach.
For example, when tackling each objective:
1. Assess what is needed to achieve the objective, including identifying the necessary team members.
2. Start with a reasonable strategy and test it out.
3. Refine the approach based on the feedback and insights gained during testing.
4. Pilot the revised approach and make further adjustments based on your learning.
The following table illustrates how this process can be applied to identifying risks to your organization in Stage 1 of the Plan phase.
Ready task - Actions
Evaluate - Decide what resources you'll use to evaluate risks and who should participate in the activities. This evaluation can include tabletop exercises or the ISO standards. Determine who in your organization should participate.
Test - Using the resources you're targeting, review the recommended exercises with a small group of your stakeholders to gauge your readiness to engage your fuller team.
Pilot - If you're using the tabletop exercises, try out one of the scenarios with the chosen participants. Review the results and determine if you can proceed to the other exercises. If you're using the ISO standards, target a portion of the standard to pilot the evaluation.
An agile approach like this allows opportunities to adjust and optimize your methodology and process. You also build confidence as you go.
Adopt Phase:
This phase focuses on systematically guiding each component of your Zero Trust architecture through the adoption lifecycle while governing and managing the implementation process.
You will incrementally implement your strategy and deployment plans during the adoption phase across various functional areas. This scenario involves achieving the objectives outlined in the four stages or any customized objectives and stages that apply to your organization.
Modernizing your security posture also entails meeting the technical objectives recommended in other business scenarios or those prioritized by your organization. These contribute to your overall security posture.
As you transition to the adoption phase for this scenario and others, you must communicate your efforts' status, progress, and value.
Govern and Manage
This section highlights the importance of communicating status, progress, and value to business leaders. It emphasizes the need for a standardized security posture that caters to IT and Operational Technology (OT) security requirements.
Security governance is an ongoing process. As you move into this phase, focus on tracking and measuring the results of each component of the Zero Trust architecture you have implemented. By combining this with continuous monitoring and detection, you can identify opportunities for improvement and maturity.
Track and Measure
This article provides various reports and dashboards that you can utilize to evaluate your current status and measure progress. Ultimately, the goal is to establish a set of metrics that demonstrate your advancements and help identify potential emerging vulnerabilities. Use these different reports and dashboards to gather the most relevant metrics for your organization.
Team and Organization Metrics
The following table lists some example metrics that you can use to monitor your team's and organization's security posture.
Microsoft Security Exposure Management is a security solution that provides a unified view of security posture across company assets and workloads. This tool includes Security Initiatives, which help you assess readiness and maturity in specific security risk areas. Security Initiatives take a proactive approach to managing security programs toward specific risk- or domain-related objectives.
This Zero Trust adoption framework encourages a risk-based approach or a defensive strategy. With either approach, you can focus on other security initiatives within the exposure management tool, such as Ransomware Protection or specific threat initiatives. Your efforts can contribute to the overall maturity of the Zero Trust initiative.
You can utilize the Zero Trust initiative alongside this adoption framework. The initiative's metrics and tasks are organized by specific Zero Trust business scenarios.
Monitor and detect
As you navigate each business scenario, determine how you will monitor and detect changes in the environment and potential breaches. Many of these capabilities are offered through Extended Detection and Response (XDR) tools, including the suite of Microsoft Defender XDR products and Microsoft Sentinel. These are implemented in the "Prevent or reduce business damage from a breach" business scenario.
Iterate for maturity
Implementing Zero Trust can take years, especially in large organizations. During this time, attackers will continue to evolve their techniques. Therefore, it is crucial to use your metrics alongside your monitoring and detection capabilities to identify areas where you need to improve and advance your Zero Trust environment. Additionally, continuously evaluate and adapt how you measure success and communicate progress, status, and value.
Embracing a Zero Trust strategy is crucial for small and medium-sized businesses (SMBs) to strengthen their security on Azure. By establishing a clear strategy, aligning it with business objectives, and systematically implementing security measures, organizations can effectively reduce risks and safeguard their digital assets. It is essential to continuously monitor, assess, and adapt security practices to keep up with evolving threats. Begin your Zero Trust journey today to ensure your organization is well-equipped to tackle cybersecurity challenges.