Stepping into Zero Trust with a Solid Strategy
Previously posted on Quisitive Blog
You can learn how to improve Azure security posture for SMBs using a Zero Trust strategy, including tips for maximizing this strategy by leveraging executive buy-in, collaboration among business leaders, and a phased approach to Zero Trust adoption.
In our last blog post, we explored the concept of Zero Trust and provided guidance for the SMB Community. (If you prefer video overviews, Microsoft created an excellent overview of the topic here: MCRA Zero Trust Overview.) In this blog, we’re exploring how a Zero Trust Strategy can improve your business security posture. Keep reading to learn about the importance of executive buy-in, collaboration among business leaders, and the phased approach to Zero Trust adoption.
Getting executive buy-in from business leaders, whether at a small or large organization, is key. That’s why Microsoft’s Zero Trust Adoption Framework emphasizes the need for buy-in at the highest level of an organization. It highlights that Zero Trust is a proactive, integrated approach to security that requires understanding and protecting critical business assets while maintaining business agility.
The framework outlines the importance of collaboration among business leaders, technology leaders, business security leaders, and security practitioners to create an agile Zero Trust security approach. It provides guidance on setting objectives, tracking progress, and driving adoption through a methodical and phased approach, ensuring that security becomes a strategic driver for growth rather than just a cost center.
Starting with the strategy in mind is critical as you go down your Zero Trust adoption path. The below would be an example of how you could integrate it into your current strategic initiatives:
Microsoft has provided a great foundation of resources for starting your own Zero Trust Journey: Zero Trust adoption framework overview | Microsoft Learn. As with many areas in cybersecurity, it starts with documenting your critical assets: what they are doing for the business, why they need to do it, and how you measure that they are doing it successfully. Using the Lifecycle mentioned above, you can start to track the implementation of different components of your journey based on business criticalities, quick wins, or building out a greenfield for future growth.
Tools to Ease You into the Implementation of your Zero Trust Security Strategy
Adoption Scenario Plan Phase Grid
  Purpose: Easily understand the business security enhancements for each scenario and the level of effort for the stages and objectives of the Plan phase
  Audience: Business scenario project leads, business leaders, and other stakeholders
  Download: Visio file or PDF
Business leader tracker for Zero Trust (Zero Trust adoption tracker)
  Purpose: Track your progress through the stages and objectives of the Plan phase
  Audience: Business scenario project leads, business leaders, and other stakeholders
  Download: PowerPoint slide deck
Implementer tracker for Zero Trust (Business scenario objectives and tasks)
  Purpose: Assign ownership and track your progress through the stages, objectives, and tasks of the Plan phase
  Audience: Business scenario project leads, IT leads, and IT implementers
As you can see just from this initial set of tools, having a solid strategy when beginning this journey will be critical to its long-term success and to the overall success of your security program. Of course, Microsoft and security partners like Quisitive have an extensive background in implementing strategic programs like this. They can provide your organization with the guidance or implementation resources needed to make it a success.
With a solid footing in strategy and the engagement of your business leaders, you can start down the implementation journey. At that point, unless this is a greenfield project, you will want to assess your current business security posture. Here again Microsoft delivers a multi-domain self-assessment to help you with that: Microsoft Zero Trust Maturity Assessment Quiz | Microsoft Security.
Tracking your Zero Trust Journey
Microsoft has provided a toolkit of guidance to help business security and technology teams collaborate with business leaders on Zero Trust by providing:
Recommended Zero Trust objectives for business leaders across organizations
A methodical and phased approach to implementing a Zero Trust architecture
A systematic way to track progress, scoped to business leaders
Curation of the most relevant resources for the adoption of Zero Trust, from slides that are ready to be presented to business leaders to technical implementation guidance and user infographics
From a compliance perspective, your organization should define its strategy according to its intrinsic GRC methodology. If the organization doesn’t subscribe to a specific standard, policy, or framework, then an assessment template should be obtained from Compliance Manager. Every active Microsoft 365 subscription is assigned a data protection baseline that may be mapped against Zero Trust deployment guidelines.
Domain Planning Process Chart
Here is an example of an implementation plan across the different domains previously discussed, as well as some of the ways that you can blend in signals and authentication as you build out your Zero Trust processes. Using a strategic plan with requirements defined before implementation allows you to consider the scope of your implementation and how you could phase it based on business needs and the resources available.
In the diagram above:
Each of the functional areas is represented: Identities, Endpoints, Networks, Data, Apps, and Infrastructure
Zero Trust integrates protection across all the functional areas through policies and Policy Optimization
Threat protection brings together signals across the organization in real-time to provide visibility into attacks and streamline remediation through automated actions and incident response tracking
For the most part, we have now uncovered the requirements you need in order to define the strategy for your Zero Trust journey. Here are some points to consider as you round out your strategy:
Create a strategic implementation plan that includes:
Identities
Endpoints
Networks
Data
Apps
Infrastructure
Compliance, regulatory and contractual requirements
Zero Trust integrates protection across all these areas through policies and policy optimization. Incorporate threat protection to provide real-time visibility and automate remediation actions.
Use a phased strategy to consider the scope of implementation and phase it based on business needs and available resources.
In our next blog post, we will discuss using the phased strategy process we just covered to map out your environment and PLAN the type of work that might be needed for the various phases.