How do you secure a device according to Zero Trust principles? Part 1
Recently, we introduced you to Microsoft's Zero Trust Framework. With the mass adoption of cloud services and the move towards XaaS'ing (Anything as a Service) of the IT landscape, the security focus is shifting primarily to identities and devices. These devices are also called endpoints. Luc Frijters explains how to handle securing and managing endpoints as an organization, based on the principles of Zero Trust.
Endpoint means a (usually) physical device that connects and exchanges information with a computer network. In the Microsoft Cloud, an endpoint is often thought of as the point from which a user accesses services in the Microsoft (Public) Cloud. For example, sending an email via Outlook on a laptop, sharing a file via the OneDrive app on an Android smartphone, participating in a Teams meeting from an iPad or completing timekeeping in Dynamics 365 from a desktop. In short, laptops, desktops, tablets, smartphones and nowadays web browsers or full virtual (cloud) workstations such as Windows 365, can all be endpoints.
Microsoft's Zero Trust Framework is based on three principles:
For the Zero Trust way of security, it is of secondary importance what different types of devices are used and where they are located. The exact same security policy must be continuously applied on every device and in every location.
How do you secure an endpoint according to Zero Trust principles (with Microsoft technology)?
A number of cornerstones can be identified from the Microsoft Cloud:
Using these cornerstones from the Microsoft Cloud allows you to apply Zero Trust principles to endpoint security
In an ideal, modern scenario, endpoints are added or registered in Azure Active Directory, depending on whether they are business or private endpoints. Business endpoints in particular are managed with Microsoft Intune, with Conditional Access validating, defining and securing access to applications and data, and Microsoft Defender for Endpoint providing prevention and detection of malware and other threats. All this while Windows Hello for Business handles authentication on (managed) endpoints, based on biometrics, combined with local hardware-based security mechanisms such as Secure Boot and TPM chip.
Read part 2 of this blog on how to approach this practically and why certain choices are made.
Want to get started yourself?
Of course, there is much more to discover about Azure Active Directory, Microsoft Intune, securing endpoints and the Zero Trust Framework. Want to learn more about how your organization is taking an active stance on IT security? Read more about our Security offerings and expertise.
Our Security experts are ready to help!
