Securing infrastructure according to the Zero Trust Framework

Vincent Villerius

09 nov, 2023

The first Security Blog of this series explained the Zero Trust Framework. For securing IT assets, the infrastructure layer is an important part of the framework. IT infrastructure consists of solutions that support multiple applications. Traditionally, this has been thought of as referring to compute, storage and network. Matters about which - in the on-premises world - it is (probably) clear as to how they should be protected. But what about in the cloud? Vincent Villerius, Managing Consultant Azure & Integration explains.

Shared responsibility

When you use cloud services, there is a shared responsibility (shared responsibility model) for information security between the cloud provider and the customer. In this model, the cloud provider is always responsible for things like physical access security, energy, cooling and physical hardware, but for the services that are purchased on top of that, the responsibility varies by delivery model. When it comes to proprietary data, end-user devices, accounts and access management, the responsibility for each delivery model lies with the customer. In IaaS (Infrastructure as a Service), the customer has more responsibilities than in PaaS and SaaS models. To keep things clear, for the remainder of this blog we'll look specifically at the IaaS model. Where are the responsibilities as a customer and what tools does Microsoft offer to take that responsibility?

IaaS

In the IaaS model, you purchase compute, storage and network from Azure. The customer is responsible for the setup and thus security of virtual servers, virtual networks, identity infrastructure and applications. Fortunately, Azure offers several solutions that allow Zero Trust principles to be applied to proprietary resources.

Verify the identity of everything and everyone who wants access and apply this to the systems themselves. Ask questions like, "is trusted software being used?" and "can your own virtual machines be trusted?" The following tips can help with this first principle:

Use generation 2 virtual machines. These use verified bootloaders, operating systems and drivers.
Deploy Azure Policy for reporting on and enforcing secure standards.
Use Azure Bastion so that access to virtual machines is first controlled by Azure AD (Active Directory) and does not require RDP (Remote Desktop Protocol) traffic through public IP addresses.
Use Adaptive Application Controls to ensure that only trusted applications are run. This is part of Defender for Servers plan 2.

We still see many organizations in which every IT employee is Global Admin and Subscription Owner. These employees are probably good faith parties, but accidents are waiting to happen. Giving employees the access needed to be productive only for a moment can prevent many incidents. The following tips can help limit permissions to the bare essentials:

Use Role Based Access for access to and management of IaaS resources.
Limit the number of Global Admins and Owners as much as possible. Azure offers built-in roles and the ability to define appropriate roles yourself.
Use Privileged Identity Management to give administrators access only when needed, for as long as needed.
Use Just Enough Administration to set up delegated administration for Powershell users.

It is often said that there are two types of organizations: those that know they have been hacked and those that do not yet know. From the mindset that a break-in may already be underway, we minimize its impact as much as possible. The following tips can help:

Use Azure Security Center for insight into the status of security and for tips on how to improve it.
Encrypt data at rest and in transit. Consider managing proprietary encryption keys with Azure KeyVault.
Prevent an attacker from moving freely through your virtual network. Segment the virtual network and use Network Security Groups, Azure Firewall and Route Tables to enforce this.

Use Adaptive Network Hardening to adaptively further restrict network traffic when Network Security Groups do not provide sufficient control. This is part of Defender for Servers plan 2.

Take responsibility

Cloud services are enormously powerful, scalable and rich in configuration options. Organizations often mistakenly assume that security is the full responsibility of the cloud vendor, resulting in vulnerabilities and data breaches. Especially when a customer uses IaaS and PaaS services, they have many responsibilities. Fortunately, there is a rich set of tools that can be deployed to secure systems in the cloud in a way that does justice to your requirements and wishes.

Learn more

From our Infrastructure and Security experts

Connect with us

Want to know how your organization can take an active stance on IT security? Our experts are ready to help.

First name

Last name

E-mail

Phone optional

Company name optional

Company location

Message

By using this form you agree to the storage and processing of the data you provide, as indicated in our privacy policy. You can unsubscribe from sent messages at any time. Please review our privacy policy for more information on how to unsubscribe, our privacy practices and how we are committed to protecting and respecting your privacy.

Deze website maakt gebruik van cookies

Wij, en derde partijen, gebruiken cookies op onze website. We gebruiken cookies om statistieken bij te houden, uw voorkeuren op te slaan, maar ook voor marketingdoeleinden (bijvoorbeeld het op maat aanbieden van advertenties). Door op 'Instellingen' te klikken kunt u meer lezen over onze cookies en uw voorkeuren aanpassen. Door op 'Alles accepteren' te klikken, ga je akkoord met het gebruik van alle cookies zoals beschreven in onze privacy- en cookie policy.