Zero Trust Security: Modern Management (Identity, Device, Application, Network, Infrastructure, Data)

Last time we talked about what Zero Trust is, and why Zero Trust.

This time we can talk about the how: how to achieve Zero Trust with technology.

Let’s start with the six pillars:

Identities:

The identity journey is all about transforming legacy authentication into modern authentication. The term "legacy authentication" comes from Microsoft; it is how Microsoft refers to its old Windows Integrated Authentication, such as NTLM and Kerberos, which is insecure and vulnerable to Denial of Service (DoS) attacks.

The transformation journey depends heavily on your organisation's identity strategy, but the high-level strategic approach is as follows:

  1. Plan to turn off legacy authentication protocols. I'm assuming most organisations use on-premise Active Directory as the legacy IdP (Identity Provider); one good way to help stop DoS attacks would be to turn off Windows Integrated Authentication (which includes NTLM and Kerberos).
  2. Adopt and adapt to modern authentication. Microsoft initially planned to turn off legacy authentication on October 13, 2020, but due to the COVID-19 crisis it postponed the change to the second half of 2021. We still don't have much time left, especially as large organisations usually need longer to plan and remediate the legacy use cases, for example the people still using older versions of Microsoft Office.

Modern authentication supported clients:

  • Office 2013 SP1+ with ADAL enabled
  • Mobile Office apps, including Word, Excel and PowerPoint, as well as the new Microsoft Office mobile app
  • Mobile Outlook

So, if you still have users on Microsoft Office 2010 or earlier, you need to start planning now.
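The first planning step is to find out who still signs in with legacy authentication before it is switched off. The script below is an added example, not code from the original post: it reads an Azure AD sign-in log export in JSON Lines form, assumes the field names `userPrincipalName` and `clientAppUsed`, treats every client app type other than `Browser` and `Mobile Apps and Desktop clients` as legacy, and runs over constructed sample records.

```python
"""Inventory of legacy-authentication sign-ins (added example, not from the post).

Assumes an Azure AD sign-in log export as JSON Lines with the fields
'userPrincipalName' and 'clientAppUsed'; the sample records are constructed.
"""
import json
from collections import defaultdict

# Client app types that use modern authentication and so can be covered by
# MFA and Conditional Access; every other value is treated as legacy.
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed sample sign-in records, one JSON object per line.
SAMPLE_SIGNINS = """\
{"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser"}
{"userPrincipalName": "bob@example.com", "clientAppUsed": "Exchange ActiveSync"}
{"userPrincipalName": "carol@example.com", "clientAppUsed": "IMAP4"}
{"userPrincipalName": "bob@example.com", "clientAppUsed": "Mobile Apps and Desktop clients"}
{"userPrincipalName": "bob@example.com", "clientAppUsed": "Exchange ActiveSync"}
this line is deliberately not JSON
"""


def is_legacy(client_app_used):
    """True when the client app type cannot use modern authentication."""
    return client_app_used not in MODERN_CLIENT_APPS


def legacy_auth_report(lines):
    """Return {user: {client_app: sign-in count}} for legacy-auth sign-ins only.
    Malformed lines and records without the needed fields are skipped."""
    report = defaultdict(lambda: defaultdict(int))
    for raw in lines:
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if not isinstance(rec, dict):
            continue
        user = rec.get("userPrincipalName")
        client = rec.get("clientAppUsed")
        if not user or not client or not is_legacy(client):
            continue
        report[user][client] += 1
    return {user: dict(clients) for user, clients in report.items()}


if __name__ == "__main__":
    for user, clients in sorted(legacy_auth_report(SAMPLE_SIGNINS.splitlines()).items()):
        print(f"{user}: {clients}")
```

Users who appear only with modern client types (alice above) are absent from the report; the remaining entries are the remediation list for step 1.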

  3. Adopt modern authentication

Adapting is challenging, but adopting will be easy. Modern authentication brings a whole new way for users to authenticate and be authorised to company resources:

  • Authentication
    • Multi-factor authentication
    • Smart card authentication
    • Certificate-based authentication helps to protect passwords from exposure.
    • Passwordless authentication
      • Biometric authentication by using your face, fingerprint and more.
      • Mobile Authenticator app, like Microsoft Authenticator
      • Hardware security device-based authentication (FIDO2 security keys), like Yubikey
  • Authorisation: OAuth
  • Conditional access policies:
    • Mobile Application Management (MAM)
    • Azure AD Conditional Access

So, what are the options for our strategic modern IdP?

  • Azure Active Directory
    • The most common modern IdP, due to the popularity of the Microsoft Office 365 ecosystem (sorry, we should call it Microsoft 365 now 😊)
    • Comes natively with Microsoft 365 and is natively integrated with on-premise Active Directory and all other Microsoft products.
    • ADFS is, from Microsoft's perspective, becoming legacy; Azure AD will replace it in the future.
    • All applications within Azure or Microsoft 365 use Azure AD exclusively as the IdP.
  • Okta
    • Fast-growing IdP
    • Identity routing rules are one of its most in-demand capabilities
  • Ping Identity

The IdP is one of the first things an organisation needs to invest in; choosing the strategic IdP is key to the modern authentication transformation as well as to moving towards the Zero Trust model.

What is your strategic IdP?