Security - Zero Trust - User & Infra

Why Zero Trust

Cloud environments and remote workforces now require access to corporate applications and data that exist beyond the traditional corporate boundary of firewalls and VPNs. Every modern organization needs a holistic system of verification to handle security and to combat threats effectively.

Office Line adopted a modern approach to security called “Zero Trust,” which is based on the “Trust None, Verify Everything” principle. We implement security controls based on this approach. We manage and grant access by continually verifying identities, devices, and services, with the ultimate purpose of protecting your company.

How to achieve Zero Trust

To address the security challenges that the modern workplace faces, we implement Zero Trust so that users access the corporate environment through a layered approach that keeps corporate data secure. Our implementation is centered on strong user identity, verification of device health, and secure, least-privilege access to corporate resources and services, and it reduces the risk of unauthorized lateral movement across your corporate network.
Through these authentication and verification methods, we ensure that users are given access only to what they are explicitly authorized to use.

Verify Identities

Most security breaches involve credential theft and gaps in cyber security hygiene. These multiply the risk exposure of employees and of organizations at scale. For that reason, one of the primary components of a Zero Trust implementation is the ability to verify a user’s identity before the user is granted access to corporate resources.

With Azure Active Directory, we explicitly approve and grant access to specific corporate applications and data for each individual user, in a user-friendly environment and across many devices. As we continue to move forward, our ultimate goal is to completely eliminate the use of passwords.

Verify Devices

Every unmanaged device is an easy entry point for malicious actors. It is vital for cyber security to verify devices, to ensure that only healthy devices can access critical applications and data. The initial and fundamental step of our Zero Trust implementation is to enroll user devices in Microsoft Intune, the ultimate device management system that manages corporate policies to govern access to all resources.

With Microsoft Intune, we ensure that every device is categorized as healthy before it is allowed access to email, SharePoint, or Teams. We also enforce integrated security controls that incorporate complete risk assessments and mitigation strategies, intelligently.

Verify Access

We can always focus on managing and maintaining healthy devices and secured identities throughout a corporate environment. However, users sometimes need to work from unmanaged devices. With that in mind, we define a plan to minimize the methods of access to corporate resources, and to require identity and device health verification for all access methods.

In the verify access pillar, our focus is on segmenting users and devices across specific networks and automatically routing them to appropriate network segments, by forcing policy updates to their systems.

The final goal is an Internet-only access method. Using this approach, we reduce users' access to the corporate network for most scenarios, and we enable a plan to establish a set of services that make applications available to users with unmanaged devices.

Zero Trust by Office Line

The primary components of this implementation are:

Microsoft Intune for device management and device security policy configuration.

Azure Active Directory (Azure AD) for creating conditional access policies for healthy devices, and for user and device inventory.

Microsoft Intune pushes configuration requirements to managed devices.

The device generates a statement of health, which is stored in Azure AD.

Finally, when the user requests access to a resource, the device health state is verified as part of the authentication exchange with Azure AD.
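
An added example, not Office Line's or Microsoft's own code: a small audit over conditional access policies exported as JSON that flags policies which would let a sign-in through without the device health check described above. The sample policies are constructed, and the field names assume the Microsoft Graph conditionalAccessPolicy shape.

```python
# Constructed sample: two policies trimmed to the fields checked here,
# in the shape assumed for a Microsoft Graph conditionalAccessPolicy export.
SAMPLE_POLICIES = [
    {
        "displayName": "Require compliant device for Office 365",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["Office365"]},
        },
        "grantControls": {"operator": "AND",
                          "builtInControls": ["mfa", "compliantDevice"]},
    },
    {
        "displayName": "MFA pilot",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeUsers": ["<placeholder-account-id>"]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR",
                          "builtInControls": ["mfa", "compliantDevice"]},
    },
]

def audit_policy(policy):
    """Return a list of findings for one policy; empty means no gap found."""
    findings = []
    grant = policy.get("grantControls") or {}   # may be null in an export
    controls = grant.get("builtInControls", [])
    users = policy.get("conditions", {}).get("users", {})
    if policy.get("state") != "enabled":
        findings.append("not enforced (state=%s)" % policy.get("state"))
    if "compliantDevice" not in controls:
        findings.append("device compliance not required")
    elif grant.get("operator") == "OR" and len(controls) > 1:
        # With OR, satisfying any other control skips the device check.
        findings.append("compliantDevice is optional (operator OR)")
    if "All" not in users.get("includeUsers", []):
        findings.append("does not cover all users")
    if users.get("excludeUsers"):
        findings.append("has user exclusions to review")
    return findings

def audit(policies):
    """Map each policy's display name to its findings."""
    return {p["displayName"]: audit_policy(p) for p in policies}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_POLICIES).items():
        print(name, "->", findings or "ok")
```
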

Securely harness the power of the Cloud with Office Line

Fill in your contact details to learn more about how we can help you to handle any unpredictable data loss situations and keep your productivity and brand stable.