
How to initiate your Zero Trust

transformation project?

In 11 simple and practical tips

August 2021
Microsoft France

Writers: « Initiative Zero Trust » Team, France

Contributors/Reviewers: Jean-Yves Grasset, Arnaud Jumelet, Félix Ndouga, Maxime Roques, Guillaume
Aubert, Bastien Simon, Guillaume Bordier, India Giblain, Marc Gardette, Etienne Lacour, Jean-Marc
Guégan, Martin Flichy, Romain Curel, Lauren O’Hara

1 Initiating a Zero Trust transformation project


Table of contents
Introduction .............................................................................................................................................................. 4
1 Understanding the Zero Trust Vision ......................................................................................................... 7
2 Build a cross-functional team ...................................................................................................................... 11
3 Why a Zero Trust project? ............................................................................................................................. 13
4 Define technological building blocks ....................................................................................................... 16
5 Identify your maturity level ........................................................................................................................... 18
6 Identify the quick wins ..................................................................................................................... 21
7 Prioritize the Identity pillar ........................................................................................................................... 23
8 Define and use indicators.............................................................................................................................. 27
9 Monitor security ................................................................................................................................................ 29
10 Internet as corporate network .................................................................................................................. 31
11 Define a roadmap .......................................................................................................................................... 34
Conclusion .............................................................................................................................................................. 39



MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without
limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic,
mechanical, photocopying, recording, or otherwise), or for any purpose, without the express
written permission of Microsoft Corporation. Microsoft may have patents, patent
applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written
license agreement from Microsoft, our provision of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property. The
descriptions of other companies’ products in this document, if any, are provided only as a
convenience to you. Any such references should not be considered an endorsement or
support by Microsoft. Microsoft cannot guarantee their accuracy, and the products may
change over time. Also, the descriptions are intended as brief highlights to aid
understanding, rather than as thorough coverage. For authoritative descriptions of these
products, please consult their respective manufacturers.

© 2021 Microsoft Corporation. All rights reserved. Any use or distribution of these materials
without express authorization of Microsoft Corp. is strictly prohibited. Microsoft and
Windows are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries. The names of actual companies and products
mentioned herein may be the trademarks of their respective owners.



Introduction

The current period is conducive to questioning the way security is handled by
companies, as it is obvious that the stacking of security solutions no longer protects
against the proliferation of increasingly complex attacks. In addition,
attackers are taking advantage of the COVID-19 pandemic to conduct opportunistic
attacks that follow current events, as detailed in the September 2020 MICROSOFT
DIGITAL DEFENSE REPORT.

The extension of threats is unfortunately confirmed by the resurgence of attacks
faced by organizations. According to a joint press release from the French National
Agency for the Security of Information Systems (ANSSI) and its German counterpart,
the Federal Office for Information Security (BSI), in December 2020: "in the
continuity of a trajectory initiated in 2019, the number of cyberattacks has exploded:
the number of victims has thus been multiplied by 4 in one year". ANSSI
counted 200 cyberattacks against operators of vital importance (OIV) in 2020, four
times more than in 2019. "These attacks target companies in the public or private
sector."

The other major factor is the widespread shift of employees to remote work, a
scenario that for many companies and organizations was not anticipated. This has
challenged the well-established principles of perimeter security by increasing the
exposure of workstations located outside the physical boundaries of the enterprise.

Taking into account the Zero Trust model


As THE ESSENTIALS OF DIGITAL SECURITY FOR EXECUTIVES1 rightly analyzes, "With a totally
extended and highly fragmented information system, now carried by the cloud and
with dispersed mobile equipment, digital security is facing a new difficulty in rethinking
its control and protection methods in depth”. It is imperative to thoroughly review the
security of the extended information system to move from a perimeter model to a
Zero Trust model.

The Zero Trust model is receiving a much more attentive reception from security
managers because they are aware that the reflexes acquired decades ago no longer
work. Today's world is not the same as it was 10 or even 5 years ago. To support this
awareness, we can refer to the CESIN-Opinionway Corporate Cyber Security
Barometer, Wave 6², dated January 2021, which indicates that 75% of respondents
are currently studying how the Zero Trust model will be put into practice, have already
put in place building blocks of the model or are already very committed.

1 The document is in French: « L'ESSENTIEL DE LA SECURITE NUMERIQUE POUR LES DIRIGEANTS ET LES DIRIGEANTES ».
2 The document is in French: « Baromètre de la cyber-sécurité des entreprises, Vague 6 du CESIN-Opinionway ».

Beyond France, a study conducted as part of the MICROSOFT DIGITAL DEFENSE REPORT
mentioned above, estimated that 94% of respondents have already begun to deploy
Zero Trust building blocks and that 55% are looking to accelerate this deployment
because of the pandemic.

The ANSSI recently published a SCIENTIFIC AND TECHNICAL OPINION ON THE ZERO TRUST
MODEL³, which acknowledges that "If the Zero Trust model is in line with the logic of
"defense in depth" historically promoted by the ANSSI, it constitutes a modification of
the paradigm of the strict perimeter logic that has long prevailed". It then
recommends that "if an implementation of the model is envisaged, it can only be
progressive", which is strictly in line with this document.

Indeed, the transition to Zero Trust is an ambitious objective, a redesign project that
must be considered over time, but also a real opportunity to adapt to a context that
has changed profoundly over the last decade.

The principles of Zero Trust


The Zero Trust model is based on the principle that one can no longer trust the
network or the location from which access is requested; this is all the more obvious
in the new context of widespread teleworking, where employees connect through
their personal Internet connection and no longer necessarily use the VPN, or use it
only to reach internal resources. It is then necessary to dynamically check the access
context (identity of the accessing user, status of the device, location, etc.) before
authorizing access to the resource (application or service) under certain conditions.

Moreover, this security approach assumes that the risk is omnipresent: the principle
of "Assume Breach" is used, which admits that, whatever the protections put in place,
one can be compromised at any time. In this case, it is necessary to be able to detect
and react as quickly and efficiently as possible.

Approach to a Zero Trust project


Once this is acknowledged, the question that immediately follows is: "Where do I
start and how can I successfully complete this project towards the Zero Trust security
model?" In fact, this is more of a "journey" than a project, because organizations will
not be able to switch overnight: there is an existing situation to take into account,
and it is not a question of wanting to replace everything. Sensitive assets and critical
applications will remain on-premises for a long time. The rest of the organization's
data will be made available through SaaS applications and internal applications will
benefit from a migration to the cloud. The challenge is therefore to adapt the security
model for this hybrid mode.

3
The document is in French « AVIS SCIENTIFIQUE ET TECHNIQUE SUR LE MODELE ZERO TRUST ».



To quote the NIST white paper CHAPTER 7: MIGRATING TO A ZERO TRUST ARCHITECTURE:
“Implementing a ZTA [Zero Trust Architecture] is a journey rather than a wholesale
replacement of infrastructure or processes. An organization should seek to
incrementally implement zero trust principles, process changes, and technology
solutions that protect its highest value data assets. Most enterprises will continue
to operate in a hybrid zero-trust/perimeter-based mode for an indefinite period
while continuing to invest in ongoing IT modernization initiatives “.

Objective of this white paper


The objective of this white paper is to guide you in structuring your Zero Trust project
based on experience and feedback. It is intended to help you start your own Zero
Trust project by considering your existing situation, the priority issues to be resolved
and the scenarios you would like to focus on. Additional resources are provided to
help you learn more.

As this is a Microsoft white paper, we will describe the Zero Trust architecture with
the technological building blocks of our solutions as examples: Azure Active
Directory as the central identity brick, Microsoft Endpoint Manager for the device
management, Microsoft Defender for Endpoint for the security of
Windows 10/Windows 11 devices, Azure Sentinel for the SIEM brick, etc.

However, deploying a Zero Trust architecture does not require you to adopt only
Microsoft components, nor to replace all the security systems that are currently in
place. It's up to you to build your own architecture, with the goal of drastically
reducing the number of security solutions to facilitate their integration, avoid
redundancies and optimize their administration.

The idea is to advocate a pragmatic approach to adopting Zero Trust as summarized
by the slogan "Think big, start small, move fast" which you will find in the Microsoft
white paper “ZERO TRUST BUSINESS PLAN, A PRACTICAL GUIDE TO IMPLEMENTING THE ZERO
TRUST FRAMEWORK AT YOUR ORGANIZATION”.



1 Understanding the Zero Trust Vision
Starting a Zero Trust project requires a good understanding of the Zero Trust
concepts and the technological building blocks that will allow these major principles
to be implemented in the real world. The objective is to apply the vision to one's own
existing information system. This first step is an introduction to Zero Trust and a
discovery of the technological building blocks associated with six major themes (or
pillars) described below that structure the Zero Trust approach. The aim is to
understand the principles of Zero Trust that will serve as a guide throughout the
project, but without going into the details of the technologies at first. The choice of
technologies used, and their in-depth study will be carried out in the form of
dedicated workshops as explained later in step 4 DEFINE TECHNOLOGICAL BUILDING
BLOCKS.

Principles
To summarize in one sentence, the Zero Trust principle describes the fact that "all
users and devices should be able to access the right resources from any location with
the same security conditions". This is broken down into three pillars:

1. Verify explicitly: dynamically control the context of the accessing user – identity,
location from which access is made, device used and its health status, etc.
2. Implement least privilege access: ensure, based on this context, that the accessing user
will only have the privileges necessary to access the application. This can be refined by
assigning a time window for access.
3. Assume breach: adopt a posture where you admit that you could be compromised
and ensure that you are able to detect attacks and contain them quickly to limit their
impact.

Technological pillars
Beyond the understanding of these simple principles, we can see that the real-world
implementation covers a very broad set of topics (or pillars) from identity, devices,
data, applications, infrastructure and network, according to the categorization
proposed in the ZERO TRUST DEPLOYMENT CENTER.



The pre-study should focus on these 6 major pillars, knowing that some, such as
identity, should be treated as a priority, that all are connected and that the level of
maturity of your organization will not be the same depending on the subject. You
could very well have a good level of maturity on the identity pillar by having already
set up a hybrid repository (with synchronization between your internal identity
repository and the cloud repository) but be less mature in device (endpoint)
management and security.

The Zero Trust Architecture


The diagram below distributes the 6 pillars around a central element to understand
how the whole is articulated.

On the left, we find the Identity of the person accessing the resource (usually the
user), to whom we will impose a strong authentication – multi-factor – and whose
risk can be dynamically estimated. Next, the Device used to access the targeted
resource (an application or a service), whose associated risk level can be estimated:
for example, a low risk level if the device is managed by the company, evaluated in
compliance with security policies, up to date with security patches, etc., unlike a
personal device whose health status cannot be measured.

The central node, which is very precisely described in the Zero Trust vision, is the
real-time access assessment engine. It is based on identity and device elements of
the access context and dynamic threat state assessment. Based on the security
policies defined by the organization, it allows full, partial, conditional access to the
requested application or imposes a denial. This strictly follows the model defined in
the NIST ZERO TRUST ARCHITECTURE white paper, where the user is the subject
accessing the resource from a device and whose context is dynamically evaluated to
grant or deny access to the resource. This evaluation is based on a module called
Policy Enforcement Point which is the "heart of the reactor".
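As an added illustration (not code from this white paper or from any Microsoft product), the following Python sketch models such a real-time access assessment engine: an ordered policy evaluates the identity and device signals of a request, applies the three principles above, and returns full, partial, conditional or denied access. The signal names, the rules and the sample requests are constructed assumptions.

```python
"""Toy real-time access assessment engine (constructed illustration).

Models the decision described above: identity and device context plus threat
state are evaluated against organization policy and the outcome is full,
partial, conditional or denied access.  Not Azure AD Conditional Access or
any product's real rule syntax.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Tuple


class Decision(Enum):
    ALLOW = "full access"
    LIMITED = "partial access (browser-only session, downloads blocked)"
    STEP_UP = "conditional access (multi-factor challenge required first)"
    DENY = "access denied"


@dataclass(frozen=True)
class AccessContext:
    """Signals the engine sees at request time (all fields are assumptions)."""
    user: str
    mfa_satisfied: bool        # strong authentication already performed?
    user_risk: str             # identity risk estimate: "low", "medium", "high"
    device_managed: bool       # enrolled in the company's device management
    device_compliant: bool     # meets security policy, patched, etc.
    resource_sensitivity: str  # "public", "internal" or "confidential"


# A rule is (reason, predicate, decision); first matching rule wins.
Rule = Tuple[str, Callable[[AccessContext], bool], Decision]

POLICY: List[Rule] = [
    ("assume breach: a high-risk identity is blocked outright",
     lambda c: c.user_risk == "high",
     Decision.DENY),
    ("verify explicitly: any non-public resource requires MFA",
     lambda c: c.resource_sensitivity != "public" and not c.mfa_satisfied,
     Decision.STEP_UP),
    ("verify explicitly: medium identity risk must re-prove identity",
     lambda c: c.user_risk == "medium" and not c.mfa_satisfied,
     Decision.STEP_UP),
    ("confidential data only from a managed and compliant device",
     lambda c: c.resource_sensitivity == "confidential"
     and not (c.device_managed and c.device_compliant),
     Decision.DENY),
    ("least privilege: unmanaged or non-compliant device gets a limited session",
     lambda c: c.resource_sensitivity == "internal"
     and not (c.device_managed and c.device_compliant),
     Decision.LIMITED),
]


def evaluate(ctx: AccessContext) -> Tuple[Decision, str]:
    """Return the access decision and the rule (reason) that produced it.

    Rules are checked in order so that the most restrictive signals
    (threat state) are considered before the finer-grained ones.
    """
    for reason, predicate, decision in POLICY:
        if predicate(ctx):
            return decision, reason
    return Decision.ALLOW, "default: context satisfies every policy condition"


# Constructed sample requests covering each possible outcome.
SAMPLE_REQUESTS: List[AccessContext] = [
    AccessContext("alice", True, "low", True, True, "confidential"),
    AccessContext("bob", False, "low", True, True, "internal"),
    AccessContext("carol", True, "low", False, False, "internal"),
    AccessContext("dave", True, "low", False, False, "confidential"),
    AccessContext("eve", True, "high", True, True, "public"),
]


def decide_all(requests: List[AccessContext] = SAMPLE_REQUESTS):
    """Evaluate a batch of requests; returns (user, Decision, reason) triples."""
    return [(r.user,) + evaluate(r) for r in requests]


if __name__ == "__main__":
    for user, decision, reason in decide_all():
        print(f"{user:6s} -> {decision.value:62s} [{reason}]")
```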

The other pillars concern Data with the classification and protection of the most
sensitive data using encryption. This can include protection against information
leakage. Then comes the Infrastructure, whether it be cloud (Azure and other clouds)
or on-premises for the protection of application components: VMs, containers,
microservices, etc. Finally, the Network, with everything related to network security
such as traffic filtering, communication encryption, endpoints exposure, micro-
segmentation...

We can see that beyond these principles, it is necessary to rely on technological
building blocks, but that this vision is "disruptive" compared to perimeter security as
it was understood until now.

Defining technological building blocks


Each topic will be associated with one or more technological building blocks, which
will offer several functionalities. For example, the Identity building block – provided
in the Microsoft environment by Azure Active Directory – will offer SSO, conditional
access, and multi-factor authentication, among other things, which will be part of
the set of functions and controls contributing to the implementation of Zero Trust.
The Data building block (based on Microsoft Information Protection) will integrate
the features of classification and protection of sensitive data by encryption.

You should take advantage of this Zero Trust security redesign project to minimize
the number of solutions used. With a piecemeal approach to selecting the "best"
solutions on the market (the "best-of-breed" approach), companies end up stacking
dozens of security solutions that are problematic to integrate and operate, both in
terms of implementation and return on investment. However, there is no need to
wipe the slate clean, as we will see later in determining the Zero Trust maturity level
in Chapter 5 IDENTIFY YOUR MATURITY LEVEL.

Most of the security technological building blocks are now based on the cloud, which
offers the advantages of being accessible from any location with an Internet
connection (no more need for a VPN), not requiring infrastructure deployment, and
finally leveraging the power of AI by taking advantage of the effect of scale for
detection and response to cyber threats.



For more information, you can consult the following references:

• CHIEF INFORMATION SECURITY OFFICER (CISO) WORKSHOP TRAINING
• CISO WORKSHOP MODULE 3: IDENTITY AND ZERO TRUST USER ACCESS
• ZERO TRUST EBOOK

Importance of pillars
Not all pillars are perceived with the same importance. A survey conducted in early
2020, the figures of which can be found in the infographic SECURING IDENTITY WITH
ZERO TRUST, asked the question "What is the most important pillar in your Zero Trust
security model?" The 2 pillars mentioned in priority are Devices at 38% and Identities
at 24%.

This can be explained by the fact that the IT managers surveyed are more sensitive to
device security because teleworking has brought this topic to the forefront, and to
the awareness of the importance of identity protection with the intensification of
attacks whose entry vector remains identity theft and especially phishing. As for the
other pillars, it seems surprising that applications are relegated to just 1% of the
concerns. This is probably due to the fact that companies are using more and more
SaaS applications or that internal applications have not yet migrated massively to
the cloud.



2 Build a cross-functional team
The implementation of a Zero Trust model is not a simple project in the sense that it
is a real change in the security model compared to the previous perimeter model,
which has not evolved for decades. Of course, we are not questioning the
fundamentals of security, but we must change the way they are implemented to
adapt to new threats and new business needs. We must also consider that the
"weapons" available to us have been considerably strengthened, so we must at least
be aware of them and know how to make the most of them.

You will have to consider this model transition as a project or a set of projects that
will be spread over several months or even several years: we tend to say that it is
more of a "journey". For several years now, security has returned to the heart of
organizations and involves all entities. To quote one of the fundamental principles
of The ESSENTIAL OF DIGITAL SECURITY FOR MANAGERS4: "Cybersecurity is managed as a
transversal element in the company. It concerns everyone, at all levels, from the
design of a project to its execution and sale". This is especially true for a project
redesigning the security model, which will involve building a team whose members
will include the network, security, and IT teams (infrastructure, directory,
workstations, etc.), as well as the business and legal departments.

Like any project that strongly impacts the company, it will be necessary to find a
sponsor, someone quite high in the hierarchy, who believes in the project and will
be able to defend it at the highest level. If your company already has a CYBER-COMEX,
you will have to rely on its members to carry out your Zero Trust project.

Business teams will be your strong allies if you can prove to them that this transformation
will make it easier for you to deploy new applications or make possible scenarios
that were not allowed until now. These teams will be indispensable in defining which
scenarios are the most interesting to consider. This is true both for bringing the
SaaS solutions already in use under control – by authorizing them henceforth with
full knowledge – and for the development of new applications or services made
available internally or to the company's customers or partners.

This new approach to security that you are going to propose should no longer be
seen as a hindrance, but as being able to facilitate the business, the daily work for all
the users of your information system, and the fluidity of the exchanges internally as
well as with the partners/subcontractors.

You will have to choose people motivated by the subject to form the core team of
the project. There is no need to multiply the number of team members to end up in
a plethora of working meetings, which will be the best way to drown the project. On
the other hand, it will be necessary to involve more widely people with the necessary
skills, on a technical subject or on the existing environment and with the knowledge
of the company, during working meetings to collect the elements on the existing
environment, to propose and discuss the directions, to evaluate the complexity of
implementation, etc.

4 The document is in French: « L’ESSENTIEL DE LA SECURITE NUMERIQUE POUR LES DIRIGEANTS ET LES DIRIGEANTES ».

One of the criteria for choosing team members is a minimum of knowledge in
security or at least an appetite for the subject. Indeed, the pre-study requires
knowledge of the Zero Trust model and will go through a training stage. In addition,
the individuals must be open to new ideas to build the Zero Trust vision and then be
able to communicate it to their teams and colleagues.

The Core Team and the sponsor will naturally be involved in the continuation of the
Zero Trust project. Keep in mind that the journey to Zero Trust itself will require a
long-term commitment from the team and leadership.

But let's not forget the objective: it is primarily a framing of the project which does
not require that everything be defined in the smallest details (technical,
organizational, ...) but that the major projects or sub-projects be identified, estimated
in cost, put in relation with each other and positioned on a time scale.



3 Why a Zero Trust project?
Before embarking on the Zero Trust journey, one must be able to identify what are
the expectations around this project, what are the problems to be solved, what
improvements are expected while ensuring that it is in line with the Zero Trust vision.
Starting from a general approach which consists in transforming the security model
to make the extended information system better suited to new threats, we must then
focus on more precise objectives to define priorities in the building blocks that we
will set up.

The basic question will therefore be: what are the problems to be solved and in what
priority?

To answer this question, the method consists of brainstorming during non-technical
workshops to identify expectations by formulating them in the form of "high-level"
wishes, i.e. without going into technical considerations. The following non-
exhaustive list gives you some examples:

• I want to be able to migrate or develop applications in the cloud while
ensuring that they are properly protected;
• I want to allow employees to work from home with the same security
conditions and performance;
• I want to keep applications on-premises but have them accessible from
the outside under strict conditions;
• I want to be able to ensure that my critical data (e.g. my trade secrets) are
properly protected and guaranteed against leakage or theft;
• I want to be able to protect myself effectively against ransomware (I have
already suffered an attack that cost me dearly);
• I want to be able to facilitate working with partners on sensitive projects;
• I want to strengthen user authentication to secure access to external and
internal applications;
• I want to minimize the attack surface of my Active Directory;
• I want to ensure that my production sites are properly protected and will
remain available;
• I want to streamline my security solutions to reduce costs and facilitate
operations;
• I want to ensure that I am GDPR compliant to limit the risk of a fine in
case of personal data leakage;
• I want to be able to limit the tools and infrastructure constraints (VPN
type, connection network) to allow my users to work in a secure way;
• I want to offer more flexibility to my users and minimize my footprint on
infrastructure;
• Etc.

From the list that you have built, you will then have to assign a priority to each
expectation. For example, you might prioritize ransomware protection or critical data
protection. The solutions to cover each expectation may concern several pillars,
several technologies per pillar and be more or less difficult to set up.

Note that some expectations may be more specific, such as "I want to minimize the
attack surface of my Active Directory" because they correspond to an experience, or
a risk assessed as strong (compromise of the on-premises Active Directory).

Expectations fall into two categories: a strengthening of security and a reasoned
openness to new scenarios, in line with new challenges. The security aspect is, de
facto, predominant since Zero Trust is a new security model, but the benefits must
also be considered in the business sense. It is important to change the negative and
anxiety-provoking view of security to see it as a way to adapt while protecting the
assets and operations of your business in an environment that has become
increasingly complex.

Among the arguments to be put forward:

Security: Better resistance to attacks from both cybercriminal organizations (the
MICROSOFT DIGITAL DEFENSE REPORT SEPTEMBER 2020 cites 13 billion malicious emails,
including 1.6 billion containing phishing URLs) and nation-states targeting all sectors
of activity, whether private, governmental, NGOs or education. The "Assume Breach"
pillar of the Zero Trust strategy takes these threats into account.

Adaptability: An opportunity to respond to much more open scenarios. Companies
that have already adopted Zero Trust, at least partly, have seen the value in the
requirements created by the pandemic and the spread of teleworking. But we can
envisage scenarios that go much further: better identity management – including
external identities – with easier access to the organization's resources while
respecting the principle of "least privilege" makes it possible to easily integrate new
partners or to carry out mergers and acquisitions more efficiently while respecting
their own security standards.



Opportunities: A better implementation of security makes it easier to seize
opportunities through the development of new applications to be made available
internally or to one's own customers, or the faster availability of new SaaS
applications.

Data control: Data is the most valuable asset of the company: we should be
able to identify the data that is the most sensitive through classification. This
sensitive data must benefit from appropriate protection that will guarantee its
confidentiality, including in the event of leakage (intentional or not) to the outside.
Ensuring its integrity and availability is crucial, for example, in the event of a
ransomware attack.

Compliance: Better protection of data adapted to its sensitivity facilitates
compliance with regulations while limiting the risks of information leakage and their
financial and image impacts. Especially if you implement processes and security
controls to ensure data protection, compliance with GDPR5 will be easier.

Cloud integration: The cloud has become an essential element both for the
business use of available SaaS applications and for applications developed in-house.
Organizations where cloud integration has been done in a less controlled manner
should seize the opportunity of Zero Trust to regain control by limiting shadow IT.
Identity is one of the pillars of Zero Trust: the implementation of strong identity
management and protection in a hybrid environment is a matter to be considered
as a priority.

5
GENERAL DATA PROTECTION REGULATION



4 Define technological building blocks
In the previous step, you defined the expectations and assigned priorities. Now, it is
a matter of identifying and building the technological solutions that will allow you
to meet these expectations by drawing from the technological building blocks at
your disposal as studied in step 1 UNDERSTANDING THE ZERO TRUST VISION.

Some expectations will be expressed in a simple way because they will refer to only
one pillar and a limited number of technological building blocks in that pillar. For
example, if we consider the expectation "I want to strengthen user authentication to
secure access to external and internal applications", this concerns the Identity pillar
and two authentication hardening technologies: multi-factor authentication and
passwordless authentication.

Other expectations will be more complex to implement because they involve several
pillars and several technologies among these pillars. For example, the expectation "I
want to be able to protect myself effectively against ransomware" will focus on several
pillars, mainly the Data pillar with data access protection, backup-restore, but also
attack detection (in an "Assume breach" vision), protection against phishing,
protection of identities and devices, hardening of the Active Directory, and
strengthening of administration practices.

Another example, the expectation "I want to allow employees to work from home with
the same security conditions and the same performance" will be even more transversal
by involving the Identity pillars (identity management, strong authentication),
Devices (management of device security), Data (data protection/classification),
Network (powerful access to collaboration applications), and Applications
(conditional access linked to identity and context, application security). In this
case, we see that choices will have to be made in the deployment schedule of the
building blocks, for example securing identity first, then devices, and so on.

Finally, across the solutions implemented to meet these expectations, some
technological building blocks will be common (and eventually all of them should be
used): for example, strong authentication will be found in many scenarios since it is
a foundation for securing identities. Conditional access control will also be a central
building block, as the engine of Zero Trust that authorizes access intelligently
depending on the context.

One thing is certain, Identity is a pillar that will be common to almost all scenarios.

This construction stage will be conducted in the form of workshops that you can
build and lead yourself based on the extensive existing documentation, or by getting
help from external consulting resources. These meetings should involve the Core
Team members as well as representatives of the internal teams. For example, on the
subject of devices (PCs, mobiles), you should call on people from internal IT who
have knowledge of device management and deployment, and who will be able to
imagine with you the transformations that need to be made to integrate with the
Zero Trust model.

Finally, you will have to be ambitious to consider the change of model as a whole,
but then define a phasing in the deployment of technological building blocks
according to the priorities of your expectations.



5 Identify your maturity level
In your journey towards Zero Trust, you are not starting from scratch: you have an
existing environment to consider, and you may have already deployed mechanisms
or technologies that correspond to a first step towards the Zero Trust model. For
example, if you have already deployed Office 365, you have a hybrid identity
architecture with Azure Active Directory as the cloud identity repository
synchronized with Active Directory, the on-premises identity repository. Perhaps you
have already implemented some conditional access control rules to secure access to
certain applications or deployed multi-factor authentication for some of your
employees? Or have you deployed a CASB solution to limit Shadow IT by controlling
access to SaaS cloud solutions?

Assessing your maturity level


To help you assess your level of Zero Trust maturity, you can first consult the concise
white paper ZERO TRUST MATURITY MODEL. The table below provides an overview of
the Identity and Device pillars.

Depending on the features you have already implemented, you can be at the
Traditional, Advanced or Optimal level, and this may differ from one pillar to another.
For example, if you have already implemented a cloud-based device management
solution (mobile and PC) such as Microsoft Intune, and you check device compliance
before giving access to apps through a conditional access control policy, you are at
the Advanced tier in the Device pillar.

To go further, the online tool ZERO TRUST MATURITY MODEL ASSESSMENT offers you, for
each pillar, an assessment of your level of maturity based on a set of questions about
your existing situation, and then provides you with recommendations to increase your
level of Zero Trust maturity and links to the technical description of solutions to use.

This maturity level analysis allows you to make a first pass at your existing
environment. This exercise is important because it allows you to inventory the
existing solutions that could be integrated into the Zero Trust vision, the likely
level of difficulty of their integration, the solutions to be replaced, etc. It is important
to keep in mind the expectations you have defined in order to focus on the
technological building blocks you identified in the previous step. Even if you have to
be ambitious to build an overall vision, you have to avoid scattering your efforts and
especially avoid going into technical details at this stage.

Evaluation examples
Taking the concrete case of ransomware protection again, the following topics will
be evaluated against the existing environment to infer, for example:

• Protection against phishing emails: OK, although we will have to strengthen employee
awareness and test through campaigns.
• Workstation protection: the workstations are all managed by an internal tool with
security configurations applied, regular security patch updates, and anti-virus / anti-
malware, but an EDR (Endpoint Detection and Response) would be a plus.
• Detection of ransomware attacks: this is currently the weakest point: our SIEM does
not effectively identify this type of attack and react without delay. An EDR should be
considered, possibly coupled with a SIEM that could quickly detect compromised
workstations and isolate them to avoid propagation.
• Workstation rebuild: this is another weak point. We would not be able to rebuild a
large number of workstations in a short time. An automated and efficient solution,
ideally in the form of a cloud service, should be considered.
• Data recovery: a lot of data is hosted in SharePoint Online and could be restored to
earlier versions in case of encryption, but there are still on-premises servers whose
recovery capabilities are less certain.
• Application protection: mission-critical applications rely on SaaS solutions that are not
susceptible to ransomware.

Let's take as a second example the decision to migrate or develop applications in
the cloud while ensuring that they are properly protected: we will look at the Identity
and Applications pillars, but also the Devices pillar, to make the following
observations in relation to our existing environment:

• Identity management and protection: Azure Active Directory has been
deployed and synchronized with the internal Active Directory, but SSO has
not been generalized for SaaS applications and is not used for internally
developed applications. Multi-factor authentication is not yet widely used.
• Securing access to applications: Conditional access is not used to evaluate
the context of the user, device, etc. before allowing access to at least the most
critical applications that are available from the Internet.
• Workstation protection: all workstations are managed by an internal tool with
enforced security policies, regular security patch updates, anti-virus/anti-malware,
but their health status cannot be used as a parameter in conditional access.

In summary, this maturity level review is an exercise that allows for a high-level
assessment of the current status while keeping in mind the priority expectations. It
helps to identify where progress can be made in moving towards a Zero Trust model
and to begin to get a clearer picture of which technologies to implement, replace or
integrate.

Survey on the level of maturity


To give you an idea of the level of maturity of companies, a survey conducted in
early 2020, the figures of which can be found in the infographic SECURING IDENTITY
WITH ZERO TRUST, shows that 79% of the companies surveyed consider that they are
best equipped on the Device pillar. The Network, Data and Identity pillars follow with
almost identical scores, and lastly the Infrastructure pillar.

These results show that device security is a topic that has been addressed as a
priority. The network is typically a subject where security is mastered at least on the
on-premises part, but its importance should not be neglected concerning the
architecture of cloud applications and the impacts related to the generalization of
teleworking. As for the Data and Identity pillars, even if the technologies are available
(respectively classification, encryption, DLP, etc. and multi-factor authentication,
conditional access control, protection of privileged accounts, etc.), half of the
companies consider that they still have some way to go to take advantage of them.

The infrastructure pillar, which concerns the security of on-premises servers or IaaS
components in the cloud (for the detection of attacks or configuration anomalies)
remains the subject on which companies feel most vulnerable and least equipped.



6 Identify the quick wins
The slogan "Think big, start small, move fast"⁶ recommends that you be ambitious in
order to embed the entire information system in your Zero Trust vision, start with
short but significant steps – the quick wins – and be fast in execution.

Quick wins have a positive side: they are both motivating for the teams and quickly
bring tangible results. They also provide reassurance at a higher level about the
viability and positive impacts of the Zero Trust project. The downside is that they can
give a false sense of project completion and leave people thinking "that's it, we're
Zero Trust", "in the end it wasn't any more complicated than that, now let's move on
and stop investing".

This is why the quick wins must be chosen with care and presented as starting points
while being integrated in the complete roadmap of the project, which will not be
spread over a few weeks but over the longer term. The choice of quick wins must be
integrated into the technical building blocks that correspond to the expectations
previously determined.

Some quick wins stand out because they correspond to essential Zero Trust
pillars like Identity. The quick win that is systematically highlighted is the
generalization of multi-factor authentication or, better, passwordless authentication.
But this is far from being the only one: for example, the implementation of SSO for
the most popular or most critical applications would be visible and not necessarily
complex. If we consider the objective of fighting ransomware, the implementation of
an EDR such as Microsoft Defender for Endpoint will quickly bring visibility on
threats coming from the endpoints and will allow you to react accordingly.

A quick win can be defined in relation to an implementation perimeter, for example
by focusing on the company's most critical assets. You could choose to focus on
strengthening access to the most critical applications, securing the most sensitive
data, protecting privileged accounts, etc. Then, once the solution has been proven,
it can be generalized by moving forward in phases. Focusing first on critical assets
makes it possible to quickly raise the level of security and resilience of the
company/organization against cyber-attacks.

A quick win can be visible (e.g. deployment of multi-factor authentication or SSO),
or not (deployment of an Endpoint Detection and Response system), but it must be
measurable in order to evaluate progress and demonstrate that the expected
benefits are indeed achieved, whether in terms of security or with a possible return
on investment. This subject will be discussed in Chapter 8 DEFINE AND USE INDICATORS.

⁶ To be found in the Microsoft white paper ZERO TRUST BUSINESS PLAN, A PRACTICAL GUIDE TO IMPLEMENTING
THE ZERO TRUST FRAMEWORK AT YOUR ORGANIZATION

Finally, a quick win remains a tactical step, i.e. an immediate and visible advantage,
but it must be part of a strategic approach that represents the transition to the Zero
Trust model. In addition, one will strive to respect the principle of minimizing the
number of solutions to limit integration problems, reduce costs and facilitate
administration.



7 Prioritize the Identity pillar
Identity is the fundamental element in the Zero Trust model, associated with the
device from which access is gained. It is even stated that "identity is the new
perimeter" since most breaches involve credential or identity theft.

In NIST terminology, the central element is the component called Policy Enforcement
Point (PEP) which dynamically assesses the context and makes decisions on whether
or not to grant access. In the Microsoft environment, this role is assigned to Azure
Active Directory, which implements the function of PEP through conditional access
control and also acts as an identity repository.

As recommended in the white paper 10 TIPS FOR ENABLING ZERO TRUST SECURITY,
"Identity is the best starting point for Zero Trust" since “using identity as the control
plane lets companies treat every single access request as untrusted until the user,
device, and other factors are fully vetted.”

Identity compromise is the entry point for the vast majority of attacks perpetrated
on enterprises or organizations: in March 2020 alone, Microsoft detected 4.9 billion
attempted logins related to attacks and more than 150,000 compromised accounts,
according to figures specified in the document UNDERSTANDING IDENTITY THREAT
PROTECTION. Identity protection is therefore a priority to deal with the increase in this
type of attack, often initiated by phishing campaigns.

To further reinforce the message, let's cite the EXAMINING ZERO TRUST AN EXECUTIVE
ROUNDTABLE DISCUSSION document summarizing the roundtable discussion between
the Cloud Security Alliance and Microsoft in December 2020, which advocates
"considering identity as the new perimeter" arguing that "organizations must first
focus on strengthening their user authentication and identity verification, as most
security breaches involve the theft of credentials.”

An identity managed in the cloud


The implementation of Azure Active Directory, which should be considered as the
"heart of the reactor", requires that identities be created in Azure AD, either directly
or by synchronization with the on-premises Active Directory (the most common case).
This synchronization step is implemented with the free Azure AD Connect or Azure AD
Connect Cloud Sync solutions, and is already in place if you have deployed Office 365.
It is indeed essential that identities are present in the cloud directory so that it can
support authentication and conditional access control.



Migrating from Active Directory to Azure Active Directory
Active Directory has been the internal directory used by almost all companies for two
decades. Even if security and administration best practices have been available for a
long time, the history and life of companies (mergers, acquisitions) have made it
complex to secure. Moreover, the now well-known attack scenario (compromise of a
user account, lateral movement and privilege escalation) aims at taking control of the
directory as an administrator and thereby obtaining overall rights to internal
resources.

In a Zero Trust approach, Microsoft's recommendation is sooner or later to
deprovision Active Directory, as internal applications and resources become available
from the cloud, whether SaaS applications or applications and data that have
migrated to the cloud. As identities migrate into Azure AD, computers will leave Active
Directory and be managed from an MDM service in the cloud in a "modern
management" mode. This transition to a deprovisioned Active Directory will greatly
limit its exposure to attacks. It goes hand in hand with the implementation of
technologies associated with the other Zero Trust pillars: strengthening endpoint
security, detection capabilities, strengthening authentication linked to Azure Active
Directory, etc.

As a target, Active Directory should be reduced to the administration of internal
resources not intended to migrate to the cloud (e.g. industrial systems), with
reinforced administration workstations, network segmentation and detection
systems guaranteeing security on a now drastically reduced perimeter.



Strengthening authentication
According to a survey conducted by Microsoft among IT managers in several
countries that have embarked on their Zero Trust journey⁷, 76% have implemented
strong authentication first and 60% have implemented policy-based conditional
access.

This is not surprising when you know that passwords are responsible for 80% of the
entry points for hackers⁸ and that it is estimated that the widespread use of
multifactor authentication reduces the risk of compromise by 99.9%⁹. Especially since
its implementation is greatly simplified by a single setting that includes several
preconfigured security options¹⁰.

The next step, the ultimate in authentication, is passwordless authentication which
de facto removes weaknesses in password usage. Authentication can be based on a
biometric characteristic such as a face or fingerprint, or a device-specific PIN code
that is not transmitted over the network. You will have the choice between using
your Windows computer with biometrics and / or PIN code, logging in with a FIDO2
security key or the Microsoft Authenticator app for mobile devices¹¹.

Access control under conditions


In addition to strong authentication, the key element of Zero Trust is conditional
access control, which makes real-time decisions about access to resources by taking
into account the context of the request: the user, with an assessment of identity risk;
the device, with an assessment of compliance and health status; the location from
which the request is made; and the set of signals collected by the Microsoft Security
Graph. These elements are examined, considering the policies you define, to make
the decision to grant access to the resource or deny it. An example of an access policy
is to define that "access to the Human Resources application is only possible for groups
of users belonging to this department, provided that access is from a workstation
managed by the company's MDM and with multi-factor authentication imposed
regardless of location".

⁷ ZT_One_Minute_Identities (microsoft.com)
⁸ Email: Is the Digital Door Propped Open for Identity Hijackers? Multi-Factor Authentication Helps Shut
Cyber Criminals Out, CHUBB/Microsoft.
⁹ Flash whitepaper: Why MFA is a top priority in 2020
¹⁰ What are security defaults?
¹¹ Plan a passwordless authentication deployment in Azure Active Directory

The recommendation is to start with a few simple policies and roll them out in stages,
on a reduced perimeter, before generalizing them. Once the process is under control
and tested, the number of access policies can be increased, taking care to use
indicators to monitor their application, which leads into the next chapter.
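The Human Resources policy quoted above, together with the staged rollout (report-only first, then enforced), as an added example that is not from the white paper: the policy dictionary uses the field names of the Microsoft Graph conditionalAccessPolicy resource (state, conditions, grantControls), while the evaluate() function is a hypothetical simplification of the Azure AD decision, written only to show how the request context is checked against the policy. Group and application identifiers and the sign-in contexts are constructed placeholders.

```python
"""Conditional Access policy from the text, encoded as a Graph-style
document, plus an offline evaluator to simulate its decisions.

Added example, not from the white paper. The policy dict follows the
field names of the Microsoft Graph conditionalAccessPolicy resource;
evaluate() is a hypothetical simplification of the Azure AD decision."""
import json

# Constructed placeholder identifiers; a real tenant uses object GUIDs.
HR_GROUP_ID = "placeholder-hr-group-id"
HR_APP_ID = "placeholder-hr-app-id"


def build_hr_policy(report_only=True):
    """The example policy: HR app reachable only by the HR group, from an
    MDM-managed (compliant) device, with MFA, whatever the location.
    report_only=True is the staged rollout mode recommended in the text."""
    return {
        "displayName": "HR app: HR group, compliant device, MFA, any location",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeGroups": [HR_GROUP_ID]},
            "applications": {"includeApplications": [HR_APP_ID]},
            "locations": {"includeLocations": ["All"]},
        },
        "grantControls": {
            "operator": "AND",
            "builtInControls": ["mfa", "compliantDevice"],
        },
    }


def evaluate(policy, signin):
    """Simulate the decision for one sign-in context (hypothetical logic).

    Returns (decision, unmet_controls); decision is one of
    'not_in_scope', 'allow', 'deny' or 'report_only_would_deny'."""
    cond = policy["conditions"]
    in_group = bool(set(signin["groups"]) & set(cond["users"]["includeGroups"]))
    in_app = signin["app"] in cond["applications"]["includeApplications"]
    if not (in_group and in_app):
        return "not_in_scope", []
    # Signals from the request context, mapped onto the grant controls.
    satisfied = {
        "mfa": signin["mfa_satisfied"],
        "compliantDevice": signin["device_compliant"],
    }
    controls = policy["grantControls"]["builtInControls"]
    unmet = [c for c in controls if not satisfied.get(c, False)]
    if policy["grantControls"]["operator"] == "AND":
        granted = not unmet
    else:  # "OR": one satisfied control is enough
        granted = len(unmet) < len(controls)
    if granted:
        return "allow", []
    if policy["state"] == "enabledForReportingButNotEnforced":
        # Report-only: access proceeds, but the gap is recorded for the rollout.
        return "report_only_would_deny", unmet
    return "deny", unmet


def rollout_summary(policy, signins):
    """Count decisions over a batch of sign-ins: the indicator to watch
    while the policy is in report-only mode, before enforcing it."""
    counts = {}
    for s in signins:
        decision, _ = evaluate(policy, s)
        counts[decision] = counts.get(decision, 0) + 1
    return counts


# Constructed sign-in contexts (not real log data).
SAMPLE_SIGNINS = [
    {"user": "alice", "groups": [HR_GROUP_ID], "app": HR_APP_ID,
     "mfa_satisfied": True, "device_compliant": True, "location": "office"},
    {"user": "bob", "groups": [HR_GROUP_ID], "app": HR_APP_ID,
     "mfa_satisfied": True, "device_compliant": False, "location": "home"},
    {"user": "carol", "groups": ["placeholder-sales-group-id"], "app": HR_APP_ID,
     "mfa_satisfied": False, "device_compliant": False, "location": "home"},
    {"user": "dave", "groups": [HR_GROUP_ID], "app": "placeholder-wiki-app-id",
     "mfa_satisfied": False, "device_compliant": True, "location": "office"},
]

if __name__ == "__main__":
    print(json.dumps(build_hr_policy(), indent=2))
    print("report-only:", rollout_summary(build_hr_policy(report_only=True), SAMPLE_SIGNINS))
    print("enforced:   ", rollout_summary(build_hr_policy(report_only=False), SAMPLE_SIGNINS))
```

The report-only run is the stage where the count of "would deny" decisions tells you how many users are on non-compliant devices before anyone is locked out; once that count is acceptable, the same policy is switched to "enabled" without changing its conditions.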

To conclude, the complete approach to the Identity pillar is described in the article
SECURING IDENTITY WITH ZERO TRUST | MICROSOFT DOCS.



8 Define and use indicators
To introduce the importance of this step, a short quote from 10 TIPS FOR ENABLING
ZERO TRUST SECURITY summarizes the objective: "Showing value along the way" and
goes on to say that "One of the most effective ways to build long-term support for a
Zero Trust initiative is to demonstrate incremental value with each investment". This
only reinforces the fact that Zero Trust is a transition project that must be
strategically designed for the medium term with incremental implementation and
measurable progress. And how do you measure the progress and benefits of your
Zero Trust project? By defining indicators that measure the achievement of objectives
in the deployment of the features covering the expectations you have defined.

In its approach to measuring the progress of the Zero Trust project, the Microsoft
white paper "ZERO TRUST BUSINESS PLAN, A PRACTICAL GUIDE TO IMPLEMENTING THE ZERO
TRUST FRAMEWORK AT YOUR ORGANIZATION", defines three main categories of indicators
that correspond to three global objectives of any Zero Trust vision that we have
already discussed in step 3: strengthening and efficiency of security, opening up to
new business scenarios and simplifying security implementation by limiting the
number of heterogeneous solutions to be integrated (i.e. move away from the "best
of breed" approach).

In the first category of business scenarios, we will focus on providing the most
transparent and trouble-free experience for users by defining indicators such as the
number of rejected multifactor authentications (to be minimized), the percentage of
users accessing applications with SSO, the number of password reset requests. We
will also be interested in the user's daily experience of scenarios linked to mobility,
for example the number of accesses to applications from personal or company-managed
mobile devices, but also the performance of remote use of collaborative
tools that have become essential with teleworking.

The second category, focused on security effectiveness, will be based on more
technical indicators such as the number and criticality of security incidents, the
number of incidents detected and resolved automatically, the number of devices
managed and compliant with security policies, etc.

Finally, the category concerning the simplification of security solutions will be
evaluated by indicators such as the total number of security products (often several
dozen initially), the number of solutions requiring integration and the associated
cost, the time and cost of their operation, the number of steps in an incident
management process and the average time to resolve an incident, the percentage of
false positives…
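A way to turn the indicators named in these categories into numbers for a reporting period, as an added example that is not from the white paper: the event records are constructed with a simplified schema (type, user, app, sso, mfa, device, compliant, severity, auto_resolved), not the Azure AD sign-in log or incident format, and the period-over-period delta is the figure a dashboard shows to demonstrate incremental value.

```python
"""Progress indicators for a Zero Trust rollout, computed from a batch
of constructed events. Added example, not from the white paper: the
event fields are a simplified stand-in, not a real log schema."""

# Constructed sample: sign-ins, self-service password resets and security
# incidents for one reporting period.
SAMPLE_EVENTS = [
    {"type": "signin", "user": "alice", "app": "Payroll", "sso": True,
     "mfa": "satisfied", "device": "D1", "compliant": True},
    {"type": "signin", "user": "alice", "app": "Mail", "sso": True,
     "mfa": "satisfied", "device": "D1", "compliant": True},
    {"type": "signin", "user": "bob", "app": "CRM", "sso": False,
     "mfa": "rejected", "device": "D2", "compliant": False},
    {"type": "signin", "user": "bob", "app": "CRM", "sso": False,
     "mfa": "satisfied", "device": "D2", "compliant": False},
    {"type": "signin", "user": "carol", "app": "Payroll", "sso": True,
     "mfa": "satisfied", "device": "D3", "compliant": True},
    {"type": "signin", "user": "dave", "app": "Wiki", "sso": False,
     "mfa": "not_required", "device": "D4", "compliant": True},
    {"type": "password_reset", "user": "bob"},
    {"type": "password_reset", "user": "dave"},
    {"type": "incident", "severity": "high", "auto_resolved": False},
    {"type": "incident", "severity": "medium", "auto_resolved": True},
    {"type": "incident", "severity": "low", "auto_resolved": True},
]


def pct(part, whole):
    """Percentage rounded to one decimal; 0.0 when there is nothing to count."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def compute_indicators(events):
    """Indicators from the text's first two categories (user experience and
    security effectiveness) over one period of events."""
    signins = [e for e in events if e["type"] == "signin"]
    incidents = [e for e in events if e["type"] == "incident"]
    users = {e["user"] for e in signins}
    sso_users = {e["user"] for e in signins if e["sso"]}
    devices = {e["device"]: e["compliant"] for e in signins}  # last seen state
    by_severity = {}
    for inc in incidents:
        by_severity[inc["severity"]] = by_severity.get(inc["severity"], 0) + 1
    return {
        # Business scenarios / user experience.
        "mfa_rejected": sum(1 for e in signins if e["mfa"] == "rejected"),
        "pct_users_with_sso": pct(len(sso_users), len(users)),
        "password_resets": sum(1 for e in events if e["type"] == "password_reset"),
        # Security effectiveness.
        "devices_managed": len(devices),
        "pct_devices_compliant": pct(sum(devices.values()), len(devices)),
        "incidents_by_severity": by_severity,
        "pct_incidents_auto_resolved": pct(
            sum(1 for i in incidents if i["auto_resolved"]), len(incidents)),
    }


def delta(previous, current):
    """Period-over-period change for the numeric indicators: the figure a
    dashboard shows to demonstrate incremental value."""
    return {k: round(current[k] - previous[k], 1)
            for k in current if isinstance(current[k], (int, float))}


if __name__ == "__main__":
    current = compute_indicators(SAMPLE_EVENTS)
    for name, value in current.items():
        print(f"{name:30s} {value}")
```

The direction of each indicator matters for the dashboard: MFA rejections and password resets should fall over time, while the SSO and device-compliance percentages should rise, so the delta is what the Core Team reads, not the absolute values alone.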

These indicators will be synthesized into dashboards to be presented regularly to the
Core Team and relayed to the management. These elements will constitute
measurable proof of the project's progress and its effectiveness, and will validate the
interest in continuing with the Zero Trust transformation.

The indicators will be chosen carefully from the information reported by telemetry,
which will have to be pervasive: this is one of the lessons learned from the
implementation of the Zero Trust model by the internal IT of Microsoft, as
described on the page IMPLEMENTING A ZERO TRUST SECURITY MODEL AT MICROSOFT.
According to this article, "Pervasive data and telemetry are used to understand the
current security state, identify gaps in coverage, validate the impact of new controls,
and correlate data across all applications and services in the environment. Robust and
standardized auditing, monitoring, and telemetry capabilities are core requirements
across users, devices, applications, services, and access patterns".

More generally, telemetry will have greater coverage because it encompasses a
broader set of information to validate the proper operation of deployed services and
functionalities and allows for finer-grained vision and monitoring. Only a few
indicators will be chosen to appear in the dashboards.

In the Microsoft environment, you natively have the SECURE SCORE tool to help you
evaluate your current security posture and give you a list of recommendations to
proactively improve it. This feature comes in two flavors: Secure Score applicable to
PaaS, IaaS, hybrid and multi-cloud workloads, and Microsoft Secure Score applicable
to Microsoft SaaS applications.



9 Monitor security
One of the principles of Zero Trust is to "Assume Breach", i.e. the assumption that,
despite all the security controls put in place, an attack could take place and provide
an entry into the information system.

In their article Zero Trust Doesn't Mean Zero Breaches, Forrester answers a question
they are commonly asked: would Zero Trust have prevented this or that attack
(SolarWinds, NOBELIUM, etc.)? The answer is that "Zero Trust acknowledges that bad
things happen to good people and prescribes techniques in place to limit the blast
radius, detect the incident, and respond automatically." This statement highlights the
value of early detection of the incident and of a quick reaction – if possible
automatic – to limit its impact.

Although security monitoring is not specified as a pillar of Zero Trust, it is
nonetheless a cross-cutting component as shown in the diagram below. It must be
considered for the entire perimeter, including the on-premises and cloud parts.

Since identity is the "new perimeter" and the prime target of attacks, its
monitoring becomes a necessity. For example, you can upload activity logs from
Azure AD to Azure Monitor or transfer them to your own SIEM¹² for processing. You
can also rely on Identity Protection to analyze signals, and to detect and remediate
identity risks.
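Two detections of the kind you would run over exported sign-in activity, as an added example that is not from the white paper and not a SIEM or Identity Protection rule: the JSON lines are constructed with a simplified schema (ts, user, ip, result) rather than the real Azure AD sign-in log format, the addresses are RFC 5737 documentation ranges, and the window and threshold values are assumptions to tune for your own volumes.

```python
"""Two detections over sign-in events, run offline on a constructed log.
Added example, not from the white paper and not a SIEM rule: the JSON
lines use a simplified schema (ts, user, ip, result), not the real
Azure AD sign-in log format."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
{"ts": "2021-08-02T09:55:00Z", "user": "alice",  "ip": "192.0.2.10",   "result": "success"}
{"ts": "2021-08-02T10:00:00Z", "user": "user01", "ip": "203.0.113.7",  "result": "failure"}
{"ts": "2021-08-02T10:00:05Z", "user": "user02", "ip": "203.0.113.7",  "result": "failure"}
{"ts": "2021-08-02T10:00:10Z", "user": "user03", "ip": "203.0.113.7",  "result": "failure"}
{"ts": "2021-08-02T10:00:15Z", "user": "user04", "ip": "203.0.113.7",  "result": "failure"}
{"ts": "2021-08-02T10:00:20Z", "user": "user05", "ip": "203.0.113.7",  "result": "failure"}
{"ts": "2021-08-02T10:00:25Z", "user": "user06", "ip": "203.0.113.7",  "result": "failure"}
{"ts": "2021-08-02T10:05:00Z", "user": "frank",  "ip": "198.51.100.9", "result": "failure"}
{"ts": "2021-08-02T10:05:15Z", "user": "frank",  "ip": "198.51.100.9", "result": "failure"}
{"ts": "2021-08-02T10:05:30Z", "user": "frank",  "ip": "198.51.100.9", "result": "failure"}
{"ts": "2021-08-02T10:05:45Z", "user": "frank",  "ip": "198.51.100.9", "result": "failure"}
{"ts": "2021-08-02T10:06:00Z", "user": "frank",  "ip": "198.51.100.9", "result": "success"}
"""


def parse_log(text):
    """Parse JSON lines into events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_many_accounts_one_source(events, window=timedelta(minutes=10), min_users=5):
    """One source IP failing against many distinct accounts inside the window:
    the pattern to review for password guessing spread across accounts.
    Thresholds are assumptions; report the peak distinct-user count per IP."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[e["ip"]].append(e)
    alerts = []
    for ip, evs in failures.items():
        best, start = 0, 0
        for i, e in enumerate(evs):
            while e["ts"] - evs[start]["ts"] > window:  # slide the window start
                start += 1
            best = max(best, len({x["user"] for x in evs[start:i + 1]}))
        if best >= min_users:
            alerts.append({"rule": "many_accounts_one_source", "ip": ip,
                           "distinct_users": best})
    return alerts


def detect_failures_then_success(events, window=timedelta(minutes=10), min_failures=3):
    """An account that succeeds right after a run of failures: the success,
    not the failures, is the event that deserves investigation (and, in an
    automated response, a session revocation or password reset)."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["result"] != "success":
                continue
            recent = [x for x in evs[:i]
                      if x["result"] == "failure" and e["ts"] - x["ts"] <= window]
            if len(recent) >= min_failures:
                alerts.append({"rule": "failures_then_success", "user": user,
                               "failures": len(recent), "ip": e["ip"]})
    return alerts


def run_detections(text):
    """Parse once, run both rules, return the combined alert list."""
    events = parse_log(text)
    return detect_many_accounts_one_source(events) + detect_failures_then_success(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(alert)
```

Both rules are deliberately simple: in a SIEM they become the "weak signal" queries mentioned later in this chapter, and the interesting property is the one the second rule illustrates, that a single successful sign-in is what turns a noisy failure stream into an incident worth an automatic response.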

To monitor the security of Windows endpoints, you can rely on your own EDR or
choose to use Microsoft Defender for Endpoint. To extend monitoring beyond that,
you can either opt for solutions by services or functions and perform processing and
correlation in your SIEM (Security Information and Event Management), or for a first
level of integration with a suite such as Microsoft 365 Defender which integrates
several tools (Microsoft Defender for Endpoint, Defender for Office 365, Defender
for Identity, etc.).

Monitoring of cloud resources is a must, whether it is for Azure or other cloud
providers, for your IaaS, PaaS and containerized applications. For example,
Azure Defender will be able to detect threats in your environment and generate
security alerts.

¹² Azure AD activity logs in Azure Monitor

The highest-level monitoring element remains the SIEM, which collects signals from
a multitude of heterogeneous sources to try to extract weak signals, raise meaningful
alerts and give the possibility to investigate without juggling between consoles.
Unfortunately, traditional SIEM solutions tend to multiply false positives due to the
exponential increase in the number of signals to be processed. Newer solutions
based on the cloud and Artificial Intelligence (AI) are proving to be more efficient in
processing these masses of signals, limiting the number of false positives and
offering orchestration and automatic response capabilities. One example is Microsoft
Azure Sentinel, which leverages AI to quickly identify threats and remove the flaw in
traditional SIEMs by eliminating the need for infrastructure configuration,
maintenance and evolution.

In summary, security monitoring is a major component of a Zero Trust architecture,
especially since its scope goes far beyond what was previously monitored, as it
extends to all six pillars, including devices, hybrid identity, on-premises and cloud
applications, etc. A Zero Trust project is an opportunity to reconsider certain choices,
with the possibility of maintaining monitoring solutions that are still relevant,
provided that they are upgraded or, on the contrary, replacing them by more suitable
solutions that take advantage of more recent technological advances.



10 Internet as corporate network
The extension of the information system to the cloud and new remote working
scenarios have changed the way we think about the corporate network. Gone are
the days when VPN was the only way to connect to the network to access
applications and the Internet in a controlled manner. One of the principles of Zero
Trust is to ensure the same level of security regardless of where the user and device
access the application or service.

In addition, most applications are now accessible from the Internet, whether they are
SaaS-based vendor applications or the organization's own applications that have
migrated to the cloud. Device management services (MDM for mobile devices and
PCs), security services (XDR, etc.) and directory services (Azure Active Directory) are
also available as SaaS services, making security management accessible with a simple
Internet connection.

All of this contributes to the fact that, from an IT perspective, "Internet becomes the
corporate network". Indeed, when identities are managed in your Azure AD cloud
directory, when all workstations are controlled from cloud services, when
applications are accessible from the outside, and when security systems are
themselves able to operate from the cloud, the notion of a network becomes
commonplace. No matter where a user's device is located, all they need is the ability
to connect to the Internet to access all the resources they need for their work with
the same level of security.

This is the choice adopted by Microsoft's internal IT department, which provides two
types of on-site Internet access: the "Unmanaged Internet" network is reserved for
people such as guests, seminar participants, etc., or for employees' devices used in
BYOD mode; the "Managed Internet" network is reserved for employees accessing
the Internet from a device managed by the company. The latter network offers, in
addition to Internet access, the possibility to access on-site resources such as
printers. Both networks are accessible through the Wi-Fi on each Microsoft site.



The internal network (Corpnet), which used to host employees’ computers and all
the resources (application servers, collaboration servers, file servers, etc.), under the
control of the internal Active Directory, has been greatly reduced as a result of this
deprovisioning. It now only hosts a few Windows and Linux servers and
administration workstations that are properly hardened and accessible only by
registered administrators. Specific network segments were created to host IoT/OT
resources according to their level of sensitivity and a few critical applications kept
in-house¹³. To give a scale, the number of on-premises servers has been reduced by
80%, in line with the migration of applications since 96% are now hosted in our Azure
Cloud, of which 65% in PaaS, the rest in IaaS.

The benefits in terms of security are obvious: the attack surface is greatly reduced
following the contraction of the internal network; attacks coming mainly from
compromised workstations and targeting Active Directory become ineffective; the
role of Active Directory becomes minor due to its deprovisioning, which makes it
less critical; the use of strictly secured administration workstations limits the
possibilities of compromise; finally, isolating critical resources in network segments
reinforces their immunity to attacks.

¹³ Implementing a Zero Trust security model at Microsoft



The network security architecture best practices that were followed for internal
applications also apply to applications hosted in the cloud, for segmentation of
subnets, DMZs, use of network controls, etc.¹⁴

This example will certainly have to be adapted to your own existing environment, but
it constitutes a target and sets out the main principles:

• The transition is made by a contraction of the internal network in favor of a switch to
Internet links;
• It is recommended to set up network segmentation for resources that remain
internally hosted and to take into account OT/IoT resources¹⁵. For OT and IoT systems,
it is recommended to use different network segments. For OT systems, a finer
granularity in the segmentation is recommended by applying several levels in
accordance with the Purdue model¹⁶.
• Applications that have migrated to the cloud or have been developed specifically
for it must adhere to best practices of network security architecture.

¹⁴ Azure best practices for network security
¹⁵ How to apply a Zero Trust approach to your IoT solutions
¹⁶ Purdue Enterprise Reference Architecture - Wikipedia



11 Define a roadmap
The roadmap is the outcome of your reflections during this initiation phase of your
Zero Trust project. This is the deliverable that you need to build to position all the
topics that will need to be addressed, order them and evaluate their duration. You
must take into account the priority expectations (defined in Chapter 3 WHY A ZERO
TRUST PROJECT?), the quick wins – even if they do not appear directly in the overall
vision – and indicate the important steps. The topics will be divided according to the
six major pillars of Zero Trust.

The figure will represent a synthetic view of all of the workstreams that await you,
and will take into account the subjects related to integration into the existing
environment and the impacts on the security solutions already in place: certain
solutions will be continued and will have to be considered in the integration with the
other Zero Trust building blocks, while others will disappear or, at the very least, will
be preserved within a much smaller scope. This roadmap will not have the precision
of a detailed project plan but will provide an overall vision sufficiently precise to
defend your transformation project.

To get to the heart of the matter, let's take an example of a roadmap based on the
real-life cases of customers who have conducted this Zero Trust scoping phase. You
will notice that many of the building blocks are based on Microsoft solutions, which
was a choice dictated by a desire to limit integration costs and to simplify security
administration by limiting the number of administration portals, among other things.

In the remainder of the chapter, we provide a quick description of each workstream
and the technological building blocks implemented.


First, notice the structure according to the six pillars of Zero Trust that appear on the
left.

The Identity pillar is, unsurprisingly, quite rich, with the Azure AD directory becoming
the reference directory for identities after the migration from the previous
on-premises identity management platform and its subsequent removal.17 Eventually,
the synchronization links with Active Directory are disabled with the provisioning of
identities from the Human Resources system. Conditional access is set up from the
beginning for users (it's a quick win) and then extended to devices that are managed
from Microsoft Intune (MDM) and whose security and health status are transmitted
by the EDR in place. The Windows Hello for Business biometric authentication project
is launched from the start as a proof of concept (another quick win) before being
generalized and then associated with passwordless authentication available natively
with Azure AD.

The "Achieve modern authentication" stage is indicated on the roadmap, as it is
considered important for securing user access. Finally, the Azure AD Governance &
Administration workstream is crucial as soon as the directory becomes the reference
for identities. In addition, best practices for administering and securing access to this
component must be put in place from the outset.

The Devices pillar follows three phases in the path to “modern” management,
starting with a pilot where the workstations and mobiles in this first scope are joined
to Azure AD and then registered and managed in Microsoft Intune. The next phase
is to extend the scope for new devices by adding the automated and quick process
for building workstations with Windows Autopilot, the implementation of which was
deemed necessary to cover the remote work scenario.

17 We are talking about the identity management platform and not Active Directory, whose footprint
will be reduced but which will not be deleted.

Considerations on the security of the administration of all applications and services
have led to the deployment of secure administration workstations (Privileged Access
Workstation or PAW);18 these workstations are built on a constrained and controlled
Windows 10/Windows 11 master and dedicated to administration tasks. The base
OS hosts a Windows 10 "productivity virtual machine" workstation, allowing the use
of Office productivity applications and access to the Internet without the restrictions
imposed on the base. This is the solution that was chosen to regain control of the
administration workstations and limit the risk of compromising privileged accounts.

The Data pillar starts with the implementation of the classification of data hosted in
the cloud, a large part of the data having migrated to SharePoint Online. Some
sensitive data will remain on-premises, hosted on secure servers in isolated network
segments with rigorous access constraints. The Data Classification Governance
workstream will be launched to define the data management processes according
to their sensitivity. The data protection workstream will follow to apply encryption to
data based on sensitivity following classification, whether automatic or under the
responsibility of the creator/owner of the information.

The attainment of the "Achieve Data Protection and Compliance" milestone seals an
important moment in the Zero Trust project, as it will have provided the opportunity
to implement a classification solution that has often been postponed due to a lack
of suitable technical solutions.

Finally, the DLP (Data Loss Prevention) functionality will then be activated and
configured at the level of the CASBs (Cloud Access Security Broker) already deployed
by the company (see below).

The Applications pillar begins with the deployment of the CASB function at the
enterprise level, with the choice of using the Microsoft Cloud App Security solution.
The CASB will be able to discover all the cloud applications used, including some
SaaS applications not referenced by the internal IT ("Shadow IT"). It will be possible
to assign each of them a risk level and to approve or reject their use.

SaaS applications will then be gradually connected to Azure AD (for those that are
not natively connected19) to rely on the directory's identity repository and take
advantage of SSO. Two workstreams will be carried out in parallel: the first to migrate
eligible legacy applications to the cloud; the second to publish older Web
applications through reverse-proxies based on Azure AD authentication.

18 Protecting high-risk environments with secure admin workstations
19 List of applications natively integrated with Azure AD


The "Achieve Applications Migration" stage is important because, once reached, all
applications eligible for a transition to the cloud have been migrated. Only those
applications and resources considered especially critical in terms of the company's
security policy or regulatory requirements remain hosted on-premises. The last step
is to impose the use of secure PAW stations to access these particular resources.

The Infrastructure pillar starts with the deployment of the Microsoft Defender for
Identity solution to monitor Active Directory and be able to detect attacks or
compromises while waiting to drastically reduce its attack surface.
Windows 10/Windows 11 workstations will then gradually migrate to Azure AD in
conjunction with Windows Intune for their management. The federation function
between Active Directory (and possibly other internal directories) and Azure Active
Directory will be removed once all applications have transitioned to Azure AD
authentication (see Applications pillar).

The final workstream covers the gradual deprovisioning of Active Directory as users
and machine accounts migrate to Azure: the infrastructure, which can include many
forests and a multitude of domain controllers, can be reduced to the minimum size
that would still be needed to administer the ultimate internal resources. This
reduction in the Active Directory footprint has the advantage of drastically reducing
the attack surface of the Information System, thus limiting the probability of
compromise with commonly used attack scenarios. Monitoring will continue to be
required to protect internal resources.

The final Network pillar will focus on optimizing remote access to productivity
applications and services, such as Office 365 collaborative tools. In a context where
telecommuting has become the new norm, it is necessary to offer users the means
to work efficiently from home. The era of the all-VPN is over and remote access
must reconcile performance with the required security level.20 Particular attention
must be paid to audio and video streams, which require near-real-time conditions
to provide an optimal user experience.

The internal network architecture will need to be redesigned to ensure a
high-performance connection to the cloud, whether through the Internet or through
direct connections to cloud providers. The company's sites will need to be adapted
to host workstations in differentiated network segments (see Chapter 10 INTERNET AS
CORPORATE NETWORK) with the goal of making the Internet the company's default
network for the majority of users. Finally, the segmentation of the internal network
will be adapted to host internal resources according to their sensitivity, with
controlled access that also takes into account the level of health and compliance of
workstations.
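As an added illustration (not code from this paper or from any Microsoft product), the following Python sketch models how the signals described across the Identity, Devices, Applications and Network pillars above combine into a single access decision: identity risk and strong authentication, MDM compliance and EDR health for the device, the PAW requirement for critical resources kept on-premises, and the resource's classification label. Every class, field name, risk level and sample request is an assumption constructed for the example; no real telemetry is used.

```python
"""Toy Zero Trust access-policy evaluator (added example, assumptions throughout).

Shows the order in which the paper's signals are consulted and, just as
importantly, which signal is absent: the network the request comes from.
With the Internet as the default corporate network, location grants no trust.
"""
from dataclasses import dataclass
from enum import Enum


class Sensitivity(Enum):
    """Classification label of the resource (assumed four-level scheme)."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    CRITICAL = 3


@dataclass
class Identity:
    user: str
    risk: str            # "low", "medium" or "high", as an identity risk engine would report it
    mfa_satisfied: bool  # strong authentication already performed in this session


@dataclass
class Device:
    managed: bool      # enrolled in the MDM (Intune in the paper's example)
    compliant: bool    # compliance state reported by the MDM
    edr_healthy: bool  # health signal forwarded by the EDR
    is_paw: bool       # dedicated Privileged Access Workstation


@dataclass
class Resource:
    name: str
    sensitivity: Sensitivity


def evaluate(identity: Identity, device: Device, resource: Resource) -> tuple[str, str]:
    """Return (decision, reason); decision is "grant", "require_mfa" or "deny"."""
    # 1. Identity risk is evaluated first: a high-risk sign-in is blocked outright.
    if identity.risk == "high":
        return "deny", "identity risk is high"

    # 2. Strong authentication: required for anything above PUBLIC data, and for
    #    medium-risk sign-ins whatever the resource.
    needs_mfa = resource.sensitivity != Sensitivity.PUBLIC or identity.risk == "medium"
    if needs_mfa and not identity.mfa_satisfied:
        return "require_mfa", "strong authentication required"

    # 3. Device posture: INTERNAL and above require a managed, compliant device
    #    whose EDR reports it healthy (the "extended to devices" step of the roadmap).
    if resource.sensitivity.value >= Sensitivity.INTERNAL.value:
        if not (device.managed and device.compliant):
            return "deny", "device is not managed and compliant"
        if not device.edr_healthy:
            return "deny", "EDR reports the device as unhealthy"

    # 4. CRITICAL resources (those kept on-premises in isolated segments) may only
    #    be reached from a PAW.
    if resource.sensitivity is Sensitivity.CRITICAL and not device.is_paw:
        return "deny", "critical resource requires a PAW"

    return "grant", "all conditions satisfied"


# Constructed sample devices and resources (not real inventory data).
COMPLIANT_LAPTOP = Device(managed=True, compliant=True, edr_healthy=True, is_paw=False)
UNMANAGED_LAPTOP = Device(managed=False, compliant=False, edr_healthy=False, is_paw=False)
PAW = Device(managed=True, compliant=True, edr_healthy=True, is_paw=True)

TEAM_SITE = Resource("SharePoint Online team site", Sensitivity.INTERNAL)
HR_DATABASE = Resource("on-premises HR database", Sensitivity.CRITICAL)
PUBLIC_PORTAL = Resource("public information portal", Sensitivity.PUBLIC)


def sample_decisions() -> dict[str, str]:
    """Run representative constructed requests and return the decision for each."""
    alice = Identity("alice", risk="low", mfa_satisfied=True)
    alice_no_mfa = Identity("alice", risk="low", mfa_satisfied=False)
    bob_high_risk = Identity("bob", risk="high", mfa_satisfied=True)
    return {
        "alice/laptop/team-site": evaluate(alice, COMPLIANT_LAPTOP, TEAM_SITE)[0],
        "alice-no-mfa/laptop/team-site": evaluate(alice_no_mfa, COMPLIANT_LAPTOP, TEAM_SITE)[0],
        "alice-no-mfa/unmanaged/public": evaluate(alice_no_mfa, UNMANAGED_LAPTOP, PUBLIC_PORTAL)[0],
        "alice/unmanaged/team-site": evaluate(alice, UNMANAGED_LAPTOP, TEAM_SITE)[0],
        "alice/laptop/hr-db": evaluate(alice, COMPLIANT_LAPTOP, HR_DATABASE)[0],
        "alice/paw/hr-db": evaluate(alice, PAW, HR_DATABASE)[0],
        "bob-high-risk/paw/hr-db": evaluate(bob_high_risk, PAW, HR_DATABASE)[0],
    }


if __name__ == "__main__":
    for request, decision in sample_decisions().items():
        print(f"{request:32} -> {decision}")
```

The check order mirrors the roadmap: identity first (the pillar the paper prioritizes), then device posture once devices are managed, and finally the PAW constraint that the Applications pillar imposes on the few resources left on-premises. A real deployment expresses the same logic as policy in the identity provider rather than in application code; the sketch only makes the decision inputs and their precedence visible.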

20 See the white paper Optimize Office 365 remote work with split-tunneling available in English and
French.


The way in which the projects will be carried out – for example in the form of sprints
within the framework of an agile approach – is not detailed at this level to leave each
project free to choose the best method.



Conclusion
To conclude, we can quote this description from the document EXAMINING ZERO TRUST
AN EXECUTIVE ROUNDTABLE DISCUSSION: “Zero Trust security is not a product or solution.
It is a broader strategy for modern security that adapts to the complexity of today’s
business environment, embraces the mobile workforce, and protects people, devices,
apps, and data wherever they’re located”.

This quote, which sums up the soul of Zero Trust, must however be translated into a
real transformation project of the security model, induced by a new way of
addressing security in order to face the current cyber threats. Moving towards Zero
Trust is not just a simple revision of network security: six pillars must be considered,
with identity as a priority. Indeed, "Identity is the new perimeter": the focus must be
on strengthening authentication and generalizing a conditional access control based
on identity, the level of associated risk and more broadly on the context of access –
including the device and its status.

To start a Zero Trust project, one must be ambitious in the vision, start with
reasonable steps while being quick in the execution, which can be summarized by
the formula "Think big, start small, move fast". You must think big because it is a
transformation project: the establishment of the roadmap must develop this vision
by mapping it technologically on the time axis. You will need to define your priority
expectations in the two categories of strengthening security and enabling new
business scenarios; quick steps with visible gains will allow you to quickly show the
benefits of your Zero Trust project.

It is by no means a question of starting from scratch but of taking into account the
existing environment by evaluating your level of maturity and by building your own
solution: some technological components will be preserved and adapted, others will
be replaced by more powerful ones with, as an objective, to limit the number of
disparate security tools to gain in effectiveness while reducing costs.

In conclusion, as cybersecurity becomes a major issue in the life of companies and
organizations, it is time to assume that the old vision of a perimeter security is now
obsolete, and that only the adoption of the new Zero Trust security model will enable
you to solve today's challenges.


© 2021 Microsoft France. All rights reserved.
