
ZERO TRUST

Never Trust, Always Verify

A security framework requiring all users, whether in or outside the
organization's network, to be authenticated, authorized, and continuously
validated for security configuration.
The main principles of Zero Trust
• Verify explicitly.
• Use least-privilege access.
• Assume breach.

Benefits of implementing a Zero Trust
strategy
• Simplify security with a strategy, processes, and automated tools that verify
every transaction and apply advanced detection and response to threats.
• Maximize the business value of your data while minimizing security and
compliance risks.
• Create a far more secure environment that protects against unauthorized
access, etc.

What do we need to implement in
M365 to achieve Zero Trust?

How to implement a Zero Trust strategy
• Roll out device protection, multifactor authentication, least-privilege access and Conditional
Access policies.
• Enroll endpoints in a device-management solution to ensure devices and apps are up to date
and meet requirements.
• Deploy an extended detection and response solution to detect, investigate, and respond to threats across
endpoints, cloud apps and email.
• Protect and govern sensitive data with solutions that provide visibility into all data and apply
data loss prevention policies.
Conditional Access

• Conditional Access policies at their simplest are if-then statements.
• Primary goals: empower users to be productive and protect the organization's
assets.
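
The if-then logic of Conditional Access, as an added example that is not part of the original slides: a simplified Python model in which each policy's conditions (who, which app) are the "if" and its required controls are the "then". The policy names, groups, apps and the evaluation rules are assumptions of this sketch, not Microsoft's implementation or API.

```python
from dataclasses import dataclass, field

@dataclass
class SignIn:
    groups: set             # groups the user belongs to
    app: str                # application being accessed
    mfa_done: bool          # second factor completed
    device_compliant: bool  # device reported compliant by device management

@dataclass
class Policy:
    name: str
    groups: set                                 # "if": who ("All" = everyone)
    apps: set                                   # "if": which app ("All" = any)
    require: set = field(default_factory=set)   # "then": controls to satisfy
    block: bool = False                         # "then": deny outright

    def applies(self, s: SignIn) -> bool:
        who = "All" in self.groups or bool(self.groups & s.groups)
        what = "All" in self.apps or s.app in self.apps
        return who and what

def evaluate(policies, s: SignIn):
    """Return (decision, detail) for a sign-in against every matching policy."""
    satisfied = {c for c, ok in (("mfa", s.mfa_done),
                                 ("compliantDevice", s.device_compliant)) if ok}
    matched = [p for p in policies if p.applies(s)]
    blockers = {p.name for p in matched if p.block}
    if blockers:                       # assumption: any block wins over grants
        return "block", blockers
    missing = set()
    for p in matched:                  # every matching policy must be satisfied
        missing |= p.require - satisfied
    return ("challenge", missing) if missing else ("grant", set())

# Constructed sample policies (hypothetical names, groups and apps)
POLICIES = [
    Policy("Require MFA for everyone", {"All"}, {"All"}, {"mfa"}),
    Policy("Finance app needs compliant device", {"Finance"}, {"FinanceApp"},
           {"compliantDevice"}),
    Policy("Block guests from admin portal", {"Guests"}, {"AdminPortal"},
           block=True),
]

if __name__ == "__main__":
    print(evaluate(POLICIES, SignIn({"Finance"}, "FinanceApp", True, False)))
```

A sign-in that matches several policies has to satisfy all of them, which is why a Finance user who completed MFA on a non-compliant device is still challenged.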

Multi-factor authentication

• A factor in authentication is a way of confirming your identity.
• Your sign-in experience differs depending on what you choose to use as your
second factor.

Let users reset their own passwords
• Use the self-service password reset tool.
• Self-service password reset for cloud users is free with any Microsoft 365
business, education, or nonprofit paid plan.
• If you're using an on-premises Active Directory, it requires a paid
subscription to Azure AD Premium.

Register your personal device
• Windows registers your device to your work or school network.
• Based on your organization's choices, you might be asked to set up two-step
verification.
• You might be automatically enrolled in mobile device management, such as
Microsoft Intune.

Automatically add or assign
Microsoft applications
• Set up Microsoft Intune.
• End users must install and use the Company Portal app to install an app made
available by Intune.

Make sure you update your in-house
app on a regular basis
• What types of updates exist: bug fixes, new or removed features, etc.
• Where to update: Play Store, App Store, Microsoft Store, etc.
• Why update: to improve the security of your device, improve the
user experience, etc.

Mobile Threat Defense
• Key capabilities such as Web Protection, Malware Protection, Network
Protection, etc.
• Best practices such as enabling the connector and deploying a
compliance policy and a Conditional Access policy.

Manage Microsoft Defender in a
business environment
Provides advanced attack detection and investigation capabilities seamlessly
through the Microsoft 365 Defender console.

Provides deeper insight into server activities, coverage for kernel and memory
attack detection, and enables response actions.

Onboard servers automatically, have servers monitored by Microsoft Defender
for Cloud appear in Defender for Endpoint, and conduct detailed
investigations as a Microsoft Defender for Cloud customer.

Limitations:
- Automatic exclusions for server roles aren't supported on Windows Server 2012 R2.
- Operating system upgrades aren't supported. Off-board then uninstall before upgrading.
- An operating system update can introduce an installation issue on machines with slower disks due to a
timeout with service installation.
Example Zero Trust security concepts in Microsoft
