Can Zero Trust Apply to Azure?
How does the zero-trust model translate to an Azure environment? According to O’Keefe, it’s not as different as you might think. “Zero trust for Azure is pretty similar to zero trust for any infrastructure,” he said. “The biggest difference is the responsibility is shared between you and Microsoft.”
For example, when universities and colleges leverage Infrastructure as a Service, Platform as a Service or Software as a Service, Microsoft has a greater responsibility for protecting the virtual infrastructure and application. “And you have greater responsibility for protecting the data,” O’Keefe said.
Regardless of the deployment model, O’Keefe emphasized the importance of having strong identity protection and segmenting resources.
“You need to focus on configuration governance,” he said. “Follow that least-privilege access to data and infrastructure. Many organizations tackle these challenges through automation. It’s a great solution to rely on service accounts to ensure that you have consistent and audited deployments, and then ensure that individuals only have access to the resources they need.”
How Azure Sentinel Can Provide Secure Automation
O’Keefe went on to explain how Azure Sentinel, a cloud-native security information and event management platform, uses built-in artificial intelligence to aggregate and analyze large volumes of data from both on-premises devices and devices that run in the cloud. “It lets you correlate those events across those multiple sources over the millions of records and in just a few seconds,” he said.
By leveraging predefined playbooks, the technology also allows IT staff to automatically remediate security events. Doing so depends on Sentinel ingesting logs from several different systems. “It collects logs for activities like authentication or access,” O’Keefe explained. “It allows you to use those logs to reconstruct a complete picture of activities.”
When suspicious activities or patterns are identified, Sentinel automatically starts scripts that can, for example, disable a user’s account or block an IP address associated with malicious traffic. “But it’s important to remember that Sentinel and all SIEM products are really only as good as what you collect and what you do with that data,” he warned.
For instance, if a university or college only collects data on user authentication but not file access information, the institution will be unable to reconstruct a complete picture of how a breach occurred. With that said, striking a balance is key. “On the other end of the spectrum, it’s important not to collect so much that you’re overwhelmed and never look at those logs,” O’Keefe said.
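The points above (correlating events across sources, triggering a playbook, and the cost of a missing log source) in runnable form. This is an added example, not code from the article, from O’Keefe, or from Microsoft; Sentinel analytics rules are written in KQL and run inside the service, so the Python below only stands in for that logic. Every record, user, IP address and file path is constructed, and the detection rule (new sign-in IP followed by bulk file reads) is a simplified illustration rather than a shipped Sentinel rule.

```python
"""Added example: correlate sign-in and file-access logs the way a SIEM rule
would, and show why a missing log source blinds the rule.
All data below is constructed; it is not real Sentinel output."""
from datetime import datetime, timedelta

# Constructed sample records from two sources with different native schemas,
# as a SIEM receives them before normalisation.
AUTH_LOGS = [
    {"ts": "2024-03-01T09:00:05Z", "user": "jdoe",   "src_ip": "203.0.113.7",  "result": "success"},
    {"ts": "2024-03-01T09:15:30Z", "user": "asmith", "src_ip": "198.51.100.4", "result": "success"},
    {"ts": "2024-03-01T02:13:00Z", "user": "jdoe",   "src_ip": "192.0.2.99",   "result": "success"},
]
FILE_ACCESS_LOGS = [
    {"time": "2024-03-01T09:02:00Z", "account": "jdoe", "ip": "203.0.113.7", "path": "/grades/cs101.xlsx", "op": "read"},
    {"time": "2024-03-01T02:14:10Z", "account": "jdoe", "ip": "192.0.2.99",  "path": "/grades/cs101.xlsx", "op": "read"},
    {"time": "2024-03-01T02:15:02Z", "account": "jdoe", "ip": "192.0.2.99",  "path": "/grades/cs205.xlsx", "op": "read"},
    {"time": "2024-03-01T02:16:47Z", "account": "jdoe", "ip": "192.0.2.99",  "path": "/hr/payroll.csv",    "op": "read"},
]
# Baseline of IPs each user has previously signed in from (constructed).
KNOWN_IPS = {"jdoe": {"203.0.113.7"}, "asmith": {"198.51.100.4"}}

REQUIRED_SOURCES = {"auth", "file"}   # log sources this rule needs in order to work


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def normalize(auth_logs, file_logs):
    """Map both schemas onto one event shape and order by time."""
    events = []
    for r in auth_logs:
        events.append({"ts": parse_ts(r["ts"]), "source": "auth", "user": r["user"],
                       "ip": r["src_ip"], "detail": "signin:" + r["result"]})
    for r in file_logs:
        events.append({"ts": parse_ts(r["time"]), "source": "file", "user": r["account"],
                       "ip": r["ip"], "detail": r["op"] + ":" + r["path"]})
    return sorted(events, key=lambda e: e["ts"])


def timeline(events, user):
    """Reconstruct what one account did, across sources, in time order."""
    return [(e["ts"].isoformat(), e["source"], e["ip"], e["detail"])
            for e in events if e["user"] == user]


def collection_gaps(events):
    """Sources the rule depends on but that contributed no events to this batch."""
    return REQUIRED_SOURCES - {e["source"] for e in events}


def detect_bulk_access_after_new_ip_signin(events, known_ips,
                                           window=timedelta(minutes=10), threshold=3):
    """Rule: a successful sign-in from an IP the user has not used before,
    followed within `window` by reads of at least `threshold` distinct files
    from that same IP. Returns alerts carrying the playbook actions an analyst
    would review; nothing here executes those actions."""
    alerts = []
    for s in events:
        if s["source"] != "auth" or s["detail"] != "signin:success":
            continue
        if s["ip"] in known_ips.get(s["user"], set()):
            continue
        files = {e["detail"] for e in events
                 if e["source"] == "file" and e["user"] == s["user"] and e["ip"] == s["ip"]
                 and s["ts"] <= e["ts"] <= s["ts"] + window}
        if len(files) >= threshold:
            alerts.append({"user": s["user"], "ip": s["ip"], "files": len(files),
                           "signin_at": s["ts"].isoformat(),
                           "playbook": ["disable_account:" + s["user"], "block_ip:" + s["ip"]]})
    return alerts


if __name__ == "__main__":
    both = normalize(AUTH_LOGS, FILE_ACCESS_LOGS)
    for row in timeline(both, "jdoe"):
        print(row)
    print("alerts:", detect_bulk_access_after_new_ip_signin(both, KNOWN_IPS))
    # Same rule, authentication logs only: the unusual sign-in is visible but the
    # rule cannot fire, and the gap check says why.
    auth_only = normalize(AUTH_LOGS, [])
    print("alerts (auth only):", detect_bulk_access_after_new_ip_signin(auth_only, KNOWN_IPS))
    print("missing sources:", collection_gaps(auth_only))
```

Run with both sources and the rule produces one alert for the 02:13 sign-in from the unfamiliar address, with the disable-account and block-IP playbook actions attached; run with authentication logs alone and the same rule returns nothing, which is the collection gap O’Keefe describes. The `collection_gaps` check is the kind of health test worth wiring into a SIEM alongside the detection rules themselves, so that a silently disconnected log source is noticed before an incident rather than during one.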