Since the global popularization of remote work in recent years, IT security teams are facing ever-increasing challenges to ensure effective and secure access to organizations’ critical assets, resources, and data.
Elaborate phishing attacks expose user credentials, enabling lateral movement or the installation of ransomware on mission-critical infrastructure. Zero-day vulnerabilities let malicious actors disrupt the services being accessed.
These are just a few examples of the threats that cost companies money, their most critical assets, credibility and market image.
In the Cost of a Data Breach 2023 Report published by IBM, analyzing data breaches that occurred between March 2022 and March 2023, the average total cost of a breach amounted to $4.45M. Compared to the previous year’s report, this total has increased by 2.3%, and by 15.3% since 2020.
With that in mind, we need to design our organizations’ systems to withstand these and many more challenges. Employing IT Security specialists will increase safety in digital transformation, but we cannot rely on technology alone – each organization should define and implement an anti-breach strategy and also educate its employees to navigate the digital ecosystem securely.
What is the Zero Trust Model?
For many years, organizations relied on a perimeter-based security approach, also known as “castle and moat,” where the assumption was that every actor on the outside was malicious and everyone on the inside was trusted.
While deeply flawed, this approach was all we needed until we faced a need to open our internal resources to remote workers. The solution came with the use of a VPN, creating a secure gateway from the Internet to the Intranet.
Unfortunately, with technological progress came the ever-evolving threat of cyber-attacks. Nowadays, VPN technology and physical access restrictions can’t be the only security measures, and we need to seek more comprehensive solutions.
According to IBM’s report, the two most common initial attack vectors were phishing and stolen or compromised credentials at 16% and 15%, respectively. Moreover, the two most costly types of initial attack vectors were malicious insider and again phishing, averaging $4.90 million and $4.76 million.
Many of these attacks succeed because too much trust is placed in actors from within the organization, and because proper security systems to prevent external attacks are lacking.
This is where the Zero Trust Security Model comes to the rescue. At its core, Zero Trust assumes a “never trust, always verify” approach, which leaves behind the idea that any user or device should be trusted by default.
“Many organizations established their infrastructure with implicit rather than explicit trust models to ease access and operations for workers and workloads. Attackers abuse this implicit trust in infrastructure to establish malware and then move laterally to achieve their objectives,”
said John Watts, VP Analyst at Gartner.
“Zero trust is a shift in thinking to address these threats by requiring continuously assessed, explicitly calculated and adaptive trust between users, devices, and resources.”
[Gartner PR Note: source]
Another report, presented by Okta, shows that a number of organizations have already started defining and introducing a Zero Trust initiative. Notably, companies’ interest in Zero Trust has grown sharply: in 2021, 24% of the surveyed organizations were actively working on defining a Zero Trust initiative, while just two years later this figure reached 61% – with a further 35% planning to start working on the initiative in the following 18 months.
Source: Okta Report
Okta also reports that the majority of companies actively invest in their Zero Trust strategies: 80% of the surveyed organizations increased their budgets, 18% left them unchanged, and very few actually decreased them.
Source: Okta Report
Zero Trust at work in Azure
At the base of the Zero Trust architecture is identity management, which – in Azure – is taken care of by Microsoft Entra ID (formerly Azure Active Directory) and Role-Based Access Control (RBAC) integrated into all Azure services.
Microsoft Entra ID controls access to the organization’s resources – across public, private and hybrid cloud environments – at several levels of granularity in permission assignment:
- singular permissions – e.g. reading files in a file share,
- role definitions – named sets of permissions, e.g. Cloud Developer,
- group assignments – the same permission rules applied to multiple people, for example members of the same team.
To uphold Zero Trust’s least-privilege principle, the Access Review feature enables efficient management of group membership, access to enterprise applications, and role assignments. The process collects feedback from users and supervisors, along with suggestions from Microsoft Entra ID, to review and validate the assigned permissions.
With such input, IT Security specialists can update users’ access rules by adding or removing permissions, working towards just-in-time and just-enough access (JIT and JEA).
The next fundamental feature in Microsoft Entra is the Conditional Access module – a centralized engine that gathers signals, makes decisions, and enforces the policies defined across the organization.
Conditional Access, together with Microsoft Entra ID, implements the “always verify” principle of Zero Trust. By defining policies in both services, the IT Security team can secure the organization’s resources without hindering users’ productivity, wherever and whenever they work.
Additionally, Microsoft Entra ID can enforce identity and authentication controls such as Single Sign-On and mandatory Multi-Factor Authentication.
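To make the “gather signals, make decisions, enforce policies” loop concrete, here is an added Python sketch (not Microsoft’s code or API) of how Conditional Access combines policies: every policy whose assignments and conditions match a sign-in applies, a block wins over any grant, and the grant controls of all matching policies must be satisfied together. The signal fields, group names and the three policies are constructed assumptions.

```python
from dataclasses import dataclass, field

RISK_ORDER = ["none", "low", "medium", "high"]

@dataclass
class SignIn:                      # constructed sign-in signals
    user: str
    groups: set
    app: str
    device_compliant: bool
    trusted_network: bool
    risk: str                      # one of RISK_ORDER

@dataclass
class Policy:
    name: str
    include_groups: set            # {"All"} targets every user
    exclude_groups: set = field(default_factory=set)
    apps: set = field(default_factory=lambda: {"All"})
    min_risk: str = "none"         # applies at this sign-in risk level or above
    untrusted_network_only: bool = False
    block: bool = False            # a block control overrides every grant
    controls: set = field(default_factory=set)  # e.g. {"mfa", "compliantDevice"}

def applies(p: Policy, s: SignIn) -> bool:
    """True when the sign-in is inside the policy's assignments and conditions."""
    targeted = "All" in p.include_groups or bool(p.include_groups & s.groups)
    if not targeted or p.exclude_groups & s.groups:
        return False
    if "All" not in p.apps and s.app not in p.apps:
        return False
    if RISK_ORDER.index(s.risk) < RISK_ORDER.index(p.min_risk):
        return False
    return not (p.untrusted_network_only and s.trusted_network)

def evaluate(policies, s: SignIn) -> dict:
    """Every matching policy applies: any block wins, otherwise the grant
    controls of all matching policies must be satisfied together."""
    matched = [p for p in policies if applies(p, s)]
    names = [p.name for p in matched]
    if any(p.block for p in matched):
        return {"decision": "block", "policies": names}
    required = set().union(*(p.controls for p in matched))
    if "compliantDevice" in required and not s.device_compliant:
        return {"decision": "block", "policies": names}  # unsatisfiable control
    return {"decision": "grant", "required": sorted(required), "policies": names}

# Constructed policy set; the break-glass group is excluded from MFA on purpose.
POLICIES = [
    Policy("Require MFA for all users", {"All"}, exclude_groups={"break-glass"},
           controls={"mfa"}),
    Policy("Block high-risk sign-ins", {"All"}, min_risk="high", block=True),
    Policy("Compliant device for the ledger app", {"finance"}, apps={"ledger"},
           controls={"compliantDevice"}),
]
```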
Enabling ZTNA with Azure technologies
With the identity and verification engine in Microsoft Entra, Zero Trust principles can be introduced to an organization’s resources – through Zero Trust Network Access (ZTNA).
This concept brings the core Zero Trust principles into network access. Using an identity broker, in our case Microsoft Entra, each user must be verified before accessing any resource or application on the organization’s network. Furthermore, communication inside the network should be monitored and should still follow the “never trust, always verify” principle.
Storage on the network
Azure Storage provides diverse ways of storing your data, but they all share one idea: being Secure by Default. Data in the Azure Storage services is not publicly available over the Internet by default.
Access can be granted through several secure mechanisms:
- Shared Access Signature (SAS) tokens – they authorize access without the user’s credentials, with only a specific set of permissions and within a specified time frame.
- OAuth2 JWT tokens – issued through Microsoft Entra; such a token conveys the user’s permissions and authorizes access to the storage services.
- Private Endpoint access – access can be allowed entirely through an endpoint integrated into a Virtual Network, so storage data is reachable only by clients connected to the designated Virtual Network.
The last two access methods in particular enable the Zero Trust Model. With correctly defined permissions and Azure Storage services available inside the organization’s network, users get broad yet secure access based on what they need.
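Because a SAS token carries its own permission set and validity window, a defender can audit tokens before they are handed out. The following Python is an added example (not from the original article or from Microsoft) that checks a SAS URL against an assumed least-privilege policy: short lifetime, read/list only, HTTPS only and a source IP restriction. The query parameter names (sp, st, se, spr, sip, sig) are the real SAS fields; the account name, signature and policy limits are constructed.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse, parse_qs

# Assumed policy for tokens handed to external clients: short-lived, read-only,
# HTTPS only and pinned to a source IP.
MAX_LIFETIME = timedelta(hours=8)
ALLOWED_PERMS = set("rl")          # r = read, l = list
PERM_NAMES = {"r": "read", "a": "add", "c": "create", "w": "write",
              "d": "delete", "l": "list", "t": "tags"}

def parse_sas(url: str) -> dict:
    """Flatten the SAS query parameters (sp, st, se, spr, sip, sig, ...) of a storage URL."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_sas(url: str, now: datetime) -> list:
    """Return policy findings for a SAS URL; an empty list means it passes."""
    p = parse_sas(url)
    if not {"sig", "sp", "se"} <= set(p):
        return ["not a complete SAS token (sig, sp and se are required)"]
    findings = []
    expiry = _ts(p["se"])
    start = _ts(p["st"]) if "st" in p else now   # st is optional
    if expiry <= now:
        findings.append("token already expired")
    elif expiry - start > MAX_LIFETIME:
        findings.append(f"lifetime {expiry - start} exceeds {MAX_LIFETIME}")
    excess = set(p["sp"]) - ALLOWED_PERMS
    if excess:
        names = sorted(PERM_NAMES.get(c, c) for c in excess)
        findings.append("excess permissions: " + ", ".join(names))
    if p.get("spr", "https,http") != "https":   # absent spr allows both protocols
        findings.append("token not restricted to HTTPS (spr)")
    if "sip" not in p:
        findings.append("no source IP restriction (sip)")
    return findings

# Constructed sample URLs with a fake account name and a fake signature.
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
BROAD_SAS = ("https://examplestorage.blob.core.windows.net/logs?sv=2022-11-02&sr=c"
             "&sp=racwdl&st=2024-03-01T00:00:00Z&se=2025-03-01T00:00:00Z&sig=FAKESIG")
SCOPED_SAS = ("https://examplestorage.blob.core.windows.net/logs/report.csv?sv=2022-11-02"
              "&sr=b&sp=r&st=2024-03-01T11:00:00Z&se=2024-03-01T13:00:00Z"
              "&spr=https&sip=203.0.113.10&sig=FAKESIG")

if __name__ == "__main__":
    for label, url in (("broad", BROAD_SAS), ("scoped", SCOPED_SAS)):
        print(label, audit_sas(url, NOW) or ["OK"])
```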
Virtual Machines on the network
To fully take advantage of the cloud, it is necessary to plan the usage of Virtual Machines within the Zero Trust enabled network. Such a strategy should include guidelines for how resources are created, how monitoring is integrated, and the networking baseline for communication over the network.
A possible solution for some organizations is either defining a set of strict processes for provisioning these resources or building a tool that abstracts the cloud provider and delivers the standards in the form of an immutable baseline.
The first element of such a strategy should be the segmentation of resources in the cloud. Taking advantage of the multi-layered approach to permissions, resources can be logically grouped with Resource Groups, Subscriptions and Management Groups within Azure.
To ensure the VMs initialized inside the network are secure, it is also vital to define policies for the operating system and the applications running on them. These can be enforced through features like Secure Boot, vTPM, and Virtual Machine Extensions.
Following that, the security strategy for accessing the VMs should be defined. Enabling a public IP address on each VM and protecting it with user account credentials may be tempting, but it also opens the door for malicious actors to brute-force the access.
Alternative approaches include the Azure Bastion service, which provides access to VMs through the web browser, or requiring MFA and Conditional Access to log in to VMs joined to Microsoft Entra ID.
Azure Firewall Premium
After defining identity management policy, along with storage and compute security, Zero Trust Network Access requires extended network traffic security. To achieve this, Azure Firewall Premium provides a rich set of features to monitor, detect, and prevent potential threats.
Azure Firewall can monitor incoming, outgoing and internal traffic inside the organization’s network. Azure integrates its Threat Intelligence feed, which is constantly updated with data on sources of malicious activity. Enabling this feature in Alert and Deny mode is the best way to accomplish the “always verify” Zero Trust principle.
The next step should be enabling the TLS Inspection feature, which monitors encrypted network traffic for potential illegal and malicious activity. It generates an on-the-fly SSL certificate using the customer-provided CA certificate, acting as a proxy in the connection between the client and the private network behind the Firewall.
Another feature complementary to TLS Inspection is the Intrusion Detection and Prevention System (IDPS). It focuses on non-encrypted traffic, but with TLS Inspection enabled it also works for encrypted network activity.
IDPS enables automatic alerting and access denial for any communication that looks suspicious. It emphasizes fingerprinting malware, botnet Command and Control servers, exploit kits, and in-the-wild malicious activity missed by traditional prevention methods. With over 67,000 rules and 20-40+ new releases daily, this detection system has a low false positive rate.
Azure Firewall also supplies features like extensive routing rules, URL filtering, rule exceptions, Microsoft Defender integration, Azure DDoS Protection, and Forced Tunneling to secure the whole network further.
Microsoft Defender for Cloud
Microsoft Azure is a vast landscape of different technologies that require specialization for effective use. To remedy this problem and to ease the steep learning curve, Microsoft introduced Defender for Cloud – a diagnostics service that provides alerting and recommendations for improving the security posture of your cloud resources.
Microsoft Defender comes with multiple advanced features that support IT Security teams’ operations through dashboards providing insight into:
- Security Score – based on Microsoft’s recommendations of best practices,
- Regulatory compliance – Security Benchmark compliance shown through automated assessment,
- Inventory status – health assessment and alerts for all resources.
Another essential feature is the external attack surface management module, which continuously discovers and maps your digital attack surface. It shows the external view of your online infrastructure, giving insight into potential vulnerabilities.
Microsoft Defender can also integrate into Storage Services with Microsoft Defender for Storage. It helps prevent significant impacts on your data and workload – malicious file uploads, sensitive data exfiltration, and data corruption. It’s an extra layer of protection, powered by Microsoft Threat Intelligence, Microsoft Defender Antimalware technologies, and Sensitive Data Discovery.
Microsoft Defender isn’t the only report and remedy service available in Azure’s ecosystem. Azure Sentinel is deeply integrated into Azure’s other services, supplying intelligent security analytics and threat intelligence across the enterprise.
Using an Azure Log Analytics Workspace, this service can collect and analyze data from any Azure service and any application that integrates the Log Analytics API for logging and metrics.
With Azure Sentinel, you can enable multiple data connectors for Microsoft services and third-party options. Connecting your data sources to Microsoft Sentinel through Common Event Format (CEF), Syslog, or a REST API is also possible. IT Security is improved through a single solution for attack detection, threat visibility, proactive hunting, and threat response.
Artificial Intelligence and IT Security
As the latest trends show, AI seems to be a perfect assistant. ChatGPT and similar tools prove what AI can do to help professionals with day-to-day tasks. We can also see similar technical improvements, specifically in Cloud Security.
As it often happens, security professionals are required to perform mundane tasks, like security policy review and adjustment. In an ever-changing corporate environment, IT workers need to react to new people coming on board, employees changing departments, and new applications being introduced, whether for internal or external use. All these events require security engineers to act to keep all the access permissions up to date and ensure that all processes and services are secure.
For that to happen, the security team needs to understand each user’s role inside the organization, which is nearly impossible on a bigger scale. This is where AI can shine and remove tedious work burdens by constantly monitoring how users interact with the different systems.
Once this data is gathered, the AI can select the findings with a high confidence level and initiate a review of the permission assignment. Security Engineers can then focus on the specific reported set of permissions instead of analyzing every user’s role in the company.
Azure has already introduced similar functionality in its Access Review system, where Machine Learning (ML) models enhance the recommendations. By suggesting group affiliation and flagging inactivity periods, ML helps decide whether a user should keep certain permissions.
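The Access Review process described in the Entra ID section and the ML-assisted recommendations described here can be illustrated with an added Python example (not the Entra implementation, whose model is not public): it scores each group membership on two of the signals the article names, inactivity and affiliation with the other members, using constructed directory and activity data and an assumed 30-day threshold.

```python
from datetime import date

INACTIVITY_DAYS = 30   # assumed threshold after which an unused membership is questioned
MIN_AFFINITY = 0.5     # assumed share of same-department peers below which we flag
TODAY = date(2024, 3, 1)

# Constructed directory data: group memberships and each user's department.
GROUPS = {
    "storage-admins": ["alice", "bob", "carol"],
    "billing-readers": ["dave", "erin", "alice"],
}
DEPARTMENT = {"alice": "platform", "bob": "platform", "carol": "platform",
              "dave": "finance", "erin": "finance"}

# Constructed activity log: (user, group whose permissions were exercised, day).
ACTIVITY = [
    ("alice", "storage-admins", date(2024, 2, 28)),
    ("bob", "storage-admins", date(2024, 2, 27)),
    ("carol", "storage-admins", date(2023, 12, 1)),
    ("dave", "billing-readers", date(2024, 2, 29)),
    ("erin", "billing-readers", date(2024, 2, 20)),
]

def last_use(user: str, group: str):
    """Most recent day the user exercised the group's permissions, or None."""
    days = [d for u, g, d in ACTIVITY if u == user and g == group]
    return max(days) if days else None

def peer_affinity(user: str, group: str) -> float:
    """Share of the other members who work in the same department as the user."""
    peers = [m for m in GROUPS[group] if m != user]
    if not peers:
        return 1.0
    return sum(DEPARTMENT[m] == DEPARTMENT[user] for m in peers) / len(peers)

def review(today: date) -> list:
    """Memberships recommended for review, highest confidence first.
    Inactivity and low peer affinity each raise the confidence that the
    membership is no longer needed; both together make a high-confidence case."""
    out = []
    for group, members in GROUPS.items():
        for user in members:
            used = last_use(user, group)
            inactive = used is None or (today - used).days > INACTIVITY_DAYS
            low_affinity = peer_affinity(user, group) < MIN_AFFINITY
            if not (inactive or low_affinity):
                continue                      # nothing suggests removing this one
            confidence = "high" if inactive and low_affinity else "medium"
            out.append({"user": user, "group": group, "confidence": confidence,
                        "last_use": used, "affinity": peer_affinity(user, group)})
    return sorted(out, key=lambda r: r["confidence"] != "high")

if __name__ == "__main__":
    for rec in review(TODAY):
        print(rec)
```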
Not only can AI help with ensuring the principle of least privilege promoted by Zero Trust, but it can also be helpful in other IT Security fields. With the use of various AI models, it is possible to perform tasks that seem impossible for humans.
AI pattern recognition models can detect patterns invisible to the human eye. AI-aided monitoring tools with anomaly detection and alerting can illuminate hidden vulnerabilities in the system.
As useful as detection is, AI can do more. It is possible to give AI tools to remedy the issues it finds, before or right after they are exploited, in near real time, effectively mitigating most, if not all, threats from outside and inside the organization’s IT infrastructure.
With Azure Sentinel, it is possible to define automated responses with Automation Rules and Automation Playbooks. This way, a defined response is executed automatically when Sentinel raises an alert matching the configured triggers and conditions.
What threats AI brings to Cloud Security
Two kinds of Security threats come with AI:
- Attacks can be targeted at AI models and services.
- AI can aid the attacks.
Both scenarios need to be planned for, and proper security solutions considered, to negate the potential issues that may arise.
Due to the complex nature of Artificial Intelligence, there is still plenty to learn about how it works, and sometimes the models we train behave unexpectedly. Such issues reportedly happened with some popular AI tools; for example, early releases of ChatGPT, although restricted to obeying specific rules, could be made to bypass them using a technique called prompt injection. Users could converse with the chatbot in a specific way, enabling previously restricted behaviors.
What is more, not only live AI services are vulnerable to new and unexpected types of cyber-attacks, but also unreleased ones. Depending on the type of AI model, it may take its training data sets from publicly available data.
This data can be tampered with using a technique called data poisoning. Even though it is hard to target a specific AI service this way, it can indeed harm the learning process of new AI models. On the other hand, the same modifications can be used as Intellectual Property protection against unlawful use of digital images published on the Internet.
Another similar cyber-attack aimed at AI is the adversarial attack, which derives from data poisoning by modifying the input data. However, the goal is not to make the AI fail at its intended task outright; it manipulates the outputs in a way that is harder to detect, disrupting the AI model’s decision-making process and causing misclassifications or simply faulty outputs.
Using AI to aid in more standard cyber-attack techniques is a completely different approach. With some advanced AI models, one could analyze outputs from internet-facing services and possibly deduce technical details of the service implementation. With those details, a chatbot could be asked if there are any known exploits to those technologies.
Artificial Intelligence could also be used as a Command and Control server operator and perform unattended botnet operations like DDoS attacks.
With all these threats waiting for businesses on the modern-day Internet, bringing your IT solutions to the market may seem challenging. We need to keep in mind, however, that while hackers work hard to develop new attack strategies, security specialists also work on ever better ways to keep the threats away.
Often, it may be necessary to onboard a company security team, which is always beneficial in the long run. But it is also worth knowing that countless security service providers, like Azure, offer the broad spectrum of security measures an organization needs to implement.