{"id":101481,"date":"2021-11-17T09:00:13","date_gmt":"2021-11-17T17:00:13","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=101481"},"modified":"2023-05-15T22:58:00","modified_gmt":"2023-05-16T05:58:00","slug":"adopting-a-zero-trust-approach-throughout-the-lifecycle-of-data","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/11\/17\/adopting-a-zero-trust-approach-throughout-the-lifecycle-of-data\/","title":{"rendered":"Adopting a Zero Trust approach throughout the lifecycle of data"},"content":{"rendered":"

Instead of believing everything behind the corporate firewall is safe, the Zero Trust<\/a> model assumes breach and verifies each request as though it originates from an uncontrolled network. Regardless of where the request originates or what resource it accesses, Zero Trust teaches us to \u201cnever trust, always verify.\u201d<\/p>\n

At Microsoft, we consider Zero Trust an essential component of any organization\u2019s security plan based on these three principles:<\/p>\n

    \n
  1. Verify explicitly:<\/strong> Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.<\/li>\n
  2. Use least privileged access:<\/strong> Limit user access with just-in-time (JIT) and just-enough-access (JEA), risk-based adaptive policies, and data protection to protect both data and productivity.<\/li>\n
  3. Assume breach:<\/strong> Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses.<\/li>\n<\/ol>\n

    In this article, we will focus on the third principle (assume breach) and on how encryption and data protection play a significant role in preparing for a potential breach in your data center.<\/p>\n

    Protect data with end-to-end encryption<\/h2>\n

    As part of a comprehensive security posture, data should always be encrypted so that if an attacker is able to intercept customer data, they cannot recover any usable information from it.<\/p>\n

    End-to-end encryption is applied throughout the following three stages: at rest, in transit, and in use.<\/p>\n


    Data protection is critical across all three of these stages, so let\u2019s dive a little deeper into how each stage works and how it can be implemented.<\/p>\n

    Protect data at rest<\/h3>\n

    Encryption at rest protects stored data. Attacks against data at rest include attempts to obtain physical access to the hardware on which the data is stored and then compromise the data it contains. In such an attack, a server\u2019s hard drive may have been mishandled during maintenance, allowing an attacker to remove it. Later, the attacker would put the hard drive into a computer under their control to attempt to access the data.<\/p>\n

    Encryption at rest is designed to prevent the attacker from accessing the unencrypted data by ensuring the data is encrypted while on disk. If an attacker obtains a hard drive with encrypted data but not the encryption keys, the attacker must defeat the encryption to read the data. This attack is much more complex and resource-consuming than reading unencrypted data from a hard drive. For this reason, encryption at rest is highly recommended and is a high-priority requirement for many organizations.<\/p>\n


    At rest, it is important that your data is protected through disk encryption, which enables IT administrators to encrypt entire virtual machine (VM) or operating system (OS) disks.<\/p>\n

    One of the concerns that we hear from customers is how they can reduce the chances that certificates, passwords, and other secrets are accidentally leaked. A best practice is to store application secrets centrally in a secured vault so that their distribution is fully controlled. When using a secured vault, application developers no longer need to store security information in their applications, which reduces risk by keeping this information out of the code.<\/p>\n

    Data encryption at rest is a mandatory step toward data privacy, compliance, and data sovereignty. These Microsoft Azure security services are recommended for this purpose:<\/p>\n