{"id":114057,"date":"2022-05-23T10:00:00","date_gmt":"2022-05-23T17:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=114057"},"modified":"2023-05-15T23:03:27","modified_gmt":"2023-05-16T06:03:27","slug":"how-to-improve-risk-management-using-zero-trust-architecture","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/05\/23\/how-to-improve-risk-management-using-zero-trust-architecture\/","title":{"rendered":"How to improve risk management using Zero Trust architecture"},"content":{"rendered":"\n

“Compliance is all about risk management and lessening risk, and the same is true of Zero Trust.” —Abbas Kudrati

What’s risk management and why is it important?

Risk management, the process of developing a strategy for addressing risk throughout its lifecycle, normally involves four phases: risk identification, assessment, response, and monitoring and reporting.

\"Phases<\/figure>\n\n\n\n

Risk management plays a critical role in improving an organization's security posture. Insider incidents, for example, are not only costly to organizations but also time-consuming to contain. With limited resources, many organizations prioritize investment in the security controls that address their most critical risks, which maximizes the return on investment (ROI) in protecting the organization's assets and keeping its business operating. Risk management is also an ongoing activity: are long-established enterprise risk management programs keeping pace with the evolving digital and threat landscapes?

Trends like digital transformation, cloud migration, and hybrid work blur traditional trust boundaries, and perimeter-driven defense is no longer adequate against the growing range of attack vectors. Attention has therefore shifted to the Zero Trust security model, which assumes breach (that attackers are already inside the enterprise environment) and requires organizations to verify every request explicitly and enforce least-privilege access.

\"Why<\/figure>\n\n\n\n

How can Zero Trust architecture help with risk management?

Microsoft offers the following Zero Trust architecture as a reference for customers defending their digital estates.

\"Zero<\/figure>\n\n\n\n

Let's look at how Zero Trust architecture can help an organization run its enterprise risk management practice effectively throughout the four phases:

1. Identification: More thorough asset discovery and risk identification with the six pillars

In the initial step of risk management, organizations categorize their systems and the information those systems process, store, and transmit based on an impact analysis. Once assets are prioritized, the work of identifying threats and vulnerabilities to those assets follows. The Zero Trust architecture emphasizes full coverage of organizational assets across the entire digital estate, organized into six pillars: identity, endpoints, network, data, applications, and infrastructure. Following the reference architecture gives organizations a holistic view of their IT landscape and the risks associated with it.

Some questions for organizations to consider during the asset discovery and risk identification phase: