Zero Trust: A new security architecture called Zero Trust verifies every request as if it came from an unmanaged network and presumes a breach. This post will teach you the fundamentals of Zero Trust and provide you with tools to put it into practice.
To apply Zero Trust principles to Azure virtual machines, you must set up logical isolation with dedicated resource groups, use role-based access control (RBAC), secure virtual machine boot components, enable customer-managed keys and double encryption, manage installed applications, configure secure access and maintenance of virtual machines, and enable advanced threat detection and protection.
The three Zero Trust principles are as follows:
- Verify explicitly: Always authenticate and authorize based on all available data points, such as the user's identity, location, device health, data classification, and anomalies.
- Use least privilege access: Limit user access with just-in-time and just-enough access, risk-based adaptive controls, and data protection, which safeguard both information and productivity. Users receive only as much access to resources as they need to complete their task.
- Assume breach: Segment access by network, user, device, and application awareness to minimize the blast radius and prevent lateral movement. Additionally, verify that the entire session is encrypted.
Step 1: Set up logical isolation for virtual machines.
Step 2: Deploy role-based access control (RBAC).
You can leverage device status, data classification, anomalies, location, and identity with Managed Identity and Conditional Access policies to enforce multifactor authentication and grant access selectively based on verified trust.
Go to the virtual machine's management blade and enable System Assigned Managed Identity, as demonstrated here, to extend your control beyond the system and enable secure access for your Microsoft Entra ID tenant using the Microsoft Intelligent Security Graph.
Step 3: Secure the components used in virtual machine boot-up
Make sure that security for the boot components is configured when you create the virtual machine. Choose a security type that provides enhanced virtual machine deployment, and enable Secure Boot and vTPM with it.
Make sure the boot chain is trusted and verifiable. By measuring your virtual machine's complete boot chain, which includes the UEFI firmware, OS, system components, and drivers, the vTPM makes attestation possible.
Step 4: Enable double encryption and customer-managed keys
In the virtual machine settings, you choose the encryption type on the Disks blade. As seen below, choose Double encryption with platform-managed and customer-managed keys under Encryption type.
Step 5: Manage the applications installed on virtual machines
The feature called Virtual Machine Applications allows you to manage the applications installed on virtual machines. With it, you choose which applications to install on your virtual machine.
This functionality streamlines virtual machine application management by utilizing the Azure Compute Gallery. By combining it with RBAC, you can ensure that users can access only trusted applications.
Step 6: Set up secure access.
To set up secure access:
- Set up secure communication between components in the Azure environment that have direct access to virtual machines.
- Configure Conditional Access together with multifactor authentication.
- Use privileged access workstations (PAWs).
Step 7: Configure virtual machine security maintenance
Secure virtual machine maintenance consists of the following:
- Anti-malware software
- Virtual machine update automation
Step 8: Enable advanced threat detection and protection
Microsoft Defender for Cloud offers threat protection for Azure infrastructure. When you configure Microsoft Defender for Servers, virtual machines are also covered by this protection.
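The portal steps above (1, 2, 3, 4 and 8), consolidated into an Azure CLI script as an added example that is not code from the original post; it assumes the az CLI is installed and logged in, and the resource names, region and image it uses are constructed placeholders.

```shell
# Added example (not from the original post): steps 1, 2, 3, 4 and 8 above
# as Azure CLI calls. Resource names (zt-rg, zt-kv, zt-des, zt-vm, zt-key)
# and the region are constructed placeholders; Key Vault names must be
# globally unique. Set AZ=echo to dry-run the commands without an Azure login.
RG="${RG:-zt-rg}"; LOC="${LOC:-eastus}"
KV="${KV:-zt-kv-example}"; DES="${DES:-zt-des}"; VM="${VM:-zt-vm}"
azc() { ${AZ:-az} "$@"; }   # az wrapper; AZ is read at call time for dry runs

# Step 1: a dedicated resource group is the isolation and RBAC scope boundary.
create_isolation() { azc group create --name "$RG" --location "$LOC"; }

# Step 4: customer-managed key in Key Vault (purge protection is required
# by disk encryption sets) and a DES configured for double encryption.
create_double_encryption() {
  azc keyvault create --name "$KV" --resource-group "$RG" --location "$LOC" \
    --enable-purge-protection true
  azc keyvault key create --vault-name "$KV" --name zt-key --protection software
  key_url=$(azc keyvault key show --vault-name "$KV" --name zt-key \
    --query key.kid -o tsv)
  azc disk-encryption-set create --name "$DES" --resource-group "$RG" \
    --location "$LOC" --source-vault "$KV" --key-url "$key_url" \
    --encryption-type EncryptionAtRestWithPlatformAndCustomerKeys
  # The DES identity needs wrap/unwrap on the key, and nothing more.
  des_id=$(azc disk-encryption-set show --name "$DES" --resource-group "$RG" \
    --query identity.principalId -o tsv)
  azc keyvault set-policy --name "$KV" --object-id "$des_id" \
    --key-permissions get wrapkey unwrapkey
}
# Steps 2 and 3: system-assigned managed identity, Secure Boot and vTPM
# (Trusted launch needs a Gen2 image), OS disk encrypted through the DES.
create_vm() {
  azc vm create --resource-group "$RG" --name "$VM" \
    --image Canonical:0001-com-ubuntu-server-jammy:22_04-lts-gen2:latest \
    --security-type TrustedLaunch --enable-secure-boot true --enable-vtpm true \
    --assign-identity '[system]' --os-disk-encryption-set "$DES" \
    --admin-username ztadmin --generate-ssh-keys
}
# Step 2: least privilege for the VM identity: Reader, scoped to its own group.
assign_least_privilege() {
  principal=$(azc vm identity show --resource-group "$RG" --name "$VM" \
    --query principalId -o tsv)
  scope=$(azc group show --name "$RG" --query id -o tsv)
  azc role assignment create --assignee-object-id "$principal" \
    --assignee-principal-type ServicePrincipal --role Reader --scope "$scope"
}
# Step 8: Defender for Servers covers the VM with threat detection.
enable_defender() { azc security pricing create --name VirtualMachines --tier standard; }
```

Run the functions after `az login` in the order create_isolation, create_double_encryption, create_vm, assign_least_privilege, enable_defender. Conditional Access for step 2 is configured in Microsoft Entra ID rather than through these commands.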