Intune Stuff | The Community place for Microsoft Intune, Intune Suite, Autopilot, macOS Management, Copilot for Security.

Microsoft Zero Trust Workshop – The Assessment tool, an ideal tool to jumpstart your journey.

by | Dec 3, 2024 | Ignite, Microsoft, Microsoft Defender, Most Popular, Security, Top Stories | 0 comments

Hi Community,

When attending Microsoft Ignite this year I had the privilege to proctor a lab regarding this workshop. Microsoft has provided us with the necessary tools that you can use to help your company or customers out with your road to Zero Trust.

In this blog I will try to quickly show you what’s in store.

All of this has been developed by Merill Fernando (Principal Product Manager with Microsoft) and his team. So a big thank you for all the hard work!

What is Zero Trust

Tackling modern security can be tough, but a Zero Trust strategy makes it easier. By adopting Zero Trust, your organization can boost its security, cut down on risks and complexity, and improve compliance and governance.

Zero Trust is a security strategy. It is not a product or a service, but an approach to designing and implementing the following set of security principles. This assessment tool will guide you through your journey.

This workshop will guide you through applying Zero Trust principles across the Microsoft Security landscape, including:

  • Verifying explicitly
  • Using least privilege access
  • Assuming compromise


Zero Trust is all about not assuming everything behind the corporate firewall is safe. Instead, it assumes a breach and verifies each request as if it came from an uncontrolled network. No matter where the request comes from or what resource it accesses, Zero Trust teaches us to “never trust, always verify.”

This approach is designed to handle the complexities of today’s environment, which includes a mobile workforce and the need to protect user accounts, devices, applications, and data wherever they are.

A Zero Trust strategy should cover the entire digital estate and act as an integrated security philosophy and end-to-end strategy. Different organizational needs, existing tech setups, and security stages all play a role in how a Zero Trust model is planned and executed. With our experience in helping customers secure their organizations and implementing our own Zero Trust model, Microsoft has developed guidance to assess your readiness and help you build a plan to achieve Zero Trust.

With Zero Trust, you shift from a trust-by-default mindset to a trust-by-exception one. It’s crucial to have an integrated capability to automatically manage those exceptions and alerts so you can easily find and detect threats, respond to them, and prevent or block unwanted events across your organization.

There is a good documentation set provided by Microsoft; check it out here:

I also attended a breakout session on Zero Trust at Ignite. This session showed 10 security controls that you can implement now, if you have not done this yet.

Zero Trust


The Workshop Delivery Guide

On the Zero Trust Workshop plan site you will find all the things you need to get you started.


The Zero Trust Workshop is all about helping you create a clear and actionable strategy for a secure Zero Trust posture. It has two main parts:

First, we assess your current environment with programmatic checks to spot any gaps and areas for improvement. Then, we help you identify the projects and initiatives you need to implement to advance your adoption of Zero Trust capabilities and transform your environment.

The ideal customer for this engagement:

  • Understands and aligns to the Microsoft Zero Trust security vision. The Zero Trust Fundamentals Assessment is a great prerequisite to drive this alignment prior to these pillar-focused workshops.
  • Has the intent and resources to invest in projects to deploy Microsoft Security products


The first step, of course, is to prepare. You need to identify the correct stakeholders and your deployment partners for each pillar. To get the most out of these workshops, it is recommended to have people on the call from your or the customer’s side who can cover the following areas:

  • Identity and Access Management (IAM)
  • Security (Governance/CERT/SOC)
  • Devices/Endpoint
  • App Dev
  • Networking


Three pillars are defined. The recommended stakeholders, from your side or the customer’s, who should attend each pillar workshop are as follows:

  • Identity
    • Identity and Access Management (IAM) team
    • Security Operations team
    • Devices/Endpoint team
    • Enterprise Application Developers
    • CISO (if possible)
    • IT Director (if possible)
  • Devices
    • MDM Admin (Architect, Ops)
    • Security (Architect, Ops)
    • Conditional Access Admin (Security, Identity, MDM)
    • Governance and Risk
    • CISO (if possible)
    • IT Director (if possible)
  • Data
    • Information Protection architects and officers
    • Compliance officers and administrators
    • Data Platform administrators focused on data security (Exchange, SharePoint, etc.)
    • CISO (if possible)
    • IT Director or Lead Architect (if possible)


Running the Zero Trust Assessment tool

The tool is a PowerShell module that you run from the command line. It requires PowerShell 7 or higher; it will not run on lower versions.

Run the following command:

Install-Module ZeroTrustAssessment
Invoke-ZTAssessment


For subsequent runs of the assessment, use Import-Module instead:

Import-Module ZeroTrustAssessment
Invoke-ZTAssessment

This app uses Microsoft Graph to read the tenant configuration and provides recommendations on improving the end-to-end security configuration.
When you run the cmdlet, you will be prompted to log in to your Entra ID tenant. It is recommended to use a non-guest account for logging in.

You can specify an option whether to collect telemetry on the usage of this cmdlet. The only telemetry that is collected is the Entra ID tenant id (GUID) that the cmdlet is being run against. No other personal or tenant information is collected.

The switch available is -EnableTelemetry and it defaults to $true. The two values for this switch are:

  • $true, which is the default value, indicates that the Entra ID tenant ID (GUID) will be collected
  • $false, indicates that the Entra ID tenant ID (GUID) will NOT be collected

An example of running the cmdlet with telemetry enabled is:

Invoke-ZTAssessment -EnableTelemetry $true
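The install, import and run steps above, collected into one script as an added example (this is not code from the ZeroTrustAssessment module or its author). The PowerShell 7 version gate, the install-or-import branch and the use of `-Scope CurrentUser` are my additions; the only module parameter used is the documented `-EnableTelemetry` switch, set here to `$false`.

```powershell
# Added example, not part of the ZeroTrustAssessment module: prerequisite check,
# install-or-import, then run the assessment with telemetry disabled.

# The tool requires PowerShell 7 or later; stop early on Windows PowerShell 5.1.
if ($PSVersionTable.PSVersion.Major -lt 7) {
    throw "PowerShell 7 or higher is required (running $($PSVersionTable.PSVersion))."
}

# Install on first use (per-user, no elevation needed), import on later runs.
if (-not (Get-Module -ListAvailable -Name ZeroTrustAssessment)) {
    Install-Module -Name ZeroTrustAssessment -Scope CurrentUser
}
Import-Module ZeroTrustAssessment

# Run the assessment; the interactive Entra ID sign-in prompt appears here.
# -EnableTelemetry $false suppresses the tenant-ID-only telemetry described above.
Invoke-ZTAssessment -EnableTelemetry $false
```

Running this from a PowerShell 7 session avoids the silent failures you would otherwise see on Windows PowerShell 5.1, and the `Get-Module -ListAvailable` check lets the same script serve both the first run and every subsequent run.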

Permissions

The app requires an Application Administrator to consent to the following read-only permissions.

  • Agreement.Read.All
  • CrossTenantInformation.ReadBasic.All
  • Directory.Read.All
  • Policy.Read.All
  • User.Read
  • DeviceManagementServiceConfig.Read.All
  • DeviceManagementConfiguration.Read.All
  • DeviceManagementRBAC.Read.All
  • DeviceManagementApps.Read.All
  • RoleAssignmentSchedule.Read.Directory
  • RoleEligibilitySchedule.Read.Directory
  • PrivilegedEligibilitySchedule.Read.AzureADGroup

The app does not store any tenant data and the session is revoked when the user signs out.
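A way to confirm that a delegated session carries only the read-only scopes listed above, as an added example that is not part of the ZeroTrustAssessment module. It assumes the Microsoft Graph PowerShell SDK (`Microsoft.Graph.Authentication`) is installed and signs in separately with `Connect-MgGraph`; the scope list is copied from the permissions above.

```powershell
# Added example, not part of the ZeroTrustAssessment module. Signs in to Microsoft
# Graph (SDK assumed installed) requesting exactly the read-only scopes the tool
# documents, then reports scopes that are missing, scopes the session carries
# beyond that list, and any scope that would permit writes.

$expectedScopes = @(
    'Agreement.Read.All'
    'CrossTenantInformation.ReadBasic.All'
    'Directory.Read.All'
    'Policy.Read.All'
    'User.Read'
    'DeviceManagementServiceConfig.Read.All'
    'DeviceManagementConfiguration.Read.All'
    'DeviceManagementRBAC.Read.All'
    'DeviceManagementApps.Read.All'
    'RoleAssignmentSchedule.Read.Directory'
    'RoleEligibilitySchedule.Read.Directory'
    'PrivilegedEligibilitySchedule.Read.AzureADGroup'
)

# Interactive sign-in with a delegated token limited to the expected scopes.
Connect-MgGraph -Scopes $expectedScopes

$context = Get-MgContext
if (-not $context) { throw 'Not signed in to Microsoft Graph.' }
$grantedScopes = @($context.Scopes)

# Compare what was granted against what the tool needs.
$report = [pscustomobject]@{
    Tenant       = $context.TenantId
    Account      = $context.Account
    Missing      = @($expectedScopes | Where-Object { $_ -notin $grantedScopes })
    Extra        = @($grantedScopes  | Where-Object { $_ -notin $expectedScopes })
    WriteCapable = @($grantedScopes  | Where-Object { $_ -match 'Write' })
}
$report | Format-List

# Release the token once the check is done, matching the tool's own behaviour
# of revoking the session on sign-out.
Disconnect-MgGraph
```

`Extra` will list scopes that were consented to the Graph SDK application earlier in the tenant as well as the OpenID scopes added automatically (`openid`, `profile`, `offline_access`); anything in `WriteCapable` is a sign that the account is carrying more than the assessment needs and is worth cleaning up before sharing the workbook with the workshop team.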

The Excel file generated by the assessment includes a template of the roadmap that will be used during the workshop, as well as the results of the assessment based on your tenant configuration at the time you run the tool. You can easily rerun the tool after each step you take to get an up-to-date assessment and track your progress.

The tool in action

Watch this video to see the tool in action

Now that the Excel file is generated, let’s take a deeper dive into this file. You will notice that I’m not that good at recording videos, so forgive my amateurism here 😉

I hope you also see the benefits of this Zero Trust Assessment tool for your company and your customers, and will use it to plan your strategy and begin your journey towards Zero Trust.

And as always if you feel there is something in error or you want to add some stuff from your own experience don’t hesitate to contact me!
