Introducing the security model

Zero Trust is a security model based on the principle of “never trust, always verify”. This means that access to resources is granted based on strict identity verification and continuous monitoring. Zero Trust helps organizations move away from the traditional perimeter-based security model, which assumes that everything inside the network is safe. By implementing Zero Trust, organizations can reduce the risk of data breaches and unauthorized access, and detect and mitigate potential threats in real time. Organizations achieve a higher level of security by applying Zero Trust principles across their network infrastructure, applications, and data systems. Implementing Zero Trust requires a shift in mindset and a holistic approach to security. Organizations can leverage technologies such as multi-factor authentication, encryption, least privilege access, micro-segmentation, and continuous monitoring to enforce Zero Trust principles effectively.

The philosophy behind the Zero Trust security model

The basic assumption of this security model is that a breach has already happened: no one is trusted, inside or outside the network, until their identity and device have been verified. The main difference between Zero Trust and a VPN (Virtual Private Network) is that Zero Trust provides secure access on a per-resource basis, regardless of the user's location. Access to applications, resources, and data is not based on network location, and trust is never assumed by default. Users, irrespective of their location, must be verified and are granted only the minimum access they need.

The 3 Pillars of Verification

Zero Trust uses three pillars of verification: identity, context, and security posture. Let’s take a closer look:

1. Identity: The security model uses the formula Identification + Authentication + Authorization. Identification refers to the process of uniquely identifying individuals or entities within a system. In the context of Zero Trust, every entity that interacts with the network must first establish its identity. Authentication is the process of verifying the claimed identity of an entity. It ensures that the entity is who or what it claims to be before granting access to resources. Authorization determines what actions an authenticated entity is permitted to perform within the network or on specific resources. It defines the permissions and privileges granted to users, devices, or applications based on their verified identities.

2. Context: Context refers to how the user is trying to access the resource or application. By analyzing the context of the request and comparing it to established security policies, organizations can make more informed decisions about granting access to resources. This aspect of verification adds an extra layer of security by considering factors such as the location of the user, time of access, type of device used, and behavior patterns, adding depth to the authentication process.

3. Security Posture: The third pillar of verification focuses on the device the user is connecting from. Posture refers to the overall security readiness and compliance status of a device (e.g., laptop, smartphone, server) attempting to access network resources within an organization. It involves evaluating the device's configuration, software update level, adherence to security policies, and potential vulnerabilities.

Zero Trust does not stop at verification

The security model goes further than verification. The basic scheme is as follows: once access is granted, it is subject to continuous monitoring and validation. If any of the conditions that justified the grant change, access is re-evaluated and revoked as necessary.

1. Continuous Monitoring: Zero Trust requires ongoing monitoring of user activities, device behaviors, and network traffic patterns throughout an access session.

2. Validation of Changes: If any changes occur during an access session, such as a sudden change in user behavior, unusual data access patterns, or a device's security posture deteriorating, Zero Trust mandates that these changes are promptly reevaluated against established security policies.

3. Dynamic Adjustments: Based on the monitoring and validation outcomes, Zero Trust enables dynamic adjustments to access privileges. For instance, access may be temporarily restricted or revoked if suspicious activity or non-compliance with security policies is detected.
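As an added illustration (not eShare's code or any vendor's API), the following Python sketch ties the three pillars above to the three continuous-monitoring steps just listed. A single `evaluate` function checks identity, context and posture against a policy and reports every failed check; a `Session` re-runs that evaluation whenever an input changes and revokes access when the decision flips to deny. All class names, the sample policy and the sample user are constructed for this example.

```python
"""Toy Zero Trust policy decision point (constructed example, not eShare's code).

The three verification pillars from the text (identity, context, security
posture) are evaluated together in one decision; the "does not stop at
verification" part is modelled as a session that is re-evaluated on every
change and revoked when the decision flips.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Identity:
    user: str
    authenticated: bool      # credential check (authentication) passed
    mfa_verified: bool       # second factor presented
    roles: frozenset         # used for authorization


@dataclass(frozen=True)
class Context:
    country: str             # where the request comes from
    hour_utc: int            # time of access, 0-23
    device_managed: bool     # enrolled, managed device vs. unknown device


@dataclass(frozen=True)
class Posture:
    os_patched: bool
    disk_encrypted: bool
    edr_running: bool        # endpoint protection agent alive


@dataclass(frozen=True)
class Policy:
    resource: str
    allowed_roles: frozenset
    allowed_countries: frozenset
    allowed_hours_utc: range
    require_mfa: bool = True
    require_managed_device: bool = True


def evaluate(policy, ident, ctx, posture):
    """Return (allow, reasons). Every failed check is reported, not just the first."""
    reasons = []
    # Pillar 1: identity = identification + authentication + authorization
    if not ident.authenticated:
        reasons.append("identity: authentication failed")
    if policy.require_mfa and not ident.mfa_verified:
        reasons.append("identity: MFA required")
    if not (ident.roles & policy.allowed_roles):
        reasons.append(f"identity: no role authorized for {policy.resource}")
    # Pillar 2: context of the request (location, time, device type)
    if ctx.country not in policy.allowed_countries:
        reasons.append(f"context: country {ctx.country} not permitted")
    if ctx.hour_utc not in policy.allowed_hours_utc:
        reasons.append(f"context: access at {ctx.hour_utc:02d}:00 UTC outside window")
    if policy.require_managed_device and not ctx.device_managed:
        reasons.append("context: unmanaged device")
    # Pillar 3: security posture of the connecting device
    if not posture.os_patched:
        reasons.append("posture: OS not patched")
    if not posture.disk_encrypted:
        reasons.append("posture: disk not encrypted")
    if not posture.edr_running:
        reasons.append("posture: endpoint protection not running")
    return (not reasons, reasons)


class Session:
    """An access session that is re-validated on every change and revoked on deny."""

    def __init__(self, policy, ident, ctx, posture):
        self.policy, self.ident, self.ctx, self.posture = policy, ident, ctx, posture
        self.active, self.reasons = evaluate(policy, ident, ctx, posture)

    def reevaluate(self, *, ctx=None, posture=None):
        """Feed in a changed context or posture; revoke access if the decision flips."""
        if ctx is not None:
            self.ctx = ctx
        if posture is not None:
            self.posture = posture
        allow, self.reasons = evaluate(self.policy, self.ident, self.ctx, self.posture)
        if self.active and not allow:
            self.active = False          # dynamic adjustment: revoke mid-session
        return self.active


# Constructed sample policy, user, request context and device posture
FINANCE_POLICY = Policy("finance-share", frozenset({"finance"}),
                        frozenset({"US", "NL"}), range(6, 20))
ALICE = Identity("alice", authenticated=True, mfa_verified=True, roles=frozenset({"finance"}))
OFFICE = Context("NL", hour_utc=10, device_managed=True)
HEALTHY = Posture(os_patched=True, disk_encrypted=True, edr_running=True)


def demo():
    """Grant access, then revoke it when the device's EDR agent stops mid-session."""
    session = Session(FINANCE_POLICY, ALICE, OFFICE, HEALTHY)
    granted = session.active
    still_active = session.reevaluate(posture=replace(HEALTHY, edr_running=False))
    return granted, still_active, session.reasons


if __name__ == "__main__":
    print(demo())
```

Note that the decision collects all failing checks rather than stopping at the first one; a real Trust Broker needs that full list both to explain a denial to the user and to feed monitoring, since a session that fails on posture alone is handled differently from one that also arrives from an unexpected location.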

Trust Broker: the core piece of technology that enables Zero Trust Principles

Zero Trust Network Access (ZTNA) leverages a Trust Broker to provide secure, application-specific access, ensuring that users are continuously authenticated and authorized, regardless of their location. The Trust Broker is responsible for managing the three pillars of verification above: identification, context, and security posture. It verifies the user's identity, evaluates contextual factors such as device health and location, and assesses the device's security posture before establishing a connection with the specific application.

Depending on where the applications are hosted, the Trust Broker can vary. If applications are accessed through a Secure Access Service Edge (SASE) architecture, the Trust Broker typically resides within the cloud provider's infrastructure. Here, the cloud provider acts as the Trust Broker, overseeing access control and security enforcement. On the other hand, if applications are hosted on-premises, whether in a data center or headquarters location, the Trust Broker may take the form of a traditional network security device like a firewall. In this scenario, the firewall acts as the intermediary ensuring that Zero Trust principles are applied to control access and monitor security posture.

Regardless of its form, the Trust Broker continuously monitors and validates the three pillars of Zero Trust (identification, context, and security posture) throughout the access session. This ongoing monitoring ensures that access remains secure and compliant, promptly responding to any changes or anomalies that may arise.

eShare's Approach

eShare offers a transformative solution for access to unstructured data, tailored for the modern workplace. Our platform not only aligns with the principles of Zero Trust but also enhances them, providing a seamless experience, especially for users familiar with the M365 working environment. Fundamentally, Zero Trust is an access control model: you need to decide who to give access to, based on policies you set in advance, and then have the mechanism to enforce those policies in real time. As a result, we provide IT administrators with a holistic solution:

With eShare, organizations gain the ability to maintain file continuity, eliminate data redundancy, and facilitate secure collaboration. By integrating with a policy-driven authorization solution, organizations can deploy fine-grained attribute-based access control (ABAC) policies. The shift towards ABAC and an external authorization architecture empowers organizations with comprehensive controls. These controls provide real-time policy enforcement without being anchored to the application’s update cycle.

eShare's solution supports multiple identity providers, allowing for a Bring Your Own Identity (BYOI) approach. This capability automates authentication and attestation, reducing the admin burden and supporting various authentication methods like OTP, SAML, OpenID, and existing authentication mechanisms. By respecting existing control decisions and continuously verifying the user's identity, context, and security posture, eShare ensures that external recipients are granted access within seconds, provided all conditions are met.

Additionally, eShare integrates with Microsoft Purview Sensitivity Labels and DLP (Data Loss Prevention). Our sharing policies and underlying controls are applied based on site, channel and file sensitivity labels, with optional sharer and recipient label overrides with provided business justifications. Given file and folder contents can change after they are shared, labels are evaluated both at the time of sharing and at the time of access. And for those organizations who have not yet rolled out labels, especially at the file level, we integrate with Purview DLP so that a pseudo-label can be applied to files based on detected Sensitive Information Types (SITs). With eShare, your file sharing is always compliant with your data protection policies.

In conclusion, eShare offers solutions for managing and governing the sharing of data within M365 workspaces. Whether it’s SharePoint, Teams or OneDrive, eShare’s solutions provide the tools and insights needed to keep your sensitive information safe and your organization compliant.

Aiming to offer a complete solution, we don’t stop there. eShare also offers solutions that revolutionize how organizations share sensitive data externally. For us it’s all about secure data and file sharing, and collaboration, whether it’s inside or outside your organization.

Lastly, we understand the frustration of not being able to maximize the value of your M365 investment. Our mission is to guide you through this maze, ensuring you unlock the full potential of M365 while keeping your data secure and compliant. We have a dedicated team of Microsoft experts at the ready.

By embracing the Zero Trust model, leveraging existing security tools, and partnering with experts like eShare, organizations can navigate the digital workplace with confidence, ensuring that data remains secure, collaboration is seamless, and productivity reaches new heights.

Ready to transform the way you collaborate?

Discover our solutions and let them guide you to a future where your data is secure, compliant, and empowering your organization's growth. Our team includes security experts and the innovators behind Digital Guardian, ensuring unparalleled expertise.

Take the first step and contact us!

Mike Parrella
