RaMP Checklist — Explicitly validate trust for all access requests

This Rapid Modernization Plan (RaMP) checklist helps you establish a security perimeter for cloud applications and mobile devices that uses identity as the control plane and explicitly validates trust for user accounts and devices before allowing access, for both public and private networks.

To be productive, your employees (users) must be able to use:

  • Their account credentials to verify their identity.
  • Their endpoint (device), such as a PC, tablet, or phone.
  • The applications you have provided them to do their jobs.
  • A network over which traffic flows between devices and applications, whether they're on premises or in the cloud.

Each one of these elements are the targets of attackers and must be protected with the "never trust, always verify" central principle of Zero Trust.

This checklist includes using Zero Trust to explicitly validate trust for all access requests for:

After completing this work, you'll have built out this part of the Zero Trust architecture.

A diagram highlighting the identities, endpoints, apps, and network sections of the Zero Trust architecture.

Identities

Verify and secure each identity with strong authentication across your entire digital estate with Microsoft Entra ID, a complete identity and access management solution with integrated security that connects hundreds of millions of people to their apps, devices, and data each month.

Program and project member accountabilities

This table describes the overall protection of your user accounts in terms of a sponsorship-program management-project management hierarchy to determine and drive results.

Lead Owner Accountability
CISO, CIO, or Director of Identity Security Executive sponsorship
Program lead from Identity Security or Identity Architect Drive results and cross-team collaboration
Security Architect Advise on configuration and standards
Identity Security or an Identity Architect Implement configuration changes
Identity Admin Update standards and policy documents
Security Governance or Identity Admin Monitor to ensure compliance
User Education Team Ensure guidance for users reflects policy updates

Deployment objectives

Meet these deployment objectives to protect your privileged identities with Zero Trust.

Done Deployment objective Owner Documentation
1. Deploy secured privileged access to protect administrative user accounts. IT implementer Securing privileged access for hybrid and cloud deployments in Microsoft Entra ID
2. Deploy Microsoft Entra Privileged Identity Management (PIM) for a time-bound, just-in-time approval process for the use of privileged user accounts. IT implementer Plan a Privileged Identity Management deployment

Meet these deployment objectives to protect your user identities with Zero Trust.

Done Deployment objective Owner Documentation
1. Enable self-service password reset (SSPR), which gives you credential reset capabilities IT implementer Plan a Microsoft Entra self-service password reset deployment
2. Enable multifactor authentication (MFA) and select appropriate methods for MFA IT implementer Plan a Microsoft Entra multifactor authentication deployment
3. Enable combined User Registration for your directory to allow users to register for SSPR and MFA in one step IT implementer Enable combined security information registration in Microsoft Entra ID
4. Configure a Conditional Access policy to require MFA registration. IT implementer How To: Configure the Microsoft Entra multifactor authentication registration policy
5. Enable user and sign-in risk-based policies to protect user access to resources. IT implementer How To: Configure and enable risk policies
6. Detect and block known weak passwords and their variants and block additional weak terms specific to your organization. IT implementer Eliminate bad passwords using Microsoft Entra Password Protection
7. Deploy Microsoft Defender for Identity and review and mitigate any open alerts (in parallel with your security operations). Security operations team Microsoft Defender for Identity
8. Deploy passwordless credentials. IT implementer Plan a passwordless authentication deployment in Microsoft Entra ID

You have now built out the Identities section of the Zero Trust architecture.

A diagram highlighting the Identities section of the Zero Trust architecture.

Endpoints

Ensure compliance and health status before granting access to your endpoints (devices) and gain visibility into how they're accessing the network.

Program and project member accountabilities

This table describes the overall protection of your endpoints in terms of a sponsorship/program management/project management hierarchy to determine and drive results.

Lead Owner Accountability
CISO, CIO, or Director of Identity Security Executive sponsorship
Program lead from Identity Security or an Identity Architect Drive results and cross-team collaboration
Security Architect Advise on configuration and standards
Identity Security or an Infrastructure Security Architect Implement configuration changes
Mobile device management (MDM) Admin Update standards and policy documents
Security Governance or MDM Admin Monitor to ensure compliance
User Education Team Ensure guidance for users reflects policy updates

Deployment objectives

Meet these deployment objectives to protect your endpoints (devices) with Zero Trust.

Done Deployment objective Owner Documentation
1. Register devices with Microsoft Entra ID. MDM Admin Device identities
2. Enroll devices and create configuration profiles. MDM Admin Device management overview
3. Connect Defender for Endpoint to Intune (in parallel with your security operations). Identity Security Admin Configure Microsoft Defender for Endpoint in Intune
4. Monitor device compliance and risk for Conditional Access. Identity Security Admin Use compliance policies to set rules for devices you manage with Intune
5. Implement a Microsoft Purview information protection solution and integrate with Conditional Access policies. Identity Security Admin Use sensitivity labels to protect content

You have now built out the Endpoints section of the Zero Trust architecture.

A diagram highlighting the Endpoints section of the Zero Trust architecture.

Apps

Because apps are used by malicious users to infiltrate your organization, you need to ensure that your apps are using services, such as Microsoft Entra ID and Intune, that provide Zero Trust protection or are hardened against attack.

Program and project member accountabilities

This table describes a Zero Trust implementation for apps in terms of a sponsorship/program management/project management hierarchy to determine and drive results.

Lead Owner Accountability
CISO, CIO, or Director of Application Security Executive sponsorship
Program lead from Apps Management Drive results and cross-team collaboration
Identity Architect Advise on Microsoft Entra configuration for apps
Update authentication standards for on-premises apps
Developer Architect Advise on configuration and standards for in-house on-premises and cloud apps
Network Architect Implement VPN configuration changes
Cloud Network Architect Deploy Microsoft Entra application proxy
Security Governance Monitor to ensure compliance

Deployment objectives

Meet these deployment objectives to ensure Zero Trust protection for your Microsoft cloud apps, third-party SaaS apps, custom PaaS apps, and on-premises apps.

Done Type of app or app usage Deployment objectives Owner Documentation
Third-party SaaS apps and custom PaaS apps that are registered with Microsoft Entra ID Microsoft Entra app registration uses Microsoft Entra authentication, certification, and app consent policies.

Use Microsoft Entra Conditional Access policies and Intune MAM and Application Protection Policies (APP) policies to allow app usage.
Identity Architect Application management in Microsoft Entra ID
Cloud apps that are OAuth-enabled and registered in Microsoft Entra ID, Google, and Salesforce Use app governance in Microsoft Defender for Cloud Apps for app behavior visibility, governance with policy enforcement, and detection and remediation of app-based attacks. Security Engineer Overview
Third-party SaaS apps and custom PaaS apps that are NOT registered with Microsoft Entra ID Register them with Microsoft Entra ID for authentication, certification, and app consent policies.

Use Microsoft Entra Conditional Access policies and Intune MAM and APP policies.
Apps Architect Integrating all your apps with Microsoft Entra ID
On-premises users accessing on-premises applications, which include applications running on both on-premises and IaaS-based servers Ensure that your apps support modern authentication protocols such as OAuth/OIDC and SAML. Contact your application vendor for updates to protect user sign-in. Identity Architect See your vendor documentation
Remote users accessing on-premises applications through a VPN connection Configure your VPN appliance so that it uses Microsoft Entra ID as its identity provider Network Architect See your vendor documentation
Remote users accessing on-premises web applications through a VPN connection Publish the applications through Microsoft Entra application proxy. Remote users only need to access the individual published application, which is routed to the on-premises web server through an application proxy connector.

Connections take advantage of strong Microsoft Entra authentication and limits users and their devices to accessing a single application at a time. In contrast, the scope of a typical remote access VPN is all locations, protocols, and ports of the entire on-premises network.
Cloud Network Architect Remote access to on-premises applications through Microsoft Entra application proxy

After completing these deployment objectives, you'll have built out the Apps section of the Zero Trust architecture.

A diagram highlighting the Apps section of the Zero Trust architecture.

Network

The Zero Trust model assumes breach and verifies each request as though it originated from an uncontrolled network. Although this is a common practice for public networks, it also applies to your organization’s internal networks that are typically firewalled from the public Internet.

To adhere to Zero Trust, your organization must address security vulnerabilities on both public and private networks, whether on-premises or in the cloud, and ensure that you verify explicitly, use least privilege access, and assume breach. Devices, users, and apps aren't to be inherently trusted because they're on your private networks.

Program and project member accountabilities

This table describes a Zero Trust implementation for public and private networks in terms of a sponsorship/program management/project management hierarchy to determine and drive results.

Lead Owner Accountability
CISO, CIO, or Director of Network Security Executive sponsorship
Program lead from Networking Leadership Drive results and cross-team collaboration
Security Architect Advise on encryption and access policy configuration and standards
Network Architect Advise on traffic filtering and network architecture changes
Network Engineers Design segmentation configuration changes
Network Implementers Change networking equipment configuration and update configuration documents
Networking Governance Monitor to ensure compliance

Deployment objectives

Meet these deployment objectives to ensure Zero Trust protection for your public and private networks, for both on-premises and cloud-based traffic. These objectives can be done in parallel.

Done Deployment objective Owner Documentation
Require encryption for all traffic connections, including between IaaS components and between on-premises users and apps. Security Architect Azure IaaS components

IPsec for on-premises Windows devices
Limit access to critical data and applications by policy (user or device identity) or traffic filtering. Security Architect or Network Architect Access policies for Defender for Cloud Apps Conditional Access App Control

Windows Firewall for Windows devices
Deploy on-premises network segmentation with ingress and egress traffic controls with micro-perimeters and micro-segmentation. Network Architect or Network Engineer See your on-premises network and edge devices documentation.
Use real-time threat detection for on-premises traffic. SecOps Analysts Windows threat protection

Microsoft Defender for Endpoint
Deploy cloud network segmentation with ingress and egress traffic controls with micro-perimeters and micro-segmentation. Network Architect or Network Engineer Recommendations for networking and connectivity
Use real-time threat detection for cloud traffic. Network Architect or Network Engineer Azure Firewall threat intelligence-based filtering

Azure Firewall Premium network intrusion detection and prevention system (IDPS)

After completing these deployment objectives, you'll have built out the Network section of the Zero Trust architecture.

A diagram highlighting the Network section of the Zero Trust architecture.

Next step

Continue the user access and productivity initiative with Data, Compliance, and Governance.