RaMP Checklist — Explicitly validate trust for all access requests
Article
This Rapid Modernization Plan (RaMP) checklist helps you establish a security perimeter for cloud applications and mobile devices that uses identity as the control plane and explicitly validates trust for user accounts and devices before allowing access, for both public and private networks.
To be productive, your employees (users) must be able to use:
Their account credentials to verify their identity.
Their endpoint (device), such as a PC, tablet, or phone.
The applications you have provided them to do their jobs.
A network over which traffic flows between devices and applications, whether they're on premises or in the cloud.
Each one of these elements are the targets of attackers and must be protected with the "never trust, always verify" central principle of Zero Trust.
This checklist includes using Zero Trust to explicitly validate trust for all access requests for:
After completing this work, you'll have built out this part of the Zero Trust architecture.
Identities
Verify and secure each identity with strong authentication across your entire digital estate with Microsoft Entra ID, a complete identity and access management solution with integrated security that connects hundreds of millions of people to their apps, devices, and data each month.
Program and project member accountabilities
This table describes the overall protection of your user accounts in terms of a sponsorship-program management-project management hierarchy to determine and drive results.
Lead
Owner
Accountability
CISO, CIO, or Director of Identity Security
Executive sponsorship
Program lead from Identity Security or Identity Architect
Drive results and cross-team collaboration
Security Architect
Advise on configuration and standards
Identity Security or an Identity Architect
Implement configuration changes
Identity Admin
Update standards and policy documents
Security Governance or Identity Admin
Monitor to ensure compliance
User Education Team
Ensure guidance for users reflects policy updates
Deployment objectives
Meet these deployment objectives to protect your privileged identities with Zero Trust.
Done
Deployment objective
Owner
Documentation
1. Deploy secured privileged access to protect administrative user accounts.
2. Deploy Microsoft Entra Privileged Identity Management (PIM) for a time-bound, just-in-time approval process for the use of privileged user accounts.
You have now built out the Identities section of the Zero Trust architecture.
Endpoints
Ensure compliance and health status before granting access to your endpoints (devices) and gain visibility into how they're accessing the network.
Program and project member accountabilities
This table describes the overall protection of your endpoints in terms of a sponsorship/program management/project management hierarchy to determine and drive results.
Lead
Owner
Accountability
CISO, CIO, or Director of Identity Security
Executive sponsorship
Program lead from Identity Security or an Identity Architect
Drive results and cross-team collaboration
Security Architect
Advise on configuration and standards
Identity Security or an Infrastructure Security Architect
Implement configuration changes
Mobile device management (MDM) Admin
Update standards and policy documents
Security Governance or MDM Admin
Monitor to ensure compliance
User Education Team
Ensure guidance for users reflects policy updates
Deployment objectives
Meet these deployment objectives to protect your endpoints (devices) with Zero Trust.
You have now built out the Endpoints section of the Zero Trust architecture.
Apps
Because apps are used by malicious users to infiltrate your organization, you need to ensure that your apps are using services, such as Microsoft Entra ID and Intune, that provide Zero Trust protection or are hardened against attack.
Program and project member accountabilities
This table describes a Zero Trust implementation for apps in terms of a sponsorship/program management/project management hierarchy to determine and drive results.
Lead
Owner
Accountability
CISO, CIO, or Director of Application Security
Executive sponsorship
Program lead from Apps Management
Drive results and cross-team collaboration
Identity Architect
Advise on Microsoft Entra configuration for apps Update authentication standards for on-premises apps
Developer Architect
Advise on configuration and standards for in-house on-premises and cloud apps
Network Architect
Implement VPN configuration changes
Cloud Network Architect
Deploy Microsoft Entra application proxy
Security Governance
Monitor to ensure compliance
Deployment objectives
Meet these deployment objectives to ensure Zero Trust protection for your Microsoft cloud apps, third-party SaaS apps, custom PaaS apps, and on-premises apps.
Done
Type of app or app usage
Deployment objectives
Owner
Documentation
Third-party SaaS apps and custom PaaS apps that are registered with Microsoft Entra ID
Microsoft Entra app registration uses Microsoft Entra authentication, certification, and app consent policies.
Use Microsoft Entra Conditional Access policies and Intune MAM and Application Protection Policies (APP) policies to allow app usage.
Cloud apps that are OAuth-enabled and registered in Microsoft Entra ID, Google, and Salesforce
Use app governance in Microsoft Defender for Cloud Apps for app behavior visibility, governance with policy enforcement, and detection and remediation of app-based attacks.
On-premises users accessing on-premises applications, which include applications running on both on-premises and IaaS-based servers
Ensure that your apps support modern authentication protocols such as OAuth/OIDC and SAML. Contact your application vendor for updates to protect user sign-in.
Identity Architect
See your vendor documentation
Remote users accessing on-premises applications through a VPN connection
Configure your VPN appliance so that it uses Microsoft Entra ID as its identity provider
Network Architect
See your vendor documentation
Remote users accessing on-premises web applications through a VPN connection
Publish the applications through Microsoft Entra application proxy. Remote users only need to access the individual published application, which is routed to the on-premises web server through an application proxy connector.
Connections take advantage of strong Microsoft Entra authentication and limits users and their devices to accessing a single application at a time. In contrast, the scope of a typical remote access VPN is all locations, protocols, and ports of the entire on-premises network.
After completing these deployment objectives, you'll have built out the Apps section of the Zero Trust architecture.
Network
The Zero Trust model assumes breach and verifies each request as though it originated from an uncontrolled network. Although this is a common practice for public networks, it also applies to your organization’s internal networks that are typically firewalled from the public Internet.
To adhere to Zero Trust, your organization must address security vulnerabilities on both public and private networks, whether on-premises or in the cloud, and ensure that you verify explicitly, use least privilege access, and assume breach. Devices, users, and apps aren't to be inherently trusted because they're on your private networks.
Program and project member accountabilities
This table describes a Zero Trust implementation for public and private networks in terms of a sponsorship/program management/project management hierarchy to determine and drive results.
Lead
Owner
Accountability
CISO, CIO, or Director of Network Security
Executive sponsorship
Program lead from Networking Leadership
Drive results and cross-team collaboration
Security Architect
Advise on encryption and access policy configuration and standards
Network Architect
Advise on traffic filtering and network architecture changes
Network Engineers
Design segmentation configuration changes
Network Implementers
Change networking equipment configuration and update configuration documents
Networking Governance
Monitor to ensure compliance
Deployment objectives
Meet these deployment objectives to ensure Zero Trust protection for your public and private networks, for both on-premises and cloud-based traffic. These objectives can be done in parallel.
Done
Deployment objective
Owner
Documentation
Require encryption for all traffic connections, including between IaaS components and between on-premises users and apps.
Zero Trust is not a product or tool, but an essential security strategy that seeks to continuously verify every transaction, asserts least privilege access, and assumes that every transaction could be a possible attack. Through the modules in this learning path, you'll gain an understanding of Zero Trust and how it applies to identity, endpoints, applications, networks, infrastructure, and data.
Since Zero Trust doesn't assume that requests are trustworthy, establishing a means to attest to the trustworthiness of the request is critical to proving its point-in-time trustworthiness. This attestation requires the ability to gain visibility into the activities on and around the request.
