Zero Trust is a security strategy. It isn't a product or a service, but an approach to designing and implementing the following set of security principles.
| Principle | Description |
| --- | --- |
| Verify explicitly | Always authenticate and authorize based on all available data points. |
| Use least privilege access | Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection. |
| Assume breach | Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses. |
These principles are the core of Zero Trust. Instead of believing everything behind the corporate firewall is safe, the Zero Trust model assumes breach and verifies each request as though it originated from an uncontrolled network. Regardless of where the request originates or what resource it accesses, the Zero Trust model teaches us to "never trust, always verify."
Zero Trust is designed to adapt to the complexities of the modern environment that embraces the mobile workforce. Zero Trust protects user accounts, devices, applications, and data wherever they're located.
A Zero Trust approach should extend throughout the entire organization and serve as an integrated security philosophy and end-to-end strategy.
Different organizational requirements, existing technology implementations, and security stages all affect how a Zero Trust security model implementation is planned and executed. Our guidance helps you assess your readiness for Zero Trust and build a plan to get to Zero Trust. It is based on our experience helping customers secure their organizations and implementing our own Zero Trust model for ourselves.
With Zero Trust, you move away from a trust-by-default perspective to a trust-by-exception one. An integrated capability to automatically manage those exceptions and alerts is important. You can more easily detect threats, respond to threats, and prevent or block undesired events across your organization.
Zero Trust and the US Executive Order 14028 on Cybersecurity
US Executive Order 14028, Improving the Nation's Cybersecurity, directs federal agencies on advancing security measures that drastically reduce the risk of successful cyberattacks against the federal government's digital infrastructure. On January 26, 2022, the Office of Management and Budget (OMB) released the federal Zero Trust strategy in memorandum 22-09, in support of Executive Order 14028. Microsoft provides guidance to help organizations meet these requirements in "Meet identity requirements of memorandum 22-09 with Microsoft Entra ID."
Zero Trust and Microsoft Secure Future Initiative (SFI)
Microsoft's Secure Future Initiative (SFI), launched in November of 2023, is a multiyear commitment that advances the way Microsoft designs, builds, tests, and operates our Microsoft technology to ensure that our solutions meet the highest possible standards for security. Microsoft’s Secure Future Initiative is, in large part, a rigid implementation of Zero Trust for our unique environment to improve our security posture.
Use this module to learn about best practices that cybersecurity architects use and some key best practice frameworks for Microsoft cybersecurity capabilities. You also learn about the concept of Zero Trust, and how to get started with Zero Trust in your organization.
Zero Trust is not a product or tool, but an essential security strategy that seeks to continuously verify every transaction, asserts least privilege access, and assumes that every transaction could be a possible attack. Through the modules in this learning path, you'll gain an understanding of Zero Trust and how it applies to identity, endpoints, applications, networks, infrastructure, and data.