Overview – Apply Zero Trust principles to Azure networking
This series of articles helps you apply the principles of Zero Trust to your networking infrastructure in Microsoft Azure based on a multi-disciplinary approach. Zero Trust is a security strategy. It isn't a product or a service, but an approach to designing and implementing the following set of security principles:
Verify explicitly
Use least privileged access
Assume breach
Implementing the Zero Trust mindset to "assume breach, never trust, always verify" requires changes to cloud networking infrastructure, deployment strategy, and implementation.
The following articles show you how to apply a Zero Trust approach to networking for commonly deployed Azure infrastructure services:
This Zero Trust guidance describes how to use and configure several security solutions and features available on Azure for a reference architecture. Several other resources also provide security guidance for these solutions and features, including:
To describe how to apply a Zero Trust approach, this guidance targets a common pattern used in production by many organizations: a virtual-machine-based application hosted in a VNet (an IaaS application). This is a common pattern for organizations migrating on-premises applications to Azure, which is sometimes referred to as "lift-and-shift."
Threat Protection with Microsoft Defender for Cloud
For the Assume breach Zero Trust principle for Azure networking, Microsoft Defender for Cloud is an extended detection and response (XDR) solution that automatically collects, correlates, and analyzes signal, threat, and alert data from across your environment. Defender for Cloud is intended to be used together with Microsoft Defender XDR to provide a greater breadth of correlated protection of your environment, as shown in the following diagram.
In the diagram:
Defender for Cloud is enabled for a management group that includes multiple Azure subscriptions.
Microsoft Defender XDR is enabled for Microsoft 365 apps and data, SaaS apps that are integrated with Microsoft Entra ID, and on-premises Active Directory Domain Services (AD DS) servers.
For more information about configuring management groups and enabling Defender for Cloud, see:
Zero Trust is not a product or tool, but an essential security strategy that seeks to continuously verify every transaction, assert least privilege access, and assume that every transaction could be a possible attack. Through the modules in this learning path, you'll gain an understanding of Zero Trust and how it applies to identity, endpoints, applications, networks, infrastructure, and data.