Automating cybersecurity guardrails with new Zero Trust blueprint and Azure integrations

Publicado el 11 mayo, 2020

General Manager, Azure Global

In our day-to-day work, we focus on helping customers advance the security of their digital estate using the native capabilities of Azure. In the process, we frequently find that using Azure to improve an organization’s cybersecurity posture can also help these customers achieve compliance more rapidly.

Today, many of our customers in regulated industries are adopting a Zero Trust architecture, moving to a security model that more effectively adapts to the complexity of the modern environment, embraces the mobile workforce, and protects people, devices, applications, and data wherever they’re located.

Regardless of where the request originates or what resource it accesses, Zero Trust teaches us to “never trust, always verify.” In a Zero Trust model, every access request is strongly authenticated, authorized within policy constraints, and inspected for anomalies before granting access. This approach can aid the process of achieving compliance for industries that use NIST-based controls including financial services, defense industrial base, and government.

A Zero Trust approach should extend throughout the entire digital estate and serve as an integrated security philosophy and end-to-end strategy, across three primary principles: (1) verify explicitly, (2) enforce least privilege access, and (3) assume breach.

Use the Azure blueprint for faster configuration of Zero Trust

The Azure blueprint for Zero Trust enables application developers and security administrators to more easily create hardened environments for their application workloads. Essentially, the blueprint will help you implement Zero Trust controls across six foundational elements: identities, devices, applications, data, infrastructure, and networks.

Using the Azure Blueprints service, the Zero Trust blueprint will first configure your VNET to deny all network traffic by default, enabling you to extend it and/or set rules for selective traffic based on your business needs. In addition, the blueprint will enforce and maintain Azure resource behaviors and configuration in compliance with specific NIST SP 800-53 security control requirements using Azure Policy.

The blueprint includes Azure Resource Manager templates to deploy and configure Azure resources such as Virtual Network, Network Security Groups, Azure Key Vault, Azure Monitor, Azure Security Center, and more. If you’re working with applications that need to comply with FedRAMP High or DoD Impact Level 4 requirements or just want to improve the security posture of your cloud deployment, the blueprint for Zero Trust is designed to help you get there faster.

The Azure blueprint for Zero Trust is currently in preview with limited support. To learn more and find instructions to deploy into Azure, see Azure blueprint for Zero Trust. For more information, questions, and feedback, please contact us at Zero Trust blueprint feedback.

In addition to this new blueprint, we’re announcing two new integrations with Azure to bring faster authorization and increased flexibility to the public sector and regulated industries:

Accelerate risk management for Azure deployments with Xacta

Increasing the speed with which cloud-based initiatives achieve authorization is a critical part of modernization. Often this process is highly manual and lacks the ability to provide a clear picture for continuous monitoring

Xacta now integrates with Azure Policy and Azure Blueprints, enabling customers to centrally manage compliance policies, track their compliance status, and more easily enforce policies to ensure ongoing compliance. For example, Xacta streamlines and automates many labor-intensive tasks associated with key security frameworks such as the NIST Risk Management Framework (RMF), NIST Cybersecurity Framework (CSF), FedRAMP, and ISO 27001.

Through this new integration, Azure Policy automatically generates a significant portion of the required accreditation package directly into Xacta, instantiating a risk management framework and reducing the manual effort required of risk professionals, freeing up their time to focus on critical risk decisions.

Enable continuous monitoring of containers using Anchore

Customers using containers to achieve greater flexibility within regulated environments commonly encounter security and governance challenges. To address those challenges, Anchore recently announced their support for Windows containers, delivering more choice for public sector agencies and enterprises developing container-based applications and implementing broad DevSecOps initiatives. Anchore Enterprise 2.3 performs deep image inspection of Windows container images, helping teams establish policy-based approaches to container compliance without compromising velocity.

Whether you’re using containers today or evaluating services, such as Azure Kubernetes Service, you can count on us to continue to provide world-class cybersecurity technology, controls, and best practices to help you accelerate both security and compliance.

Learn more

To learn more about how to implement Zero Trust architecture on Azure, read the six-part blog series on the Azure Government Dev blog. You may also want to bookmark the Security blog to keep up with our coverage on security matters and follow us at @MSFTSecurity for the latest news and updates on cybersecurity.