Zero Trust
A new security architecture called Zero Trust verifies every request as if it came from an unmanaged network and presumes a breach. This post will teach you the fundamentals of Zero Trust and provide you with tools to put it into practice.
You must set up logical isolation with dedicated resource groups, use role-based access control (RBAC), secure virtual machine boot components, enable customer-managed keys and double encryption, manage installed apps, configure secure access and maintenance of virtual machines, and enable advanced threat detection and protection to apply Zero Trust principles to Azure virtual machines.
Three security-related Zero-Trust principles are as follows.
- Verify explicitly: Based on all the information at disposal, such as the user's identity, location, device, classification of health data, and abnormalities, authenticate and grant access.
- Use least privilege access: Reduce user access to risk-based adaptive controls, data protection, and just-in-time services that safeguard information and efficiency. Additionally, it provides the user with as limited access to resources as feasible so they can complete their task as quickly as possible.
- Assume breach: divide access based on network user devices and application awareness to reduce the extent of harm and stop lateral movement. Additionally, confirm that the entire session is encrypted.
Step 1. Set up logical isolation for virtual machines.
![Virtual machines]()
Step 2. Deploy role-based access control (RBAC).
You can leverage device status, data classification, anomalies, location, and identity with the Managed Identity and Conditional Access Policy to impose multifactor authentication and selectively grant access based on verified trust.
Go to the virtual machine's management blade and activate System Assigned Managed Identity, as demonstrated here, to expand your control beyond the system and enable safe access for your Microsoft Entra ID tenant using Microsoft Intelligent Security Graph.
![Management blade]()
Step 3. Secure components used in virtual machine boot-up.
Make sure that the boot components' security is configured when you construct the virtual machine. You can use vTPM and Secure Boot in addition to choosing a security type with enhanced virtual machine deployment.
Make sure the tasks are reliable and verifiable. By monitoring your virtual machine's complete boot chain, which includes the UEFI, OS, system, and drivers, the vTPM makes attestation possible.
![Boot components]()
Step 4. Double encryption and customer-managed keys are enabled.
![Double encryption]()
For the virtual machine settings, you choose the encryption type on the disk blade. As seen below, choose Double encryption with platform-managed and customer-managed keys under Encryption type.
Step 5. Manage the virtual machines' installed programs.
The function called Virtual Machine Applications allows you to manage the installed applications on virtual machines. You can choose which applications to install on your virtual computer with this feature.
This functionality streamlines virtual machine application management by utilizing the Azure Compute Gallery. You may make sure that users can access only trusted applications by combining RBAC with it.
![Azure Compute Gallery]()
Step 6. Set up secure access.
To set up safe entry
- Set up safe communication between components in the Azure environment that have direct access to virtual machines.
- Configure conditional access together with multifactor authentication.
- Utilize workstations with privileged access (PAWs)
Step 7. Configure virtual machine security maintenance.
Safe virtual machine maintenance consists of the following.
- Anti-malware software
- virtual machine update automation
Step 8. Activate powerful defense and threat identification
Microsoft Defender for Cloud offers threat prevention for Azure infrastructure. When you configure Microsoft Defender for Servers, virtual machines are also covered by this protection.
Summary
This article describes how to apply Azure virtual machines to the Zero Trust principles. Server-side encryption with customer-managed keys for managed disks will be covered in the upcoming post.