How do you secure a device according to Zero Trust principles? Part 1

Luc Frijters
27 Nov, 2023

Recently, we introduced you to Microsoft's Zero Trust Framework. With the mass adoption of cloud services and the shift of the IT landscape towards XaaS (Anything as a Service), the security focus is moving primarily to identities and devices. These devices are also called endpoints. Luc Frijters explains how an organization can secure and manage endpoints based on the principles of Zero Trust.

An endpoint is a (usually physical) device that connects to and exchanges information with a computer network. In the Microsoft Cloud, an endpoint is often thought of as the point from which a user accesses services in the Microsoft (Public) Cloud: for example, sending an email via Outlook on a laptop, sharing a file via the OneDrive app on an Android smartphone, participating in a Teams meeting from an iPad, or completing timekeeping in Dynamics 365 from a desktop. In short, laptops, desktops, tablets, smartphones and nowadays web browsers or full virtual (cloud) workstations such as Windows 365 can all be endpoints.

Microsoft's Zero Trust Framework is based on three principles:

  1. verify explicitly
  2. use least-privilege access (grant as few rights as possible)
  3. assume breach (assume an intrusion has already taken place)

In the Zero Trust approach to security, it is of secondary importance which types of devices are used and where they are located. Exactly the same security policy must be applied continuously on every device and in every location.

How do you secure an endpoint according to Zero Trust principles (with Microsoft technology)?

A number of cornerstones can be identified from the Microsoft Cloud:

  • Azure Active Directory (Azure AD): an identity and access management service in the (Microsoft) cloud.
  • Microsoft Intune: a mobile device/endpoint management solution in the cloud.
  • Conditional Access (integrated into Azure AD): a security mechanism that grants access to applications, services and data only when defined conditions are met.
  • Microsoft Defender for Endpoint (MDE): a (cloud) endpoint security platform that extends the antivirus software integrated into Windows, Microsoft Defender.
  • Windows Hello for Business (WHFB): the most secure authentication mechanism on a Windows 10 or 11 device. It replaces passwords with stronger two-factor authentication options, such as biometrics bound to the device.

Using these cornerstones from the Microsoft Cloud allows you to apply Zero Trust principles to endpoint security.

In an ideal, modern scenario, endpoints are joined to or registered in Azure Active Directory, depending on whether they are business or private endpoints. Business endpoints in particular are managed with Microsoft Intune, Conditional Access validates, defines and secures access to applications and data, and Microsoft Defender for Endpoint provides prevention and detection of malware and other threats. Meanwhile, Windows Hello for Business handles authentication on (managed) endpoints based on biometrics, combined with local hardware-based security mechanisms such as Secure Boot and a TPM chip.
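To make the interplay described above concrete, here is an added example (not Microsoft code, and not how Conditional Access is implemented internally) of a small policy engine that evaluates an access request the way the three Zero Trust principles demand. The signals it consumes (Azure AD authentication, MFA/WHFB sign-in, Azure AD device join, Intune compliance, Defender for Endpoint risk level, assigned roles) are modelled as plain fields; the sample requests are constructed for illustration. The key point it shows is that being on the corporate network earns no trust at all: an unmanaged device is denied there exactly as it would be from home.

```python
"""Hypothetical Zero Trust access decision for an endpoint (added illustration).

The signals mirror the cornerstones in the text: Azure AD (identity + device
registration), Intune (compliance), Defender for Endpoint (risk), WHFB/MFA
(strong authentication). Field names and sample data are assumptions.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AccessRequest:
    user: str
    authenticated: bool          # identity verified by Azure AD
    strong_auth: bool            # MFA prompt satisfied or Windows Hello for Business sign-in
    device_joined: bool          # device registered/joined in Azure AD
    intune_compliant: bool       # Intune compliance policy satisfied
    mde_risk: str                # Defender for Endpoint machine risk: "low" | "medium" | "high"
    on_corporate_network: bool   # recorded, but deliberately NOT used for the decision
    requested_role: str          # role the app needs, e.g. "reader" or "admin"
    assigned_roles: frozenset = field(default_factory=frozenset)


def evaluate(req: AccessRequest) -> tuple[str, list[str]]:
    """Return ("grant" | "deny", reasons). Every request is judged by the same
    policy regardless of device type or location (no implicit network trust)."""
    reasons: list[str] = []

    # Principle 1: verify explicitly. Identity AND device health are checked on every request.
    if not req.authenticated:
        reasons.append("identity not verified by Azure AD")
    if not req.strong_auth:
        reasons.append("strong authentication (MFA or WHFB) required")
    if not req.device_joined:
        reasons.append("device not registered in Azure AD")
    if not req.intune_compliant:
        reasons.append("device not Intune-compliant")

    # Principle 3: assume breach. A compliant, well-authenticated device is still
    # blocked when Defender for Endpoint reports it as high risk.
    if req.mde_risk == "high":
        reasons.append("Defender for Endpoint reports high risk")

    # Principle 2: least privilege. Only roles actually assigned to the user are granted.
    if req.requested_role not in req.assigned_roles:
        reasons.append(f"role '{req.requested_role}' not assigned to {req.user}")

    return ("grant" if not reasons else "deny", reasons)


# Constructed sample requests (not real sign-in data).
COMPLIANT_LAPTOP = AccessRequest(
    user="alice", authenticated=True, strong_auth=True, device_joined=True,
    intune_compliant=True, mde_risk="low", on_corporate_network=False,
    requested_role="reader", assigned_roles=frozenset({"reader"}),
)
CORP_NETWORK_UNMANAGED = AccessRequest(
    user="bob", authenticated=True, strong_auth=True, device_joined=False,
    intune_compliant=False, mde_risk="low", on_corporate_network=True,
    requested_role="reader", assigned_roles=frozenset({"reader"}),
)
HIGH_RISK_DEVICE = AccessRequest(
    user="carol", authenticated=True, strong_auth=True, device_joined=True,
    intune_compliant=True, mde_risk="high", on_corporate_network=True,
    requested_role="reader", assigned_roles=frozenset({"reader"}),
)
OVERPRIVILEGED_REQUEST = AccessRequest(
    user="dave", authenticated=True, strong_auth=True, device_joined=True,
    intune_compliant=True, mde_risk="low", on_corporate_network=False,
    requested_role="admin", assigned_roles=frozenset({"reader"}),
)


def run_scenarios() -> dict[str, str]:
    """Evaluate the constructed requests and return name -> decision."""
    scenarios = {
        "compliant laptop at home": COMPLIANT_LAPTOP,
        "unmanaged device on corporate network": CORP_NETWORK_UNMANAGED,
        "compliant but high-risk device": HIGH_RISK_DEVICE,
        "compliant device asking for unassigned role": OVERPRIVILEGED_REQUEST,
    }
    return {name: evaluate(req)[0] for name, req in scenarios.items()}


if __name__ == "__main__":
    for name, req in [
        ("compliant laptop at home", COMPLIANT_LAPTOP),
        ("unmanaged device on corporate network", CORP_NETWORK_UNMANAGED),
        ("compliant but high-risk device", HIGH_RISK_DEVICE),
        ("compliant device asking for unassigned role", OVERPRIVILEGED_REQUEST),
    ]:
        decision, why = evaluate(req)
        print(f"{name}: {decision}" + (f" ({'; '.join(why)})" if why else ""))
```

Only the first request is granted. The second is the one worth noticing: the user authenticates correctly and sits on the corporate LAN, yet the missing device registration and compliance signals lead to a deny, which is exactly what "the same policy on every device and in every location" means in practice. In a real tenant these checks are expressed as Conditional Access grant controls (requiring MFA and a compliant device) combined with device risk signals from Defender for Endpoint, rather than as Python.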

Read part 2 of this blog on how to approach this practically and why certain choices are made.

Want to get started yourself?

Of course, there is much more to discover about Azure Active Directory, Microsoft Intune, securing endpoints and the Zero Trust Framework. Want to learn more about how your organization can take an active stance on IT security? Read more about our Security offerings and expertise.
