Securing infrastructure according to the Zero Trust Framework

Vincent Villerius
20 Nov, 2023

The first Security Blog of this series explained the Zero Trust Framework. For securing IT assets, the infrastructure layer is an important part of that framework. IT infrastructure consists of the solutions that support multiple applications; traditionally this has meant compute, storage and network, and in the on-premises world it is (probably) clear how those should be protected. But what about in the cloud? Vincent Villerius, Managing Consultant Azure & Integration, explains.

Shared responsibility

When you use cloud services, information security is a shared responsibility between the cloud provider and the customer (the shared responsibility model). In this model the cloud provider is always responsible for physical access control, power, cooling and the physical hardware; for the services purchased on top of that, the split depends on the delivery model. Your own data, end-user devices, accounts and access management remain the customer's responsibility in every delivery model. In IaaS (Infrastructure as a Service) the customer carries more responsibility than in the PaaS and SaaS models. To keep things clear, the remainder of this blog looks specifically at the IaaS model: where do your responsibilities as a customer lie, and what tools does Microsoft offer to meet them?

IaaS

In the IaaS model you purchase compute, storage and network from Azure. The customer is responsible for the configuration, and therefore the security, of the virtual servers, virtual networks, identity infrastructure and the applications that run on them. Fortunately, Azure offers several solutions that allow Zero Trust principles to be applied to your own resources.

Verify explicitly: verify the identity of everything and everyone that wants access, and apply the same verification to the systems themselves. Ask questions like "is trusted software being used?" and "can our own virtual machines be trusted?" The following tips help with this first principle:

  • Use generation 2 virtual machines with Trusted Launch enabled. Trusted Launch (Secure Boot plus a virtual TPM) verifies the bootloader, operating system kernel and drivers at boot and lets Defender for Cloud attest the boot chain; it requires a Gen2 image and VM size, so Gen2 by itself is the prerequisite, not the protection.
  • Deploy Azure Policy for reporting on and enforcing secure standards, for example by auditing or denying VMs that are not deployed with Trusted Launch.
  • Use Azure Bastion so that access to virtual machines is first authenticated through Azure AD (Azure Active Directory, now Microsoft Entra ID) and authorized with Azure RBAC, and no RDP (Remote Desktop Protocol) or SSH traffic needs to reach public IP addresses on the VMs.
  • Use Adaptive Application Controls to build an allowlist of known-good applications per group of machines and get alerted when anything else runs. Note that it monitors and alerts; blocking must still be enforced on the machine, for example with AppLocker or Windows Defender Application Control. This is part of Defender for Servers Plan 2.
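The following Bicep template is an added example, not code from the original post or from Microsoft, showing what the first and third tips look like when written down as infrastructure code: a Generation 2 VM deployed with Trusted Launch (Secure Boot and vTPM), the Guest Attestation extension so Defender for Cloud can attest the boot chain, and a NIC with no public IP address so that the only management path is a Bastion host in the same virtual network. The virtual network name, subnet name, VM size and admin user name are assumptions chosen for the example; the image SKU, the securityProfile fields and the attestation extension publisher and type are the ones Azure documents for Linux Trusted Launch VMs.

```bicep
// Added example (not from the original post): Gen2 VM with Trusted Launch and no public IP.
// Assumptions: a subnet named 'workload' exists in virtual network 'vnet-hub' in this
// resource group, and a Bastion host is (or will be) deployed in the same VNet.
@description('Region for all resources')
param location string = resourceGroup().location

@description('SSH public key for the local admin account')
param adminPublicKey string

param vmName string = 'vm-zt-demo'
param vnetName string = 'vnet-hub'
param subnetName string = 'workload'

// NIC without a public IP: the VM is only reachable via Bastion or private routing.
resource nic 'Microsoft.Network/networkInterfaces@2023-04-01' = {
  name: '${vmName}-nic'
  location: location
  properties: {
    ipConfigurations: [
      {
        name: 'ipconfig1'
        properties: {
          subnet: {
            id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnetName, subnetName)
          }
          privateIPAllocationMethod: 'Dynamic'
          // deliberately no publicIPAddress property: no RDP/SSH exposure to the internet
        }
      }
    ]
  }
}

resource vm 'Microsoft.Compute/virtualMachines@2023-03-01' = {
  name: vmName
  location: location
  properties: {
    hardwareProfile: {
      vmSize: 'Standard_D2s_v5' // Gen2-capable size (assumed for the example)
    }
    // Trusted Launch = Secure Boot + virtual TPM. Requires a Gen2 image and size.
    securityProfile: {
      securityType: 'TrustedLaunch'
      uefiSettings: {
        secureBootEnabled: true // bootloader, kernel and drivers must be signed
        vTpmEnabled: true       // measured boot; needed for attestation below
      }
    }
    storageProfile: {
      imageReference: {
        publisher: 'Canonical'
        offer: '0001-com-ubuntu-server-jammy'
        sku: '22_04-lts-gen2' // Gen2 image SKU
        version: 'latest'
      }
      osDisk: {
        createOption: 'FromImage'
        managedDisk: {
          storageAccountType: 'Premium_LRS'
        }
      }
    }
    osProfile: {
      computerName: vmName
      adminUsername: 'azureadmin' // assumed name
      linuxConfiguration: {
        disablePasswordAuthentication: true // key-only logins, no password guessing
        ssh: {
          publicKeys: [
            {
              path: '/home/azureadmin/.ssh/authorized_keys'
              keyData: adminPublicKey
            }
          ]
        }
      }
    }
    networkProfile: {
      networkInterfaces: [
        {
          id: nic.id
        }
      ]
    }
  }
}

// Guest Attestation extension: reports vTPM boot measurements so Defender for Cloud can
// raise an alert if the boot chain of this VM no longer matches the trusted baseline.
resource attestation 'Microsoft.Compute/virtualMachines/extensions@2023-03-01' = {
  parent: vm
  name: 'GuestAttestation'
  location: location
  properties: {
    publisher: 'Microsoft.Azure.Security.LinuxAttestation'
    type: 'GuestAttestation'
    typeHandlerVersion: '1.0'
    autoUpgradeMinorVersion: true
  }
}
```

Deploy it with `az deployment group create --resource-group <rg> --template-file vm.bicep --parameters adminPublicKey="$(cat ~/.ssh/id_ed25519.pub)"`. Two things to check after deployment: the VM's security type cannot be changed back to Standard once it is Trusted Launch, so decide this at creation time, and the attestation extension only produces results when vTPM is enabled, so a VM with `vTpmEnabled: false` will silently give Defender for Cloud nothing to verify.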

Take responsibility

Cloud services are enormously powerful, scalable and rich in configuration options. Organizations often mistakenly assume that security is entirely the cloud vendor's responsibility, and that assumption leads to misconfigurations, vulnerabilities and data breaches. Especially when a customer uses IaaS and PaaS services, they carry many of the responsibilities themselves. Fortunately, there is a rich set of tools that can be deployed to secure systems in the cloud in a way that does justice to your requirements and wishes.
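Taking that responsibility in practice means encoding your standard in something that is enforced, not just written down. As an added example (not the post's own material) that follows up the Azure Policy tip above, the Bicep template below defines a custom policy that denies any virtual machine created or updated without Trusted Launch, Secure Boot and vTPM, and assigns it at subscription scope. The definition and assignment names are illustrative; the three policy aliases are assumed to follow the standard Microsoft.Compute alias naming and should be confirmed against `az provider show --namespace Microsoft.Compute --expand resourceTypes/aliases` before you rely on them.

```bicep
// Added example (not from the original post): deny VMs that are not Trusted Launch.
// Deploy at subscription scope:
//   az deployment sub create --location westeurope --template-file policy.bicep
targetScope = 'subscription'

@description('Start with Audit to measure drift, switch to Deny once existing VMs are migrated')
@allowed([
  'Audit'
  'Deny'
])
param effect string = 'Deny'

resource trustedLaunchPolicy 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'require-trusted-launch-vm' // illustrative name
  properties: {
    policyType: 'Custom'
    mode: 'Indexed'
    displayName: 'Virtual machines must be deployed with Trusted Launch'
    description: 'Denies VM create/update unless securityType is TrustedLaunch with Secure Boot and vTPM enabled.'
    parameters: {
      effect: {
        type: 'String'
        allowedValues: [
          'Audit'
          'Deny'
        ]
        defaultValue: 'Deny'
      }
    }
    policyRule: {
      if: {
        allOf: [
          {
            field: 'type'
            equals: 'Microsoft.Compute/virtualMachines'
          }
          {
            // Any one of these missing or wrong is enough to fail the VM.
            // A missing field evaluates notEquals as true, so an omitted
            // securityProfile is also rejected.
            // Alias paths are assumptions; verify them with the az command in the lead-in.
            anyOf: [
              {
                field: 'Microsoft.Compute/virtualMachines/securityProfile.securityType'
                notEquals: 'TrustedLaunch'
              }
              {
                field: 'Microsoft.Compute/virtualMachines/securityProfile.uefiSettings.secureBootEnabled'
                notEquals: 'true'
              }
              {
                field: 'Microsoft.Compute/virtualMachines/securityProfile.uefiSettings.vTpmEnabled'
                notEquals: 'true'
              }
            ]
          }
        ]
      }
      then: {
        effect: '[parameters(\'effect\')]'
      }
    }
  }
}

resource trustedLaunchAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'require-trusted-launch' // illustrative name
  properties: {
    displayName: 'Require Trusted Launch on all VMs'
    policyDefinitionId: trustedLaunchPolicy.id
    parameters: {
      effect: {
        value: effect
      }
    }
    // 'DoNotEnforce' keeps the compliance report but never blocks a deployment;
    // use it for the first weeks so you can see what would have been denied.
    enforcementMode: 'Default'
  }
}
```

Roll this out in two steps: assign it first with `effect` set to `Audit`, read the compliance report in Defender for Cloud or the Policy blade to see which existing VMs and pipelines would break, and only then flip to `Deny`. Deny only stops new or updated resources, so VMs that already exist without Trusted Launch stay non-compliant until they are redeployed.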
