Here on this site, you’ll find information about the Zero Trust security model. Through an example of a fictional company, I’ll guide you through the implementation of Zero Trust within Microsoft Azure.
Zero Trust is a security model based on the "Never trust, always verify" principle. This means that all users, devices, and applications must be verified before being granted access. Zero Trust is not a product that can be purchased but a security strategy. Products like Azure can be utilized to follow the Zero Trust principles.
Verify every identity, regardless of whether the request comes from inside or outside the network.
Use least privilege access: use Identity and Access Management (IAM) to assign an identity only the minimal access rights required to complete an operation.
Assume that there are malicious actors on the network/infrastructure and take steps to protect resources accordingly.
Data breaches and hacks can cause severe financial losses, damage to reputation, and legal liabilities for companies. Individuals can experience identity theft, financial losses, and damage to credit scores. It can also cause emotional distress and a loss of trust in companies that handle personal information. Some examples of data breaches are given below.
The SolarWinds hack was a major supply chain attack discovered in December 2020. Hackers inserted malicious code into a software update, giving them access to the networks of SolarWinds customers, including government agencies and Fortune 500 companies. The attack was highly sophisticated and is believed to have been carried out by a state-sponsored group.
Marriott International experienced a data breach in 2018 that compromised the personal information of around 500 million guests. The breach occurred in the Starwood guest reservation database and included names, addresses, phone numbers, email addresses, passport numbers, and credit card information. The breach started in 2014 and continued until September 2018.
The Ashley Madison breach in 2015 exposed personal information of millions of users seeking extramarital affairs, causing embarrassment and highlighting the risks of storing sensitive information online. It sparked discussions about privacy and the ethics of online dating services.
Frequently Asked Questions
What is the goal of this site?
This site guides you in implementing Zero Trust within Microsoft Azure using a fictional company/application as an example.
Who is this site for?
This site is designed for engineers who want to deepen their understanding of Zero Trust and learn how to leverage Microsoft Azure for Zero Trust implementation. It primarily focuses on infrastructure-related topics, with potential future expansions to developer-oriented subjects.
Why did I create this site?
As security risks increase, it is essential to understand how to mitigate these risks. As a cloud consultant, I get asked about security a lot. I created this site to share my knowledge and experience with Zero Trust and Microsoft Azure.
What is OneFinance?
OneFinance is a fictional company made up for the purpose of this site. Read more about OneFinance here.
What is SmartMoney?
SmartMoney, developed by OneFinance, is an application designed for customer accounting record management. This site will walk you through implementing Zero Trust in Microsoft Azure for the SmartMoney application. Read more about SmartMoney here.
How is the site structured?
Start by reading about the Zero Trust security model. Continue with the introduction of the fictional company OneFinance and their SmartMoney application. In each article, I build a new part of SmartMoney's redesigned architecture, following the Zero Trust principles.
The fictional company: OneFinance
This website provides guidance on implementing the Zero Trust principles while utilizing Microsoft Azure. In order to illustrate best practices, I’ll be using the example of OneFinance, a fictional company that provides financial services to its customers. Customers entrust their accounting records to OneFinance. These records are managed by OneFinance’s employees in the SmartMoney application. Based on this data, they offer customers insights and advice for achieving financial independence.
Assume breach and minimize the impact with network security groups
A network security group is a set of rules that allows or denies traffic to a subnet or a network interface. With network security groups, we can isolate workloads and follow the Zero Trust principles.
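As an added illustration that is not part of this site's articles, the Python model below reproduces how an NSG evaluates inbound rules (ascending priority, first match wins) and shows why isolating a workload needs an explicit deny: Azure's default AllowVnetInBound rule permits all intra-VNet traffic, so a compromised app tier could otherwise reach every port of the data tier. The address plan, rule names AllowAppToSql and DenyVnetInBound, and the probe addresses are constructed assumptions, and the VirtualNetwork service tag is approximated by the VNet address space.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed address plan for the fictional SmartMoney workload (an assumption, not from the site).
VNET = ipaddress.ip_network("10.0.0.0/16")
APP_SUBNET = ipaddress.ip_network("10.0.1.0/24")  # web/app tier; data tier lives in 10.0.2.0/24


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                            # lower value is evaluated first; first match wins
    source: Optional[ipaddress.IPv4Network]  # None means any source
    dest_port: Optional[int]                 # None means any destination port
    access: str                              # "Allow" or "Deny"


# Azure's built-in default inbound rules. The "VirtualNetwork" service tag is approximated
# by the VNet address space. Note that AllowVnetInBound permits all intra-VNet traffic.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, VNET, None, "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, ipaddress.ip_network("168.63.129.16/32"), None, "Allow"),
    Rule("DenyAllInBound", 65500, None, None, "Deny"),
]

# Custom rules for the data-tier NSG (constructed): allow only the app subnet to reach SQL
# (TCP 1433) and deny everything else from the VNet at a priority that beats the 65000 default.
DATA_TIER_CUSTOM = [
    Rule("AllowAppToSql", 100, APP_SUBNET, 1433, "Allow"),
    Rule("DenyVnetInBound", 4000, VNET, None, "Deny"),
]


def evaluate(rules, src_ip: str, dest_port: int):
    """Return (access, rule_name) the way an NSG does: ascending priority, first match wins."""
    src = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.source is not None and src not in rule.source:
            continue
        if rule.dest_port is not None and rule.dest_port != dest_port:
            continue
        return rule.access, rule.name
    return "Deny", "no-match"  # not reached while the default rules are present


def lateral_movement_check(nsg_rules):
    """Probe the data tier from the app subnet, another VNet subnet and the internet (constructed IPs)."""
    probes = {"app->sql": ("10.0.1.10", 1433), "app->rdp": ("10.0.1.10", 3389),
              "other-subnet->sql": ("10.0.3.7", 1433), "internet->sql": ("203.0.113.9", 1433)}
    return {label: evaluate(nsg_rules, ip, port)[0] for label, (ip, port) in probes.items()}
```

Running `lateral_movement_check` with only the default rules reports every VNet-internal probe as Allow; adding the two custom rules leaves only the app subnet on port 1433 allowed.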
Access internal applications with Microsoft Entra Application Proxy
Application Proxy allows us to provide secure remote access to internal applications without the need to open inbound ports in the corporate firewall.