Zero Trust involves applying multiple disciplines of security and information protection together. This multi-discipline approach is applied to each of the units of work for infrastructure components as follows:
Apply Zero Trust principles to Azure storage
- Protect data in all three modes: data at rest, data in transit, and data in use
- Verify users and control access to storage data with the least privileges
- Logically separate or segregate critical data with network controls
- Use Defender for Storage for automated threat detection and protection
Apply Zero Trust principles to virtual machines in Azure
- Configure logical isolation for virtual machines
- Leverage Role-Based Access Control (RBAC)
- Secure virtual machine boot components
- Enable customer-managed keys and double encryption
- Control the applications installed on virtual machines
- Configure secure access
- Set up secure maintenance of virtual machines
- Enable advanced threat detection and protection
Apply Zero Trust principles to a spoke VNet in Azure
- Leverage Microsoft Entra RBAC or set up custom roles for networking resources
- Isolate infrastructure into its own resource group
- Create a network security group for each subnet
- Create an application security group for each virtual machine role
- Secure traffic and resources within the VNet
- Secure access to the VNet and application
- Enable advanced threat detection and protection
Apply Zero Trust principles to a hub VNet in Azure
- Secure Azure Firewall Premium
- Deploy Azure DDoS Protection Standard
- Configure network gateway routing to the firewall
- Configure threat protection