
Implementation of Zero Trust Security in the Public Sector

Challenges and opportunities with the Delos Cloud

Zero Trust Security for German Authorities
09.01.2025
Security
Cloud
Sovereign IT
Microsoft Azure

Since the groundbreaking Zero Trust publication "No more chewy centers" in 2010, cybersecurity experts have questioned the implicit trust placed in end devices and users inside an organization's own network boundaries. The guiding principle "Never trust, always verify" turns the traditional security architecture on its head: it throws the concept of implicit trust overboard and subjects every system event to rigorous scrutiny.


Zero Trust embodies a philosophy of robust IT security and places high demands on how workloads are managed. This is where the Delos Cloud comes in and simplifies the implementation of this security strategy. While cloud platforms and Zero Trust principles are already established as key technologies in the private sector, the Delos Cloud offers German authorities a way to use cloud solutions securely while maintaining digital sovereignty. This article explains the key Delos Cloud components of the Zero Trust recipe.

What Is Zero Trust and What Do You Need for It?

Zero Trust already carries its philosophy in its name. It is a cybersecurity strategy whose security policies are based on context rather than inherent trust. The core of the Zero Trust security model is "never trust, always verify": users and devices are not trusted by default, even when they are inside the network. With the Zero Trust approach, all users, systems, and applications are initially treated as untrusted, which significantly increases the security of the overall system.


Zero Trust reduces an organization's attack surface. To achieve this, user access is limited to the necessary minimum, and networks are divided into the smallest practical segments. To build and operate a Zero Trust security model, organizations need supporting technology solutions, particularly for managing their own network and the associated users.


A Zero Trust model defends against ransomware and other cybersecurity threats by granting only the minimum access required for a specific task, so that a compromised account or device cannot reach more than it needs.

Access Control with Entra ID

A crucial part of Zero Trust's identity-centric approach is the robust verification of user identities to ensure that they are indeed who they say they are.


Entra ID is a powerful tool that provides significant support for implementing this in the Delos Cloud. In addition to proven best practices such as multi-factor authentication - a method in which an additional factor is used to verify identity - Entra ID also offers context-based access controls.


This enables the creation of fine-grained policies that grant access rights only when defined conditions are met. Such conditions could include, for example, the geographical location of the sign-in, a prior check of the device, or time restrictions.
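To make the combination of conditions and grant controls concrete, the following Python snippet is an added example (not Entra ID code and not from the original article). It models how conditional access evaluates a sign-in: every policy whose conditions match contributes its requirements, a matching block policy wins outright, and otherwise all required controls must be satisfied. The policy set, group names, country codes and time window are constructed for the illustration.

```python
"""Toy evaluator for Entra ID-style conditional access policies (added illustration)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class SignIn:
    user: str
    group: str              # e.g. "staff" or "admins" (constructed group names)
    country: str            # resolved from the source IP by the identity provider
    hour: int               # local hour of the sign-in, 0-23
    device_compliant: bool  # reported by device management
    mfa_done: bool          # a strong second factor was already presented in this session


@dataclass
class Policy:
    name: str
    groups: set = field(default_factory=set)             # empty = applies to every user
    outside_countries: set = field(default_factory=set)  # applies only to sign-ins from outside these
    off_hours: Optional[range] = None                    # applies only outside this hour window
    block: bool = False
    require_mfa: bool = False
    require_compliant_device: bool = False

    def applies(self, s: SignIn) -> bool:
        """All configured conditions must match for the policy to take part in the decision."""
        if self.groups and s.group not in self.groups:
            return False
        if self.outside_countries and s.country in self.outside_countries:
            return False
        if self.off_hours is not None and s.hour in self.off_hours:
            return False
        return True


# Constructed policy set for an authority: baseline MFA for everyone, stricter rules for admins,
# and a geographic block (country codes and hours are assumptions of this example).
POLICIES = [
    Policy("baseline-mfa", require_mfa=True),
    Policy("admin-compliant-device", groups={"admins"}, require_compliant_device=True),
    Policy("block-outside-de", outside_countries={"DE"}, block=True),
    Policy("admin-off-hours-block", groups={"admins"}, off_hours=range(7, 19), block=True),
]


def evaluate(s: SignIn, policies: List[Policy] = POLICIES) -> Tuple[str, List[str]]:
    """Return ("blocked", blocking policies), ("denied", unmet controls) or ("granted", matched policies)."""
    matched = [p for p in policies if p.applies(s)]
    blockers = [p.name for p in matched if p.block]
    if blockers:                       # a block always wins over any grant control
        return "blocked", blockers
    missing = []
    if any(p.require_mfa for p in matched) and not s.mfa_done:
        missing.append("mfa")
    if any(p.require_compliant_device for p in matched) and not s.device_compliant:
        missing.append("compliant_device")
    if missing:                        # every control required by a matching policy must be met
        return "denied", missing
    return "granted", [p.name for p in matched]


if __name__ == "__main__":
    print(evaluate(SignIn("anna", "staff", "DE", 10, True, False)))   # denied, MFA missing
    print(evaluate(SignIn("bob", "admins", "DE", 23, True, True)))    # blocked, off-hours admin sign-in
```

The important behaviour to verify in a real tenant is the same as in the toy: controls from several matching policies accumulate rather than overriding each other, and a block takes precedence over any grant, so a policy review has to consider the full set that applies to a given user, location and device.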

Our Experience in Implementing a Zero Trust Architecture

The implementation of a Zero Trust architecture typically starts with the creation of access policies tailored to an organization's specific requirements. These policies should be based on a comprehensive resource map to account for all devices, users, and applications within the system. Planning for potential risks and threats is just as important as continuously evaluating and updating access policies to maintain an optimal level of security.

Logical Abstraction of the Infrastructure

While identity management is today regarded as the central component of a Zero Trust architecture, the concept originally grew out of the "Assume Breach" approach, which assumes that potential attackers may already have access to the network. Based on this premise, network areas, applications, and data are systematically isolated from one another – an approach known as micro-segmentation.


The primary purpose of micro-segmentation is to minimize damage in the event of a security incident. Should an attacker gain unauthorized access, that access is confined to specific components rather than extending to the entire system. This isolation significantly reduces the risk of a large-scale compromise. Further advantages become clear when looking at how it works in detail.


In the Delos Cloud, micro-segmentation is implemented using virtualized networks and NSGs (Network Security Groups). Similar resources are grouped into dedicated segments, which are additionally isolated from each other by NSGs. As a result, each resource is not only protected within its group; communication between the groups is also subject to strict security rules.


This concept goes beyond traditional firewall approaches by securing communication at the workload level. This significantly reduces the attack surface, because every connection is checked and its legitimacy is monitored.

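The following Python snippet is an added example (not Delos Cloud or Azure code) that models how an NSG decides whether a flow between two segments is allowed. The rule semantics follow Azure NSGs as documented: rules are processed by ascending priority number, the first match decides, and the platform's default rules (AllowVnetInBound at 65000, DenyAllInBound at 65500) sit behind every custom rule. The address ranges, segment names and rules are constructed; application security groups and the AzureLoadBalancer default rule are left out. It also shows the check a practitioner wants: without an explicit deny, the default AllowVnetInBound rule lets any host in the virtual network reach the segment.

```python
"""Flow evaluator mirroring NSG inbound rule processing (added illustration, constructed data)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed VNet address space; the real VirtualNetwork tag also covers peered/connected ranges.
VNET = ipaddress.ip_network("10.0.0.0/16")


@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    access: str      # "Allow" or "Deny"
    src: str         # CIDR, service tag "VirtualNetwork" / "Internet", or "*"
    dst: str
    dst_port: str    # "*" or a single port number as string


DEFAULT_INBOUND = [
    Rule(65000, "AllowVnetInBound", "Allow", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule(65500, "DenyAllInBound", "Deny", "*", "*", "*"),
]

# NSG of the constructed database segment 10.0.2.0/24: only the web tier may reach PostgreSQL and
# only the jump segment may use SSH; the explicit deny at 200 stops all other VNet hosts before the
# permissive default rule at 65000 is ever reached.
DB_SEGMENT_RULES = [
    Rule(100, "allow-web-to-db-5432", "Allow", "10.0.1.0/24", "10.0.2.0/24", "5432"),
    Rule(110, "allow-jump-to-db-ssh", "Allow", "10.0.9.0/24", "10.0.2.0/24", "22"),
    Rule(200, "deny-vnet-to-db", "Deny", "VirtualNetwork", "10.0.2.0/24", "*"),
]


def _addr_matches(spec: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return addr in VNET
    if spec == "Internet":  # simplification of the real service tag
        return addr not in VNET and not addr.is_private
    return addr in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    return spec == "*" or int(spec) == port


def evaluate_inbound(custom_rules: List[Rule], src_ip: str, dst_ip: str, dst_port: int) -> Tuple[str, str]:
    """Return (access, rule name) of the first matching rule, lowest priority number first."""
    for rule in sorted(list(custom_rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (_addr_matches(rule.src, src_ip) and _addr_matches(rule.dst, dst_ip)
                and _port_matches(rule.dst_port, dst_port)):
            return rule.access, rule.name
    raise RuntimeError("DenyAllInBound always matches")  # unreachable


def segment_isolated(custom_rules: List[Rule]) -> bool:
    """Check: is the DB port unreachable from an unrelated VNet segment (constructed 10.0.3.0/24)?"""
    return evaluate_inbound(custom_rules, "10.0.3.7", "10.0.2.10", 5432)[0] != "Allow"


if __name__ == "__main__":
    print(evaluate_inbound(DB_SEGMENT_RULES, "10.0.1.5", "10.0.2.10", 5432))
    print(evaluate_inbound(DB_SEGMENT_RULES, "10.0.3.7", "10.0.2.10", 5432))
    # Same allow rules without the explicit deny: the default AllowVnetInBound rule lets the flow through.
    print(segment_isolated(DB_SEGMENT_RULES), segment_isolated(DB_SEGMENT_RULES[:2]))
```

The design point is the explicit deny at priority 200: an allow rule alone never isolates a segment, because anything it does not match falls through to the platform default that permits all intra-VNet traffic.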

Micro-segmentation is widely recognized as a key technology for Zero Trust security approaches, especially in the context of Zero Trust Network Access (ZTNA). Combined with the Zero Trust model, organizations can ensure the security of their workloads - regardless of their location or deployment type.


One specific point of criticism of the Delos Cloud compared to the classic Azure infrastructure concerns the available deployment variants for virtual machines. Although numerous types are offered, the so-called DC VM variant, which was developed specifically for maximum security, is missing from the service portfolio.

Automation Through Azure Policy

Azure Policy enables governance rules to be implemented directly in the infrastructure and enforced automatically. Authorities can, for example, define specifications for resource configuration, security standards, or compliance requirements and ensure that these are adhered to in real time. Automated enforcement not only reduces administrative complexity but also minimizes human error, which is often a security risk. The result is clear and consistent compliance with regulatory requirements, which is particularly crucial in sensitive areas such as the public sector.


An example to illustrate this would be a measure for network security: an administrator wants to ensure that all virtual machines are reachable only via private networks and that no public IP address exposes them to the internet. A policy can define a rule that automatically checks whether new or existing VMs have been assigned a public IP address. In the event of a violation, the creation of such resources is blocked, or a notification is triggered so that the administrator can investigate the case in more detail.
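The following Python snippet is an added example, not Azure's policy engine and not from the original article. It contains a policy rule in the Azure Policy JSON shape (if/then with allOf, count and field conditions), modelled on the built-in "Network interfaces should not have public IPs", and a miniature evaluator that applies it to constructed resources. The "Deny" variant corresponds to blocking creation; the "Audit" variant to flagging the resource for the administrator. The alias names and the flattened property layout are assumptions of this example and should be checked against the real alias table before reuse.

```python
"""Miniature evaluator for an Azure Policy rule in the deny-public-IP style (added illustration)."""
import copy

RT_NIC = "Microsoft.Network/networkInterfaces"

DENY_PUBLIC_IP = {
    "if": {
        "allOf": [
            {"field": "type", "equals": RT_NIC},
            # count(...) > 0: at least one ipConfiguration carries a public IP reference (aliases assumed).
            {
                "count": {
                    "field": RT_NIC + "/ipConfigurations[*]",
                    "where": {"field": RT_NIC + "/ipConfigurations[*].publicIpAddress.id", "exists": "true"},
                },
                "greater": 0,
            },
        ]
    },
    "then": {"effect": "Deny"},
}

# Same rule, but the resource is only flagged so the administrator can investigate.
AUDIT_PUBLIC_IP = copy.deepcopy(DENY_PUBLIC_IP)
AUDIT_PUBLIC_IP["then"]["effect"] = "Audit"


def _walk(obj, path):
    """Resolve a dotted path with [*] wildcards; returns all reached values (None = property missing)."""
    if not path:
        return [obj]
    head, _, rest = path.partition(".")
    if head.endswith("[*]"):
        items = obj.get(head[:-3], []) if isinstance(obj, dict) else []
        return [v for item in items for v in _walk(item, rest)]
    nxt = obj.get(head) if isinstance(obj, dict) else None
    return [None] if nxt is None else _walk(nxt, rest)


def field_values(resource, alias, scope=None):
    """Map an alias onto the resource. Inside count/where, `scope` = (array alias, current element)."""
    if alias == "type":
        return [resource.get("type")]
    if scope is not None:
        base, element = scope
        if alias == base:
            return [element]
        if alias.startswith(base + "."):
            return _walk(element, alias[len(base) + 1:])
    prefix = resource.get("type", "") + "/"       # aliases are prefixed with the resource type
    path = alias[len(prefix):] if alias.startswith(prefix) else alias
    return _walk(resource.get("properties", {}), path)


def _compare(values, cond):
    # Assumption of this toy: a plain field condition must hold for every resolved value.
    if "equals" in cond:
        return all(v == cond["equals"] for v in values)
    if "notEquals" in cond:
        return all(v != cond["notEquals"] for v in values)
    if "exists" in cond:
        want = str(cond["exists"]).lower() == "true"
        return all((v is not None) == want for v in values)
    raise ValueError(f"unsupported operator in {cond}")


def matches(cond, resource, scope=None):
    if "allOf" in cond:
        return all(matches(c, resource, scope) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource, scope) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource, scope)
    if "count" in cond:
        spec = cond["count"]
        members = field_values(resource, spec["field"], scope)
        if "where" in spec:
            members = [m for m in members if matches(spec["where"], resource, (spec["field"], m))]
        n = len(members)
        if "greater" in cond:
            return n > cond["greater"]
        if "less" in cond:
            return n < cond["less"]
        return n == cond["equals"]
    return _compare(field_values(resource, cond["field"], scope), cond)


def evaluate_policy(policy, resource):
    """Return the effect the policy would apply ("Deny", "Audit", ...) or "Compliant"."""
    return policy["then"]["effect"] if matches(policy["if"], resource) else "Compliant"


# Constructed sample resources (ARM JSON simplified: nested "properties" bags flattened).
PIP = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Network/publicIPAddresses/pip-app-01"
NIC_PRIVATE = {"type": RT_NIC, "name": "nic-app-01",
               "properties": {"ipConfigurations": [{"name": "ipconfig1", "privateIPAddress": "10.0.1.4"}]}}
NIC_PUBLIC = {"type": RT_NIC, "name": "nic-app-02",
              "properties": {"ipConfigurations": [
                  {"name": "ipconfig1", "privateIPAddress": "10.0.1.5"},
                  {"name": "ipconfig2", "privateIPAddress": "10.0.1.6", "publicIpAddress": {"id": PIP}}]}}
VM = {"type": "Microsoft.Compute/virtualMachines", "name": "vm-app-01", "properties": {"vmSize": "Standard_D2s_v3"}}

if __name__ == "__main__":
    for r in (NIC_PRIVATE, NIC_PUBLIC, VM):
        print(r["name"], evaluate_policy(DENY_PUBLIC_IP, r), evaluate_policy(AUDIT_PUBLIC_IP, r))
```

Two things worth noticing: the count/where construction makes the "any ipConfiguration has a public IP" intent explicit, so a NIC with one private and one public configuration is still caught, and the rule only fires for the network-interface type, so unrelated resources such as the VM remain compliant rather than being blocked by accident.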

Azure Monitor

Azure Monitor complements the Delos Cloud by enabling comprehensive monitoring of the entire infrastructure. All activities and events – from key performance indicators to security-critical incidents – are recorded and analyzed in real time. This creates a central overview that speeds up the identification and resolution of potential problems.


Another advantage is auditability: Azure Monitor can be used to document policy violations and their remediation in a transparent and traceable manner. Customers benefit from being able to provide evidence in a structured form, which makes audits and certifications much easier.


With the Delos Cloud, data traceability can be implemented by exporting logs to audit-proof storage. Beyond moving logs off the systems that produced them, protecting this data against unauthorized deletion or modification plays a particularly important role. This approach is essential to the IT security strategy and supports adherence to regulatory compliance requirements.

Conclusion

The Delos Cloud offers its customers an established platform for implementing Zero Trust security while maintaining digital sovereignty. Technology solutions such as Entra ID, micro-segmentation, and Azure Policy lay the foundation for a high level of security while also taking regulatory requirements into account.


Written by

Robin Hamel
Expert for cloud security