The Zero Trust Workshop -- Your Free Nitro-Boosted Cybersecurity Strategy - virtualizationreview.com
The Zero Trust Workshop -- Your Free Nitro-Boosted Cybersecurity Strategy
Paul Schnackenburg, our 1-person SOC from Down Under, explains in detail how the Zero Trust workshop guide, workbook, and assessment tool turn principles into a practical roadmap for staged adoption across people, process, and technology.
By Paul Schnackenburg, 02/09/2026
Key Takeaways
Zero Trust is a program of cultural, strategic, and technical change -- not a single product.
The workshop guide and workbook provide a structured roadmap across the six Zero Trust pillars.
The Zero Trust Assessment PowerShell module inventories tenant settings and highlights remediation priorities.
The consensus among cybersecurity professionals is that a Zero Trust-based cybersecurity strategy is the best approach, and many pundits, including myself, have been banging that drum for years now.
But the big question everyone has is: how do you actually "do Zero Trust"? Where do you start? You cannot buy an application or a service, turn it on and "have Zero Trust" (notwithstanding nearly every cybersecurity vendor slapping Zero Trust stickers on their wares, though those stickers have now been replaced with "Agentic AI powered"). Cultural, strategic and structural changes are required, as well as tactical configuration across the board, so it's overwhelming even to know where to start, let alone to have a map for the rest of the journey.
Turns out Microsoft offers a free workshop guide and a couple of tools that help answer those questions, handy both for partner organizations helping their clients and for businesses adopting Zero Trust themselves. To be completely accurate, these tools are maintained as free open source by several Microsoft employees; they are not an official product you can call Microsoft support about if you run into issues.
This article will look at Zero Trust at a high level, the challenges of actually making it real in an organization, how to use the tools Microsoft provides, and how to use the workshop guidance to improve cybersecurity.
Zero Trust -- Should That Be 'Trust After Verification?'
I've heard many people say, particularly from the academic world, that Zero Trust is a negative term and puts people off, and I can understand that. What it actually means is that implicit trust is dangerous, and trust can only be earned after explicit verification. As an example, in the "old world" your laptop was automatically trusted if it was on the local area network. It didn't matter whether the laptop had been compromised and was running malware, or whether the user account on it had been taken over by an attacker using it as a beachhead to attack other systems. It was a trusted corporate laptop on a trusted network and thus OK. That implicit trust is dangerous and will lead to compromise.
If on the other hand we verify explicitly, the laptop is checked for its current cybersecurity posture, and only after found to be acceptable is access granted, ditto for the user account.
Microsoft lists three principles for Zero Trust:
Verify explicitly
Assume breach
Least privilege access
Across six pillars:
Identity
Endpoints
Applications
Network
Infrastructure
Data
In other words, for identity, endpoints and the rest, every connection should be explicitly verified, and the permissions granted should be the minimum any application or user needs to do their work, no more. That access needs to be re-verified over time; Entra calls this Access Reviews. And rather than expecting your defenses to keep the bad guys out, design your systems on the assumption that they are already inside: compartmentalize so that one breach doesn't automatically grant access to everyone and everything, and make sure you have the telemetry to spot intrusions when they do happen.
The Open Group offers a vendor-neutral approach, listing 17 commandments across four areas:
Practice Deliberate Security
Secure Assets by Risk
Validate Trust Explicitly
Support Business Objectives
Enable Modern Work
Implement Asset-Centric Controls
Enable Sustainable Security
Develop a Security-Centric Culture
Practice Accountability
Enable Pervasive Security
Utilize Least Privilege
Deploy Simple Security
Deploy Agile and Adaptive Security
Make Informed Decisions
Improve and Evolve Security Controls
Utilize Defense in Depth
Enable Resiliency
As you can see, the challenge with infusing Zero Trust into a company's culture isn't (just) about technical controls and "nerd stuff"; it heavily involves the two other cornerstones, people and process. Building a culture around that in an organization is the real challenge.
The question still remains -- how do you actually implement these principles / commandments in a business? What configuration steps do you start with?
The Zero Trust Workshop Version 2
The first version of this workshop was created to help answer the most common question Microsoft's clients had: "I understand Zero Trust, but I don't know how to implement it." This new version (I was lucky enough to be part of the private preview testing) is more comprehensive and comes with a built-in tool to evaluate the current configuration of a tenant. Access the workshop guide here and the workbook here. Yes, you read that right, it's an Excel workbook, which isn't as crazy as it sounds. It helps you keep track of each pillar (each has its own tab in the workbook) and lays out logical "swim lanes" of steps to follow.
The second tool is a PowerShell script that inventories your current security posture across several areas of Entra ID and Microsoft 365 -- more about this below.
It's called a workshop because it's meant to be delivered as a series of meetings in which each individual tile is discussed and progress is tracked over time. The workshop can be used by an internal IT department, or by a Microsoft partner delivering it with their client (the guide for customizing the branding of the sheet is here). The accompanying documentation is comprehensive, and there's also a video covering each of the workshop pillars.
To make it real, here's a portion of the Identity Roadmap sheet in the workbook:
Zero Trust Workbook - Identity Roadmap
The first part of this pillar is Design a Conditional Access (CA) posture, and under the Access swim lane there are six tiles to attend to. It starts with CA policies for Authentication Strength, then policies for device state and app management, followed by policies with risk controls. Each tile tells you the implementation effort (High, Medium or Low) and the user impact, and has a hyperlink directly to the relevant portion of the workshop documentation. That documentation has an overview paragraph followed by links to the relevant technical documentation. Each step has a drop-down to track progress:
Zero Trust Workbook - Progress Tracking
Apart from the obvious In planning, Planned, In progress and so on, there are also Blocked, First Party (other) and Third Party. If there's a technical reason you can't roll a control out now, you're Blocked; if the control is satisfied by another Microsoft technology it's First Party (other); and if you're using some other vendor's technology to fulfil the criterion, it's Third Party.
Another handy tip is to use the Note functionality in Excel to add comments to each tile as you work through it with the relevant stakeholders. Each sheet also orders the tiles in a swim lane into a single "first" tile to do straight away, then one or more in the "then" phase, followed by one or more in the "next" phase, clearly conveying priorities.
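To make the tile-to-configuration step concrete, here is an added example (not code from the article, from Microsoft, or from the Zero Trust Assessment project) that takes the first three tiles of the Identity Roadmap's Conditional Access swim lane, checks an Entra ID tenant for policies that already satisfy them, and creates any missing policy in report-only mode so user impact can be reviewed before enforcement. It uses the Microsoft Graph PowerShell SDK cmdlets Get-MgIdentityConditionalAccessPolicy and New-MgIdentityConditionalAccessPolicy. The policy names, the break-glass group ID and the choice of which controls "satisfy" a tile are my assumptions; the authentication strength ID is the built-in "Phishing-resistant MFA" strength.

```powershell
<#
Added example: map three Identity Roadmap tiles to Conditional Access policies.
  Tile 1  Authentication strength -> require phishing-resistant MFA
  Tile 2  Device state            -> require a compliant or Entra-joined device
  Tile 3  Risk controls           -> block high sign-in risk
Existing policies that cover a tile are reported with a workbook-style status;
missing ones are created report-only. Run with -WhatIf first to see what would change.
Requires: Microsoft.Graph.Identity.SignIns (Graph PowerShell SDK).
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumption: object ID of an existing emergency-access ("break glass") group
    # that is excluded from every policy so you cannot lock yourself out.
    [Parameter(Mandatory)] [string] $BreakGlassGroupId
)

Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess' -NoWelcome

# Built-in Entra authentication strength "Phishing-resistant MFA".
$PhishingResistantMfaId = '00000000-0000-0000-0000-000000000004'

# Common scope for every new policy: all users except break glass, all cloud apps.
$BaseConditions = @{
    users          = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
    applications   = @{ includeApplications = @('All') }
    clientAppTypes = @('all')
}

# One entry per workbook tile. Test decides whether an existing policy satisfies
# the tile; Body is the report-only policy created when none does (names assumed).
$Tiles = @(
    @{
        Name = 'CA policies for Authentication Strength'
        Test = { param($p) $p.GrantControls.AuthenticationStrength.Id -eq $PhishingResistantMfaId }
        Body = @{
            displayName   = 'ZT-ID-01 Require phishing-resistant MFA'
            state         = 'enabledForReportingButNotEnforced'
            conditions    = $BaseConditions
            grantControls = @{ operator = 'OR'; authenticationStrength = @{ id = $PhishingResistantMfaId } }
        }
    }
    @{
        Name = 'CA policies for device state'
        Test = { param($p) 'compliantDevice' -in $p.GrantControls.BuiltInControls }
        Body = @{
            displayName   = 'ZT-ID-02 Require compliant or Entra-joined device'
            state         = 'enabledForReportingButNotEnforced'
            conditions    = $BaseConditions
            grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice', 'domainJoinedDevice') }
        }
    }
    @{
        Name = 'CA policies with risk controls'
        Test = { param($p) ('high' -in $p.Conditions.SignInRiskLevels) -and ('block' -in $p.GrantControls.BuiltInControls) }
        Body = @{
            displayName   = 'ZT-ID-03 Block high sign-in risk'
            state         = 'enabledForReportingButNotEnforced'
            conditions    = $BaseConditions + @{ signInRiskLevels = @('high') }
            grantControls = @{ operator = 'OR'; builtInControls = @('block') }
        }
    }
)

# Disabled policies provide no coverage; report-only ones count as "In progress".
$Existing = Get-MgIdentityConditionalAccessPolicy -All | Where-Object { $_.State -ne 'disabled' }

$Report = foreach ($tile in $Tiles) {
    $match = $Existing | Where-Object { & $tile.Test $_ } | Select-Object -First 1
    if ($match) {
        $status = if ($match.State -eq 'enabled') { 'Done' } else { 'In progress (report-only)' }
    }
    elseif ($PSCmdlet.ShouldProcess($tile.Body.displayName, 'Create report-only Conditional Access policy')) {
        $match  = New-MgIdentityConditionalAccessPolicy -BodyParameter $tile.Body
        $status = 'In progress (created report-only)'
    }
    else {
        $status = 'In planning'   # -WhatIf: nothing created yet
    }
    [pscustomobject]@{ Tile = $tile.Name; Status = $status; Policy = $match.DisplayName }
}

$Report | Format-Table -AutoSize
```

Run it as `.\Check-IdentityTiles.ps1 -BreakGlassGroupId <group-object-id> -WhatIf` first; the Status column lines up with the workbook's drop-down values so the result can be transcribed straight into the tracking sheet. The script deliberately never creates an enforced policy: moving a tile from "In progress" to "Done" should only happen after the report-only sign-in logs have been reviewed for unexpected user impact.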
The Identity Roadmap has over 30 swim lanes covering everything from "Stop buying or building Active Directory dependent apps" through "Develop credential (incl. Passwordless) strategy" to "Rollout Privileged Identity Management for Tier-Zero roles".
The Devices Roadmap covers Mobile Application Management, MDM for iOS and Android, Windows, macOS and more. The Data Roadmap is a bit shorter (but will probably take longer to implement in the real world), and looks at discovering and protecting your data, managing access to it, and protecting critical data assets. In the Network Roadmap you'll look at modernizing VPN and protecting legacy apps, securing access to all internet resources, plus network application protection and control. The Infrastructure Roadmap, on the other hand, has many areas covering governance, compliance, servers, containers, storage, databases, APIs and infrastructure services.