
Implementation of Zero Trust Security in the Public Sector

Challenges and opportunities with the Delos Cloud

Zero Trust Security for German Authorities
09.01.2025
Security
Cloud
Sovereign IT
Microsoft Azure

Since the groundbreaking Zero Trust publication “No more chewy centers” in 2010, cyber security experts have questioned trust in end devices and users within their network boundaries. The guiding principle “Never trust, always verify” turns the traditional security architecture on its head by throwing the concept of implicit trust overboard and subjecting every system event to rigorous scrutiny.
 

Zero Trust embodies the philosophy of robust IT security and places high demands on workload management structures. This is where the Delos Cloud comes in and simplifies the implementation of this security strategy. While cloud platforms and zero-trust principles are already established in the private sector, the Delos Cloud offers German authorities a way to use cloud solutions securely while maintaining digital sovereignty. This article explains which components of the Delos Cloud make up the key ingredients of the zero-trust recipe.

What Is Zero Trust and What Do You Need for It?

Zero Trust already carries its philosophy in its name. It is a cyber security strategy that uses security policies based on context rather than inherent trust. The core of the Zero Trust security model is: "Never trust, always verify". This means that users and devices are not trusted by default, even within the network. With the Zero Trust approach, all users, systems, and applications are initially considered untrustworthy, which significantly increases overall security.
 

Zero Trust reduces an organization's attack surface. To this end, user access is limited to the necessary minimum, and networks are divided into the smallest possible segments. To build and use a zero-trust security model, organizations must use supporting technology solutions, particularly to manage their own network and the associated users.

 

A zero-trust model defends against ransomware and cybersecurity threats by granting only the minimum access required for specific tasks.

Access Control with Entra ID

The most critical component of Zero Trust's identity-centric approach is the robust verification of user identities to ensure that they are who they say they are.

 

Entra ID is a powerful tool that significantly supports the implementation of Zero Trust in the Delos Cloud. In addition to proven best practices such as multi-factor authentication—a method in which an additional factor is used to verify identity—Entra ID also offers context-based access controls. It is crucial to ensure that identities are protected to the maximum and that access using them is secure.
 

This enables the creation of fine-grained policies that ensure access rights are only granted when defined conditions are met. These could include, for example, geographical dependencies, prior device checks, or time restrictions. Defined rules must be established within Entra ID: Who is allowed to access which resources with which device?
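The decision logic behind such context-based rules, as an added example that is not from the article or from Microsoft: a simplified model of how Entra ID Conditional Access combines several if-then policies (location, device compliance, MFA) into one access decision. The policy names, resource names and sign-in contexts are constructed for illustration; real policies are configured in Entra ID, not written in code.

```python
# Added example (not from the article or Microsoft): a simplified decision model
# for context-based access rules of the kind Entra ID Conditional Access applies.
# Policies, resource names and sign-in contexts are constructed for illustration;
# real policies are configured in the Entra ID portal, not written in code.
from dataclasses import dataclass

@dataclass
class SignIn:
    user: str
    resource: str            # target application
    country: str             # derived from the sign-in IP (named location)
    device_compliant: bool   # device passed the compliance check
    mfa_done: bool           # strong authentication already completed

# Each policy is an if-then rule: when its assignments match the sign-in, its
# grant control applies. "block" wins over everything; otherwise every required
# control from every matching policy must be satisfied.
POLICIES = [
    {"name": "admin-portal-only-from-DE", "resources": {"admin-portal"},
     "locations_excluded": {"DE"}, "grant": "block"},        # applies outside DE
    {"name": "admin-portal-mfa-and-compliant-device",
     "resources": {"admin-portal"}, "grant": {"mfa", "compliant_device"}},
    {"name": "case-system-mfa", "resources": {"case-system"}, "grant": {"mfa"}},
]

def applies(policy: dict, s: SignIn) -> bool:
    if s.resource not in policy["resources"]:
        return False
    if s.country in policy.get("locations_excluded", set()):
        return False
    return True

def decide(s: SignIn) -> tuple:
    """('allow', {}) | ('block', {}) | ('require', {controls still missing})."""
    required = set()
    for p in POLICIES:
        if not applies(p, s):
            continue
        if p["grant"] == "block":
            return "block", frozenset()
        required |= p["grant"]
    missing = set()
    if "mfa" in required and not s.mfa_done:
        missing.add("mfa")
    if "compliant_device" in required and not s.device_compliant:
        missing.add("compliant_device")
    # A resource covered by no policy is allowed by default: that implicit
    # trust is exactly what a catch-all policy should remove.
    return ("allow" if not missing else "require"), frozenset(missing)
```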

Our Experience in Implementing a Zero Trust Architecture

The implementation of a zero-trust architecture typically starts with the creation of access policies tailored to an organization's specific requirements. These policies should be based on a comprehensive resource overview that considers all system devices, users, and applications. End-to-end access management is the basic prerequisite for ensuring that access to applications and data does not become a point of compromise.
 

Therefore, proactive planning of potential risks and threats is just as important as the continuous evaluation and updating of access policies to maintain an optimal level of security.

Logical Abstraction of the Infrastructure

In addition to the current view of identity management as a central component of a zero-trust architecture, the concept was developed from the “Assume Breach” approach, which assumes that potential attackers may already have access to the network. Based on this premise, network areas, applications, and data are systematically isolated from each other - an approach known as micro-segmentation.
 

The primary purpose of micro-segmentation is to minimize damage in the event of a security incident. Should an attacker gain unauthorized access, it is limited to specific components instead of extending to the entire system. This isolation significantly reduces the risk of a large-scale compromise. Further advantages become apparent from a closer look at how it works.
 

In the Delos Cloud, micro-segmentation is implemented through the use of virtualized networks and NSGs (Network Security Groups). Similar resources are grouped into specific segments, which are additionally isolated from each other by NSGs. This means that each resource is not only protected within its group, but communication between the groups is also subject to strict security guidelines.
 

This concept goes beyond traditional firewall security approaches by securing communication at the workload level. This significantly reduces the attack surface, as every connection is checked and its legitimacy monitored. However, it is essential to note that only the combination of micro-segmentation and identity protection ensures the highest possible level of security—without one complementing the other, limited access cannot be assured.
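How NSG rules actually produce that isolation between segments, as an added example that is not from the article or from Delos Cloud: a small model of NSG inbound rule evaluation over constructed segments and rules. It also shows the caveat that Azure's default AllowVnetInBound rule permits all traffic inside the virtual network unless an explicit Deny rule with a lower priority number is added.

```python
# Added example (not from the article or Delos Cloud): a simplified model of how
# NSG inbound rules decide traffic between segments. Segments, addresses and
# rules are constructed. Rule semantics follow Azure NSGs: the lowest priority
# number is checked first, the first match is final, and the default rules
# AllowVnetInBound (65000) and DenyAllInBound (65500) always sit at the end.
import ipaddress

SEGMENTS = {                     # one subnet per group of similar workloads
    "web": ipaddress.ip_network("10.10.1.0/24"),
    "app": ipaddress.ip_network("10.10.2.0/24"),
    "db":  ipaddress.ip_network("10.10.3.0/24"),
}

# Default inbound rules Azure adds to every NSG (they cannot be removed).
DEFAULT_RULES = [
    {"priority": 65000, "source": "VirtualNetwork", "port": "*", "access": "Allow"},
    {"priority": 65500, "source": "any", "port": "*", "access": "Deny"},
]

# Custom inbound rules per destination segment. The explicit Deny at 4000 is
# what makes this micro-segmentation: without it, AllowVnetInBound lets any
# segment reach any other segment on any port.
NSG_RULES = {
    "app": [{"priority": 100, "source": "web", "port": 8080, "access": "Allow"},
            {"priority": 4000, "source": "any", "port": "*", "access": "Deny"}],
    "db":  [{"priority": 100, "source": "app", "port": 5432, "access": "Allow"},
            {"priority": 4000, "source": "any", "port": "*", "access": "Deny"}],
}

def source_matches(rule_source: str, src) -> bool:
    if rule_source == "any":
        return True
    if rule_source == "VirtualNetwork":   # service tag: any address in the VNet
        return any(src in net for net in SEGMENTS.values())
    return src in SEGMENTS[rule_source]   # a segment's address prefix

def is_allowed(src_ip: str, dst_segment: str, port: int, custom=NSG_RULES) -> bool:
    """Evaluate inbound traffic to dst_segment the way its NSG would."""
    src = ipaddress.ip_address(src_ip)
    rules = sorted(custom.get(dst_segment, []) + DEFAULT_RULES,
                   key=lambda r: r["priority"])
    for r in rules:
        if source_matches(r["source"], src) and r["port"] in ("*", port):
            return r["access"] == "Allow"
    return False   # not reached: DenyAllInBound matches everything
```

Passing `custom={}` evaluates a segment with no custom rules and shows the default-rule behaviour.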
 

One specific criticism of the Delos Cloud compared to the classic Azure infrastructure concerns the available deployment variants for virtual machines. Although numerous types are offered, the so-called DC VM variant, which supplements Zero Trust with Confidential Computing, is missing from the service portfolio.

Automation Through Azure Policies

Azure Policies enable governance guidelines to be implemented directly in the infrastructure and automatically enforced. Authorities can define specifications for resource configuration, security standards, or compliance requirements, for example, and ensure that these are adhered to in real time. Automated enforcement not only reduces administrative complexity but also minimizes human error, which is often a security risk. This leads to clear and consistent regulatory compliance, which is particularly crucial in sensitive areas such as the public sector.
 

An example would be a measure for network security: an administrator wants to ensure that all virtual machines are only accessible via private networks and that no public IP addresses make them reachable from the internet. The policies can be used to define a rule that automatically checks whether new or existing VMs have been assigned a public IP address. In the event of violations, the creation of such resources is blocked, or a notification is triggered so that the administrator can investigate the case in more detail. Automation should be used to design measures that protect identities, data, and applications in line with Zero Trust.
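What such a rule looks like in Azure Policy's JSON rule language, and how it is evaluated against a resource, as an added example that is not from the article and not Microsoft's published policy definition: a deny rule for network interfaces that carry a public IP, together with a toy evaluator for the small rule subset it uses. The rule shape (a `not` around a `notLike "*"` on a `[*]` alias) is an assumption modelled on Azure's built-in check for this case, and the resource documents are constructed in the flattened view that policy aliases expose.

```python
# Added example (not from the article or Microsoft): an Azure Policy rule that
# denies network interfaces with a public IP, plus a toy evaluator for the rule
# subset it uses (allOf/not/equals/notLike on [*] aliases). Resource docs use the
# flattened alias view (no ARM "properties" wrappers); the rule shape is an
# assumption modelled on Azure's built-in check, so verify it in your tenant.
import fnmatch

POLICY_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Network/networkInterfaces"},
        # A [*] condition holds only if it holds for EVERY ipConfiguration, so
        # not(all lack a public IP id) == at least one ipConfiguration has one.
        {"not": {"field": "Microsoft.Network/networkInterfaces/ipConfigurations[*].publicIPAddress.id",
                 "notLike": "*"}},
    ]},
    "then": {"effect": "deny"},
}

def field_values(resource, field):
    """One value, or one per array element when the alias contains [*]."""
    values = [resource]
    for part in field.split("/")[-1].split("."):   # alias prefix dropped
        if part.endswith("[*]"):
            values = [e for v in values if isinstance(v, dict) for e in v.get(part[:-3], [])]
        else:
            values = [v.get(part) if isinstance(v, dict) else None for v in values]
    return values

def evaluate(cond, resource):
    if "allOf" in cond:
        return all(evaluate(c, resource) for c in cond["allOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource)
    values = field_values(resource, cond["field"])
    if "equals" in cond:
        return all(v == cond["equals"] for v in values)
    # notLike "*" is true for a null value (like needs a real string to match)
    return all(v is None or not fnmatch.fnmatch(str(v), cond["notLike"]) for v in values)

def effect_for(resource):
    return "deny" if evaluate(POLICY_RULE["if"], resource) else "none"

# Constructed resource documents (flattened alias view), not real tenant data
NIC_PUBLIC = {"type": "Microsoft.Network/networkInterfaces", "ipConfigurations": [
    {"name": "ipconfig1", "publicIPAddress": {"id": "/subscriptions/PLACEHOLDER/providers/Microsoft.Network/publicIPAddresses/pip-web-01"}}]}
NIC_PRIVATE = {"type": "Microsoft.Network/networkInterfaces", "ipConfigurations": [
    {"name": "ipconfig1", "privateIPAddress": "10.10.2.4"}]}
```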

Azure Monitor

Azure Monitor complements the Delos Cloud by enabling comprehensive monitoring of the entire infrastructure. All activities and events—from key performance indicators to security-critical incidents—are recorded and analyzed in real time. This creates a central overview that speeds up identifying and resolving potential problems.
 

Another advantage is auditability: Azure Monitor can be used to document policy violations and their remediation transparently and traceably. Customers benefit from the ability to provide structured evidence, making audits and certifications much easier.
 

Data traceability can be implemented by exporting logs to audit-proof storage as part of the Delos Cloud. In addition to the option of exporting logs, protection against unauthorized deletion or modification of this data plays a particularly important role. This approach is essential to the IT security strategy and supports adherence to regulatory compliance requirements.
 

Restrictions and recommendations: Functions such as Cloud Defender and Endpoint Manager are not yet available within the Delos Cloud. These tools help ensure security at the device and network layers. It would, therefore, be helpful to integrate these features into the Delos Cloud offering in the future to provide a more comprehensive security portfolio.

Conclusion

The Delos Cloud offers its customers an established platform for implementing zero-trust security while maintaining digital sovereignty. Technology solutions such as Entra ID, micro-segmentation, and Azure Policies lay the foundation for a high level of security, taking regulatory requirements into account.

Written by

Robin Hamel
Expert for cloud security