How ‘Varah Risk Advisory Services LLP’ Operates: Cloud-Native, Zero Trust, and the “No Download” Policy

Varah Risk Advisory Services LLP (hereafter referred to as Varah) is a modern enterprise that has embraced a Cloud-Only and Cloud-Native IT architecture, operating with a stringent Zero Local Data (ZLD) policy and enforced by a company-wide Zero Trust Architecture (ZTA). By leveraging the comprehensive security and compliance capabilities of Microsoft 365 and Microsoft Azure, Varah has virtually eliminated its on-premises infrastructure and the associated security risks, delivering a powerful combination of business agility and unparalleled data protection.

The Core Philosophy: Cloud-Only and Zero Trust

Varah’s entire Information and Communications Technology (ICT) operation is based on two fundamental pillars:

  • Cloud-Native Operation (Zero On-Premise): All corporate data, applications, and services reside solely within Microsoft 365 and Azure. There are no on-premises servers, traditional network firewalls, or physical data storage devices. This inherently reduces the attack surface by removing an entire category of security risks (physical theft, server patching, data center failure).
  • Zero Trust Architecture (ZTA): The core principle is “Never trust, always verify.” No user, device, or application is implicitly trusted, regardless of its location (inside or outside a traditional “perimeter”). Every access request to any resource—a file in SharePoint, an email in Exchange Online, or an application in Azure—is authenticated and authorized based on all available data points.

The Zero Local Data (ZLD) and “No Download” Policy

To maximize the benefits of its cloud-only approach and reinforce ZTA, Varah enforces a strict Zero Local Data (ZLD) policy, also known as the “No Download” Policy.

Implementation in Microsoft 365: OneDrive and SharePoint settings are configured to use Files On-Demand. This ensures that documents are stored only in the cloud and are not automatically synchronized as a local copy to the user’s computer.
Security Benefit: If a device is lost or stolen, no sensitive corporate data is stored on its hard drive. Data remains safe in the Microsoft Cloud.

Implementation in Microsoft 365: Conditional Access Policies (via Microsoft Entra ID) are used to block document and email attachment downloads on unmanaged or non-compliant devices.
Security Benefit: Prevents data exfiltration. Users can only view and edit documents in the secure web browser environment (e.g., Word Online), so a local copy cannot be saved to an unapproved device.

Implementation in Microsoft 365: Users are restricted to accessing data via secure, compliant web browsers or Intune-managed Microsoft 365 mobile apps.
Security Benefit: The browser acts as the secure perimeter, ensuring that data is never fully “outside” the corporate control.

Identity as the New Perimeter: Secure Application Access

In a cloud-native environment, identity (via Microsoft Entra ID) replaces the traditional network firewall as the primary security perimeter.

  • Mandatory Single Sign-On (SSO): All non-Microsoft Software-as-a-Service (SaaS) applications used by Varah – from HR and finance platforms to project management tools – are strictly access-controlled via Microsoft Entra ID Single Sign-on (SSO). This ensures that every third-party application access is subject to the same ZTA policies, including Multi-Factor Authentication (MFA) and device compliance checks defined in Conditional Access. This eliminates the use of weak, disparate passwords and provides a single, central point for access governance.
  • External Collaboration via B2B: To maintain its ZLD policy even when working with clients, Varah utilizes the Microsoft Entra B2B (Business-to-Business) collaboration route. Varah employees are invited as Guest Users into the client’s Microsoft 365/Azure tenancy. This means:
    • No Data Migration: Varah staff work directly on the client’s environment, preventing client data from ever leaving the client’s tenancy or entering Varah’s tenancy, thereby honouring the client’s data governance rules.
    • Secure Authentication: The Varah employee uses their own corporate Microsoft Entra ID credentials for authentication, which is secured by Varah’s MFA and ZTA policies, extending a high level of assurance to the client.
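As an added example (not Varah’s own tenant configuration), this is how the MFA-plus-compliant-device requirement for SSO-integrated apps and the browser-only “No Download” restriction described above are expressed with the Microsoft Graph PowerShell SDK together with the SharePoint Online and Exchange Online modules; the break-glass account ID, the tenant name and the policy display names are placeholders.

```powershell
# Added example, not Varah's configuration. Assumes the Microsoft Graph PowerShell SDK,
# SharePoint Online Management Shell and Exchange Online module are installed and the
# operator holds the Conditional Access, SharePoint and Exchange admin roles.
# <BREAK-GLASS-ACCOUNT-OBJECT-ID> and <tenant> are placeholders.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$breakGlass = "<BREAK-GLASS-ACCOUNT-OBJECT-ID>"   # emergency-access account, excluded from every policy

# 1. Identity as the perimeter: every cloud app (Microsoft and SSO-integrated SaaS alike)
#    requires MFA AND a compliant, Intune-managed device. Created in report-only mode so the
#    sign-in logs show who would be blocked before the policy is enforced.
$requireMfaCompliant = @{
    displayName    = "ZTA - Require MFA and compliant device for all cloud apps"
    state          = "enabledForReportingButNotEnforced"
    conditions     = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls  = @{ operator = "AND"; builtInControls = @("mfa", "compliantDevice") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfaCompliant

# 2. "No Download": browser sessions to Office 365 hand enforcement to the application,
#    so SharePoint/OneDrive and Exchange decide what an unmanaged device may do.
$appEnforced = @{
    displayName     = "ZLD - App-enforced restrictions for browser sessions"
    state           = "enabledForReportingButNotEnforced"
    conditions      = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("browser")
    }
    sessionControls = @{ applicationEnforcedRestrictions = @{ isEnabled = $true } }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $appEnforced

# 3. SharePoint/OneDrive: unmanaged devices get web-only access with download, print and sync blocked;
#    compliant devices keep full access.
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess

# 4. Outlook on the web: on unmanaged devices attachments are read-only in the browser and cannot be downloaded.
Connect-ExchangeOnline
Set-OwaMailboxPolicy -Identity "OwaMailboxPolicy-Default" -ConditionalAccessPolicy ReadOnlyPlusAttachmentsBlocked
```

Both Conditional Access policies are created in report-only mode; after reviewing the Entra sign-in logs, change `state` to `"enabled"` with `Update-MgIdentityConditionalAccessPolicy`.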

Industry Grading and Compliance of Microsoft Cloud Services

Varah’s choice of Microsoft 365 and Azure is underpinned by the platforms’ deep commitment to global security and regulatory compliance. These cloud services are built and operated to meet the world’s most stringent industry and government standards, reducing the compliance burden on Varah itself.

Key Compliance Offerings: ISO 27001, SOC 1/2/3, and CSA STAR certification.
Relevance for Varah: Demonstrates that Microsoft’s infrastructure and management processes meet international security best practices.

Key Compliance Offerings: ISO 27018 (protection of Personally Identifiable Information in the public cloud) and GDPR (General Data Protection Regulation) compliance.
Relevance for Varah: Crucial for handling client and employee personal data and for operating within the EU and other regulated markets.

Key Compliance Offerings: HIPAA (Healthcare), CJIS (Criminal Justice), and FedRAMP (Federal Risk and Authorization Management Program).
Relevance for Varah: Provides a pre-certified platform necessary to engage clients in highly regulated sectors.

This comprehensive list of third-party compliance attestations means Varah inherits the robust security foundation, allowing it to focus its ZTA efforts on user access and data-handling policies, confident in the security of the underlying cloud infrastructure.