However, as recent events have shown us, the cybersecurity landscape continues to evolve. Bad actors are getting more sophisticated and the need for a stronger security model has never been more important. Zero Trust is no longer an option, it’s now imperative for organizations that want to protect themselves while providing employees the flexibility they need to be productive.

Accelerating your hybrid work readiness with Zero Trust

Implementing a Zero Trust model means transitioning from implicit trust—where everything inside a corporate network is assumed to be safe—to a model that assumes breach and explicitly verifies the security status of identity, endpoint, network, and other resources based on all available signal and data. A contextual, real-time policy helps enforce least-privileged access principles and minimize risks. Zero Trust not only strengthens security but also enables the transformation needed to embrace hybrid work.

I often hear from customers that implementing a Zero Trust security framework can be daunting and that they’re looking for help in creating a roadmap with the right prioritized milestones to maximize investments and positively impact their users. In this post, I’d like to provide an overview of the resources available to help accelerate your Zero Trust readiness and provide actionable guidance.

If you haven’t already, I suggest starting with our Zero Trust Maturity Model whitepaper, which breaks down Zero Trust requirements across identities, endpoints, apps, networks, infrastructure, and data. This paper provides a strong starting point to assess your current Zero Trust maturity, prioritize security efforts to maximize impact, and get a foundational understanding of overall capabilities and requirements.

My colleague, Mark Simos, also posted a blog, Zero Trust Strategy—what good looks like, based on his experience helping customers transform their security strategies that expands on many of the concepts in the maturity model.

Assess your Zero Trust maturity and plan the next steps in your journey with the updated assessment tool

We created the Microsoft Zero Trust Assessment tool to help you determine where you are in your Zero Trust implementation journey and provide to-dos and deployment guidance to help reach key milestones. This month, we released an updated version that provides more targeted guidance and a curated list of resources to help you better prioritize milestones based on your current progress. Now, when a gap is identified in your Zero Trust readiness, you’ll see which specific capabilities you need, the Microsoft products and services that can provide those and step-by-step guidance on implementation.

Get specific suggestions for next steps in your Zero Trust adoption with the assessment tool.

Get up to speed on the essentials of Zero Trust

This month, we’re kicking off our new Microsoft Mechanics video series focused on Zero Trust. In this series, Jeremy Chapman, Director of Microsoft 365, provides a breakdown of how you can adopt a Zero Trust approach across the six layers of defense—identities, endpoints, apps, networks, infrastructure, and data. This series will share tips and provide hands-on demonstrations of the tools for implementing the Zero Trust security model.

Our first two videos are out now:

• Microsoft Mechanics Zero Trust Essentials—An overview of Zero Trust and the six layers of defense.
• Zero Trust Essentials: Identity and Access Management—A deep dive into how Azure AD enables a Zero Trust security model.

Watch our new video series, starting with Microsoft Mechanics Zero Trust Essentials.

Other resources

Here are some of the other resources we’ve put together as a result of our efforts helping customers, managing our own Zero Trust deployment, and listening to all of you:

• For an in-depth look at our latest updates that will help accelerate your Zero Trust journey, check out Vasu Jakkal’s blog, How to secure your hybrid work world with a Zero Trust approach, from earlier this month.
• For technical guidance, visit our Zero Trust Resource Center—A repository of information that provides specific guidance on implementing Zero Trust principles across their identities, endpoints, data, applications, networks, and infrastructure.
• If you’d like to learn from our own Zero Trust deployment journey at Microsoft, our CISO Bret Arsenault and team share their stories at Microsoft Digital Inside Track.
• To hear from leaders who sponsored, guided, and oversaw the adoption of Zero Trust within organizations, check out the Zero Trust Business Plan.
• Learn how to get buy-in for Zero Trust in a recent webcast with Microsoft Corporate Vice President, Microsoft Identity, Alex Simons.
• If you’re into podcasts, please check out Episode 3 of the Strengthen and Streamline Your Security podcast to hear a discussion on the steps leading organizations are taking and get recommendations to reduce your risk and enable employee productivity.
• Lastly, Examining Zero Trust is an executive roundtable discussion with 10 security leaders sharing their own experiences and real-life examples of adopting the fundamentals of Zero Trust.

Learn more

For more information about Microsoft Zero Trust, please visit our website and keep up-to-date with product announcements, technical guidance, planning resources, and more in our Zero Trust blogs.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Resources for accelerating your Zero Trust journey appeared first on Microsoft Security Blog.

In this infographic, we explore how this shift is affecting IT leaders and how Microsoft can help apply threat protection to proactively prevent identity compromise and reduce alert fatigue.

1. There’s been a significant increase in identity-based attacks. As IT leaders rely more heavily on identity in their security strategies, cybercriminals have increased their efforts on this threat vector. And with the shift to remote work in response to COVID-19, we’ve seen a notable number of pandemic-related phishing attacks.
2. IT leaders need more visibility and protection. With the increase in threats, security professionals and admins are being overwhelmed with alerts. IT leaders are looking for more effective ways to manage alerts and better tools to proactively prevent attackers from being able to compromise accounts.
3. Preventing identity compromise is more critical than ever. As IT leaders evolve their security strategies, people increasingly working remotely, and the number of identity-based attacks are rising, it’s vital for organizations to implement real-time, AI-based protections that prevent identity compromise.

Check out the infographic for more details.

If you’re interested in how Microsoft can help, see how Azure Active Directory (Azure AD) Identity Protection and Microsoft 365 Defender use real-time, cloud-based AI to proactively prevent identity compromise. Also check out our Security Unlocked podcast with Data Scientist Lead for Microsoft’s Identity Security and Protection team, Maria Peurtas Calvo, to hear how AI is being used to protect identities inside Microsoft products and services.

Visit our Zero Trust page to stay up-to-date on how the latest Microsoft products, features, and resources that can help you implement Zero Trust principles in your organization.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Why threat protection is critical to your Zero Trust security strategy appeared first on Microsoft Security Blog.

We surveyed IT leaders around the world to determine how they’re using Zero Trust practices to protect their devices and enable access to the corporate network from unsecured devices.

1. More personal devices are accessing corporate resources than ever. In response to the substantial shift to remote work, IT leaders report seeing more of their employees using personal devices to access their networks. As a result, they’re prioritizing device management solutions to improve security and control on personal devices.
2. Devices accessing the network are monitored but often left out of access decisions. While most IT leaders report that they’re monitoring device health and compliance, the majority aren’t currently using that status in their access decision making. Preventing unauthorized and risky devices is critical to protecting corporate data in a modern environment.
3. Personal devices are widely agreed to increase risk exposure. Over 92 percent of IT leaders agree that a proliferation of personal devices is increasing their attack surface area. However, much less say they’re prepared for managing access from unsecured devices.

Check out the infographic for more details.

If you’re looking at how to help prevent devices from being the weakest link in your security strategy, check out our Zero Trust deployment guidance for endpoints.

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post How companies are securing devices with Zero Trust practices appeared first on Microsoft Security Blog.

In this short report, we surveyed IT leaders around the world to determine how they’re implementing Zero Trust practices to protect their identities and ensure their employees have secure access to resources.

1. Most IT leaders are already using Zero Trust practices with their identity management solutions. While the majority of IT leaders have already implemented Zero Trust practices into their identity and access solution, only a monitory have moved on to more advanced controls that utilize automation and AI-based threat analysis.
2. Multi-factor authentication (MFA) and Single Sign-On (SSO) are the most common. Additionally, a majority are analyzing risk before granting access—a critical proactive step to preventing unauthorized access to corporate resources.
3. Identities and devices are the top priority for most organizations. With employees working outside the corporate network and increasingly using personal devices, this is no surprise. However, surprisingly, the majority of IT leaders do not rate identities as the most mature component in their Zero Trust strategy.
4. Zero Trust is still in infancy. Despite substantial growth in Zero Trust efforts over the past twelve months, only one in ten IT leaders report feeling very confident in their Zero Trust identity management roadmap.

Read the full report for more details.

If you’re looking for how to help prevent endpoints from being the weakest link in your security strategy, check out our Zero Trust deployment guidance for identities.

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post How IT leaders are securing identities with Zero Trust appeared first on Microsoft Security Blog.

We are committed to helping customers plan and deploy Zero Trust. Last month, we announced our Zero Trust Deployment Center, a repository of resources to help accelerate the deployment of Zero Trust across data, applications, network, identity, infrastructure, and devices.

This month, we’re excited to share the release of our Zero Trust Business Plan. This document captures lessons learned from leaders who sponsored, guided, and oversaw the adoption of Zero Trust within customers’ organizations. This document will provide guidance across the full lifecycle of your Zero Trust initiative:

• Plan: Build a business case focused on the outcomes that are most closely aligned with your organization’s risks and strategic goals.
• Implement: Create a multi-year strategy for your Zero Trust deployment and prioritize early actions based on business needs.
• Measure: Track the success of your Zero Trust deployment to provide confidence that the implementation of Zero Trust provides measurable improvements.

Other resources

Check out our growing repository of resources ready to help you with Zero Trust—regardless of where you are in your journey. Our Zero Trust assessment tool is a great way to measure your overall maturity and progress to Zero Trust (including your existing capabilities). This new business plan provides a practical guide to implementing a Zero Trust framework. Our Zero Trust deployment guidance provides clear technical implementation guidance. Visit our Zero Trust page to stay up-to-date on how the latest Microsoft products, features, and resources that can help you implement Zero Trust principles in your organization.

Bookmark the Security blog to keep up with our expert coverage on security matters. And follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Building a Zero Trust business plan appeared first on Microsoft Security Blog.

Over the past year, we have been hard at work helping customers navigate these challenges by listening to their difficulties, sharing our own learnings, and building controls, tools, and practices that enable the implementation of Zero Trust. However, one of the things we hear most consistently is the need for additional deployment support.

We are excited to announce the launch of the Zero Trust Deployment Center—a repository of information to improve their Zero Trust readiness as well as specific guidance on implementing Zero Trust principles across their identities, endpoints, data, applications, networks, and infrastructure. The Zero Trust Deployment Center breaks down deployment guidance into plain-language objectives across each of the technology pillars, providing an actionable list of steps needed to implement Zero Trust principles in your environment.

This repository is the perfect place to start planning and deploying your Zero Trust strategy.

Figure 1:  Zero Trust Deployment Center web page.

If you are already well underway in your journey, these objectives will provide a great framework to help measure your progress and ensure you are meeting critical milestones. If you’re interested in measuring your Zero Trust maturity, we’ve also created a Zero Trust assessment tool to help measure your current maturity and identify possible next milestones and priorities along with technologies.

Learn more about Zero Trust and Microsoft Security. Also, bookmark the Security blog to keep up with our expert coverage on security matters. And follow us at @MSFTSecurity for the latest news and updates on cybersecurity. 

The post Announcing the Zero Trust Deployment Center appeared first on Microsoft Security Blog.

Companies found that traditional security models required bringing users and data to ‘safe’ network places, which doesn’t scale and doesn’t provide the needed visibility. Employees are getting their work done any way they can– using personal devices, sharing data through new services, and collaborating outside the confines of traditional protections of the corporate network. Earlier adopters of Zero Trust approaches were able to adapt quickly, but many others instantly faced an expanded attack surface area and new security challenges they were not fully prepared for.

At Microsoft, we have been helping customers navigate these challenges by sharing our learnings and building controls, tools, and practices to enable daily application of Zero Trust principles. We have been focusing on providing organization quick wins that close critical gaps today and laying a strong foundation of Zero Trust expertise and technology to build on in the future.

Today and in my presentation at Blackhat 2020, I’d like to share some insights we’ve learned through this journey to help you with yours:

1. Start with strong authentication

Many customers I meet with share that trying to figure out where to start their Zero Trust journey is a major challenge. I always recommend starting with multi-factor authentication (MFA). Verifying a user’s identity with strong authentication before granting them access to corporate resources is the most effective step to quickly improve security. Our studies have shown that accounts secured with MFA are 99.9% less likely to be compromised. Strong authentication strengthens your overall security posture and minimizes risk, it lays a strong foundation to build on—such as securely connecting employees to apps with single sign-on (SSO) experiences, controlling access to resources with adaptive access policies, and more.

2. Endpoint visibility is critical and getting more challenging

In a Zero Trust security model, we want to have visibility into any and all endpoints accessing the corporate network so we can only allow healthy and compliant devices to access corporate resources. Device security posture and compliance should be used in your access policies to restrict access from vulnerable and compromised devices. This not only helps strengthen security and minimize risk, but also enables you to improve your employees’ productivity by supporting more device types and experiences. In a recent Microsoft study, more than 50% of organizations reported seeing a greater variety of endpoint platforms because of supporting remote work.

3. Apps and data are primary attack surfaces

With employees increasingly accessing corporate data on new devices and collaborating in new ways, most security teams are seeing that their application and data security tools aren’t giving them the visibility and control they need. This de facto expansion of the enterprise attack surface makes it critical to discover the cloud apps in use, assess them for risk, and apply policy controls to ensure that data isn’t leaking through these applications. Finally, make sure the sensitive data in these apps is protected wherever it travels or lives by automatically classifying, labeling, and applying protection to files.

4. Integrated solutions are more critical than ever

CISOs reported in a recent Microsoft study that Threat Protection is now a higher priority for them. With an increasing attack surface area and velocity, integrated threat protection solutions can now share signals across detection, prevention, investigation, and response. While most organizations already use threat protection tools, most don’t share signals or support end-to-end workflows. Because most attacks involve multiple users, endpoints, app, data, and networks, it’s imperative for tools to work together to deliver streamlined experience and end-to-end automation. Look for opportunities to integrate your threat protection solutions to remove manual tasks, process friction, and the morale issues they generate.

5. Zero Trust improves end-user experience

Security leaders are often challenged to balance security and a more streamlined end-user experience. Fortunately, Zero Trust enables both at the same time because security is built around the users and business assets, rather than the other way around. Instead of users signing in multiple times, dealing with VPN bandwidth constraints, and working only from corporate devices, Zero Trust enables users to access their content and apps from virtually any device and location securely.

To listen to my presentation on Zero Trust at Blackhat register here. Check out the Microsoft Zero Trust Maturity Model vision paper (click to download) detailing the core principles of Zero Trust, and our maturity model, which breaks down the top-level requirements across each of the six foundational elements.

We’re also publishing deployment guides for each of the foundational elements.  Read the latest guides for Identities, Devices, and Networking. Look out for additional guides in the Microsoft Security blog.

Learn more about Zero Trust and Microsoft Security.

Also, bookmark the Security blog to keep up with our expert coverage on security matters. And follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Zero Trust: From security option to business imperative overnight appeared first on Microsoft Security Blog.

With such a large influx of employees working remotely, many of the traditional network-based security controls are unable to protect the organization. For many organizations, there are two options: route all remote traffic through a strained legacy network architecture, resulting in poor performance and user productivity; or relax restrictions and risk losing protection, control, and visibility. Many organizations are turning to Zero Trust security framework to better support remote work and manage risk.

The Zero Trust security framework helps organizations effectively meet these challenges by gating access to resources individually using granular access policies that take advantage of dynamic user and device risk signals and other telemetry to make more adaptive access decisions.

Support for your Zero Trust journey

Getting started on your Zero Trust journey can be daunting, but we’re here to help. We’ve created the Microsoft Zero Trust Assessment tool to help you determine where you are in your Zero Trust journey. Our assessment tool will help you assess your readiness across identities, devices, apps, infrastructure, network and data, and then provide go-dos and deployment guidance to help you reach key milestones.

Every company is at a different stage of their Zero Trust journey. Given the current situation with remote work, maybe you are working to unify your identity management to enable single sign-on (SSO), or you are digging into projects like multi-factor authentication (MFA) or desktop virtualization. Maybe identity and device management are your top priorities right now. Every IT leader needs to define the priorities to enable productivity from anywhere across their organization’s workforce depending on the situation. We understand and we’re here to help.

We recently published Microsoft Zero Trust Maturity Model vision paper detailing the core principles of Zero Trust, along with our maturity model, which breaks down the top level requirements across each of the six foundational elements.

Upcoming, we’ll be publishing deployment guides for each of the foundational elements. Look out for additional guides in the Microsoft Security blog.

Learn more about Zero Trust and Microsoft Security.

Also, bookmark the Security blog to keep up with our expert coverage on security matters. And follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Zero Trust framework to enable remote work appeared first on Microsoft Security Blog.

All authenticators are vulnerable

There is a broad range of mechanisms to break authenticators. That doesn’t make all authenticators equally vulnerable. Costs vary massively by attack type, and attacks that preserve anonymity and don’t require proximity to the target are much easier to achieve. Channel-Jacking and Real-Time Phishing are the most dominant ways we see non-password authenticators compromised.

Channel independent, verifier impersonation-resistant authenticator types—such as smartcards, Windows Hello, and FIDO—are incredibly hard to crack. Given an overall strong authentication rate of only about 10 percent, doing any form of MFA takes you out of reach of most attacks. Turn on MFA now and start building a long-term authenticator strategy that relies on “phish proof” authenticators, such as Windows Hello and FIDO.

To learn more, read All your creds are belong to us!

To learn more about how you can protect your time and empower your team, check out the cybersecurity awareness page this month.

The post Your password doesn’t matter—but MFA does! appeared first on Microsoft Security Blog.