Azure Active Directory Archives - Inside Track Blog (How Microsoft does IT)
http://approjects.co.za/?big=insidetrack/blog/tag/azure-active-directory/
Feed generated Wed, 03 Apr 2024 14:34:39 +0000

Using a Zero Trust strategy to secure Microsoft’s network during remote work
http://approjects.co.za/?big=insidetrack/blog/using-a-zero-trust-strategy-to-secure-microsofts-network-during-remote-work/
Wed, 03 Apr 2024 13:59:49 +0000
Category: Microsoft Digital stories

[Editor’s note: This content was written to highlight a particular event or moment in time. Although that moment has passed, we’re republishing it here so you can see what our thinking and experience was like at the time.]

Microsoft’s cloud-first strategy enables most Microsoft employees to directly access applications and services via the internet, but remote workers still use the company’s virtual private network (VPN) to access some corporate resources and applications when they’re outside of the office.

This became increasingly apparent when Microsoft prepared for its employees to work remotely in response to the global pandemic. VPN usage increased by 70 percent, which coincides with the significant spike in users working from home daily.

So then, how is Microsoft ensuring that its employees can securely access the applications they need?

With split tunneling and a Zero Trust security strategy.

As part of the company’s Zero Trust security strategy, employees in Microsoft Digital Employee Experience (MDEE) redesigned the VPN infrastructure by adopting a split-tunneled configuration that further enables the company’s workloads moving to the cloud.

“Adopting split tunneling has ensured that Microsoft employees can access core applications over the internet using Microsoft Azure and Microsoft Office 365,” says Steve Means, a principal cloud network engineering manager in MDEE. “This takes pressure off the VPN and gives employees more bandwidth to do their job securely.”

Eighty percent of remote working traffic flows to cloud endpoints where split tunneling is enabled, but the rest of the work that employees do remotely—which needs to be locked down on the corporate network—still goes through the company’s VPN.

“We need to make sure our VPN infrastructure has the same level of corporate network security as applications in the cloud,” says Carmichael Patton, a principal security architect on Microsoft’s Digital Security and Resilience team. “We’re applying the same Zero Trust principles to our VPN traffic, by applying conditional access to each connection.”

[Learn how Microsoft rebuilt its VPN infrastructure. Learn how Microsoft transitioned to modern access architecture with Zero Trust. Read how Microsoft is approaching Zero Trust Networking.]
For a transcript, please view the video on YouTube: https://www.youtube.com/watch?v=bleFoL0NkVM, select the “More actions” button (three dots icon) below the video, and then select “Show transcript.”

Experts from Microsoft Digital answer frequently asked questions around how VPN, modern device management, and Zero Trust come together to deliver a world class remote work platform.

Securing remote workers with device management and conditional access

Moving most of the work that employees require to the cloud only became possible after the company adopted modern security controls that focus on securing devices.

“We no longer rely solely on the network to manage firewalls,” Patton says. “Instead, each application that an employee uses enforces its own security management—this means employees can only use an app after it verifies the health of their device.”

To support this transformed approach to security, Microsoft adopted a Zero Trust security model, which manages risk and secures working remotely by managing the device an employee uses.

“Before an employee can access an application, they must enroll their device, have relevant security policies, and have their device health validated,” Patton says. “This ensures that only registered devices that comply with company security policies can access corporate resources, which reduces the risk of malware and intruders.”

The team also recommends using a dynamic and scalable authentication mechanism, like Azure Active Directory, to avoid the trouble of certificates.

While most employees rely on our standard VPN infrastructure, Microsoft has specific scenarios that call for additional security when accessing company infrastructure or sensitive data. This is the case for MDEE employees in owner and contributor roles that are configured on a Microsoft Azure subscription as well as employees who make changes to customer-facing production services and systems like firewalls and network gear. To access corporate resources, these employees use Privileged Access Workstations, a dedicated operating system for sensitive tasks, to access a highly secure VPN infrastructure.

Phil Suver, a principal PM manager in MDEE, says working remotely during the global pandemic gives employees a sense of what the Zero Trust experience will be like when they return to the office.

“Hardened local area networks that previously accessed internal applications are a model of the past,” Suver says. “We see split tunneling as a gateway to prepare our workforce for our Zero Trust Networking posture, where user devices are highly protected from vulnerability and employees use the internet for their predominant workload.”

It’s also important to review your VPN infrastructure regularly and keep it up to date.

“When evaluating your VPN configuration, identify the highest compliance risks to your organization and make them the priority for controls, policies, and procedures,” Patton says. “Understand the security controls you give up by not flowing the connections through your internal infrastructure. Then, look at the controls you’re able to extend to the clients themselves, and find the right balance of risk and productivity that fits your organization.”

Keeping your devices up-to-date with split tunneling

Enterprises can also optimize patching and manage update compliance using services like Microsoft Endpoint Manager, Microsoft Intune, and Windows Update for Business. At Microsoft, a split-tunneled VPN configuration allows these services to keep devices current without requiring a VPN tunnel to do it.

“With a split-tunneled configuration, update traffic comes through the internet,” says Mike Carlson, a principal service engineering manager in MDEE. “This improves the user experience for employees by freeing up VPN bandwidth during patch and release cycles.”

At Microsoft, device updates fall into two categories: feature updates and quality updates. Feature updates occur every six months and encompass new operating system features, functionality, and major bug fixes. In contrast, monthly quality updates include security and reliability updates as well as small bug fixes. To balance both user experience and security, Microsoft’s current configuration of Windows Update for Business prompts Microsoft employees to update within 48 hours for quality updates and 7 days for feature updates.

“Not only can Windows Update for Business isolate update traffic from the VPN connection, but it can also provide better compliance management by using the deadline feature to adjust the timing of quality and feature updates,” Carlson says. “We can quickly drive compliance and have more time to focus on employees that may need additional support.”

Evaluating your VPN configuration

When your enterprise evaluates which VPN configuration works best for your company and users, start from the workflows those users actually need.

“Some companies may need a full tunnel configuration, and others might want something cloud-based,” Means says. “If you’re a Microsoft customer, you can work with your sales team to request a customer engagement with a Microsoft expert to better understand our implementation and whether it would work for your enterprise.”

Means also said that it’s important to assess the legal requirements of the countries you operate in, which is done at Microsoft using Azure Traffic Manager. For example, split tunneling may not be the right configuration for countries with tighter controls over how traffic flows within and beyond their borders.

Suver also emphasized the importance of understanding the persona of your workforce, suggesting you should assess the workloads they may need to use remotely and their bandwidth capacity. You should also consider the maximum number of concurrent connections your VPN infrastructure supports and think through potential seasonal disruptions.

“Ensure that you’ve built for a snow day or a pandemic of a global nature,” Suver says. “We’ve had to send thousands of customer support agents to work from home. Typically, they didn’t use VPN to have voice conversations with customers. Because we sized and distributed our infrastructure for a global workforce, we were able to quickly adapt to the dramatic shift in workloads that have come from our employees working from home during the pandemic. Anticipate some of the changes in workflow that might occur, and test for those conditions.”

It’s also important to collect user connection and traffic data in a central location for your VPN infrastructure, to use modern visualization services like Microsoft Power BI to identify hot spots before they happen, and to plan for growth.

Means’s biggest piece of advice?

Focus on what your enterprise needs and go from there.

“Identify what you want to access and what you want to protect,” he says. “Then build to that model.”

Tips for retooling VPN at your company

Azure offers a native, highly scalable VPN gateway, and the Azure Marketplace carries the most common third-party VPN and software-defined wide area network (SD-WAN) virtual appliances.

For more information on these and other Azure and Office network optimizing practices, please see:

Related links

Here are additional resources to learn more about how Microsoft applies networking best practices and supports a Zero Trust security strategy:

Getting to ‘search completeness’ internally at Microsoft
http://approjects.co.za/?big=insidetrack/blog/getting-to-search-completeness-internally-at-microsoft/
Fri, 22 Mar 2024 14:19:56 +0000
Category: Microsoft Digital Perspectives

Microsoft is a big company with thousands of teams working in different ways based on the work they do. Despite that complexity, when our employees go looking for something, they expect an internal search portal that will find exactly what they’re looking for instantly—just like when they search on the internet. Yet when talking to these employees, each of them defines the scope of what they’re looking for quite differently.

  • A developer may want HR info, stack overflow, other technical info specific to their organization, or technical info from places like Microsoft Azure and Microsoft.com.
  • A salesperson may want HR info, customer information from our account management software and support services, or the latest public information about their customers.
Dodd Willingham works on the Digitally Assisted Workday team in Microsoft Digital Employee Experience. His team’s job is to enhance the internal search experience for employees across Microsoft.

This blog explores the challenge of delivering the full scope of content each employee expects to find in search from their subjective view. This is what we call search completeness.

To start on the journey of getting to search completeness, you first must understand your user community:

  • How do they search? Do they use smart phones? Do they use Bing’s Work search tool? Do they use a corporate SharePoint portal? For Microsoft employees, it’s a mix of all of these.
  • Why are they searching? Are they trying to find another person? Are they researching content? Are they trying to find reference material?
  • What are they searching for? What content is most important for your employees to find?

[Read the first blog in our series, making content more accessible and searches more efficient at Microsoft.]

Understanding your user community

Reviewing search term frequency was one of our early steps in understanding our users. Looking at the number of times each search term was used, then looking at a sampling of those search terms made it very clear that the most common searches are for common employee actions, and that less common searches are typically persona specific. The chart below shows this well: high volume search terms that are common across most employees, and low-volume ones that tend to be org- or persona-specific.

Graphic showing that the vast majority of 500,000 searches per month at Microsoft are on a few popular terms like “holidays.”
Reviewing search term frequency was one of our early steps in understanding our users. We found that just a few common terms made up the vast majority of searches. We were able to use that info to improve the results for those top searches. Employees at Microsoft make about 500,000 searches per month.

Sometimes we could easily identify the desired content from these popular search terms, such as searches for specific documents. Microsoft.com and Stack Overflow were also fairly popular.

Next, we realized there was a lot of content that was impossible to identify from search terms. We needed some other way of identifying desired content and found a way via Microsoft Azure Active Directory (AAD).

Using AAD authentication volume, we are able to see the most popular registered apps within the company. Many of these are included in Microsoft Search by default; SharePoint and OneDrive are good examples. Others have their own search capability that meets user expectations and doesn’t need its content included in enterprise search; Outlook is such an example. This left us with a significant volume of highly used apps whose content would be beneficial to add to enterprise search. The chart below gives you a taste of these results.

The most popular apps at Microsoft based on Azure Active Directory usage data, including SharePoint, Outlook, Teams, Dynamics 365, Azure DevOps, and Power BI.
Tapping into the apps that Microsoft employees use the most has helped us prioritize what to add to search first. We used Microsoft Azure Active Directory data to identify the company’s top apps list, and we’re currently adding the top 100 apps to our internal search capability.

Gathering the list of popular apps left us with a challenge of identifying popular content that isn’t defined as an app in AAD. We explored various ways of capturing this information but, so far, have not found any better method than user feedback and surveys.

The result of this work has yielded a “Top 100” list of content we want to add to enterprise search. So how do we go about getting this content added into our search results?

Methods of achieving search completeness

Graphic showing searching for all Microsoft content on premise, in the cloud, and with third parties using bookmarks, crawl and add to index, and federated search.
Our bid to transform internal search at Microsoft aims to include all Microsoft content in our search results.

Microsoft Search provides a number of different methods with which to bring in all the content. Each method has its own strengths and weaknesses, which we’ve summarized in the table below.

Tools, strengths, and weaknesses

Bookmarks and Q&A
  Strengths:
  • Can point at any URL
  • Can be targeted to security groups
  • Easy to maintain
  Weaknesses:
  • Manual effort required by the admin
  • URLs can get out of date without the admin’s knowledge
  • A single URL response is delivered to a discrete list of search terms, which is limiting
Out-of-the-box Microsoft search crawling
  Strengths:
  • Covers everything within OneDrive and SharePoint by default
  • Includes everything in the compliance module
  • Offers lots of methods for addressing old sites, old content, legal retention, etc.
  Weaknesses:
  • There’s lots of content outside of Microsoft 365 that users expect to be included
SharePoint Hybrid Crawler
  Strengths:
  • Will crawl more than 160 different file types
  • Resulting content appears as native results within out-of-the-box Microsoft 365 search
  Weaknesses:
  • Does not support OAuth (Open Authorization), which meant it could only be used for internet-published content
Search connectors
  Strengths:
  • Can extend search crawling to a variety of additional content
  • Enable result display within the “All” vertical as well as custom verticals
  • Support custom filters and result display layout
  • Fully met our security requirements from admin and user ACL (Access Control List) perspectives
  Weaknesses:
  • Does not cover all content
  • Has limited volume for the number of connections allowed and item count supported
Microsoft Graph Custom Connectors
  Strengths:
  • Can be built for any kind of content source
  Weaknesses:
  • Can also hit the limited volume barrier mentioned above
  • Must be created and maintained by our search team
Federated search
  Strengths:
  • Leverages existing search engines in other products so the Microsoft 365 search engine doesn’t have to do it all
  Weaknesses:
  • Limited options available
  • User must be clear in their query or click on a custom vertical to see the results

What we are doing

So now the stage is set, we know the content we want to include, we know the methods available for doing it, we just need to implement the right method in each case.

Tool and how we are using it

Bookmarks and Q&A
  • 1,150 bookmarks are in active use, about half of which point to sites and tools outside of ODSP (OneDrive and SharePoint).
    • About 30 bookmarks are targeted at specific audiences.
    • Our custom telemetry shows bookmarks being clicked in nearly half of all searches, primarily by the “General Employee” persona.
  • Fifteen Q&A are in active use, each one consisting of a small description of a popular subject and 5-10 common links associated with that subject.
Out-of-the-box Microsoft 365 search crawling
  • Corporate policy requires all ODSP content to be crawled. No site should turn off crawling.
  • When that is a problem, custom KQL (Keyword Query Language) is used in the “All” vertical to exclude the appropriate content from visibility while retaining it in the compliance module.
SharePoint Hybrid Crawler
  • Used to crawl internet content that employees search for from within the enterprise, such as learn.microsoft.com.
Search Connectors
  • Eight connections are in production now, some of which include more than one source.
    • MediaWiki, ServiceNow, Website, and Microsoft Azure DevOps work item
  • About 2 million items are indexed.
    • We will grow this to 30 million as soon as product capacity allows.
Microsoft Graph Custom Connectors
  • Two custom connectors are in production. One is specific to a single kind of content, and the other is a generic connector that brings in JSON-formatted content provided by any interested party.
  • The generic connector currently has 10 content providers from across the company.
    • The generic connector includes ACL (Access Control List) fields, so security trimming can be enforced.
Federated Search
  • Federation to our primary Microsoft Dynamics 365 instance has been very popular.
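The ACL fields carried by the generic connector are what make security trimming possible: every indexed item carries a list of grant/deny entries, and a result is shown only to users those entries allow. The Python below is an added illustration, not code from the Microsoft Digital search team or from the Microsoft Graph connector SDK. It models ACL entries in the shape Graph connector external items use (type, value, accessType) and assumes, as its evaluation rule, that any matching deny entry overrides grants and that an item with no matching grant is hidden; the index, users, and group memberships are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample: ACL entries shaped like Microsoft Graph connector
# externalItem ACLs ({"type", "value", "accessType"}). Only "user",
# "group" and "everyone" types are modelled here; "accessType" is
# "grant" or "deny".
@dataclass
class Item:
    item_id: str
    title: str
    acl: list  # list of ACL entry dicts

@dataclass
class Principal:
    user_id: str
    groups: set  # group ids the user belongs to (constructed)

def entry_matches(entry: dict, principal: Principal) -> bool:
    """Return True if this ACL entry applies to the principal."""
    kind = entry["type"]
    if kind == "everyone":
        return True
    if kind == "user":
        return entry["value"] == principal.user_id
    if kind == "group":
        return entry["value"] in principal.groups
    # Unmodelled entry types are treated as non-matching (fail closed).
    return False

def is_visible(item: Item, principal: Principal) -> bool:
    """Assumed rule: any matching deny wins over any grant; with no
    matching grant the item stays hidden (default deny)."""
    granted = False
    for entry in item.acl:
        if not entry_matches(entry, principal):
            continue
        if entry["accessType"] == "deny":
            return False
        if entry["accessType"] == "grant":
            granted = True
    return granted

def trim_results(results, principal):
    """Security-trim a ranked result list: keep order, drop anything the
    principal cannot see, so hidden titles never reach the caller."""
    return [item for item in results if is_visible(item, principal)]

# Constructed index: three items with different ACLs.
INDEX = [
    Item("i1", "Holiday calendar", [
        {"type": "everyone", "value": "", "accessType": "grant"}]),
    Item("i2", "Payroll run checklist", [
        {"type": "group", "value": "g-hr", "accessType": "grant"},
        {"type": "group", "value": "g-contractors", "accessType": "deny"}]),
    Item("i3", "Network gear change plan", [
        {"type": "user", "value": "u-netops-1", "accessType": "grant"}]),
]

def search(query: str, principal: Principal):
    """Naive title match followed by security trimming. Trimming runs
    after matching, so even result counts do not leak hidden items."""
    hits = [i for i in INDEX if query.lower() in i.title.lower()]
    return [i.item_id for i in trim_results(hits, principal)]

if __name__ == "__main__":
    hr_user = Principal("u-hr-1", {"g-hr"})
    contractor_in_hr = Principal("u-c-1", {"g-hr", "g-contractors"})
    print(search("", hr_user))           # ['i1', 'i2']
    print(search("", contractor_in_hr))  # ['i1']
```

The point worth checking in any real connector is the order of operations: trim after matching and before ranking output, and make the deny path short-circuit, so a user who is both in a granted group and a denied group (the contractor above) never sees the item.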

We also use Microsoft Viva Topics and other product capabilities, which will be discussed in a future blog post.

Key Takeaways

At this point, search indexing encompasses 70 percent of the AAD Top Apps list as weighted by usage volume. We expect to reach 80 percent within the next year.

  • The content added through connectors and federated search is receiving 75,000 clicks per month, about 8 percent of our total click volume.
  • These connections have added 10 percent to the admin effort. For more detail, see the previous blog post in this series: Generating great results: Administering search at Microsoft.

We’ve also realized there are occasions where content should not be included in enterprise search but should be included in targeted custom search portals. The same methods described above can typically be used to support such custom portals. Our learning thus far will also be described in a future post.

We see some continuing challenges for which we do not yet have answers:

  1. At some point the administrative and resource overhead associated with adding additional sources of content will outweigh the benefit because we will be getting down to very seldom used content. We don’t know where that boundary is yet.
  2. We need to figure out how to stay in touch with continuing changes across the company, deprecating content when appropriate while adding new content sources when they come up.
  3. We haven’t figured out how to tune search relevance in a manner that works well for each persona.

Please return to this space for future stories in our ongoing series on transforming search completeness here at Microsoft.

Related links

Rethinking software licensing at Microsoft with ServiceNow Software Asset Management
http://approjects.co.za/?big=insidetrack/blog/rethinking-software-licensing-at-microsoft-with-servicenow-software-asset-management/
Wed, 24 Jan 2024 17:00:19 +0000
Category: Microsoft Digital technical stories

In an organization the size of Microsoft, employees need a wide array of tools to accomplish their work. For many, third-party software is part of their toolbox, and that means we need to purchase, organize, and manage software licenses on a massive scale. Robust software asset management is essential for making sure the process is efficient for employees, optimized for license managers, and meets rigorous compliance standards.

Our Software Licensing Service (SLS) is the Microsoft Digital Employee Experience team responsible for software asset management.

“When you think about software asset management, you want to track a license’s lifecycle from requisition through allocation and deployment,” says Patrick Graff, the senior service engineer leading the SLS team. “Then you need to maintain it until you can reclaim it at the end-of-life stage.”

The software asset management lifecycle, including license requisition, allocation, deployment, maintenance, reclamation, and end of life.
Microsoft’s Software Licensing Service is responsible for optimizing licenses and mitigating risk throughout the software asset management lifecycle, including license requisition, allocation, deployment, maintenance, reclamation, and end of life.

If individual departments and employees manage their own software licenses, organizations are open to all kinds of inefficiencies and risks—not to mention a subpar experience for employees who need access to third-party software. Manually tracking the number of licenses enterprise-wide, total spend, and overall software entitlements is incredibly labor-intensive.

Under those fragmented circumstances, how can a procurement department know the total entitlements from a particular vendor? How do they ensure their company maintains the proper enterprise licensing position at scale? Do they know how many unallocated licenses are available? And how do they manage reclamation, reallocation, and rightsizing during renewal and true-up cycles?

SLS wanted an enterprise-level platform that would both streamline the employee experience and optimize license management. So they partnered with Microsoft Procurement and Infrastructure Engineering Services (IES) to implement a unified software catalog.

[Learn about streamlining vendor assessment with ServiceNow VRM at Microsoft. See how Microsoft is Modernizing the support experience with ServiceNow. Read about instrumenting ServiceNow with Azure Monitor.]

A strategic partnership drives software licensing excellence

Since 2015, we’ve used ServiceNow to automate our helpdesk support process. When they introduced their Software Asset Management (SAM) module, it was a natural fit for implementing a centralized software catalog.

“The scope of work and the objective resonated with SLS because they understood the pain points of using disconnected tools,” says Sherif Mazhar, principal product manager for the IES team partnered with SLS. “They were interested in consolidating those tools and gaining the ability to track license usage accurately.”

We started seeing better control, better insights, better reporting, and also better visibility into unused licenses and how we could reassign them.

—Sherif Mazhar, principal product manager, Infrastructure Engineering Services

Thanks to collaboration with ServiceNow engineering teams, ServiceNow features well-tuned, out-of-the-box compatibility with Microsoft technologies. They also maintain an enterprise roadmap to streamline large integrations.

The teams started small with a single license portfolio: Adobe Creative Cloud. Tools like Adobe Photoshop and Premiere Pro are essential for creatives, but many groups had purchased their own licenses on an ad-hoc basis.

Once the Adobe licenses were consolidated into ServiceNow SAM, the team saw rapid results. “The value realization was quick with Adobe,” Mazhar says. “We started seeing better control, better insights, better reporting, and also better visibility into unused licenses and how we could reassign them.”

Within 12 months, the team had cut back excess licenses across Microsoft, resulting in significant savings. With such a successful pilot already showing results, SLS decided to move forward with a more universal ServiceNow SAM implementation.

Implementing ServiceNow Software Asset Management across Microsoft

ServiceNow features several out-of-the box enterprise integrations, but the work of developing one process for license management required extensive collaboration between SLS and IES.

Several different technologies needed to come together to facilitate a unified experience:

  • Microsoft System Center Configuration Manager (SCCM) connectors provide one-directional imports into ServiceNow, bringing relevant data into the ServiceNow instance from an SQL Server database and mapping it to ServiceNow’s SAM database.
  • Microsoft SharePoint grants automatically provisioned access to relevant download files once the software is allocated to the end user.
  • Microsoft Azure Active Directory (AAD) handles identity and access management for software acquisition, enabling single-sign-on (SSO) and multi-factor authentication (MFA) capabilities for cloud-based and SaaS tools.
  • A Microsoft Teams integration for the ServiceNow Virtual Agent helps employees troubleshoot and seek support via chat within a Teams App.

Once the ServiceNow implementation was complete, the team needed to loop the whole project into the existing employee workflow by connecting it with internal procurement and IT portals. SLS ensured that employees felt at home in the new experience by unifying the catalog’s color coding and UI with the portals employees already know how to navigate.

The result is a streamlined experience for employees and a management environment that delivers optimization and compliance.

Mazhar, Bouker, and Graff pose for individual photos that have been combined into a photo collage.
Sherif Mazhar (left) and Tony Bouker (middle) on the Microsoft Digital Employee Experience team are working alongside Patrick Graff and the Software Licensing Service to implement ServiceNow Software Asset Management at Microsoft.

A transformative third-party software licensing experience

When one of our employees wants access to third-party software, they log in to the IT or procurement portal of their choice and navigate to the Unified Software Catalog in ServiceNow. From there, they simply find the software tool they need and submit a request.

If a piece of software requires no extra permissions, the employee can simply requisition it. Otherwise, they fill out a request form, which initiates an automated workflow that manages permissions, their device’s operating system, relevant purchase orders and cost centers, and our entitlements within that software portfolio.

The real power of the tool is that we can set up configurable workflows for different types of products.

—Tony Bouker, senior product manager, Infrastructure Engineering Services

When the license allocation is complete, the end user gets an email with installation instructions. They can then proceed to an automatically provisioned SharePoint folder to download and install the software.

For SaaS tools and cloud-based suites like Adobe Creative Cloud, the team has created another way to access their software. The system adds the employee’s alias to an internal identity group, which grants access through SSO powered by AAD.

“The real power of the tool is that we can set up configurable workflows for different types of products,” says Tony Bouker, senior product manager with IES.

A flowchart representing Microsoft’s integrated ServiceNow Software Asset Management workflow, from user request to installation.
Microsoft’s ServiceNow Software Asset Management integration guides users through license requisitioning, an automated provisioning workflow, and access to the tools they need. (Click on flowchart to view a larger image.)

Efficiency, optimization, and compliance

Microsoft SLS has integrated the software requisitioning process into the Bing search engine. Now, employees can search software titles through Bing, which then points to the Unified Software Catalog.

Employees no longer have to conduct manual, online searches for third-party software or send emails asking for requisitions. Now they simply search in Bing or head directly into the Unified Software Catalog and initiate an automated requisition workflow.

For SLS, the outcomes are about data-driven insights and license consolidation. The team can track Microsoft’s overall licensing position across all third-party software without the need for time-consuming detective work or manual uploads. When the time comes for renewals and true-ups, that visibility is essential.

It also mitigates risk through robust governance and policy by reducing vulnerabilities, data breaches, and license compliance violations.

On a more strategic level, the tool helps SLS optimize our software licensing frameworks for individual providers. For example, if one employee uses several tools within a provider’s toolkit, the team has the data it needs to decide whether it’s more efficient to allocate those licenses individually or as part of an “all-apps” subscription.

On the macro level, it gives us the ability to negotiate volume licenses more accurately, at exactly the level that fulfils our organizational needs. Good data drives informed decision making.

As those optimizations scale, Graff estimates that we’re saving an average of 10 percent across all of our enterprise license positions. For an organization the size of Microsoft, that represents cost savings in the millions.

Beyond Microsoft, this implementation is laying the groundwork for a wide-ranging change in how enterprises manage their third-party software. “If you look at the Microsoft presence in the market, every single customer who’s using our technologies leverages our endpoint management tools for asset management and license tracking,” Mazhar says. “So this will open the door for a lot of opportunity for Microsoft, for ServiceNow, and for our customers.”

Key Takeaways

  • Start small with a targeted publisher and gain early wins to build confidence with stakeholders.
  • Have a close relationship with your partner teams so you can recognize needs and grab opportunities.
  • Build out your key process areas first, and identify workflow patterns you can reuse to scale your software asset management program.
  • Establish policies to make sure the changes you put into effect have teeth.
  • When working with a third-party partner, make sure you have the right connections to ensure you can provide feedback at the right level.
  • Ensure leadership understands your priorities so they can manage those relationships at the highest level.

The post Rethinking software licensing at Microsoft with ServiceNow Software Asset Management appeared first on Inside Track Blog.

Enhancing VPN performance at Microsoft
http://approjects.co.za/?big=insidetrack/blog/enhancing-vpn-performance-at-microsoft/ | Thu, 11 Jan 2024

Microsoft Digital technical stories

Modern workers are increasingly mobile and require the flexibility to get work done outside of the office. Here at Microsoft headquarters in the Puget Sound area of Washington State, every weekday an average of 45,000 to 55,000 Microsoft employees use a virtual private network (VPN) connection to remotely connect to the corporate network. As part of our overall Zero Trust Strategy, we have redesigned our VPN infrastructure, something that has simplified our design and let us consolidate our access points. This has enabled us to increase capacity and reliability, while also reducing reliance on VPN by moving services and applications to the cloud.

Providing a seamless remote access experience

Remote access at Microsoft is reliant on the VPN client, our VPN infrastructure, and public cloud services. We have had several iterative designs of the VPN service inside Microsoft. Regional weather events in the past required large increases in employees working from home, heavily taxing the VPN infrastructure and requiring a completely new design. Three years ago, we built an entirely new VPN infrastructure, a hybrid design, using Microsoft Azure Active Directory (Azure AD) load balancing and identity services with gateway appliances across our global sites.

Key to our success in the remote access experience was our decision to deploy a split-tunneled configuration for the majority of employees. We have migrated nearly 100% of previously on-premises resources into Microsoft Azure and Microsoft Office 365. Our continued efforts in application modernization are reducing the traffic on our private corporate networks as cloud-native architectures allow direct internet connections. The shift to internet-accessible applications and a split-tunneled VPN design has dramatically reduced the load on VPN servers in most areas of the world.

Using VPN profiles to improve the user experience

We use Microsoft Endpoint Manager to manage our domain-joined and Microsoft Azure AD–joined computers and mobile devices that have enrolled in the service. In our configuration, VPN profiles are replicated through Microsoft Intune and applied to enrolled devices; these include certificate issuance that we create in Configuration Manager for Windows 10 devices. We support Mac and Linux device VPN connectivity with a third-party client using SAML-based authentication.

We use certificate-based authentication (public key infrastructure, or PKI) and multi‑factor authentication solutions. When employees first use the Auto-On VPN connection profile, they are prompted to authenticate strongly. Our VPN infrastructure supports Windows Hello for Business and Multi-Factor Authentication. It stores a cryptographically protected certificate upon successful authentication that allows for either persistent or automatic connection.

For more information about how we use Microsoft Intune and Endpoint Manager as part of our device management strategy, see Managing Windows 10 devices with Microsoft Intune.

Configuring and installing VPN connection profiles

We created VPN profiles that contain all the information a device requires to connect to the corporate network, including the supported authentication methods and the VPN gateways that the device should connect to. We created the connection profiles for domain-joined and Microsoft Intune–managed devices using Microsoft Endpoint Manager.

For more information about creating VPN profiles, see VPN profiles in Configuration Manager and How to Create VPN Profiles in Configuration Manager.

The Microsoft Intune custom profile for Intune-managed devices uses Open Mobile Alliance Uniform Resource Identifier (OMA-URI) settings with XML data type, as illustrated below.

Creating a Profile XML and editing the OMA-URI settings to create a connection profile in System Center Configuration Manager.

Installing the VPN connection profile

The VPN connection profile is installed using a script on domain-joined computers running Windows 10, through a policy in Endpoint Manager.
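As an added example (not Microsoft Digital’s own script or profile), the PowerShell below shows what such an installation script pushes through the VPNv2 configuration service provider on a Windows 10 device: a ProfileXML with split tunneling and a few corporate routes, Always On with trusted-network detection, and the device-compliance single sign-on that the connection flow later in this article relies on. The gateway name, route prefixes, DNS suffix and profile name are placeholders, the native IKEv2 profile is an assumption (SSL VPN appliances with a vendor client would use a PluginProfile instead), and the EAP block must be exported from a working connection rather than hand-written.

```powershell
# Added example: install a VPNv2 ProfileXML through the MDM bridge (WMI) on a
# domain-joined Windows 10 device. Run in an elevated PowerShell session.
# All server names, prefixes and DNS suffixes below are placeholders.

$ProfileName        = 'Corp AlwaysOn VPN'
$ProfileNameEscaped = $ProfileName -replace ' ', '%20'

$ProfileXML = @'
<VPNProfile>
  <NativeProfile>
    <!-- Placeholder gateway name; the article fronts real sites with Azure Traffic Manager -->
    <Servers>vpn.example.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <UserMethod>Eap</UserMethod>
      <Eap>
        <Configuration>
          <!-- EAP-TLS (certificate) configuration goes here. Export it from a
               reference connection instead of hand-writing it:
               (Get-VpnConnection -Name 'Reference').EapConfigXmlStream.InnerXml -->
        </Configuration>
      </Eap>
    </Authentication>
    <!-- Split tunnel: only the routes listed below traverse the VPN -->
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>

  <!-- Placeholder corporate prefixes that are sent through the tunnel;
       everything else goes straight to the internet -->
  <Route>
    <Address>10.0.0.0</Address>
    <PrefixSize>8</PrefixSize>
  </Route>
  <Route>
    <Address>172.16.0.0</Address>
    <PrefixSize>12</PrefixSize>
  </Route>

  <!-- Resolve the corporate suffix through the tunnel's DNS servers only -->
  <DomainNameInformation>
    <DomainName>.corp.example.com</DomainName>
    <DnsServers>10.0.0.53</DnsServers>
  </DomainNameInformation>

  <!-- Auto-On: connect without user interaction, except on the office network -->
  <AlwaysOn>true</AlwaysOn>
  <RememberCredentials>true</RememberCredentials>
  <TrustedNetworkDetection>corp.example.com</TrustedNetworkDetection>

  <!-- Conditional Access: the client obtains a short-lived certificate from the
       Azure AD Token Broker and authenticates to the gateway with it -->
  <DeviceCompliance>
    <Enabled>true</Enabled>
    <Sso>
      <Enabled>true</Enabled>
    </Sso>
  </DeviceCompliance>
</VPNProfile>
'@

# The CSP expects the XML escaped inside the ProfileXML node value
$ProfileXML = $ProfileXML -replace '<', '&lt;' -replace '>', '&gt;' -replace '"', '&quot;'

$nodeCSPURI    = './Vendor/MSFT/VPNv2'
$namespaceName = 'root\cimv2\mdm\dmmap'
$className     = 'MDM_VPNv2_01'

$session = New-CimSession

# Delete a stale copy of the same profile first so the script is re-runnable
Get-CimInstance -Namespace $namespaceName -ClassName $className -ErrorAction SilentlyContinue |
    Where-Object { $_.InstanceID -eq $ProfileNameEscaped } |
    ForEach-Object { $session.DeleteInstance($namespaceName, $_) }

$newInstance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespaceName
foreach ($p in @(
    @{ Name = 'ParentID';   Value = $nodeCSPURI;         Kind = 'Key' },
    @{ Name = 'InstanceID'; Value = $ProfileNameEscaped; Kind = 'Key' },
    @{ Name = 'ProfileXML'; Value = $ProfileXML;         Kind = 'Property' }
)) {
    $newInstance.CimInstanceProperties.Add(
        [Microsoft.Management.Infrastructure.CimProperty]::Create($p.Name, $p.Value, 'String', $p.Kind))
}

# CreateInstance hands the XML to the VPNv2 CSP, which creates the connection
$session.CreateInstance($namespaceName, $newInstance) | Out-Null

# Verify: the profile is now visible as an ordinary VPN connection with split tunneling on
Get-VpnConnection -Name $ProfileName | Select-Object Name, ServerAddress, SplitTunneling, ConnectionStatus
```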

For more information about how we use Microsoft Intune as part of our mobile device management strategy, see Mobile device management at Microsoft.

Conditional Access

We use an optional feature that checks the device health and corporate policies before allowing it to connect. Conditional Access is supported with connection profiles, and we’ve started using this feature in our environment.

Rather than relying only on the managed device certificate for a “pass” or “fail” on the VPN connection, Conditional Access places machines in a quarantined state while checking for the latest required security updates and antivirus definitions, to help ensure that the system isn’t introducing risk. On every connection attempt, the system health check looks for a certificate attesting that the device is still compliant with corporate policy.

Certificate and device enrollment

We use an Azure AD certificate for single sign-on to the VPN connection profile, and we currently use Simple Certificate Enrollment Protocol (SCEP) and Network Device Enrollment Service (NDES) to deploy certificates to our mobile devices via Microsoft Endpoint Manager. The SCEP certificate we use serves both wireless and VPN authentication. NDES allows software on routers and other network devices that run without domain credentials to obtain certificates through SCEP.

NDES performs the following functions:

  1. It generates and provides one-time enrollment passwords to administrators.
  2. It submits enrollment requests to the certificate authority (CA).
  3. It retrieves enrolled certificates from the CA and forwards them to the network device.

For more information about deploying NDES, including best practices, see Securing and Hardening Network Device Enrollment Service for Microsoft Intune and System Center Configuration Manager.

VPN client connection flow

The diagram below illustrates the VPN client-side connection flow.

A graphic representation of the client connection workflow. Sections shown are client components, Azure components, and site components.
The client-side VPN connection flow.

When a device-compliance–enabled VPN connection profile is triggered (either manually or automatically):

  1. The VPN client calls into the Windows 10 Azure AD Token Broker on the local device and identifies itself as a VPN client.
  2. The Azure AD Token Broker authenticates to Azure AD and provides it with information about the device trying to connect. A device check is performed by Azure AD to determine whether the device complies with our VPN policies.
  3. If the device is compliant, Azure AD requests a short-lived certificate. If the device isn’t compliant, we perform remediation steps.
  4. Azure AD pushes down a short-lived certificate to the Certificate Store via the Token Broker. The Token Broker then returns control back over to the VPN client for further connection processing.
  5. The VPN client uses the Azure AD–issued certificate to authenticate with the VPN gateway.

Remote access infrastructure

At Microsoft, we have designed and deployed a hybrid infrastructure to provide remote access for all the supported operating systems—using Azure for load balancing and identity services and specialized VPN appliances. We had several considerations when designing the platform:

  • Redundancy. The service needed to be highly resilient so that it could continue to operate if a single appliance, site, or even large region failed.
  • Capacity. As a worldwide service meant to be used by the entire company and to handle the expected growth of VPN, the solution had to be sized with enough capacity to handle 200,000 concurrent VPN sessions.
  • Homogenized site configuration. A standard hardware and configuration stamp was a necessity both for initial deployment and operational simplicity.
  • Central management and monitoring. We ensured end-to-end visibility through centralized data stores and reporting.
  • Azure AD–based authentication. We moved away from on-premises Active Directory and used Azure AD to authenticate and authorize users.
  • Multi-device support. We had to build a service that could be used by as much of the ecosystem as possible, including Windows, OSX, Linux, and appliances.
  • Automation. Being able to programmatically administer the service was critical. It needed to work with existing automation and monitoring tools.

When we were designing the VPN topology, we considered the location of the resources that employees were accessing when they were connected to the corporate network. If most of the connections from employees at a remote site were to resources located in central datacenters, more consideration was given to bandwidth availability and connection health between that remote site and the destination. In some cases, additional network bandwidth infrastructure has been deployed as needed. The illustration below provides an overview of our remote access infrastructure.

VPN infrastructure. Diagram shows the connection from the internet to Azure traffic manager profiles, then to the VPN site.
Microsoft remote access infrastructure.

VPN tunnel types

Our VPN solution provides network transport over Secure Sockets Layer (SSL). The VPN appliances force Transport Layer Security (TLS) 1.2 for SSL session initiation, and the strongest possible cipher suite negotiated is used for the VPN tunnel encryption. We use several tunnel configurations depending on the locations of users and level of security needed.

Split tunneling

Split tunneling allows only the traffic destined for the Microsoft corporate network to be routed through the VPN tunnel; all internet traffic goes directly to the internet without traversing the VPN tunnel or infrastructure. Our migration to Office 365 and Azure has dramatically reduced the need for connections to the corporate network. We rely on the security controls of applications hosted in Azure and services of Office 365 to help secure this traffic. For endpoint protection, we use Microsoft Defender Advanced Threat Protection on all clients. In our VPN connection profile, split tunneling is enabled by default and used by the majority of Microsoft employees. Learn more about Office 365 split tunnel configuration.

Full tunneling

Full tunneling routes and encrypts all traffic through the VPN. There are some countries and business requirements that make full tunneling necessary. This is accomplished by running a distinct VPN configuration on the same infrastructure as the rest of the VPN service. A separate VPN profile is pushed to the clients who require it, and this profile points to the full-tunnel gateways.

Full tunnel with high security

Our IT employees and some developers access company infrastructure or extremely sensitive data. These users are given Privileged Access Workstations, which are secured, limited, and connect to a separate highly controlled infrastructure.

Applying and enforcing policies

In Microsoft Digital, the Conditional Access administrator is responsible for defining the VPN Compliance Policy for domain-joined Windows 10 desktops, including enterprise laptops and tablets, within the Microsoft Azure Portal administrative experience. This policy is then published so that the enforcement of the applied policy can be managed through Microsoft Endpoint Manager. Microsoft Endpoint Manager provides policy enforcement, as well as certificate enrollment and deployment, on behalf of the client device.

For more information about policies, see VPN and Conditional Access.

Early adopters help validate new policies

With every new Windows 10 update, we rolled out a pre-release version to a group of about 15,000 early adopters a few months before its release. Early adopters validated the new credential functionality and used remote access connection scenarios to provide valuable feedback that we could take back to the product development team. Using early adopters helped validate and improve features and functionality, influenced how we prepared for the broader deployment across Microsoft, and helped us prepare support channels for the types of issues that employees might experience.

Measuring service health

We measure many aspects of the VPN service and report on the number of unique users that connect every month, the number of daily users, and the duration of connections. We have invested heavily in telemetry and automation throughout the Microsoft network environment. Telemetry allows for data-driven decisions in making infrastructure investments and identifying potential bandwidth issues ahead of saturation.

Using Power BI to customize operational insight dashboards

Our service health reporting is centralized using Power BI dashboards to display consolidated data views of VPN performance. Data is aggregated into an SQL Azure data warehouse from VPN appliance logging, network device telemetry, and anonymized device performance data. These dashboards, shown in the next two graphics below, are tailored for the teams using them.

A map is shown with icons depicting the status of each VPN site globally. All are in a good state.
Global VPN status dashboard.
Six graphs make up the VPN performance reporting dashboards, including peak internet usage, peak VPN bandwidth, and peak VPN concurrent sessions.
Microsoft Power BI reporting dashboards.

Key Takeaways

With our optimizations in VPN connection profiles and improvements in the infrastructure, we have seen significant benefits:

  • Reduced VPN requirements. By moving to cloud-based services and applications and implementing split tunneling configurations, we have dramatically reduced our reliance on VPN connections for many users at Microsoft.
  • Auto-connection for improved user experience. VPN connection profiles that are automatically configured for connection and authentication types have improved mobile productivity. They also improve the user experience by giving employees the option to stay connected to VPN—without additional interaction after signing in.
  • Increased capacity and reliability. Reducing the quantity of VPN sites and investing in dedicated VPN hardware has increased our capacity and reliability, now supporting over 500,000 simultaneous connections.
  • Service health visibility. By aggregating data sources and building a single pane of glass in Microsoft Power BI, we have visibility into every aspect of the VPN experience.

Using Microsoft Azure AD entitlement management to empower Microsoft employees and protect the company
http://approjects.co.za/?big=insidetrack/blog/using-microsoft-azure-ad-entitlement-management-to-empower-microsoft-employees-and-protect-the-company/ | Thu, 14 Sep 2023

Microsoft Digital stories

Microsoft is leveraging identity governance capabilities in Microsoft Azure AD entitlement management (EM) service to give its employees access to the files and resources they need to do their jobs while preventing them from accessing information they shouldn’t see.

Until recently, those kinds of protections had to be implemented by hand for each individual work project, which resulted in a patchwork experience for employees and managers alike and was a primary driver for support tickets.

Today, this capability is enabled by Microsoft Azure Active Directory (Azure AD) EM, a transition that has centralized access provisioning and governance and has freed up resources for teams across the company.

“By centralizing this functionality into an easy-to-use service, provisioning for a whole ecosystem can be linked to a single, role-based package,” says Lionel Godolphin, a senior software engineer with the Microsoft Federal team in Microsoft Cloud and AI. “Both onboarding—and equally importantly, offboarding—are managed via a single policy with built-in approval processes.”

Integration and the implementation of seamless onboarding and offboarding experiences are challenges for every large and small organization. The way some of these integration services have been envisioned created unnatural barriers, which then require additional provisioning, access, and management. Enterprise organizations face a range of challenges when trying to implement and manage employee access, but Microsoft Azure AD entitlement management can be used to address these challenges.

It’s all about helping everyone involved in a project feel more confident in the work they’re doing.

“It’s important for us to give our employees the freedom they need to do their job while also making sure they don’t get into things that they shouldn’t,” Godolphin says. “This protects them, and it protects the company.”


The Microsoft Federal engineering team worked to build out auto-provisioned access to the resources that employees on the larger Microsoft Federal team need to do their confidential work supporting government agencies. The solution they built helps the team streamline onboarding and offboarding of employees, transforming what was a manual process into a compliant, one-click experience.

[Read about upgrading Microsoft’s core Human Resource system with SAP SuccessFactors. Explore using a Zero Trust strategy to secure Microsoft’s network during remote work. Learn more about onboarding new Microsoft employees with Microsoft Teams while working remotely.]

Getting up to speed, but without all the tickets

When a new team member joins Microsoft Federal, the organization that engineers solutions to empower governments, access must be granted to the user for each system in the environment they need to do their job.

“Imagine you’re new at Microsoft,” Godolphin says. “You’ve got your team, and not only do you have to get access to the sales systems, but you need access to all the sub-systems. They are not only disparate, but there may be different prerequisites—it is not just one provisioning. Jumping through all those hoops to get set up as a new employee is a terrible experience for anyone.”

Ensuring employees are enrolled in the right systems (and unenrolling them at the right time) can be tedious, especially if manual steps must be taken and system access is controlled by multiple teams. Each system might require its own onboarding request, which generates a lot of tickets and can introduce delays. Delays are a problem given the nature of Microsoft Federal’s sensitive tented work.

Microsoft Federal’s sales team, for example, uses a system that requires multiple integration points and tools as part of the overall sales process. From several roles in Microsoft Dynamics 365 to reporting systems to downstream services, each employee on the sales team requires a complementary set of permissions.

To solve this challenge, the Microsoft Federal engineering team developed a solution that leverages Microsoft Azure AD entitlement management to streamline user access provisioning and make it a seamless, secure, and compliant experience. Additionally, with a little effort, Godolphin and his team were able to use Microsoft PowerApps to connect EM to the company human resources system. Thanks to this automated provisioning solution, built on top of the Microsoft Azure AD EM service and driven by each employee’s human resources profile, that same new employee now shows up and has access to the entire sales ecosystem automatically.

Launched in November 2019, Microsoft Azure AD entitlement management is an identity governance feature that enables organizations to manage identity and access lifecycle at scale, by automating access request workflows, access assignments, reviews, and expiration.

Employees in organizations need access to various groups, applications, and sites to perform their job. Managing this access is challenging. As requirements change and new applications are added, users need additional access rights. Similarly, rights need to be added or taken away when new employees join or leave the company. This scenario gets more complicated when you collaborate with outside organizations: you may not know who in the other organization needs access to your organization’s resources, and they won’t know what applications, groups, or sites your organization is using.


Microsoft Azure AD entitlement management can help you efficiently manage access to groups, applications, and Microsoft SharePoint Online sites for internal users, and for users outside your organization who need access to those resources.

For federal services, having a lifecycle policy in place automatically removes users after a predetermined period. In addition, you can comply with Cybersecurity Maturity Model Certification (CMMC) federal guidelines.

“We are the voice of the internal customers. We work with internal customers to understand their access provision pain points and scenarios, and bring requirements and gap analysis to the Azure AD Identity Governance product team and co-develop with them to enable critical Microsoft internal scenarios,” says Jennifer Jiao, principal PM manager working on the project.

An improved experience for everyone

The Microsoft Federal Sales team has a commitment to create an air-gapped and separate space to manage all the sales for the federal government. The impetus for the initiative is to keep and maintain secure data, which builds confidence with government entities while supporting a secure space for discussion and planning for government requirements, with Government Community Cloud (GCC) high security. GCC is a Microsoft cloud computing environment provisioned in Microsoft’s multi-tenant data centers for exclusive use by or for governments and enrolled affiliates.

Key Takeaways

  • Automate the access provisioning process through EM so that employees can request access to multiple resources at once through a single access package, reducing the effort and time it takes them to get the access they need for their job. Onboard and offboard your people quickly to reduce security risk.
  • Leveraging EM for access governance ensures that approval workflows, access expiration and renewal, and auditing are in place to secure Microsoft Federal systems.

Microsoft helps employees work securely from home using a Zero Trust strategy
http://approjects.co.za/?big=insidetrack/blog/microsoft-helps-employees-work-securely-from-home-using-a-zero-trust-strategy/ | Fri, 04 Aug 2023

Microsoft Digital Perspectives

When COVID-19 began its spread across the globe, Microsoft moved quickly to ensure our employees were able to work securely from home. Fortunately, we had a business continuity crisis plan in place that we used to guide our response.

Our ability to respond to the crisis was greatly enhanced by how prepared Microsoft was to have its employees work from home. Having an entire company suddenly shift to remote working comes with its own challenges—it’s a lot more complex than making sure an employee’s laptop and home Wi-Fi are secure.

Jared Spataro, corporate vice president for Microsoft 365, and Nathalie D’Hers, Corporate Vice President of Employee Experience, shared nine things that our larger IT team, Microsoft Digital, is doing to enable remote work at Microsoft. What I found most interesting about their conversation is how many of those nine things tie back to our Zero Trust initiative.

Specifically, our Zero Trust strategy calls for strong identity authentication everywhere by confirming that all our users are validated using multifactor authentication (MFA). It requires that all devices employees use for work are managed and healthy. It accomplishes this by using Microsoft Intune for device management. It also relies on pervasive telemetry to monitor the performance and health of all services, applications, and networks.

Another way to think of Zero Trust is as a requirement for constant verification. Throughout the process, Microsoft continuously monitors all access to corporate services, applications, and network connections.

Our security strategy has been focused on Zero Trust security principles for a while now. The strategy helps us support the vast majority of our employees as they work from home. Our ability to ensure that all of our employees are using MFA and to continuously verify that all devices on our network are managed and healthy has allowed us to accelerate our adoption of our Zero Trust strategy and to move away from a perimeter-based security model.

For most of our users, we’ve been able to move away from using virtual private network (VPN) to access our line of business applications. We have moved most of our line of business (LOB) applications to Microsoft Azure, where they are internet accessible. Applications that we are not able to move to Microsoft Azure are being published with an internet proxy. Finally, we use virtualization via Windows Virtual Desktop to provide our employees, vendors, and guests with the ability to access Microsoft applications in a more constrained environment that restricts movement to other Microsoft resources and network resources.

The result is that our employees can remotely access most of our LOB applications without needing to use VPN. This meant Microsoft was very well positioned when it came time to ask our employees to work from home.

We haven’t finished deploying our Zero Trust vision, but our framework is in place, and that’s helping us successfully support our remote-working employees.

If your company is transitioning its workforce to remote working and you don’t already have these same elements in place, it’s probably overwhelming to think about where to begin. We suggest you start by implementing MFA. If you don’t have the necessary hardware to leverage biometrics, you can start with an app like Microsoft Authenticator. This step is the single best thing you can do to secure your environment.

One of the benefits of our approach to Zero Trust is that it gives each company the ability to align security strategy with the cloud-first strategy that we are seeing in the industry. If you want to know more about our approach, read Using a Zero Trust strategy to secure Microsoft’s network during remote work. You’ll find more content about our Zero Trust strategy by visiting this Transitioning to modern access architecture with Zero Trust content suite and by reading this Implementing a Zero Trust security Model at Microsoft article.

Microsoft’s digital security team answers your Top 10 questions on Zero Trust
http://approjects.co.za/?big=insidetrack/blog/microsofts-digital-security-team-answers-your-top-10-questions-on-zero-trust/ | Tue, 18 Jul 2023

Microsoft Digital Q&A

Our internal digital security team at Microsoft spends a fair amount of time talking to enterprise customers who face similar challenges when it comes to managing and securing a globally complex enterprise using a Zero Trust security model. While every organization is unique, and Zero Trust isn’t a “one size fits all” approach, nearly every CIO, CTO, or CISO that we talk to is curious to learn more about our best practices.

We thought it would be useful to share our answers to the Top 10 Zero Trust questions from customers across the globe.

It’s surprising to us how many companies haven’t embraced multifactor authentication. It’s the first step we took on our Zero Trust journey.

– Mark Skorupa, principal program manager

If you had to pick, what are your top three Zero Trust best practices?

Microsoft’s approach to Zero Trust means we don’t assume any identity or device on our corporate network is secure, we continually verify it.

With that as context, our top three practices revolve around the following:

  • Identities are secured using multifactor authentication (MFA): It’s surprising to us how many companies haven’t embraced multifactor authentication. It’s the first step we took on our Zero Trust journey. Regardless of what solution you decide to implement, adding a second identity check into the process makes it significantly more difficult for bad actors to leverage a compromised identity than passwords alone would.
  • Device(s) are healthy: It’s been crucial that Microsoft can provide employees secure and productive ways to work no matter what device they’re using or where they’re working, especially during remote or hybrid work. However, any devices that access corporate resources must be managed by Microsoft and they must be healthy, meaning, they are running the latest software updates and antivirus software.
  • Telemetry is pervasive: The health of all services and applications must be monitored to ensure proper operation and compliance and enable rapid response when those conditions are not met. Before granting access to corporate resources, identities and devices are continually verified to be secure and compliant. We monitor telemetry looking for signals to identify anomalous patterns. We use telemetry to measure risk reduction and understand the user experience.

For a transcript, please view the video on YouTube: https://www.youtube.com/watch?v=TOrbiC8DGPE, select the “More actions” button (three dots icon) below the video, and then select “Show transcript.”

At Ignite 2020, experts on Microsoft’s digital security team share their lessons learned from implementing a Zero Trust security model at the company.

Does Microsoft require Microsoft Intune enrollment on all personal devices? Can employees use their personal laptops or devices to access corporate resources?

For employees who want access to Microsoft corporate resources from a personal device, we require that devices be enrolled in Microsoft Intune. If they don’t want to enroll their personal device, that’s perfectly fine. They can access corporate resources through the following alternative options:

  • Windows Virtual Desktop allows employees and contingent staff to use a virtual remote desktop to access corporate resources like Microsoft SharePoint or Microsoft Teams from any device.
  • Employees can use Outlook on the web to access their Microsoft Outlook email account from the internet.

How does Microsoft onboard its Internet of Things (IoT) devices under the Zero Trust approach?

IoT is a challenge both for customers and for us.

Internally, Microsoft is working to automate how we secure IoT devices using Zero Trust. In June, the company announced the acquisition of CyberX, which will complement existing Microsoft Azure IoT security capabilities.

We segment our network and isolate IoT devices based on categories, including high-risk devices (such as printers); legacy devices (like digital coffee machines) that may lack the security controls required; and modern devices (such as smart personal assistant devices like an Amazon Echo) with security controls that meet our standards.

How is Microsoft moving away from VPN?

We’ve made good progress in moving away from VPN by migrating legacy, on-premises applications to cloud-based applications. That said, we still have more work to do before we can eliminate VPN for most employees. With the growing need to support remote work, we moved quickly to redesign Microsoft’s VPN infrastructure by adopting a split-tunneled configuration where traffic is directly routed to the applications available in the cloud and through VPN for any legacy applications. The more legacy applications we make available directly from the internet, the less we need VPN.

How do you manage potential data loss?

Everyone at Microsoft is responsible for protecting data, and we have specific scenarios that call for additional security when accessing sensitive data. For example, when an employee needs to make changes to customer-facing production systems like firewalls, they use privileged access workstations, a dedicated operating system for sensitive tasks.

Our employees also use features in Microsoft Information Protection, like the sensitivity button in Microsoft 365 applications to tag and classify documents. Depending on the classification level—even if a document moves out of our environment—it can only be opened by someone that was originally provided access.

How can Zero Trust be used to isolate devices on the network to further reduce an attack surface?

The origins of Zero Trust were focused on micro-segmentation of the network. While Microsoft’s focus extends beyond the physical network and controlling assets regardless of connectivity or location, there is still a strong need for implementing network segmentation within your physical network.

We currently have segmented our network into the configuration shown in the following diagram, and we’re evaluating future segments as the need arises. For more details on our Zero Trust strategy around networking, check out Microsoft’s approach to Zero Trust Networking and supporting Azure technologies.

A diagram of Microsoft policy-based segmentation, which is broken into differentiated devices, identities, and workloads.
Network segmentation is used to isolate certain devices, data, or services from other resources that have direct access.

How do you apply Zero Trust to a workstation where the user is a local admin on the device?

For us, it doesn’t matter what the device or workstation is, or the type of account used—any device that is looking for access to corporate resources needs to be enrolled and managed by Microsoft Intune, our device management service. That said, our long-term vision is to build an environment where standard user accounts have the permission levels to be just as productive as local admin accounts.

How important is it to have Microsoft Azure AD (AAD), even if we have Active Directory (AD) on-premises, for Zero Trust to work in the cloud? Can on-premises Active Directory alone work to implement Zero Trust if we install Microsoft Monitoring Agent (MMA) to it?

Because Microsoft has shifted most of our security infrastructure to the Microsoft Azure cloud, using Microsoft Azure AD Conditional Access is a necessity for us. It automates determining which identities and devices are healthy and secure, and then enforces those device health requirements at the point of access.

Using MMA would get you to some level of parity, but you wouldn’t be able to automate device enforcement. Our recommendation is to create an AAD instance as a replica of your on-premises AD. This allows you to continue using your on-premises AD as the master but still leverage AAD to implement some of the advanced Zero Trust protections.

How do you deal with Zero Trust for guest access scenarios?

When allowing guests to connect to resources or view documents, we use a least-privileged access model. Documents tagged as public are readily accessible, but items tagged as confidential or higher require the user to authenticate and receive a token to open the documents.

We also tag resources like Microsoft SharePoint or Microsoft Teams locations to block guest access capabilities. Regarding network access, we provide a guest wireless service set identifier (SSID) for guests to connect to, which is isolated with internet-only access. Finally, all guest accounts are required to meet our MFA requirements before access is granted.

We hope this guidance is helpful to you no matter what stage of the Zero Trust journey you’re on. As we look to 2021, the key lesson is to have empathy. Understanding where an employee is coming from and being transparent with them about why a policy is shifting or how it may impact them is critical.

– Mark Skorupa, principal program manager

What’s your Zero Trust priority for 2021?

We’re modernizing legacy and on-premises apps to be available directly from the internet. Making these available, even apps with legacy authentication requirements, allows our device management service to apply conditional access, which enforces verification of identities and ensures devices are healthy.

We hope this guidance is helpful to you no matter what stage of the Zero Trust journey you’re on. As we look to the rest of 2021, the lesson our team continues to come back to is the importance of empathy. Understanding where an employee is coming from and being transparent with them about why a policy is shifting or how it may impact them is critical.

Microsoft wasn’t born in the cloud either, so many of the digital security shifts we’re making by taking a Zero Trust approach aren’t familiar to our employees or can be met with hesitancy. We take ringed approaches to everything we roll out, which enables us to pilot, test, and iterate on our solutions based on feedback.

Leading with empathy keeps us focused on making sure employees are productive and efficient, and that they can be stewards of security here at Microsoft and with our customers.


How Microsoft is transforming the way it fights security threats http://approjects.co.za/?big=insidetrack/blog/how-microsoft-is-transforming-the-way-it-fights-security-threats/ Fri, 13 Mar 2020 19:33:38 +0000

Microsoft Digital stories

The Microsoft Digital Security and Resilience (DSR) team is committed to protecting customer and employee data every day. This is underpinned by a Zero Trust strategy, supported by new analysis methods for identity compromise, and reinforced by security training and awareness campaigns.

Bret Arsenault, corporate vice president and chief information security officer at Microsoft, and security experts from his DSR team at Microsoft attended RSAC 2020 to share how they are responding to security challenges, lessons learned, and proven practices that you can use in your organization.

[Learn how Microsoft transitioned to modern access architecture with Zero Trust. Learn how Microsoft implemented a Zero Trust security model.]

Zero Trust for the real world

There are seven billion devices connected to the internet, and 60 percent of organizations have a formal bring-your-own-device (BYOD) program in place.

“The way we work has also changed,” says Nupur Goyal, a Zero Trust product marketing lead at Microsoft. “With the emergence of a mobile workforce, cloud technology, and ubiquitous access to information, it has become more and more challenging to protect corporate data.”

Coined by the security industry, Zero Trust is a modern approach to security that Microsoft and other enterprises are adopting—don’t assume trust, verify it. The Zero Trust security model treats all requests and every access attempt as though they originate from an untrusted network. However, employees should still have a seamless experience when accessing the resources they need without impeding productivity.

“We have to validate an employee’s identity and device health before giving them access to the files they need,” says Carmichael Patton, a principal program manager in DSR. “As threats evolve, we have to pivot to protect customer data.”

Goyal and Patton shared Microsoft’s implementation strategy, which is geared to ensure that data and application access is specific to an employee’s job function. Organization policy is automatically enforced at the time of access and continuously throughout the session when possible. All devices are enrolled and managed in a device management system, and the network access is routed based on the user’s role. Finally, all controls and policies are backed by rich data insights that reduce the risk of unauthorized lateral movement across the corporate network.

[Check out the slide deck from this RSA session about Zero Trust for the real world.]

Cloud-powered compromise blast analysis

Hackers don’t break in—they log in. To combat this, the security operations center (SOC) at Microsoft operates on a massive scale to support 250,000 active users with even more active devices and Azure user accounts.

“When it comes to protecting identity, our people are our biggest asset and our biggest liability based on how they act,” says Sarah Handler, a program manager at Microsoft. “Our goal is to take the systems and tools we have and use them to nudge user behavior in a way that won’t compromise our systems.”

Kristina Laidler, the senior director of Security Operations and Incident Response at Microsoft, has worked with the SOC to protect Microsoft from adversaries. One challenge is the high volume of data and signals. To address this, the SOC team uses machine learning and behavioral analytics to filter billions of events down to approximately 100 cases a day that the SOC team can triage, investigate, and remediate.

“We have to make sure that the SOC team isn’t looking at false positives, and the things getting through are high fidelity,” Laidler says. “We want to work at the speed of attack. We know attackers are moving fast, and we have to work faster.”

Laidler and Handler have also implemented new analysis methods for identity compromise using cloud logs, security information and event management tools, and advanced telemetry. To prevent future identity threats, Laidler also discussed some technical controls for identity protection such as filters to prevent users from creating predictable passwords with seasons, years, or regional sports teams.
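A banned-pattern check of the kind Laidler describes, as an added example that is not Microsoft’s filter. The season list, the constructed regional team list, the leetspeak map and the residual-length threshold are assumptions for this example; it also lets long passphrases that merely contain such a word (for instance "waterfall") through.

```python
"""Added example, not Microsoft's password filter: reject passwords whose
bulk is a season, a year, or a regional sports team name."""
import re

SEASONS = ("spring", "summer", "autumn", "fall", "winter")
# Constructed list for the example; a real deployment would load regional teams.
LOCAL_TEAMS = ("seahawks", "mariners", "sounders", "kraken")
# Common substitutions reversed, so "Summ3r" normalises to "summer".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
# Four-digit years people actually type (1950-2049); assumed range.
YEAR_RE = re.compile(r"(19[5-9]\d|20[0-4]\d)")


def normalise(pw):
    """Lowercase and undo leetspeak so token matching is substitution-proof."""
    return pw.lower().translate(LEET)


def check_password(pw, min_residual=6):
    """Return (accepted, reasons).

    Rejects when predictable tokens are found AND either the password has
    fewer than min_residual characters left after removing them, or it
    combines a word token with a year (the classic 'Summer2020!' shape)."""
    reasons = []
    # Strip years from the raw string first: the leet map would mangle digits.
    stripped = YEAR_RE.sub("", pw)
    has_year = stripped != pw
    if has_year:
        reasons.append("contains a year")
    norm = normalise(stripped)
    word_hits = []
    for word in SEASONS + LOCAL_TEAMS:
        if word in norm:
            word_hits.append(word)
            reasons.append(f"contains '{word}'")
            norm = norm.replace(word, "")
    residual = re.sub(r"[^a-z0-9]", "", norm)
    rejected = bool(reasons) and (
        len(residual) < min_residual or (bool(word_hits) and has_year)
    )
    return (not rejected, reasons if rejected else [])


if __name__ == "__main__":
    for candidate in ("Summer2020!", "Seahawks12", "W1nt3r-Kraken!",
                      "waterfall-orchid-lantern-9", "correct-horse-battery-staple"):
        print(f"{candidate:<30} -> {check_password(candidate)}")
```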

“Using user entity behavioral analytics, we have developed a lot of contextual knowledge about how our users and adversaries act, and we’ve built detections based on those patterns,” Laidler says.

Laidler and Handler also shared their lessons learned. A salient piece of advice is to ask for more from your cloud provider.

“We have such a huge focus on making sure we’re getting feedback and the story from the trenches,” Handler says. “That’s how we build better solutions.”

[Check out the full RSA session on how Microsoft’s Identity Security and Protection team collaborated with Microsoft Digital to implement new blast analysis methods for identity compromise.]

Breaking password dependencies: Challenges in the final mile at Microsoft

Director of Identity Security Alex Weinert and Lee Walker, a principal program manager in DSR Identity and Access, shared the lessons learned from Microsoft’s journey to eliminate passwords and practical guidance to help with yours.

Weinert’s team worked with Walker’s team to eliminate legacy authentication at Microsoft, and they’re currently blocking 1.5 million legacy authentication attempts per day. Getting to this point didn’t happen overnight. The company has been using multi-factor authentication (MFA) using smartcards, phone authorization, Windows Hello for Business, and FIDO2. In 2019, Microsoft required MFA for all employees, but some employees still used legacy authentication. Disabling legacy authentication was a process, and Walker’s team needed to talk to the owners of applications that used legacy authentication, keep 90 days of history to track where owners signed in with legacy authentication, and simulate policies to predict breaking scenarios.

Weinert advised attendees to capture logs of when users sign in, find legacy traffic, and talk to business owners in those organizations.

“You have to figure out what application is behind that sign-in, understand how and why it’s used, and work to replace it or contain it,” Weinert says. “Recognize that your plan will evolve based on these conversations.”
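The triage loop described above (keep a window of sign-in history, find legacy traffic, attribute it to an application owner, simulate the block before enforcing it), as an added example that is not Microsoft’s tooling. The field names ts, user, app, client_app and owner, the set of legacy client types, and the log lines themselves are assumptions constructed for the example, modelled on a simplified sign-in log export.

```python
"""Added example, not Microsoft's own tooling: inventory legacy-authentication
sign-ins by application owner and run a block policy in report-only mode."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Client types that cannot carry a second factor or Conditional Access claims.
# Assumed set for this example; align it with your own log schema.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "IMAP", "POP", "Authenticated SMTP",
    "Exchange Web Services", "Other clients",
}

# Constructed sample sign-in log (JSON lines), not real telemetry.
SAMPLE_LOG = """\
{"ts": "2020-02-01T08:00:00Z", "user": "alice@example.com", "app": "Exchange Online", "client_app": "Browser", "owner": "exchange-team"}
{"ts": "2020-02-03T09:15:00Z", "user": "bob@example.com", "app": "Legacy Mail Relay", "client_app": "Authenticated SMTP", "owner": "facilities"}
{"ts": "2020-02-20T10:30:00Z", "user": "bob@example.com", "app": "Legacy Mail Relay", "client_app": "Authenticated SMTP", "owner": "facilities"}
{"ts": "2020-02-25T11:00:00Z", "user": "carol@example.com", "app": "Old CRM Sync", "client_app": "Exchange Web Services", "owner": "sales-ops"}
{"ts": "2019-10-01T12:00:00Z", "user": "dave@example.com", "app": "Retired Tool", "client_app": "IMAP", "owner": "unknown"}
{"ts": "2020-02-27T13:45:00Z", "user": "erin@example.com", "app": "Teams", "client_app": "Mobile Apps and Desktop clients", "owner": "teams"}
"""


def parse_signins(text):
    """Parse JSON lines into dicts, converting 'ts' to an aware datetime."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        rows.append(rec)
    return rows


def is_legacy(rec):
    return rec["client_app"] in LEGACY_CLIENT_APPS


def legacy_inventory(rows, now, window_days=90):
    """Group legacy sign-ins inside the history window by (owner, app), which
    is the evidence you take to each application owner."""
    cutoff = now - timedelta(days=window_days)
    inv = defaultdict(lambda: {"signins": 0, "users": set(), "last_seen": None})
    for rec in rows:
        if not is_legacy(rec) or rec["ts"] < cutoff:
            continue
        entry = inv[(rec["owner"], rec["app"])]
        entry["signins"] += 1
        entry["users"].add(rec["user"])
        if entry["last_seen"] is None or rec["ts"] > entry["last_seen"]:
            entry["last_seen"] = rec["ts"]
    return dict(inv)


def simulate_block(rows, now, window_days=90, exempt_apps=frozenset()):
    """Report-only evaluation: what a 'block legacy authentication' policy
    would have denied over the window, allowing temporary app exemptions."""
    cutoff = now - timedelta(days=window_days)
    result = {"blocked": 0, "allowed": 0, "affected_users": set()}
    for rec in rows:
        if rec["ts"] < cutoff:
            continue
        if is_legacy(rec) and rec["app"] not in exempt_apps:
            result["blocked"] += 1
            result["affected_users"].add(rec["user"])
        else:
            result["allowed"] += 1
    result["affected_users"] = sorted(result["affected_users"])
    return result


def run_example(now=datetime(2020, 3, 1, tzinfo=timezone.utc)):
    rows = parse_signins(SAMPLE_LOG)
    return {
        "inventory": legacy_inventory(rows, now),
        "simulation": simulate_block(rows, now),
        # Exempt one app whose owner needs more time and re-check the blast radius.
        "simulation_exempt": simulate_block(rows, now, exempt_apps={"Legacy Mail Relay"}),
    }


if __name__ == "__main__":
    out = run_example()
    for (owner, app), e in out["inventory"].items():
        print(f"{owner:<14} {app:<18} signins={e['signins']} "
              f"users={len(e['users'])} last={e['last_seen']:%Y-%m-%d}")
    print("report-only:", out["simulation"])
    print("with exemption:", out["simulation_exempt"])
```

The sign-in from October 2019 falls outside the 90-day window and so never reaches the owner inventory or the simulation.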

Weinert also encouraged attendees to decide not if, but when to start, especially because Microsoft Exchange is removing support for basic authentication in October 2020.

“You don’t need to be faster than the bear, but you don’t want to be the slowest runner either,” Weinert says. “Learn from our painful mistakes. You can flip the switches, but the hard part is the humans.”

[Check out the slide deck from this RSA session on Microsoft’s journey to move away from passwords.]

Microsoft’s security team changes the employee training playbook

All Microsoft employees are accountable for keeping the company’s data and customers safe. Ken Sexsmith, director of Security Education and Awareness in DSR, and his team are changing the way that Microsoft approaches training by making it approachable and fun for employees through enterprise-wide training, behavioral campaigns, and phishing simulations.

“We are on the frontlines of driving digital transformation through behavior and culture change,” Sexsmith says. “We saw an opportunity to take an innovative approach to security training, and we had full support from leadership.”

The team takes a multi-pronged approach to change employee behavior by motivating, reinforcing, and applying behavior changes. Sexsmith’s team does this through awareness campaigns and security training, which strengthen security and privacy best practices.

“Within an hour, you lose 50 percent of the information that you were just told,” Sexsmith says. “Within 24 hours, 70 percent of that information has escaped. As adult learners, we have to continue to reinforce that knowledge.”

For companies or teams who are trying to change their approach to security education, Sexsmith suggests that attendees start by identifying listening systems to understand the biggest risks at the company, and finding engaging ways to communicate them to employees. The team also shares the impact of its training and continues to solicit feedback that informs future versions.


How Microsoft is transforming its approach to security training http://approjects.co.za/?big=insidetrack/blog/how-microsoft-is-transforming-its-approach-to-security-training/ Wed, 19 Feb 2020 17:26:04 +0000

Microsoft Digital stories

In a defining moment, Microsoft employees did the right thing.

Ken Sexsmith recalls waiting quietly outside a conference room for a meeting about a new approach for promoting the annual security training at Microsoft. Earlier that day, his team, which is responsible for enterprise-wide digital security education, training, and awareness, was running a company-wide phishing simulation. While waiting for his meeting, Sexsmith overheard some employees questioning the validity of the phishing email.

One of them recalled a recent training and said, “Maybe we need to report it?”

“It was a lightbulb moment,” says Sexsmith, director of Security Education and Awareness in Microsoft Digital. “It was so encouraging to see how employees started talking about the email and knew precisely what to do. It was a highlight of our year.”

Getting to the point where employees recognize phishing emails did not occur overnight. Although Microsoft’s sophisticated anti-phishing technology helps protect customers and employees from targeted phishing campaigns, Microsoft employees still need to stay one step ahead of evolving security threats. To help them get there, Sexsmith set out to change how employees think and learn about security.

“We are on the frontlines of driving digital transformation through behavior and culture change,” says Sexsmith, who says lessons Microsoft learns internally are shared externally with the company’s customers.

[Learn how Microsoft implemented a Zero Trust security model.]

Sexsmith’s team wants to start a movement where everyone wants to be a part of the company’s security story; their goal is to make security personal and change ingrained behaviors.

“We had to win over the hearts and minds of employees,” Sexsmith says. “We had to flip traditional compliance training on its head to make security more engaging, relatable, and fun, but also emphasize the importance of employees using best practices and being responsible for security.”

Employees seeking out new security training

Sexsmith’s team created an engaging, interactive Security Foundations training that uses real-life examples of security threats that have affected Microsoft employees and teams. The training also features a local well-known actor and podcast host that employees can relate to. In its first year, nearly 63 percent of employees across the company took the training. Some employees thought the training was so great that they asked if they could share it with their family and friends.

“A lot of effort and energy was put into making training a more enjoyable experience while helping people not only build the proper skills, but retain the skills they learned,” says Erin Csonaki, an education and awareness program manager in Microsoft Digital who runs enterprise-wide training.

Coupled with phishing simulations and ongoing digital campaigns that highlight the digital security team’s strategy to keep the company and its data safe, the training helps employees learn about security risks and build skills that they can apply on a day-to-day basis.

Proof that it’s working? The once-optional Security Foundations training is now required for all Microsoft employees. The revamped training received an extremely positive response from employees and even won an external Telly Award.

“Because we had favorable feedback, we’ve gained credibility and can continue to push the envelope around the way we launch training this year,” Csonaki says.

Whether the team is running a highly technical training for engineers or an awareness campaign for Cybersecurity Awareness Month, Csonaki says that it’s important to communicate the relevance of this training in their day-to-day work. For example, the Security Foundations training emphasizes never letting your guard down when handling email, posting on social media, or connecting to a public wireless network.

“A key for us is making it personal,” Sexsmith says. “The same things you do at home to secure your family are the same things you do at Microsoft. Your technology is vulnerable, and it only takes one minute for someone to take control of your device.”

Reinforcing learning year-round

Along with trainings, the team creates employee awareness about what phishing and other security threats could look like and provides guidance on how employees should respond. For example, Sexsmith’s team creates phishing simulations that are based on real, previously reported incidents.

Blythe Price, an education and awareness program manager on Sexsmith’s team, is responsible for the Phishing Education and Awareness program, which exposes employees to the experience of being phished and provides prevention education and reporting guidance.

“If an employee falls for the simulation and enters data or opens an attachment, an education moment is served up,” Price says. “This reinforces the best practices for spotting phishing, which is discussed in the Security Foundations training.”

The phishing scenario also teaches employees how to respond to security risks using the “Report Message” button in Outlook or in Microsoft’s internal security reporting channel.

“If it’s not quick and easy to report, a user may decide it’s not worth their time and abandon ship,” Price says. “You also have to make sure that the reporting mechanisms are where they are meant to be, whether it’s on a desktop or mobile browser.”

Learning moments from simulations and trainings are reinforced through ongoing awareness campaigns that align with events like National Cybersecurity Awareness Month or certain holidays. This ensures that the conversation about security is front and center for employees.

“You don’t have to know everything,” Sexsmith says. “You just have to know when to pause before entering your credentials and ask, ‘Am I moving too fast?’ That’s the change that we’re driving.”

Understanding the culture of an organization

For other teams or organizations interested in changing the way they approach security training, Price suggests evaluating what resonates with employees and adjusting accordingly. Price also attributes her team’s success to their emphasis on the “why” behind each training or awareness campaign. This has helped employees understand the importance of their participation.

“Instead of snapping to a model, it’s important to know the culture,” Price says. “Don’t be afraid to take chances if something isn’t working.”

Regardless of how you educate employees about security, it should be a two-way dialogue.

“It can be challenging, but it’s also a good opportunity to listen to what’s resonating with employees, and balance it with what’s needed from a security perspective,” Price says.

Sexsmith knows that his team’s approach to security training and awareness can’t rest on its laurels.

“I have a vision of continued evolution,” Sexsmith says. “I often challenge people to think differently, and that’s what got us here.”

