multi-factor authentication Archives - Inside Track Blog
http://approjects.co.za/?big=insidetrack/blog/tag/multi-factor-authentication/
How Microsoft does IT
Tue, 10 Oct 2023 20:41:48 +0000

Microsoft’s digital security team answers your Top 10 questions on Zero Trust
http://approjects.co.za/?big=insidetrack/blog/microsofts-digital-security-team-answers-your-top-10-questions-on-zero-trust/
Tue, 18 Jul 2023 19:31:58 +0000

The post Microsoft’s digital security team answers your Top 10 questions on Zero Trust appeared first on Inside Track Blog.

Microsoft Digital Q&A

Our internal digital security team at Microsoft spends a fair amount of time talking to enterprise customers who face similar challenges when it comes to managing and securing a globally complex enterprise using a Zero Trust security model. While every organization is unique, and Zero Trust isn’t a “one size fits all” approach, nearly every CIO, CTO, or CISO that we talk to is curious to learn more about our best practices.

We thought it would be useful to share our answers to the Top 10 Zero Trust questions from customers across the globe.

It’s surprising to us how many companies haven’t embraced multifactor authentication. It’s the first step we took on our Zero Trust journey.

– Mark Skorupa, principal program manager

If you had to pick, what are your top three Zero Trust best practices?

Microsoft’s approach to Zero Trust means we don’t assume any identity or device on our corporate network is secure; we continually verify it.

With that as context, our top three practices revolve around the following:

  • Identities are secure using multifactor authentication (MFA): It’s surprising to us how many companies haven’t embraced multifactor authentication. It’s the first step we took on our Zero Trust journey. Regardless of what solution you decide to implement, adding a second identity check into the process makes it significantly more difficult for bad actors to leverage a compromised identity over just passwords alone.
  • Device(s) are healthy: It’s been crucial that Microsoft can provide employees secure and productive ways to work no matter what device they’re using or where they’re working, especially during remote or hybrid work. However, any devices that access corporate resources must be managed by Microsoft and they must be healthy, meaning that they are running the latest software updates and antivirus software.
  • Telemetry is pervasive: The health of all services and applications must be monitored to ensure proper operation and compliance and enable rapid response when those conditions are not met. Before granting access to corporate resources, identities and devices are continually verified to be secure and compliant. We monitor telemetry looking for signals to identify anomalous patterns. We use telemetry to measure risk reduction and understand the user experience.

For a transcript, please view the video on YouTube: https://www.youtube.com/watch?v=TOrbiC8DGPE, select the “More actions” button (three dots icon) below the video, and then select “Show transcript.”

At Ignite 2020, experts on Microsoft’s digital security team share their lessons learned from implementing a Zero Trust security model at the company.

Does Microsoft require Microsoft Intune enrollment on all personal devices? Can employees use their personal laptops or devices to access corporate resources?

For employees who want access to Microsoft corporate resources from a personal device, we require that devices be enrolled in Microsoft Intune. If they don’t want to enroll their personal device, that’s perfectly fine. They can access corporate resources through the following alternative options:

  • Windows Virtual Desktop allows employees and contingent staff to use a virtual remote desktop to access corporate resources like Microsoft SharePoint or Microsoft Teams from any device.
  • Employees can use Outlook on the web to access their Microsoft Outlook email account from the internet.

How does Microsoft onboard its Internet of Things (IoT) devices under the Zero Trust approach?

IoT is a challenge both for customers and for us.

Internally, Microsoft is working to automate how we secure IoT devices using Zero Trust. In June, the company announced the acquisition of CyberX, which will complement existing Microsoft Azure IoT security capabilities.

We segment our network and isolate IoT devices based on categories, including high-risk devices (such as printers); legacy devices (like digital coffee machines) that may lack the security controls required; and modern devices (such as smart personal assistant devices like an Amazon Echo) with security controls that meet our standards.

How is Microsoft moving away from VPN?

We’ve made good progress in moving away from VPN by migrating legacy, on-premises applications to cloud-based applications. That said, we still have more work to do before we can eliminate VPN for most employees. With the growing need to support remote work, we moved quickly to redesign Microsoft’s VPN infrastructure by adopting a split-tunneled configuration where traffic is directly routed to the applications available in the cloud and through VPN for any legacy applications. The more legacy applications we make available directly from the internet, the less we need VPN.

How do you manage potential data loss?

Everyone at Microsoft is responsible for protecting data, and we have specific scenarios that call for additional security when accessing sensitive data. For example, when an employee needs to make changes to customer-facing production systems like firewalls, they use privileged access workstations, a dedicated operating system for sensitive tasks.

Our employees also use features in Microsoft Information Protection, like the sensitivity button in Microsoft 365 applications to tag and classify documents. Depending on the classification level—even if a document moves out of our environment—it can only be opened by someone that was originally provided access.

How can Zero Trust be used to isolate devices on the network to further reduce an attack surface?

The origins of Zero Trust were focused on micro-segmentation of the network. While Microsoft’s focus extends beyond the physical network and controlling assets regardless of connectivity or location, there is still a strong need for implementing network segmentation within your physical network.

We currently have segmented our network into the configuration shown in the following diagram, and we’re evaluating future segments as the need arises. For more details on our Zero Trust strategy around networking, check out Microsoft’s approach to Zero Trust Networking and supporting Azure technologies.

A diagram of Microsoft policy-based segmentation, which is broken into differentiated devices, identities, and workloads.
Network segmentation is used to isolate certain devices, data, or services from other resources that have direct access.

How do you apply Zero Trust to a workstation where the user is a local admin on the device?

For us, it doesn’t matter what the device or workstation is, or the type of account used—any device that is looking for access to corporate resources needs to be enrolled and managed by Microsoft Intune, our device management service. That said, our long-term vision is to build an environment where standard user accounts have the permission levels to be just as productive as local admin accounts.

How important is it to have Microsoft Azure AD (AAD), even if we have Active Directory (AD) on-premises, for Zero Trust to work in the cloud? Can on-premises Active Directory alone work to implement Zero Trust if we install Microsoft Monitoring Agent (MMA) to it?

Because Microsoft has shifted most of our security infrastructure to the Microsoft Azure cloud, using Microsoft Azure AD Conditional Access is a necessity for us. It automates the process of determining which identities and devices are healthy and secure, and then enforces that device health requirement at the point of access.

Using MMA would get you to some level of parity, but you wouldn’t be able to automate device enforcement. Our recommendation is to create an AAD instance as a replica of your on-premises AD. This allows you to continue using your on-premises AD as the master but still leverage AAD to implement some of the advanced Zero Trust protections.

How do you deal with Zero Trust for guest access scenarios?

When allowing guests to connect to resources or view documents, we use a least-privileged access model. Documents tagged as public are readily accessible, but items tagged as confidential or higher require the user to authenticate and receive a token to open the documents.

We also tag resources like Microsoft SharePoint or Microsoft Teams locations to block guest access. For network access, we provide a guest wireless service set identifier (SSID) for guests to connect to, which is isolated and has internet-only access. Finally, all guest accounts are required to meet our MFA requirements before access is granted.
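To make the verification model described in these answers concrete (an MFA-verified identity, a managed and healthy device, and least-privilege handling of guests according to how a resource is tagged), here is a small policy evaluator that re-checks every request rather than trusting the network it arrived from. It is an added example written for this page, not Microsoft’s Conditional Access engine or any of its code: the dataclasses, the 30-day patch threshold, the `via_hosted_session` flag standing in for the Windows Virtual Desktop and Outlook on the web paths, the rule that guests are checked on MFA and resource tagging rather than device health, and the sample identities and resources are all constructed assumptions.

```python
"""Toy Zero Trust access evaluator: every request re-checks identity, device health
and resource sensitivity instead of trusting the network it arrived from.
Added example; the rules, thresholds and sample data are assumptions, not Microsoft's policy."""
from dataclasses import dataclass, field
from typing import List, Optional

MAX_PATCH_AGE_DAYS = 30          # assumption: "latest updates" means patched within 30 days
SENSITIVITY_RANK = {"public": 0, "internal": 1, "confidential": 2}


@dataclass
class Identity:
    upn: str
    mfa_verified: bool           # second factor completed for this session
    is_guest: bool = False
    risk_level: str = "low"      # sign-in risk from telemetry: low / medium / high


@dataclass
class Device:
    managed: bool = False        # enrolled in the device management service
    patch_age_days: int = 999    # days since the last OS/security update
    antivirus_current: bool = False


@dataclass
class Resource:
    name: str
    sensitivity: str             # public / internal / confidential
    guest_access_allowed: bool = True   # the "blocks guest access" tag, inverted


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def device_is_healthy(device: Device) -> bool:
    """Managed, recently patched, and running current antivirus."""
    return (device.managed
            and device.patch_age_days <= MAX_PATCH_AGE_DAYS
            and device.antivirus_current)


def evaluate(identity: Identity, device: Optional[Device], resource: Resource,
             via_hosted_session: bool = False) -> Decision:
    """Decide one access request; every non-public resource is re-verified on each call.

    via_hosted_session models a broker path (virtual desktop, web mail) where the
    corporate data never lands on the local device, so the client's health is not
    the gate. Guests reach only explicitly shared, guest-enabled resources through
    an authenticated token, so device health is not evaluated for them (assumption).
    """
    rank = SENSITIVITY_RANK[resource.sensitivity]
    if rank == SENSITIVITY_RANK["public"]:
        return Decision(True, ["public resource: no verification required"])

    reasons = []
    if not identity.mfa_verified:
        reasons.append("MFA not satisfied")
    if identity.risk_level == "high":
        reasons.append("sign-in risk is high")
    if identity.is_guest and not resource.guest_access_allowed:
        reasons.append("guest access not permitted for this resource")
    if (not identity.is_guest and not via_hosted_session
            and (device is None or not device_is_healthy(device))):
        reasons.append("device is unmanaged or not healthy")

    if reasons:
        return Decision(False, reasons)
    return Decision(True, ["identity verified, device healthy, sensitivity policy met"])


if __name__ == "__main__":
    # Constructed sample data.
    alice = Identity("alice@example.com", mfa_verified=True)
    guest = Identity("guest@partner.example", mfa_verified=True, is_guest=True)
    corp_laptop = Device(managed=True, patch_age_days=5, antivirus_current=True)
    personal_pc = Device(managed=False)
    payroll = Resource("payroll-site", "confidential", guest_access_allowed=False)
    for who, dev, res, hosted in [(alice, corp_laptop, payroll, False),
                                  (alice, personal_pc, payroll, False),
                                  (alice, personal_pc, payroll, True),
                                  (guest, None, payroll, True)]:
        d = evaluate(who, dev, res, via_hosted_session=hosted)
        print(f"{who.upn} -> {res.name}: {'ALLOW' if d.allowed else 'DENY'} {d.reasons}")
```

The point of the structure is that the decision function has no notion of "inside" or "outside" the network: the same checks run for a corporate laptop in the office and a personal PC at home, and the only way an unmanaged device reaches confidential data is through a hosted session where the device is not the thing being trusted.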

We hope this guidance is helpful to you no matter what stage of the Zero Trust journey you’re on. As we look to 2021, the key lesson is to have empathy. Understanding where an employee is coming from and being transparent with them about why a policy is shifting or how it may impact them is critical.

– Mark Skorupa, principal program manager

What’s your Zero Trust priority for 2021?

We’re modernizing legacy and on-premises apps to be available directly from the internet. Making these available, even apps with legacy authentication requirements, allows our device management service to apply conditional access, which enforces verification of identities and ensures devices are healthy.

We hope this guidance is helpful to you no matter what stage of the Zero Trust journey you’re on. As we look to the rest of 2021, the lesson our team keeps coming back to is the importance of empathy. Understanding where an employee is coming from and being transparent with them about why a policy is shifting or how it may impact them is critical.

Microsoft wasn’t born in the cloud either, so many of the digital security shifts we’re making by taking a Zero Trust approach aren’t familiar to our employees or can be met with hesitancy. We take ringed approaches to everything we roll out, which enables us to pilot, test, and iterate on our solutions based on feedback.

Leading with empathy keeps us focused on making sure employees are productive and efficient, and that they can be stewards of security here at Microsoft and with our customers.

How Microsoft is transforming the way it fights security threats
http://approjects.co.za/?big=insidetrack/blog/how-microsoft-is-transforming-the-way-it-fights-security-threats/
Fri, 13 Mar 2020 19:33:38 +0000

The post How Microsoft is transforming the way it fights security threats appeared first on Inside Track Blog.

Microsoft Digital stories

The Microsoft Digital Security and Resilience (DSR) team is committed to protecting customer and employee data every day. This is underpinned by a Zero Trust strategy, supported by new analysis methods for identity compromise, and reinforced by security training and awareness campaigns.

Bret Arsenault, corporate vice president and chief information security officer at Microsoft, and security experts from his DSR team at Microsoft attended RSAC 2020 to share how they are responding to security challenges, lessons learned, and proven practices that you can use in your organization.

[Learn how Microsoft transitioned to modern access architecture with Zero Trust. Learn how Microsoft implemented a Zero Trust security model.]

Zero Trust for the real world

There are seven billion devices connected to the internet, and 60 percent of organizations have a formal bring-your-own-device (BYOD) program in place.

“The way we work has also changed,” says Nupur Goyal, a Zero Trust product marketing lead at Microsoft. “With the emergence of a mobile workforce, cloud technology, and ubiquitous access to information, it has become more and more challenging to protect corporate data.”

Coined by the security industry, Zero Trust is a modern approach to security that Microsoft and other enterprises are adopting—don’t assume trust, verify it. The Zero Trust security model treats all requests and every access attempt as though they originate from an untrusted network. However, employees should still have a seamless experience when accessing the resources they need without impeding productivity.

“We have to validate an employee’s identity and device health before giving them access to the files they need,” says Carmichael Patton, a principal program manager in DSR. “As threats evolve, we have to pivot to protect customer data.”

Goyal and Patton shared Microsoft’s implementation strategy, which is geared to ensure that data and application access is specific to an employee’s job function. Organization policy is automatically enforced at the time of access and continuously throughout the session when possible. All devices are enrolled and managed in a device management system, and the network access is routed based on the user’s role. Finally, all controls and policies are backed by rich data insights that reduce the risk of unauthorized lateral movement across the corporate network.

[Check out the slide deck from this RSA session about Zero Trust for the real world.]

Cloud-powered compromise blast analysis

Hackers don’t break in—they log in. To combat this, the security operations center (SOC) at Microsoft operates on a massive scale to support 250,000 active users with even more active devices and Azure user accounts.

“When it comes to protecting identity, our people are our biggest asset and our biggest liability based on how they act,” says Sarah Handler, a program manager at Microsoft. “Our goal is to take the systems and tools we have and use them to nudge user behavior in a way that won’t compromise our systems.”

Kristina Laidler, the senior director of Security Operations and Incident Response at Microsoft, has worked with the SOC to protect Microsoft from adversaries. One challenge is the high volume of data and signals. To address this, the SOC team filters billions of events using machine learning and behavioral analytics to approximately 100 cases a day that the SOC team can triage, investigate, and remediate.

“We have to make sure that the SOC team isn’t looking at false positives, and the things getting through are high fidelity,” Laidler says. “We want to work at the speed of attack. We know attackers are moving fast, and we have to work faster.”

Laidler and Handler have also implemented new analysis methods for identity compromise using cloud logs, security information and event management tools, and advanced telemetry. To prevent future identity threats, Laidler also discussed some technical controls for identity protection such as filters to prevent users from creating predictable passwords with seasons, years, or regional sports teams.
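The predictable-password filter Laidler mentions can be implemented as a deny-list check that normalizes the common digit-for-letter substitutions before matching, so that "Wint3r2019" is caught along with "Winter2019". The following is an added example written for this page, not the control Microsoft runs: the season list, the placeholder regional team names, the substitution table, the year window and the 12-character minimum are all assumptions, and the candidate passwords are constructed.

```python
"""Deny-list filter for predictable passwords (seasons, years, regional team names).
Added example; the word lists, substitution table and thresholds are assumptions."""
import re

SEASONS = {"spring", "summer", "autumn", "fall", "winter"}
# Placeholder team names; populate with the teams people in your regions actually use.
REGIONAL_TEAMS = {"seahawks", "mariners", "sounders", "kraken"}
MIN_LENGTH = 12

# Undo the common digit/symbol-for-letter substitutions so "Wint3r" matches "winter".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Lowercase and reverse leetspeak substitutions for word matching."""
    return password.lower().translate(LEET)


def contains_year(password: str, current_year: int) -> bool:
    """True for a plausible four-digit year or a recent two-digit year suffix ("Summer20")."""
    for match in re.finditer(r"\d{4}", password):
        if current_year - 50 <= int(match.group()) <= current_year + 1:
            return True
    suffix = re.search(r"(\d{2})$", password)
    recent = {year % 100 for year in range(current_year - 3, current_year + 2)}
    return bool(suffix) and int(suffix.group(1)) in recent


def check_password(password: str, current_year: int) -> list:
    """Return the reasons a password is rejected; an empty list means it passes."""
    reasons = []
    normalized = normalize(password)
    for season in sorted(SEASONS):
        if season in normalized:
            reasons.append(f"contains season '{season}'")
    for team in sorted(REGIONAL_TEAMS):
        if team in normalized:
            reasons.append(f"contains team name '{team}'")
    if contains_year(password, current_year):
        reasons.append("contains a year")
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    return reasons


if __name__ == "__main__":
    # Constructed sample candidates, evaluated as of a fixed year for reproducibility.
    for candidate in ["Summer2020!", "G0Seahawks!!", "Wint3r-Blast-2019",
                      "correct horse battery staple"]:
        verdict = check_password(candidate, current_year=2020)
        print(f"{candidate!r}: {'rejected ' + str(verdict) if verdict else 'accepted'}")
```

Substring matching is deliberately aggressive (a passphrase containing "waterfall" is rejected for "fall"); for a password filter that is the right trade-off, because the cost of a false rejection is one more attempt by the user, while a missed pattern is a credential an attacker can guess.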

“Using user entity behavioral analytics, we have developed a lot of contextual knowledge about how our users and adversaries act, and we’ve built detections based on those patterns,” Laidler says.

Laidler and Handler also shared their lessons learned. A salient piece of advice is to ask for more from your cloud provider.

“We have such a huge focus on making sure we’re getting feedback and the story from the trenches,” Handler says. “That’s how we build better solutions.”

[Check out the full RSA session on how Microsoft’s Identity Security and Protection team collaborated with Microsoft Digital to implement new blast analysis methods for identity compromise.]

Breaking password dependencies: Challenges in the final mile at Microsoft

Director of Identity Security Alex Weinert and Lee Walker, a principal program manager in DSR Identity and Access, shared the lessons learned of Microsoft’s journey to eliminate passwords and practical guidance to help with yours.

Weinert’s team worked with Walker’s team to eliminate legacy authentication at Microsoft, and they’re currently blocking 1.5 million legacy authentication attempts per day. Getting to this point didn’t happen overnight. The company has been using multi-factor authentication (MFA) through smartcards, phone authentication, Windows Hello for Business, and FIDO2. In 2019, Microsoft required MFA for all employees, but some employees still used legacy authentication. Disabling legacy authentication was a process: Walker’s team needed to talk to the owners of applications that used legacy authentication, keep 90 days of history to track where owners signed in with legacy authentication, and simulate policies to predict breaking scenarios.

Weinert advised attendees to capture logs of when users sign in, find legacy traffic, and talk to business owners in those organizations.

“You have to figure out what application is behind that sign-in, understand how and why it’s used, and work to replace it or contain it,” Weinert says. “Recognize that your plan will evolve based on these conversations.”
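The steps Walker and Weinert describe (capture sign-in logs, keep 90 days of history, find the legacy traffic, attribute it to an application owner, and simulate the blocking policy before enforcing it) can be scripted over exported sign-in records. The block below is an added example written for this page, not Microsoft’s tooling: the record fields follow the Microsoft Entra sign-in log naming as an assumption, the `LEGACY_CLIENTS` set, the `APP_OWNERS` directory and the JSON-lines sample log are constructed, and `AS_OF` pins the evaluation date so the sample is reproducible.

```python
"""Find legacy-authentication sign-ins in an exported sign-in log, attribute them to
application owners, and simulate a 'block legacy auth' policy in report-only mode.
Added example; field names, client lists and sample data are assumptions."""
import json
from datetime import datetime, timedelta, timezone

# clientAppUsed values treated as legacy (non-modern) authentication.
# Assumption: names follow Microsoft Entra sign-in log conventions; adjust to what
# your identity provider actually emits.
LEGACY_CLIENTS = {
    "Exchange ActiveSync", "IMAP4", "POP3", "SMTP", "Authenticated SMTP",
    "Exchange Web Services", "Outlook Anywhere (RPC over HTTP)", "Other clients",
}

# Hypothetical owner directory: application name -> business owner to talk to.
APP_OWNERS = {"Payroll Sync": "finance-apps@example.com",
              "Copier Scan-to-Mail": "facilities@example.com"}

# Fixed evaluation date so the sample below is reproducible.
AS_OF = datetime(2020, 2, 15, tzinfo=timezone.utc)

# Constructed sample records (JSON lines), not real log data.
SAMPLE_LOG = """\
{"createdDateTime": "2020-02-10T08:01:00Z", "userPrincipalName": "alice@example.com", "appDisplayName": "Payroll Sync", "clientAppUsed": "IMAP4", "ipAddress": "203.0.113.10"}
{"createdDateTime": "2020-02-11T09:15:00Z", "userPrincipalName": "bob@example.com", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Browser", "ipAddress": "198.51.100.7"}
{"createdDateTime": "2020-02-12T10:20:00Z", "userPrincipalName": "svc-scanner@example.com", "appDisplayName": "Copier Scan-to-Mail", "clientAppUsed": "Authenticated SMTP", "ipAddress": "192.0.2.44"}
{"createdDateTime": "2019-10-01T07:00:00Z", "userPrincipalName": "carol@example.com", "appDisplayName": "Payroll Sync", "clientAppUsed": "IMAP4", "ipAddress": "203.0.113.10"}
{"createdDateTime": "2020-02-13T11:00:00Z", "userPrincipalName": "alice@example.com", "appDisplayName": "Payroll Sync", "clientAppUsed": "IMAP4", "ipAddress": "203.0.113.10"}
{"createdDateTime": "2020-02-14T12:30:00Z", "userPrincipalName": "dave@example.com", "appDisplayName": "Outlook", "clientAppUsed": "Mobile Apps and Desktop clients", "ipAddress": "198.51.100.9"}
"""


def parse_signins(text):
    """Parse JSON-lines sign-in records, adding a timezone-aware 'ts' field."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def legacy_report(records, now, history_days=90):
    """Group legacy-auth sign-ins inside the history window by application.

    Returns {app: {"owner", "count", "users", "clients"}}: one entry per
    conversation to have with an application owner.
    """
    cutoff = now - timedelta(days=history_days)
    report = {}
    for rec in records:
        if rec["clientAppUsed"] not in LEGACY_CLIENTS or rec["ts"] < cutoff:
            continue
        entry = report.setdefault(rec["appDisplayName"], {
            "owner": APP_OWNERS.get(rec["appDisplayName"], "UNKNOWN-OWNER"),
            "count": 0, "users": set(), "clients": set()})
        entry["count"] += 1
        entry["users"].add(rec["userPrincipalName"])
        entry["clients"].add(rec["clientAppUsed"])
    return report


def simulate_block_policy(records, now, history_days=90):
    """Report-only simulation: what a 'block legacy auth' policy would have denied."""
    cutoff = now - timedelta(days=history_days)
    in_window = [r for r in records if r["ts"] >= cutoff]
    blocked = [r for r in in_window if r["clientAppUsed"] in LEGACY_CLIENTS]
    return {"evaluated": len(in_window), "would_block": len(blocked),
            "affected_users": sorted({r["userPrincipalName"] for r in blocked})}


if __name__ == "__main__":
    recs = parse_signins(SAMPLE_LOG)
    for app, info in legacy_report(recs, AS_OF).items():
        print(f"{app}: {info['count']} legacy sign-ins by {sorted(info['users'])} "
              f"via {sorted(info['clients'])}; contact {info['owner']}")
    print(simulate_block_policy(recs, AS_OF))
```

Two things the report surfaces that a raw count does not: an application with an unknown owner (the conversation that has to happen before the switch is flipped), and service accounts such as a scan-to-mail copier that will silently break when basic authentication is disabled. The 90-day window also drops the stale October record, matching the history retention the team describes.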

Weinert also encouraged attendees to decide not if, but when to start, especially because Microsoft Exchange is removing support for basic authentication in October 2020.

“You don’t need to be faster than the bear, but you don’t want to be the slowest runner either,” Weinert says. “Learn from our painful mistakes. You can flip the switches, but the hard part is the humans.”

[Check out the slide deck from this RSA session on Microsoft’s journey to move away from passwords.]

Microsoft’s security team changes the employee training playbook

All Microsoft employees are accountable for keeping the company’s data and customers safe. Ken Sexsmith, director of Security Education and Awareness in DSR, and his team are changing the way that Microsoft approaches training by making it approachable and fun for employees through enterprise-wide training, behavioral campaigns, and phishing simulations.

“We are on the frontlines of driving digital transformation through behavior and culture change,” Sexsmith says. “We saw an opportunity to take an innovative approach to security training, and we had full support from leadership.”

The team takes a multi-pronged approach to change employee behavior by motivating, reinforcing, and applying behavior changes. Sexsmith’s team does this through awareness campaigns and security training, which strengthen security and privacy best practices.

“Within an hour, you lose 50 percent of the information that you were just told,” Sexsmith says. “Within 24 hours, 70 percent of that information has escaped. As adult learners, we have to continue to reinforce that knowledge.”

For companies or teams that are trying to change their approach to security education, Sexsmith suggests starting by identifying listening systems to understand the biggest risks at the company, then finding engaging ways to communicate them to employees. The team has also been sharing the impact of its training and continues to solicit feedback that informs future versions.
