![\"Microsoft](\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2021\/10\/ms-digital-technical-stories-300x112.png\")
Today we want to share the lessons we\u2019re learning from deploying Zero Trust networking across Microsoft.<\/p>\nToday we want to share the lessons we\u2019re learning from deploying Zero Trust networking across Microsoft.<\/p>\n
In many enterprises, network security has traditionally focused on strictly secured and monitored corporate network perimeters. Today, in a mobile-first and cloud-first world, business network traffic exists outside the corporate network as much as it does within. The rate and the sophistication level of security attacks are increasing. Organizations can no longer rely on the traditional model of simply protecting their remaining internal environments behind a firewall. Adopting a Zero Trust strategy can help to ensure optimal security without compromising end users\u2019 experiences.<\/p>\n
Our team in Microsoft Digital (MSD) is deploying Zero Trust networking across the enterprise to support the Zero Trust model that our internal security team is implementing across Microsoft.<\/p>\n
The Zero Trust model centers on strong identity, least-privilege access, device health verification, and service level control and telemetry across the entire IT infrastructure. The network perimeter is no longer the primary method of defense for an enterprise.<\/p>\n
At Microsoft\u2019s scale, with more than 600 sites in 120 countries and regions, evolving our network strategy to embrace Zero Trust networking has required alignment across the entire organization.<\/p>\n [Gain insight from Microsoft\u2019s digital security team on Top 10 questions for Zero Trust.<\/a> |\u00a0Read more about sharing how Microsoft protects against ransomware.<\/a><\/em> | <\/em>Unpack the lessons learned in engineering Zero Trust networking.<\/a>]<\/em><\/p>\n Throughout our journey toward Zero Trust networking, we\u2019ve learned valuable lessons. We\u2019ve experienced challenges in the various stages of implementation that forced us to reassess and adjust our tactics and methods. We hope that by sharing our experiences we can help other enterprises better prepare to adopt and implement a Zero Trust networking strategy and overcome similar obstacles.<\/p>\n To read more about the lessons that our engineers have learned from our Zero Trust networking deployment, visit Lessons learned in engineering Zero Trust networking<\/a>.<\/p>\n The impact of implementing Zero Trust networking is significant because of its size and scope. At Microsoft, early and big-picture planning involved all relevant stakeholders, including network teams, security teams, user experience teams, team managers, infrastructure service providers, and compliance auditors. We started with a comprehensive plan and worked toward more specific plans and goals.<\/p>\n We established several primary goals that we used as targets for the implementation process. While each of these considerations involved a finite subset of goals and discrete features that informed the specifics of Zero Trust networking implementation, they also served as high-level signposts to provide the direction that best supported our business. Our primary goals included:<\/p>\n Across any large organization, individual lines of business and departments have varying requirements. We involved leadership at all levels in Microsoft to create transparency, collect information, and gain allies and sponsors for implementing a Zero Trust network. Because we\u2018re also asking our customers to trust us with their critical data and workloads, our cloud offerings and services also must reflect\u2014and support\u2014Zero Trust principles.<\/p>\n We engaged executive leadership and obtained sponsorship as early in the process as possible. Visible leadership support helped drive the project forward. Effective sponsorship helped our teams overcome priority conflicts and other cultural and operational obstacles.<\/p>\n In partnership with our security team, we established governance to bring our leadership together. We addressed roles and responsibilities across teams, ensuring that we documented them. We established intake prioritization standards to ensure that our implementation teams worked on the most important tasks from a business perspective. To set these standards, we examined the business impact and implementation effort for new tasks as they arose by using an agile framework.<\/p>\n We required a broad range of business and technical knowledge across planning and implementation teams. We needed security experts that could reevaluate our network policies and standards across the implementation. We included network experts from various areas, including wired and wireless networks, virtualization and network segmentation, traffic management, quality of service (QoS), and device configuration. Understanding the potential impact on existing network team members was also important. Fortunately, we had already added software engineering expertise to our network engineering teams to drive automation, and Zero Trust accelerated that. We ensured that we placed our experts in planning and decision-making roles, thereby making the best use of our internal intellectual property. Finally, we directed as much of our high-effort, low-impact tasks, including physical infrastructure installation and maintenance, to outsourced providers.<\/p>\n We based our meetings and communications strategy on agile methodology, a collaborative effort of self-organizing and cross-functional teams that could plan and iterate rapidly. Our core teams met briefly and often, while meetings including stakeholders and executive leadership occurred less frequently. We applied governance for how our teams worked together: how often we met, roles and responsibilities, and how we prioritized incoming work and changes to our plans. The following list reflects our meeting structure and frequency:<\/p>\n We created and relied on process-monitoring systems and reporting dashboards to keep all team members informed on project status. We used Microsoft Power BI to build dashboards for teams at all levels, ensuring that each team, leader, stakeholder, or sponsor had an active overview of their relevant area. A partial list of useful dashboards included:<\/p>\n User experience is one of our primary measures for organizational effectiveness across all Microsoft systems. Our users work in diverse locations, regions, and cultures, and a potentially different experience characterizes each location. Reaching out to our users and measuring experience and impact throughout the Zero Trust networking implementation helped us understand and avoid potential issues.<\/p>\n Situational dependencies, such as data-residency laws or telecom-systems capabilities, required us to change implementation plans. It was important to identify these dependencies and anomalies as early as possible in our deployment processes so that we could plan and adapt accordingly.<\/p>\n At Microsoft, a significant portion of our network workloads come from engineering teams with unique user experiences. Software and hardware engineers who build and test software and hardware systems have very different network usage profiles than typical information workers. We reached out early and often to this community to understand their current and future needs and account for them in our deployment flight planning.<\/p>\n Local IT and leadership teams were also instrumental in implementing Zero Trust networking across Microsoft. We relied heavily on local IT staff to supply information about their environment and ensure that our solutions accounted for local functionality limitations and technical considerations. These included network resources inventory, applications, and services required for productivity, and the impact of network traffic and topology changes.<\/p>\n Staff members\u2019 input reduced the engineering workload and increased the overall knowledge base that our engineers had when designing each regional implementation. We used our local and regional teams\u2019 capabilities to collect and supply information. Local staff\u2014including technical, support, and leadership teams in each location\u2014who were informed about and included in the planning and design process helped prevent surprise obstacles. These individuals also served as valuable advocates and advisors when we deployed Zero Trust networking; when our deployment reached their building or region, we had local support to ensure a smooth transition.<\/p>\n Zero Trust networking supports a model that effectively adapts to the complexity of the modern corporate environment. It supports the mobile workforce and protects people, devices, apps, and data regardless of location. In sharing the lessons that we\u2019ve learned so far, we hope to help other enterprises adopt Zero Trust networking effectively and efficiently. As we continue to deploy the Zero Trust model across the Microsoft enterprise, we\u2019re learning from our experience and adapting our approach to achieve our goals.<\/p>\n Today we want to share the lessons we\u2019re learning from deploying Zero Trust networking across Microsoft. In many enterprises, network security has traditionally focused on strictly secured and monitored corporate network perimeters. Today, in a mobile-first and cloud-first world, business network traffic exists outside the corporate network as much as it does within. The rate […]<\/p>\n","protected":false},"author":133,"featured_media":8924,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"_hide_featured_on_single":false,"_show_featured_caption_on_single":true,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[1],"tags":[407,95,430],"coauthors":[646],"class_list":["post-8921","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-enterprise-mobility-and-security","tag-security","tag-vpn","program-microsoft-digital-technical-stories","m-blog-post"],"jetpack_publicize_connections":[],"yoast_head":"\n![\"The](\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2022\/11\/10097_image001.jpg\")
Sharing leadership lessons<\/h2>\n
Planning and design<\/h3>\n
Plan using a broad scope<\/h4>\n
Establish goals<\/h4>\n
\n
Teams and organization<\/h3>\n
Leadership engagement<\/h4>\n
Governance and responsibilities<\/h4>\n
Planning and implementation teams<\/h4>\n
Meetings and communication<\/h3>\n
Meeting cadence and scope<\/h4>\n
\n
\n
\n
\n
\n
Measurement and assessment<\/h4>\n
\n
Deployment and execution<\/h3>\n
User experience assessment<\/h4>\n
Involvement of local support and users<\/h4>\n
![\"Key](\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2021\/10\/key-takeaways-300x74.png\")
<\/p>\n![\"Related](\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2021\/10\/related_links-300x81.png\")
<\/p>\n\n