What we learned when putting in Zero Trust at Microsoft


July 6, 2023
Microsoft Australia

Zero Trust is a timely approach to address the cyber security challenges originating from the rise in remote working, the proliferation of personal devices, and obsolete physical security perimeters.

The Zero Trust cyber security model is based on the principle of “never trust, always verify”. In a cyber security architecture based on Zero Trust, no user (person, device, or application) is trusted by default, whether the user is on the corporate network or remote. Every user request for access to resources is treated as a potential cyber security breach. Any access privileges are minimised to “just enough access” to satisfy the user’s request. In addition, in the Zero Trust model, there is continual adjustment of security to changes in the digital landscape.

In this series of digital events we show you how the principles of Zero Trust with a risk-based, step-by-step approach and associated cyber security tools can help you effectively protect your entire digital estate (on-premises and in the cloud) in today’s hybrid work environment.

Want to find out how we’ve been implementing Zero Trust internally at Microsoft? Our experts are ready to share approaches, lessons learnt, and best practices. Some of them may surprise you, but like you, our actions are intended to optimise cybersecurity for our company and our people. And while Microsoft has a comprehensive range of solutions, we recognise that a site isn’t always greenfield, and a user still needs to be productive as well as secure. Find out how we accommodate both, to make Zero Trust work the way it was intended.

Eat your own dogfood!

Or if you prefer, practice what you preach. At Microsoft, we design and implement Zero Trust strategies for our customers. We have also been applying the Zero Trust model to ourselves. It’s a great way to discover and share tips and best practices, as well as to improve Microsoft solutions.

Many of our own employees are working remotely and using the cloud, making a change to identity-based security mandatory. Rather than simply specifying a product or a technology, we look first for the most effective cybersecurity solutions available. Of course, it doesn’t hurt that independent experts consistently cite Microsoft in that category!

Zero Trust must have user acceptance

Technical excellence is only one part of a successful Zero Trust strategy. We’re also attentive to our users. By focusing on the “who, why, what, where, when, and how” from their perspective, we’re building a robust Zero Trust architecture that they appreciate.

Who

We started with a persona of an information worker in mind. This person handles information, using tools like Microsoft Office apps and perhaps business intelligence tools, but isn’t an IT administrator or a developer. Afterwards, we expanded our target audience to bring in administrators with privileged access workstations, and we are now working to include developers.

Why

It’s important that our employees accept the move to Zero Trust working. When they understand why they need to use multifactor authentication to connect each day, appreciation and acceptance grow. A key message is the need to protect data in an uncertain world. Not just Microsoft internal data, but also customer data from our marketing, accounting, billing, and other systems.

What

Microsoft employees use Windows machines, but also iOS, Android, macOS, and Linux. We deploy the Zero Trust model accordingly. The three basic rules of “never trust, always verify”, “assume there’s a breach”, and limiting access to JIT and JEA (just-in-time and just-enough access) apply equally to all.

Where

We aim to offer our users a choice of destinations that depends on their identity, their device, and the service they want to access. Company devices with maximum security and digital health get the most options. People can also enrol their personal devices in our mobile device management system. For unenrolled personal devices, we still offer a limited web-based experience.

When

How fast you go depends on your needs, goals, and users. We learned to be more parsimonious with policies and to stop hitting the system’s maximum number of policies (it happened). When rolling out iOS and Android conditional access policies, we even called a halt to work out what our goals really were. Address the bigger vulnerabilities faster, but also phase your implementation as appropriate.

How

For users who aren’t achieving compliance, we don’t want to just show them a big stop sign. Our aim is to guide them to compliance: inform them about getting their device enrolled and about bringing its digital health up to the levels that satisfy the access controls. We’re always looking for a good balance between security and productivity.
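To make the tiered destinations described under “Where” and the guide-to-compliance stance under “How” concrete, here is an added example of a conditional access decision function. It is illustrative code written for this article, not Microsoft’s own implementation; the MANAGED tier for enrolled, healthy personal devices and the treatment of unhealthy corporate devices as web-only are assumptions, since the text does not spell those cases out.

```python
from dataclasses import dataclass, field
from enum import Enum


class Access(Enum):
    FULL = "full"          # all destinations, native apps (healthy corporate device)
    MANAGED = "managed"    # assumed tier: enrolled, healthy personal device
    WEB_ONLY = "web-only"  # the limited browser-based experience
    BLOCK = "block"        # identity not verified


@dataclass(frozen=True)
class Device:
    corporate: bool   # company-owned rather than personal
    enrolled: bool    # registered in mobile device management
    healthy: bool     # meets the digital-health bar the access controls require


@dataclass(frozen=True)
class Request:
    user: str
    mfa_verified: bool
    device: Device
    service: str      # the one resource asked for; access is scoped to it (just-enough access)


@dataclass
class Decision:
    access: Access
    scope: tuple[str, ...] = ()                          # services granted, never more than requested
    remediation: list[str] = field(default_factory=list)  # guidance instead of a stop sign


def evaluate(req: Request) -> Decision:
    """Run on every request: nothing is trusted because it was trusted last time."""
    if not req.mfa_verified:
        return Decision(Access.BLOCK, (), ["Complete multifactor authentication to continue."])
    d = req.device
    if d.corporate and d.enrolled and d.healthy:
        return Decision(Access.FULL, (req.service,))
    steps = []
    if not d.enrolled:
        steps.append("Enrol this device in mobile device management to unlock native apps.")
    if not d.healthy:
        steps.append("Bring the device up to the required health level (updates, compliance).")
    if d.enrolled and d.healthy:
        # Assumption: an enrolled, healthy personal device gets native apps for the requested service.
        return Decision(Access.MANAGED, (req.service,))
    # Unenrolled or unhealthy: limited web experience for this service, plus the path to compliance.
    return Decision(Access.WEB_ONLY, (req.service,), steps)
```

Each decision carries the remediation steps alongside the access tier, so the same evaluation that limits a session can also tell the user exactly what would lift the limit.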
This post was written by Microsoft Australia