Archive for the ‘Zero Trust’ Category

Identity at Microsoft Ignite: Strengthening Zero Trust defenses in the era of hybrid work

March 2nd, 2021

We’re now a year into our new reality, and two trends stand out. First, people need even more flexibility as we work, learn, and collaborate in a world without perimeters. And second, bad actors are getting even more sophisticated. They’re adding new attack vectors and combining them in new creative ways, as we just saw with Solorigate.

In January, I shared our top five identity priorities for 2021 to help you strengthen security and accelerate your transition to the new hybrid work era. More than ever, organizations need to strengthen their defenses to give employees, partners, and customers the flexibility to work from anywhere using apps that live inside and outside the traditional corporate network perimeter. That’s why Zero Trust, a security strategy that combines maximum flexibility with maximum security, is so crucial.

For IT pros and security professionals, the implementation of Zero Trust should be simple and straightforward. For users, it should never get in the way, and it should fit into familiar workflows and habits. This week, on the virtual Microsoft Ignite stage, I’m announcing several Azure Active Directory (Azure AD) innovations that will help make life easier for you and your employees now—and help you stay prepared for whatever comes next.

Give your employees a secure and seamless user experience

As part of our commitment to making security as seamless as possible, passwordless authentication is now generally available for organizations to deploy at scale. Your IT admins, employees, and partners can benefit from increased security and simplicity. We’ve made it easy to roll out passwordless at scale with expanded policies that define which authentication methods specific users or groups can use. New reporting capabilities allow you to see the usage and adoption of passwordless authentication methods across your organization. To help you simplify and secure remote access, we’ve also released the preview of Temporary Access Pass, a time-limited code used to set up and recover a passwordless credential.

Azure AD Temporary Access Pass

Microsoft already has more than 200 million passwordless users across our consumer and enterprise services. We’re excited to see even more customers adopting passwordless each day. Axiata Group is the first company in Southeast Asia to eliminate passwords for their employees. They went passwordless using Windows Hello for Business and the Microsoft Authenticator app. Abid Adam, group chief risk and compliance officer at Axiata Group said, “Rather than make their lives miserable with long passwords that create risk for the organization, we turned to biometrics. Now with Windows Hello, security is baked into our ecosystem, and we have better access to information with greater barriers to bad actors. It’s a win-win for our security team, our employees, and the company.” Similarly, in Europe, Umeå municipality wanted to strengthen security and eliminate the use of passwords. With help from Onevinn and Yubico partners, they were able to roll out their first passwordless deployment in less than 10 days. Watch my interview on Microsoft Mechanics to see passwordless in action.

Going passwordless not only simplifies the user experience but also strengthens your security posture. And thanks to Azure AD Conditional Access, you no longer need to request multifactor authentication every time someone accesses an app that touches sensitive data. Instead, you can step up authentication based on what the user is trying to do within the app—for example, downloading a highly confidential document. With Azure AD Conditional Access authentication context, now in preview, you can move away from one-size-fits-all security and adopt more granular policies that protect resources with the right level of controls based on user actions or the data they are trying to access.

Azure AD Conditional Access authentication context


  • General availability of passwordless authentication.
  • Preview of Temporary Access Pass.
  • Preview of Azure AD Conditional Access authentication context.

Secure access to all apps

Most of you manage multi-cloud environments. Your developers are building apps that are distributed across Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform. They need to sign in to each cloud with only one set of credentials. So that you can quickly configure single-sign-on (SSO) and user provisioning, we’re constantly expanding the Azure AD app gallery with as many pre-integrations as possible—even with our competitors.

AWS Single Sign-On app is now pre-integrated with Azure AD and available in the app gallery. This integration lets you connect Azure AD to AWS SSO, a cloud-based service that simplifies SSO access across multiple AWS accounts and resources. You can centralize management of user access to AWS, while your employees can gain access using their Azure AD credentials.

AWS SSO pre-integrated with Azure AD

During the past year, many organizations have relied on our Azure AD App Proxy service to help employees secure remote access to on-premises apps. Usage grew more than 100 percent last year, helping organizations move away from VPN solutions. Today, we’re adding two new features to help you get the most out of App Proxy. First, native support for header-based authentication with App Proxy is now generally available. Second, traffic optimization by region for App Proxy is now in preview. This feature lets you designate which region your App Proxy connector group should use, so you can select the same region as your apps, which reduces latency and improves performance.

Azure AD App Proxy support for header-based authentication apps

To protect your legacy, on-premises applications, we’re expanding the list of our secure hybrid access partnerships to include Datawiza, Perimeter 81, Silverfort, and Strata. In addition to connecting your on-premises apps, partners like Datawiza, Strata, and Silverfort can help you discover and prioritize apps and resources to migrate to Azure AD. “Silverfort is thrilled to be able to collaborate with Azure AD to enable unified secure access to legacy, on-premises apps, and resources,” said Ron Rasin, vice president of product and strategic alliances at Silverfort. “Identity has become the primary security control plane making it critical that organizations can discover, prioritize, and migrate the apps and resources to a central identity solution like Azure AD.”

Solorigate taught us that in many cases, cloud environments are more secure than on-premises. To strengthen your defenses, it’s critical to minimize your on-premises footprint and manage all your apps from the cloud. The process of discovering applications across different environments and prioritizing them for cloud modernization can be daunting, however. To make it easier, we’re announcing the general availability of Active Directory Federation Services (AD FS) activity and insights report. This report assesses all AD FS applications for compatibility with Azure AD, checks for any issues, and provides guidance on preparing individual applications for migration to Azure AD.

AD FS activity and insights report


  • AWS Single Sign-On now available in Azure AD app gallery.
  • General availability of AD FS activity and insights report.
  • New secure hybrid access partnerships with Datawiza, Perimeter 81, Silverfort, and Strata.
  • General availability of Azure AD App Proxy support for header-based authentication apps.
  • Preview of Azure AD App Proxy support for traffic optimization by region.

Secure your customers and partners

A strong Zero Trust approach requires that we treat access requests from customers, partners, and vendors just like requests from employees: verify every request, allow users to access the data they need only when they need it, and don’t let guests overstay their welcome. With Azure AD, you can apply consistent access policies to all types of external users.

Generally available starting this month, Azure AD External Identities is a set of capabilities for securing and managing identity and access for customers and partners. Self-service sign-up user flows in Azure AD apps make it easy to create, manage, and customize onboarding experiences for external users, with little to no application code. You can integrate support for sign-in using Google and Facebook IDs and extend the flow with powerful API connectors. Using Azure AD Identity Protection, you can protect your business-to-business (B2B) and business-to-consumer (B2C) apps and users with adaptive, machine learning–driven security.

Azure AD External Identities admin portal and user experience

With automated guest access reviews for Microsoft Teams and Microsoft 365 groups, now generally available, Azure AD will prompt you to review and update access permissions for all guests added to new or existing Teams or groups on a regular schedule. The process of cleaning up access to sensitive resources that your guest users no longer need will become less manual—and less neglected.


  • General availability of Azure AD External Identities.
  • General availability of Azure AD access reviews for all guests in Teams and Microsoft 365 groups.

The future of identity is bright

While 2020 was a challenging year, we have much to look forward to in 2021, with innovations that will deliver more security, transparency, and privacy for users. Last Microsoft Ignite, I talked about verifiable credentials and our commitment to empowering every person to own their own identity thanks to decentralized identifiers. I’m happy to share that Azure AD verifiable credentials is entering preview in just a few weeks. Developers will get an SDK, with quick-start guides, for building apps that request and verify credentials, just like they do with usernames and passwords. I’m also excited to announce that we are partnering with some of the leading ID verification partners—Acuant, Au10tix, Idemia, Jumio, Socure, Onfido, Vu Security—to improve verifiability and secure information exchange.

Verifiable credentials let organizations confirm information about someone—like their education and professional certifications—without collecting and storing their personal data. This will revolutionize the way we grant permissions to access our information. Organizations will be able to issue digital versions of a variety of credentials such as physical badges, loyalty cards, and government-issued paper documents based on open standards. Because the digital information is verified by a known party, it’s more trustworthy, and verification will only take minutes instead of days or weeks.

Azure AD verifiable credentials

Individuals get more control over what information they share with whom, and they can restrict access to that shared information at any time. They only have to verify a credential once to use it everywhere. To manage their credentials, they can use the Microsoft Authenticator app and other wallet apps that support open standards, such as the pilot application built by Keio University for their students.


  • Preview of Azure AD verifiable credentials.

And finally, I’m happy to share that we’re releasing a new Microsoft Identity and Access Administrator Certification, which you can find at the Microsoft Security Resources portal. This training helps admins design, implement, and operate Azure AD as the organization’s security control plane.


  • Release of the Microsoft Identity and Access Administrator Certification.

The new features announced at Microsoft Ignite will make it easier to provide seamless user experiences in the hybrid workplace and to strengthen your defenses against attacks that are increasingly sophisticated. As you try these new tools, please send us your feedback so we can continue to build advancements that help you keep your employees secure, connected, and productive.

Let’s make 2021 the Year of Passwordless!

To see these features in action when I take the Microsoft Ignite stage tomorrow, register for free at Microsoft Ignite and watch my session starting at 5 PM Pacific Time. Follow Microsoft Identity at @AzureAD on Twitter for more news and best practices.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security Blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Identity at Microsoft Ignite: Strengthening Zero Trust defenses in the era of hybrid work appeared first on Microsoft Security.

4 ways Microsoft is delivering security for all in a Zero Trust world

March 2nd, 2021

If there’s one thing the dawning of 2021 has shown, it’s that security isn’t getting any easier. Recent high-profile breach activity has underscored the growing sophistication of today’s threat actors and the complexity of managing business risk in an increasingly connected world. It’s a struggle for organizations of every size and for the public and private sector alike. As we move into this next phase of digital transformation, with technology increasingly woven into our most basic human activities, the questions that we as security defenders must ask ourselves are these: How do we help people to have confidence in the security of their devices, their data, and their actions online? How do we protect people, so they have peace of mind and are empowered to innovate and grow their future? How do we foster trust in a Zero Trust world?

As defenders ourselves, we are passionate proponents of a Zero Trust mindset, encompassing all types of threats—both outside in and inside out. We believe the right approach is to address security, compliance, identity, and device management as an interdependent whole and to extend protection to all data, devices, identities, platforms, and clouds—whether those things are from Microsoft or not.

You may have heard us talk about our commitment to security for all, and that’s at the heart of it. We are deeply inspired to empower people everywhere to do the important work of defending their communities and their organizations in an ever-evolving threat landscape.

With that approach in mind, today I’m excited to share several additional innovations across four key areas with you—identity, security, compliance, and skilling—to give you the holistic security protection you need to meet today’s most challenging security demands.

1. Identity: The starting point of a Zero Trust approach

Adopting a Zero Trust strategy is a journey. Every single step you take will make you more secure. In today’s world, with disappearing corporate network perimeters, identity is your first line of defense. While your Zero Trust journey will be unique, if you are wondering where to start, our recommendation is to start with a strong cloud identity foundation. The most fundamental steps like strong authentication, protecting user credentials, and protecting devices are the most essential.

Today we are announcing new ways that Azure Active Directory (Azure AD), the cloud identity solution of choice for more than 425 million users, can help you on your Zero Trust journey:

  • Passwordless authentication, which eliminates one of the weakest links in security today, is now generally available for cloud and hybrid environments. Now you can create end-to-end experiences for all employees, so they no longer need passwords to sign in to the network. Instead, Azure AD now lets them sign in with biometrics or a tap using Windows Hello for Business, the Microsoft Authenticator app, or a compatible FIDO2 security key from Microsoft Intelligent Security Association partners such as Yubico, Feitian, and AuthenTrend. With Temporary Access Pass, now in preview, you can generate a time-limited code to set up or recover a passwordless credential.
  • Azure AD Conditional Access, the policy engine at the heart of our Zero Trust solution, now uses authentication context to enforce even more granular policies based on user actions within the app they are using or sensitivity of data they are trying to access. This helps you appropriately protect important information without unduly restricting access to less sensitive content.
  • Azure AD verifiable credentials is entering preview in just a few weeks. Verifiable credentials let organizations confirm information—like their education or the professional certifications someone provides—without collecting and storing their personal data, thereby improving security and privacy. In addition, new partnerships integrating Azure AD verifiable credentials with leading identity verification providers like Onfido, Socure, and others will improve verifiability and secure information exchange. Customers such as Keio University, the government of Flanders, and the National Health Service in the UK are already piloting verifiable credentials.

Learn more about our Azure AD announcements in today’s blog post by Joy Chik.

2. Security: Simplifying the “assume breach” toolset

In today’s landscape, your security approach should start with the key Zero Trust principle of assume breach. But too often, complexity and fragmentation stand in the way. It is our commitment to helping you solve this, as we build security for all, delivered from the cloud.

This begins with integrated solutions that let you focus on what matters and deliver visibility across all your platforms and all your clouds. Some vendors deliver endpoint or email protection, while others deliver Security Information and Event Management (SIEM) tools, and integrating those pieces together can be a time-consuming challenge. Microsoft takes a holistic approach that combines best-of-breed SIEM and extended detection and response (XDR) tools built from the ground up in the cloud to improve your posture, protection, and response. This gives you the best-of-breed combined with the best-of-integration so you don’t have to compromise.

Today we are making the following announcements to simplify the experience for defenders with modern and integrated capabilities:

  • Microsoft Defender for Endpoint and Defender for Office 365 customers can now investigate and remediate threats from the Microsoft 365 Defender portal. It provides unified alerts, user and investigation pages for deep, automated analysis and simple visualization, and a new Learning Hub where customers can leverage instructional resources with best practices and how-tos.
  • Incidents, schema, and user experiences are now common between Microsoft 365 Defender and Azure Sentinel. We also continue to expand connectors for Azure Sentinel and work to simplify data ingestion and automation.
  • The new Threat Analytics provides a set of reports from expert Microsoft security researchers that help you understand, prevent, and mitigate active threats, like the Solorigate attacks, directly within Microsoft 365 Defender.
  • We are bringing Secured-core to Windows Server and edge devices to help minimize risk from firmware vulnerabilities and advanced malware in IoT and hybrid cloud environments.

Learn more about our threat protection announcements in today’s blog post by Rob Lefferts and Eric Doerr. Learn more about our Secured-core announcements in today’s blog post by David Weston. You can also learn more about new security features in Microsoft Teams in today’s blog post by Jared Spataro.

Today’s announcements continue, and strengthen, our commitment to deliver best-of-breed protection, detection, and response for all clouds and all platforms with solutions like Defender for Endpoint—a leader in the Gartner Magic Quadrant, available for Android, iOS, macOS, Linux, and Windows; and Azure Sentinel—which looks across your multi-cloud environments, including AWS, Google Cloud Platform, Salesforce service cloud, VMware, and Cisco Umbrella.

3. Compliance: Protection from the inside out

At Microsoft, we think of Zero Trust as not only the practice of protecting against outside-in threats, but also protecting from the inside out. For us, addressing the area of compliance includes managing risks related to data.

And that isn’t just the data stored in the Microsoft cloud, but across the breadth of clouds and platforms you use. We’ve invested in creating that inside-out protection by extending our capabilities to third parties to help you reduce risk across your entire digital estate.

Today we are announcing these new innovations in compliance:

  • Co-authoring of documents protected with Microsoft Information Protection. This enables multiple users to work simultaneously on protected documents while taking advantage of the intelligent, unified, and extensible protection for documents and emails across Microsoft 365 apps.
  • Microsoft 365 Insider Risk Management Analytics, which can identify potential insider risk activity within an organization and help inform policy configurations. With one click, customers can have the system run a daily scan of their tenant audit logs, including historical activity, and leverage Microsoft 365’s Insider Risk Management machine learning engine to identify potential risky activity with privacy built-in by design.
  • Microsoft 365 now offers data loss prevention (DLP) for Chrome browsers and on-premises server-based environments such as file shares and SharePoint Server.
  • Azure Purview is integrated with Microsoft Information Protection, enabling you to apply the same sensitivity labels defined in Microsoft 365 Compliance Center to data residing in other clouds or on-premises. With Azure Purview, a unified data governance solution for on-premises, multi-cloud, and software as a service (SaaS) data, you can scan and classify data residing in AWS Simple Storage Services (S3), SAP ECC, SAP S4/HANA, and Oracle Database.

Learn more about our compliance announcements in today’s blog post by Alym Rayani.

4. Skilling: Power your future through security skilling

We know that many of you continue to struggle to fill the security skills gap with an estimated shortfall of 3.5 million security professionals by 2021. That’s why we strive to ensure you have the skilling and learning resources you need to keep up in our world of complex cybersecurity attacks. We are excited to announce two different ways Microsoft is supporting skilling cybersecurity professionals.

First, Microsoft has four new security, compliance, and identity certifications tailored to your roles and needs, regardless of where you are in your skilling journey. To learn more about these new certifications, please visit our resource page for Microsoft Certifications.

  • Security, Compliance, and Identity Fundamentals certification will help individuals get familiar with the fundamentals of security, compliance, and identity across cloud-based and related Microsoft services.
  • Information Protection Administrator Associate certification focuses on planning and implementing controls that meet organizational compliance needs.
  • Security Operations Analyst Associate certification helps security operational professionals design threat protection and response systems.
  • Identity and Access Administrator Associate certification helps individuals design, implement, and operate an organization’s identity and access management systems by using Azure Active Directory.

We also recognize that the world we live in is complex but growing your skills shouldn’t be. The Microsoft Security Technical Content Library will help you find content relevant to your needs. Use it to access content based on your own needs today.

You can also learn more on today’s Tech Community blog post.

Security for all

We at Microsoft Security are committed to helping build a safer world for all. Every day, we are inspired by the work of our defenders and we are focused on delivering innovations, expertise, and resources that tip the scale in favor of defenders everywhere because the work you do matters. Security is a team sport, and we’re all in this together.


The post 4 ways Microsoft is delivering security for all in a Zero Trust world appeared first on Microsoft Security.


Why threat protection is critical to your Zero Trust security strategy

February 8th, 2021

The corporate network perimeter has been completely redefined. Many IT leaders are adopting a Zero Trust security model where identities play a critical role in helping act as the foundation of their modern cybersecurity strategy. As a result, cybercriminals have shifted their focus and identities are increasingly under attack.

In this infographic, we explore how this shift is affecting IT leaders and how Microsoft can help apply threat protection to proactively prevent identity compromise and reduce alert fatigue.

  1. There’s been a significant increase in identity-based attacks. As IT leaders rely more heavily on identity in their security strategies, cybercriminals have increased their efforts on this threat vector. And with the shift to remote work in response to COVID-19, we’ve seen a notable number of pandemic-related phishing attacks.
  2. IT leaders need more visibility and protection. With the increase in threats, security professionals and admins are being overwhelmed with alerts. IT leaders are looking for more effective ways to manage alerts and better tools to proactively prevent attackers from being able to compromise accounts.
  3. Preventing identity compromise is more critical than ever. As IT leaders evolve their security strategies, as more people work remotely, and as the number of identity-based attacks rises, it’s vital for organizations to implement real-time, AI-based protections that prevent identity compromise.

Check out the infographic for more details.

If you’re interested in how Microsoft can help, see how Azure Active Directory (Azure AD) Identity Protection and Microsoft 365 Defender use real-time, cloud-based AI to proactively prevent identity compromise. Also check out our Security Unlocked podcast with Maria Puertas Calvo, Data Scientist Lead for Microsoft’s Identity Security and Protection team, to hear how AI is being used to protect identities inside Microsoft products and services.

Visit our Zero Trust page to stay up to date on the latest Microsoft products, features, and resources that can help you implement Zero Trust principles in your organization.


The post Why threat protection is critical to your Zero Trust security strategy appeared first on Microsoft Security.

Modernizing your network security strategy

February 4th, 2021

From the global pandemic to recent cyberattacks, our world has faced many challenges during the past 12 months. Some of these challenges we can’t change. However, I’m pleased about the ones we can change, and are changing, across the cybersecurity landscape. For example, to facilitate remote work and maintain business continuity, organizations are moving more of their apps to the cloud and delivering SaaS experiences.

We know, however, that cybercriminals are taking advantage of this shift. We have seen them increase DDoS attacks, ransomware, and phishing campaigns. So how do you, as a cybersecurity professional, help your organization facilitate remote work while strengthening security, reliability, and performance?

The first step is to examine your organization’s security strategy and adopt a Zero Trust approach.

Join me and Sinead O’Donovan, Director of Program Management for Azure Security, in the next Azure Security Experts Series on February 18, 2021, from 10:00 AM to 11:00 AM Pacific Time, as we’re going to focus on another important aspect of Zero Trust network security.

There, we’ll step through three strategies that use cloud-native network security services such as Azure Front Door and Azure Firewall to perform:

  • Segmentation: This includes apps and virtual network segmentation which aims to reduce the attack surface and prevent attackers from moving laterally.
  • Encryption: Enforcing encryption on the communication channel between user-to-app or app-to-app with industry standards like TLS/SSL.
  • Threat protection: Employing threat intelligence to help minimize risk from the most sophisticated attacks like bots and malware.

You’ll have the opportunity to take deep dives and see demos on how to use Azure network security cloud-native services for:

  • Application security and acceleration: Utilize new integrated services like Azure Web Application Firewall and CDN technology to provide app security, scalability, and resiliency.
  • Advanced cloud network threat protection: Apply advanced firewall capabilities for highly sensitive and regulated environments.

In just one hour, you’ll learn new networking strategies, improve your app security and performance, use cutting-edge network threat protection, and stay ahead of a constantly evolving threat landscape.

Register now.

Learn more


The post Modernizing your network security strategy appeared first on Microsoft Security.

Why operational resilience will be key in 2021, and how this impacts cybersecurity

January 28th, 2021

The lessons we have learned during the past 12 months have demonstrated that the ability to respond to and bounce back from adversity can impact the short- and long-term success of any organization. It can even dictate the leaders and laggards in any industry.

Security threats are also becoming more daunting while many organizations remain in a remote work environment, so global organizations must reach a state where their core operations and services are not disrupted by unexpected changes.

The key to success in surviving any unforeseen circumstances in 2021 will be operational resilience. Operational resilience is the ability to sustain business operations during any major event, including a cyberattack. It requires a strategic and holistic view of what could go wrong and how an organization will respond. Consider the risk and response for a utility company, for example, an organization that relies on IoT data, or a manufacturer of medical supplies. While their approaches may differ, the impact would be equally devastating should their operational continuity be halted. In today’s digital world, preparing for cyber threats must be a strategic part of that plan, just like any other form of continuity and disaster recovery.

Speaking with customers globally, we know they are not fully prepared to withstand a major cyber event. Whilst many firms have a disaster recovery plan on paper, nearly a quarter have never tested that plan and only 42 percent of global executives are confident their organization could recover from a major cyber event without it affecting their business.

It begins with Zero Trust. Zero Trust is based on three principles, verify explicitly, use least privilege access, and assume breach.

Verify explicitly

Rather than trust users or devices implicitly because they’re on the corporate network or VPN’ed into it, it is critical to assume zero trust and verify each transaction explicitly. This means enabling strong authentication and authorization based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.

This starts with strong user authentication. Multi-factor authentication (MFA) is essential, but it’s time to move away from passwords plus SMS and voice calls as authentication factors. Bad actors are getting more sophisticated all the time, and they have found a number of ways to exploit the public switched telephone network (PSTN) that SMS and voice calls use, as well as social engineering methods for getting these codes from users.

For most users on their mobile devices, we believe the right answer is passwordless with app-based authentication, like Microsoft Authenticator, or a hardware key combined with biometrics.

Least privileged access

Least privileged access means that when we do grant access, we grant the minimum level of access the user needs to complete their task, and only for the amount of time they need it. Think about it this way: you can let someone into your building, but only during work hours, and you don’t let them into every lab and office.

Identity Governance allows you to balance your organization’s need for security and employee productivity with the right processes and visibility. It provides you with the capabilities to ensure that the right people have the right access to the right resources.

Assume breach

Finally, operate with the expectation of a breach, and apply techniques such as micro-segmentation and real-time analytics to detect attacks more quickly.

In a Zero Trust model, identities—whether they represent people, services, or IoT devices—define the control plane in which access decisions are made. Digital identities, such as transport layer security (TLS) and code signing certificates, SSH keys, secrets, and other cryptographic assets are critical to authentication, signing, and encryption.

That’s why having a strong identity is the critical first step to the success of a Zero Trust security approach.

Embracing Zero Trust allows organizations to harden their defenses while providing employees access to critical data, even during a cyber event. Identity is the foundation of any Zero Trust security strategy because it can automatically block attacks through adaptive security policies across users and the accounts, devices, apps, and networks they are using. Identity is also the only system that connects all security solutions together, giving us, thanks to cloud technology, the end-to-end visibility needed to prevent, detect, and respond to distributed and sophisticated attacks.

“Human identities” such as passwords, biometrics, and other MFA factors are critical to identifying and authenticating humans. Being a Zero Trust organization also means pervasive use of multi-factor authentication, which we know prevents 99 percent of credential theft, and of other intelligent authentication methods that make accessing apps easier and more secure than traditional passwords.

Identity is both the foundation for Zero Trust and acts as a catalyst for digital transformation. It automatically blocks attacks through adaptive security policies. It lets people work whenever and wherever they want, using their favorite devices and applications.

This is possible because Zero Trust security relies heavily on pervasive threat signals and insights. It is essential to connect the dots and provide greater visibility to prevent, detect, and respond to distributed and sophisticated attacks.

Future-proofing your security posture

As security threats become more daunting and many organizations remain in a remote work environment, global organizations must reach a state where their core operations and services will not be disrupted by unexpected global changes.

To maintain operational resilience, organizations should be regularly evaluating their risk threshold. When we talk about risk, this should include an evaluation of an organization’s ability to effectively respond to changes in the crypto landscape, such as a CA compromise, algorithm deprecation, or quantum threats on the horizon.

Bottom line: organizations must have the ability to operationally execute the processes through a combination of human efforts and technology products and services. The ability to do something as simple as restoring from recent backups will be tested in every ransomware attack, and many organizations will fail this test—not because they are not backing up their systems, but because they haven’t tested the quality of their backup procedures or practiced for a cyber event.

Operational resilience guidelines call for demonstrating that concrete measures are in place to deliver resilient services and that both incident management and contingency plans have been tested. Our new normal means that risks are no longer limited to commonly recognized sources such as cybercriminals, malware, or even targeted attacks. Operational resilience is the necessary framework we must have in place in order to maintain business continuity during any unforeseen circumstances in the year ahead.

We want to help empower every organization on the planet by continuing to share our learnings to help you reach the state where core operations and services won’t be disrupted by geopolitical or socioeconomic events, natural disasters, or even cyber events.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Why operational resilience will be key in 2021, and how this impacts cybersecurity appeared first on Microsoft Security.

5 identity priorities for 2021—strengthening security for the hybrid work era and beyond

January 28th, 2021

When I outlined the five identity priorities for 2020, the world was a very different place. Since then, the COVID-19 pandemic has forever changed how organizations run their businesses. It’s also changed the way we work, learn, and collaborate. What hasn’t changed is the critical role identity plays in helping organizations to be secure and productive.

Yesterday, we shared the progress we’ve made with our integrated security, compliance, identity, and management solutions. Identity alone has grown at an unprecedented pace—from 300 million monthly active users (MAU) in March 2020 to 425 million today. Organizations around the world have accelerated the adoption of security and collaboration apps. But behind these numbers are stories of customers like you, working tirelessly to help your organizations stay ahead.

As I prepare for our traditional customer co-innovation week and reflect on our customers’ challenges and business goals, I want to share our five identity priorities for this year. Many of the recommendations I outlined last year still apply. In fact, they’re even more relevant as organizations accept the new normal of flexible work while bad actors continue to master sophisticated cyber attack techniques. Our 2021 recommendations will help you strengthen your identity and security foundations for the long term, so you can be ready for whatever comes next.

1. Trust in Zero Trust

Zero Trust is back this year, but this time it’s at the top of the list. The “assume breach” mentality of Zero Trust has become a business imperative. Organizations need to harden their defenses to give employees the flexibility to work from anywhere, using applications that live outside of traditional corporate network protections. When the pandemic hit last year, we worked side by side with many of you. We noticed that organizations already on their Zero Trust journey had an easier time transitioning to remote work and strengthening their ability to fend off sophisticated attacks.

The good news is that 94 percent of the security leaders we polled last July told us they had already embarked on a Zero Trust journey. Wherever you are on your journey, we recommend making identity the foundation of your approach. You can protect against credential compromise with essential tools like multifactor authentication (MFA) and benefit from innovations like risk assessment in Identity Protection, continuous access evaluation, Intune app-protection policies, as well as Microsoft Azure Active Directory (Azure AD) Application Proxy and Microsoft Tunnel.

Looking ahead, as more services act like people by running applications (via API calls or automation) and accessing or changing data, secure them using the same principles: make sure they only get access to the data they need, when they need it, and protect their credentials from misuse.

Where to start: Take the Zero Trust assessment and visit our Deployment Center for deployment guidelines.

2. Secure access to all apps

This was our top recommendation last year, and it couldn’t be more critical today. The growth in app usage with Azure AD shows that organizations are connecting more apps to single sign-on. While this provides seamless and secure access to more apps, the best experience will come from connecting all apps to Azure AD so people can complete all work-related tasks from home and stay safer during the pandemic. Connecting all apps to Azure AD also simplifies the identity lifecycle, tightens controls, and minimizes the use of weak passwords. The result is stronger security at a lower cost: Forrester estimates that such a move can save an average enterprise almost USD 2 million over three years.

The Azure AD app gallery includes thousands of pre-integrated apps that simplify deployment of single sign-on and user provisioning. If you want to extend MFA and Conditional Access to legacy on-premises apps, including header-based apps, use Azure AD Application Proxy or an integrated solution from one of our secure hybrid access partners. With our migration tools, you can modernize authentication of all apps and retire your ADFS implementation. This will help prevent attacks that are particularly difficult to detect in on-premises identity systems.

It’s also important to limit the number of admins who can manage apps across your organization, to protect privileged accounts with MFA and Conditional Access, and to require just-in-time (JIT) elevation into admin roles with Privileged Identity Management.

Where to start: Learn how to use Azure AD to connect your workforce to all the apps they need.

3. Go passwordless

We’ll keep repeating the mantra “Go passwordless” as long as passwords remain difficult for people to remember and easy for hackers to guess or steal. Since last year we’ve seen great progress: in May, we shared that over 150 million users across Azure AD and Microsoft consumer accounts were using passwordless authentication. By November, passwordless usage in Azure AD alone had grown by more than 50 percent year-over-year across Windows Hello for Business, Microsoft Authenticator, and FIDO2 security keys from partners like AuthenTrend, Feitian, or Yubico.

Passwordless authentication can minimize or eliminate many identity attack vectors, including those exploited in the most sophisticated cyberattacks. At a minimum, going passwordless should be non-negotiable for admin-level accounts. Moreover, providing employees with a fast, easy sign-in experience saves time and reduces frustration. Forrester estimates that consolidating to a single identity solution and providing one set of credentials saves each employee 10 minutes a week on average, or more than 40 hours a year. Imagine additional savings from not having to reset passwords or mitigate phishing attacks.

Where to start: Read the Forrester Report, “The Total Economic Impact™ Of Securing Apps With Microsoft Azure Active Directory.”

4. Choose and build secure-by-design apps

Because attacks on applications are growing, it’s important to go a step beyond integrating apps with Azure AD to deploying apps that are secure by design. Build secure authentication into the apps you write yourself using the Microsoft Authentication Library (MSAL). Ideally, apps should go passwordless too, so ensure they’re using strong credentials like certificates. If your apps interact with other Microsoft services, take advantage of the identity APIs in Microsoft Graph. Whenever possible, choose third-party apps from verified publishers. Since publisher verification badges make it easier to determine whether an app comes from an authentic source, encourage your ISV partners to become verified publishers if they haven’t already.

Since most apps ask to access company data, administrators may choose to review consent requests before granting permissions. While neglecting to review requests is a security risk, doing it for every single app used by every single employee takes too much time and costs too much. Fortunately, new features like app consent policies and admin consent workflow help avoid the extreme choices of reviewing all requests or delegating full responsibility to employees. Regularly review your apps portfolio and take action on overprivileged, suspicious, or inactive apps.

Where to start: Update your applications to use Microsoft Authentication Library and Microsoft Graph API, adopt app consent policies and publisher verification practices, and follow identity platform best practices.

5. Break collaboration boundaries

We know that partners, customers, and frontline workers are essential to your business. They, too, need simple and secure access to apps and resources, so they can collaborate and be productive, while administrators need visibility and controls to protect sensitive data.

Simplify collaboration for external users with intuitive self-service sign-up flows and the convenience of using their existing email or social account. For frontline workers, Azure AD offers simple access, through sign-in with a one-time SMS passcode, which eliminates the need to remember new credentials. For frontline managers, the My Staff portal makes it easy to set up SMS sign-in, to reset passwords, and to grant access to resources and shared devices without relying on help desk or IT.

Visibility and control are easier to achieve when managing all identities using a common toolset. You can apply the same Conditional Access policies for fine-grained access control to services, resources, and apps. By setting up access review campaigns, or using automated access reviews for all guest users in Microsoft Teams and Microsoft 365 groups, you can ensure that external guests don’t overstay their welcome and only access resources they need.

Where to start: Learn more about Azure AD External Identities and using Azure AD to empower frontline workers.

Get started on the future now: Explore verifiable credentials

During the pandemic, you’ve had to support not only remote work but also remote recruiting. People usually show up to an interview with documentation in hand that confirms their identity and qualifications. It’s more complicated to vet candidates remotely, especially when hiring needs to happen quickly—for example, in the case of essential workers.

Microsoft and industry-leading ID verification partners are pushing the frontier of identity by transforming existing ID verification practices with open standards for verifiable credentials and decentralized identifiers. Verifiable credentials are the digital equivalent of documents like driver’s licenses, passports, and diplomas. In this paradigm, individuals can verify a credential with an ID verification partner once, then add it to Microsoft Authenticator (and other compatible wallets) and use it everywhere in a trustworthy manner. For example, a gig worker can verify their driver’s license and picture digitally, and then use it to get hired by a ride-sharing service and a food delivery company.

Such an approach can improve verification while protecting privacy across the identity lifecycle: onboarding, activating credentials, securing access to apps and services, and recovering lost or forgotten credentials. We’re piloting this technology with customers like the National Health Service in the UK and MilGears, a program of the United States Department of Defense that helps service members and veterans enroll in higher education and jumpstart their civilian careers.

Where to start: Watch our Microsoft Ignite session on Decentralized Identity and join the Decentralized Identity Foundation.

Whether your top priority is modernizing your infrastructure and apps or implementing a Zero Trust security strategy, we are committed to helping you every step of the way. Please send us your feedback so we know what identity innovations you need to keep moving forward on your digital transformation journey.

Microsoft surpasses $10 billion in security business revenue, more than 40 percent year-over-year growth

January 27th, 2021

I joined Microsoft a little more than six months ago—amid a global pandemic and a new norm of remote work, as well as one of the most rapidly evolving threat landscapes in history. We’ve witnessed more sophisticated attacks, like the recent SolarWinds incident, as well as an increase in attack surfaces as devices and online experiences have become more central to the way we work, learn, and live.

In solving these complex challenges alongside our customers and partners, Microsoft takes cybersecurity out of a place of fear and makes it about innovation and empowerment. Every single day, I am inspired by the team here, by their great wisdom, resilience, expertise, and by their commitment to living the mission we espouse.

Yesterday, Satya shared an important milestone for our security business: $10 billion in revenue in the past 12 months, representing more than 40 percent year-over-year growth. That number includes our security, compliance, identity, and management businesses, and it is a testament to the trust our customers have placed in us.

What drives us now is creating a true Zero Trust mindset, which we believe is the cornerstone of effective protection, the foundation for organizational resilience, and the future of security. As part of that, I want to explain more about the work we do to help keep our customers secure and what makes us unique, and to take a look at some of our latest innovations.

What makes us different

Our approach to security is unique in the industry. Microsoft has two security superpowers—an integrated approach and our incredible AI and automation. We tackle security from all angles—inside-out and outside-in. It’s why we combine security, compliance, identity, and management as an interdependent whole. In security, a silo is an opportunity for an exploit. No one else brings these critical parts of risk management together, not as a suite but as an approach that solves problems for customers on their terms across clouds and platforms.

Given Microsoft’s footprint across so many technologies, we’ve been in a unique position to think holistically about the core aspects of security: stretching from identity and access management; through endpoint, email, and application security; to data loss prevention and into cloud security and SIEM. We have an approach that is truly end-to-end, and it is notable in how deeply this is embedded in our culture. Microsoft’s security organization is an intense, massive collaboration that drives services, intelligence, technologies, and people—all coming together as one humming machine with a singular mission.

Next, consider the tremendous number of signals we take in across our platforms and services, over eight trillion security signals every 24 hours. Using the latest in machine learning and artificial intelligence techniques—plus the power of smart humans—we put these signals to work on behalf of our customers. In 2020 alone, almost six billion malware threats were blocked on endpoints protected by Microsoft Defender.

Today we help secure more than 400,000 customers across 120 countries. These range from small businesses to large enterprises, with 90 of the Fortune 100 using four or more of our security, compliance, identity, and management solutions.

Protecting our customers

Today’s world of security is really a cat and mouse game. You have to know what the adversaries and threat actors are up to every single day. However, a cyber-attack is ultimately about safety, a fundamental human need. We’ve seen what happens to people as they’re going through attacks, and it’s not pleasant. So, when we’re talking to customers around the world, our mission is really to give them peace of mind.

We can secure our customers best when we invest in these areas:

  • All clouds, all platforms: We believe that anything less than comprehensive security is no security at all. That’s why our security, compliance, identity, and management solutions work seamlessly across platforms, and we strive to extend to all clouds and all apps, whether or not Microsoft is being used throughout the computing environment. A great example of this is Azure Sentinel, our cloud-based SIEM, which, in less than a year, is now helping over 9,000 customers protect their cloud workloads. Our commitment to comprehensive security is so absolute that we are empowering our customers to protect their cloud workloads wherever they are hosted, including Amazon Web Services and Google Cloud Platform. Likewise, Microsoft Defender now protects iOS, Android, macOS, and Linux.
  • Simplicity in the face of complexity: In my first customer meeting at Microsoft, on which Satya joined me, a customer told me she just wanted a simple button that would make everything work—could Microsoft help? That really stuck with me. Our customers want to be enablers of innovation in their organizations, and they know that effective security is critical to that work. We must make it easier for them. We hear from our global user community that they want best-in-breed combined with best-in-integration. When faced with complexity, they want greater simplicity. It’s our mission to deliver that and help our customers adapt quickly to a changing world.
  • A vibrant ecosystem: Microsoft welcomes and encourages an industry of strong competition that makes us all better. The Microsoft Intelligent Security Association is a community of more than 175 partner companies who have created over 250 integrations with Microsoft products and services, helping organizations close the gaps between fragmented security solutions and minimize risk. In addition, we delivered an industry record of $13.7 million in bug bounty awards to 327 researchers from more than 55 countries in fiscal year 2020, to help find and address potential vulnerabilities in our products and services before they can be weaponized by malicious actors.

Some new multi-cloud, multi-platform solutions and a look ahead

In addition to our financial news, today we are pleased to share a bit of product news.

Azure Security Center multi-cloud support is now available, including a unified view of security alerts from Amazon Web Services and Google Cloud, as well as enhancements to Azure Defender to protect multi-cloud virtual machines. Today, we are also announcing the availability of Azure Defender for IoT, which adds a critical layer of agentless security for Operational Technology (OT) networks in industrial and critical infrastructure organizations; as well as Application Guard for Office, which opens documents in a container to protect users from malicious content. These new solutions help protect users and businesses across devices, platforms, and clouds.

According to the Microsoft identity 2020 app trends report, out today, providing secure remote access to resources, apps, and data became the top challenge for business leaders in the past year. With Azure Active Directory (Azure AD), our cloud identity solution that provides secure and seamless access to 425 million users, organizations can choose from thousands of pre-integrated apps within the Azure AD app gallery, or bring their own apps. Microsoft Cloud App Security helps protect users, ensuring apps like Salesforce, Workday, and ServiceNow can be quickly adopted and safely managed. The enthusiasm we are seeing for both Azure AD and MCAS truly shows the importance our customers are placing on securing third-party applications.

Our work to make the world more secure for all really does extend to all—from the largest Fortune 100 companies and world governments to individuals. Last week we began rolling out new security features for Microsoft Edge including password generator and Password Monitor, as well as easier to understand options for managing data collection and privacy. We continue to invest in building solutions to help consumers stay more secure and look forward to sharing more in the future.

The milestones and announcements we have today give us an opportunity to celebrate the work of defenders around the world.

As we look to meet the challenges of the future, we’ll continue to invest in a vibrant ecosystem of partners and in building a competitive and cooperative industry that makes us all better. And we are laser-focused on delivering simplicity in the face of complexity, so everything works, and our defender community is empowered to do more.

Ultimately, security is about people: protecting people, bringing people together, and sharing knowledge and tools to collectively strengthen our defenses. We look forward to sharing more in the coming months about new areas of focus and investment as we continue our commitment to serve this community. We are for defenders, with defenders, and we are defenders ourselves. The fundamental ethos of our efforts is to make the world a safer place for all.

To learn more about Microsoft Security solutions visit our website and watch our webcast to learn how to streamline and strengthen your security.

How companies are securing devices with Zero Trust practices

January 25th, 2021

Organizations are seeing a substantial increase in the diversity of devices accessing their networks. With employees using personal devices and accessing corporate resources from new locations in record numbers, IT leaders are seeing an increase in their attack surface area. They’re turning to Zero Trust security models to ensure they have the visibility they need, and that their data is protected as it’s accessed from outside the corporate network using a wider variety of devices.

We surveyed IT leaders around the world to determine how they’re using Zero Trust practices to protect their devices and enable access to the corporate network from unsecured devices.

  1. More personal devices are accessing corporate resources than ever. In response to the substantial shift to remote work, IT leaders report seeing more of their employees using personal devices to access their networks. As a result, they’re prioritizing device management solutions to improve security and control on personal devices.
  2. Devices accessing the network are monitored but often left out of access decisions. While most IT leaders report that they’re monitoring device health and compliance, the majority aren’t currently using that status in their access decision making. Preventing unauthorized and risky devices is critical to protecting corporate data in a modern environment.
  3. Personal devices are widely agreed to increase risk exposure. Over 92 percent of IT leaders agree that a proliferation of personal devices is increasing their attack surface area. However, far fewer say they’re prepared for managing access from unsecured devices.

Check out the infographic for more details.

If you’re looking at how to help prevent devices from being the weakest link in your security strategy, check out our Zero Trust deployment guidance for endpoints.

Using Zero Trust principles to protect against sophisticated attacks like Solorigate

January 19th, 2021

The Solorigate supply chain attack has captured the focus of the world over the last month. This attack was simultaneously sophisticated and ordinary. The actor demonstrated sophistication in the breadth of tactics used to penetrate, expand across, and persist in affected infrastructure, but many of the tactics, techniques, and procedures (TTPs) were individually ordinary.

Companies operating with a Zero Trust mentality across their entire environment are more resilient, consistent, and responsive to new attacks, and Solorigate is no different. As threats increase in sophistication, Zero Trust matters more than ever, but gaps in the application of the principles, such as unprotected devices, weak passwords, and gaps in multi-factor authentication (MFA) coverage, can be exploited by actors.

Applying Zero Trust

Zero Trust in practical terms is a transition from implicit trust—assuming that everything inside a corporate network is safe—to the model that assumes breach and explicitly verifies the security status of identity, endpoint, network, and other resources based on all available signals and data. It relies on contextual real-time policy enforcement to achieve least privileged access and minimize risks. Automation and Machine Learning are used to enable rapid detection, prevention, and remediation of attacks using behavior analytics and large datasets.

Verify explicitly

To verify explicitly means we should examine all pertinent aspects of access requests instead of assuming trust based on a weak assurance like network location. Examine the identity, endpoint, network, and resource, and then apply threat intelligence and analytics to assess the context of each access request.

When we look at how attackers compromised identity environments with Solorigate, there were three major vectors: compromised user accounts, compromised vendor accounts, and compromised vendor software. In each of these cases, we can clearly see where the attacker exploited gaps in explicit verification.

  • Where user accounts were compromised, known techniques like password spray, phishing, or malware were used to compromise user credentials and gave the attacker critical access to the customer network. On-premises identity systems are more vulnerable to these common attacks because they lack cloud-powered protections like password protection, recent advances in password spray detection, or enhanced AI for account compromise prevention.
  • Again, in cases where the actor succeeded, highly privileged vendor accounts lacked protections such as MFA, IP range restrictions, device compliance, or access reviews. In other cases, user accounts designated for use with vendor software were configured without MFA or policy restrictions. Vendor accounts should be configured and managed with the same rigor as used for the accounts which belong to the organization.
  • Even in the worst case of SAML token forgery, excessive user permissions and missing device and network policy restrictions allowed the attacks to progress. The first principle of Zero Trust is to verify explicitly—be sure you extend this verification to all access requests, even those from vendors and especially those from on-premises environments.

Cloud identity, like Azure Active Directory (Azure AD), is simpler and safer than federating with on-premises identity. Not only is it easier to maintain (fewer moving parts for attackers to exploit), it also lets cloud intelligence inform your Zero Trust policy. Our ability to reason over more than eight trillion signals a day across the Microsoft estate, coupled with advanced analytics, allows for the detection of anomalies that are very subtle and only detectable in very large data sets. User history, organization history, threat intelligence, and real-time observations are an essential mechanism in a modern defense strategy. Enhance this signal with endpoint health and compliance, device compliance policies, app protection policies, session monitoring and control, and resource sensitivity to get to a Zero Trust verification posture.

For customers that use federation services today, we continue to develop tools to simplify migration to Azure AD. Start by discovering the apps that you have and analyzing migration work using Azure AD Connect health and activity reports.

Least privileged access

Zero Trust: Microsoft Step by Step

Least privileged access helps ensure that permissions are only granted to meet specific business goals from the appropriate environment and on appropriate devices. This minimizes the attacker’s opportunities for lateral movement by granting access in the appropriate security context and after applying the correct controls—including strong authentication, session limitations, or human approvals and processes. The goal is to compartmentalize attacks by limiting how much any compromised resource (user, device, or network) can access others in the environment.

With Solorigate, the attackers took advantage of broad role assignments, permissions that exceeded role requirements, and in some cases abandoned accounts and applications which should have had no permissions at all. Conversely, customers with good least-privileged access policies such as using Privileged Access Workstations (PAW) devices were able to protect key resources even in the face of initial network access by the attackers.

Assume breach

Our final principle is to Assume Breach, building our processes and systems assuming that a breach has already happened or soon will. This means using redundant security mechanisms, collecting system telemetry, using it to detect anomalies, and wherever possible, connecting that insight to automation to allow you to prevent, respond and remediate in near-real-time.

Sophisticated analysis of anomalies in customer environments was key to detecting this complex attack. Customers that used rich cloud analytics and automation capabilities, such as those provided in Microsoft 365 Defender, were able to rapidly assess attacker behavior and begin their eviction and remediation procedures.

Importantly, organizations such as Microsoft who do not model “security through obscurity” but instead model as though the attacker is already observing them are able to have more confidence that mitigations are already in place because threat models assume attacker intrusions.

Summary and recommendations

It bears repeating that Solorigate is a truly significant and advanced attack. Ultimately, however, the risk from the attacker techniques observed in this incident can be significantly reduced or mitigated by applying known security best practices. For organizations—including Microsoft—thorough application of a Zero Trust security model provided meaningful protection against even this advanced attacker.

To apply the lessons from the Solorigate attack and the principles of Zero Trust that can help protect and defend, get started with these recommendations:

  1. More than any other single step, enable MFA to reduce account compromise probability by more than 99.9 percent. This is so important, we made Azure AD MFA free for any Microsoft customer using a subscription of a commercial online service.
  2. Configure for Zero Trust using our Zero Trust Deployment Guides.
  3. Look at our Identity workbook for Solorigate.

Stay safe out there.

Alex Weinert

For more information about Microsoft Zero Trust please visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Using Zero Trust principles to protect against sophisticated attacks like Solorigate appeared first on Microsoft Security.

How IT leaders are securing identities with Zero Trust

January 19th, 2021

The past twelve months have been a remarkable time of digital transformation as organizations, and especially digital security teams, adapt to working remotely and shifting business operations. IT leaders everywhere turned to Zero Trust approaches to alleviate the challenges of enabling and securing remote work. Using Zero Trust to secure users, data, and devices (wherever they may be) has changed from optional to a business imperative overnight.

In this short report, we surveyed IT leaders around the world to determine how they’re implementing Zero Trust practices to protect their identities and ensure their employees have secure access to resources.

  1. Most IT leaders are already using Zero Trust practices with their identity management solutions. While the majority of IT leaders have already implemented Zero Trust practices in their identity and access solution, only a minority have moved on to more advanced controls that use automation and AI-based threat analysis.
  2. Multi-factor authentication (MFA) and Single Sign-On (SSO) are the most common. Additionally, a majority are analyzing risk before granting access—a critical proactive step to preventing unauthorized access to corporate resources.
  3. Identities and devices are the top priority for most organizations. With employees working outside the corporate network and increasingly using personal devices, this is no surprise. However, surprisingly, the majority of IT leaders do not rate identities as the most mature component in their Zero Trust strategy.
  4. Zero Trust is still in its infancy. Despite substantial growth in Zero Trust efforts over the past twelve months, only one in ten IT leaders report feeling very confident in their Zero Trust identity management roadmap.

Read the full report for more details.

If you’re looking for how to help prevent endpoints from being the weakest link in your security strategy, check out our Zero Trust deployment guidance for identities.



Building a Zero Trust business plan

December 9th, 2020

These past six months have been a remarkable time of transformation for many IT organizations. With the forced shift to remote work, IT professionals have had to act quickly to ensure people continue working productively from home—in some cases bringing entire organizations online over a weekend. While most started by scaling existing approaches, many organizations are now turning to Zero Trust approaches to rapidly enable and secure their remote workforce.

We are committed to helping customers plan and deploy Zero Trust. Last month, we announced our Zero Trust Deployment Center, a repository of resources to help accelerate the deployment of Zero Trust across data, applications, network, identity, infrastructure, and devices.

This month, we’re excited to share the release of our Zero Trust Business Plan. This document captures lessons learned from leaders who sponsored, guided, and oversaw the adoption of Zero Trust within customers’ organizations. This document will provide guidance across the full lifecycle of your Zero Trust initiative:

  • Plan: Build a business case focused on the outcomes that are most closely aligned with your organization’s risks and strategic goals.
  • Implement: Create a multi-year strategy for your Zero Trust deployment and prioritize early actions based on business needs.
  • Measure: Track the success of your Zero Trust deployment to provide confidence that the implementation of Zero Trust provides measurable improvements.


Other resources

Check out our growing repository of resources ready to help you with Zero Trust—regardless of where you are in your journey. Our Zero Trust assessment tool is a great way to measure your overall maturity and progress to Zero Trust (including your existing capabilities). This new business plan provides a practical guide to implementing a Zero Trust framework. Our Zero Trust deployment guidance provides clear technical implementation guidance. Visit our Zero Trust page to stay up to date on the latest Microsoft products, features, and resources that can help you implement Zero Trust principles in your organization.



Categories: cybersecurity, Zero Trust Tags:

Deliver productive and seamless user experiences with Azure Active Directory

December 7th, 2020

Several months into the COVID-19 pandemic, many of us are still working remotely, and our organizations are still adjusting. Top of mind for every IT leader in this current landscape is meeting users’ needs for seamless access to resources while safeguarding the business from cyber threats. The highest priority for identity decision-makers, according to a recent study commissioned by Microsoft, is enabling highly productive user experiences.

I recently participated in a webcast on this topic with Rob O’Regan, global content director of IDG, and Bob Bragdon, senior vice president and managing director at CSO. We discussed the security perimeter of remote work and how a security strategy with identity at its foundation both reduces risk and improves productivity. You can watch the full webcast here. I’ve summarized my takeaways from the discussion below.

Identity is the foundation for your Zero Trust security strategy

Even before so many people started working from home earlier this year, the traditional corporate network perimeter had disappeared. People were already getting their work done using a variety of devices and software as a service (SaaS) applications. Boundaries hindering digital collaboration were falling away. During this shift, identity became the control plane for security, because it provides effective access control to all digital resources for all users, including users who may be partners, customers, or even devices or bots. Identity solutions also give IT managers visibility into their entire digital estate.

In our interconnected world, relying on the old paradigm of corporate firewalls and VPNs isn’t an effective approach to enabling and securing remote work. That’s why many organizations accelerated their digital transformation plans once COVID hit. For organizations like these, Zero Trust—with identity as the foundation—represents a stronger security strategy, as well as a worldview more in line with current times. It replaces the assumption that everything behind the corporate firewall is safe and trustworthy with three simple principles: verify explicitly, use least-privileged access, and assume breach. A Zero Trust approach validates all touchpoints in a system—identities, devices, and services—before considering them trustworthy.

Seamless access to applications improves employee productivity

A good first step away from traditional perimeter-based defenses and toward an identity-based security framework is connecting all your apps to a single cloud identity solution like Azure Active Directory (Azure AD). This allows your employees to sign in to all their work apps with one set of credentials using single sign-on (SSO). Through centralized experiences like the My Apps portal, they can easily discover and access all the applications they need, including Office 365 apps; SaaS apps, including Adobe, Service Now, Workday; on-premises apps; and even custom-built line-of-business apps.

Getting secure access to apps doesn’t have to be a cumbersome experience that sacrifices workforce productivity. Take passwords, one of the biggest roadblocks to secure and productive access. For years, the security community has told users to create a unique and complex password for each account—and to change their passwords frequently. But, to make their lives easier, people often reuse passwords or choose ones that are easy to remember, which makes them easy for attackers to guess. Passwordless technology is more user friendly and secure than traditional account access models.

Unifying access management with a single cloud identity solution reduces costs

Companies dealing with pandemic-induced budget constraints are seeking efficiencies. A survey we ran earlier this year found that customers have, on average, up to nine identity solutions, all from separate vendors. As you can imagine, running multiple disparate solutions is not only complicated but also expensive.

Earlier this year, we commissioned a study with Forrester to analyze the economic benefits of securing all users, devices, and apps using a single identity solution. The results: customers who secure all their apps with Azure AD can achieve an ROI of 123 percent by retiring on-premises infrastructure, preventing data breaches, and reducing helpdesk costs.

Users also benefit since they no longer have to navigate different identity systems or sign-in separately to every application. In fact, Forrester estimated that using a single identity solution saves each employee 10 minutes a week on average, which amounts to almost nine hours a year per employee.

A cloud-based identity solution offers unique security benefits

When you use a cloud-based identity solution, cloud-based intelligence helps protect your users against account compromise. Every day, Microsoft machine learning algorithms work behind the scenes to identify risky activities and compromised users by combing through over 170 terabytes of data, including signals from billions of monthly authentications across Azure AD and Microsoft accounts.

Our Azure AD Identity Protection solution, with real-time continuous detection, can alert you to suspicious sign-in behavior and automatically respond to prevent the abuse of compromised identities. For example, it detects “impossible travel,” which happens when the same user account attempts to sign in from different physical locations in a time period too short to accommodate physical travel from one location to the other. Depending on the policy you set, the system can invoke a password reset or require multifactor authentication, and revoke all existing access tokens. But you can only strengthen your security posture with these detections and automated remediations—especially as the threat landscape evolves—if your identities are in the cloud.
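The impossible-travel idea above, as an added example that is not Microsoft's code and not the detector inside Azure AD Identity Protection (which is not public): consecutive sign-ins by the same account are paired, the great-circle distance between their geolocated source addresses is divided by the elapsed time, and any pair whose implied speed exceeds what an airliner could manage is flagged. The 1,000 km/h threshold, the 50 km geo-IP jitter allowance, the coordinates and the documentation-range IP addresses are all assumptions constructed for this illustration.

```python
"""Impossible-travel check over constructed sign-in events.

Added example, not Microsoft's code: the detector inside Azure AD Identity
Protection is not public, so this shows only the underlying idea. The
speed threshold, the geo-IP jitter allowance and the sample events are
all assumptions constructed for the illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumption: slightly above airliner cruise speed
GEOIP_JITTER_KM = 50.0      # assumption: ignore moves smaller than geo-IP error


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime   # timezone-aware UTC timestamp
    lat: float
    lon: float
    source_ip: str   # constructed, documentation-range addresses only


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return one finding per pair of consecutive sign-ins by the same user
    whose implied ground speed exceeds max_kmh (inf when timestamps match)."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.when):  # stable: ties keep input order
        by_user.setdefault(e.user, []).append(e)

    findings = []
    for user, evs in by_user.items():
        for prev, curr in zip(evs, evs[1:]):
            dist_km = haversine_km(prev.lat, prev.lon, curr.lat, curr.lon)
            if dist_km < GEOIP_JITTER_KM:
                continue  # same metro area: geo-IP noise, not travel
            hours = (curr.when - prev.when).total_seconds() / 3600.0
            speed = dist_km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                findings.append({
                    "user": user,
                    "from_ip": prev.source_ip,
                    "to_ip": curr.source_ip,
                    "distance_km": round(dist_km),
                    "implied_kmh": speed,
                })
    return findings


def _utc(hour, minute=0):
    return datetime(2021, 3, 1, hour, minute, tzinfo=timezone.utc)


# Constructed sample: Seattle, Frankfurt, Portland and Sydney coordinates.
SAMPLE_EVENTS = [
    SignIn("alice", _utc(9, 0), 47.61, -122.33, "203.0.113.10"),
    SignIn("alice", _utc(10, 30), 50.11, 8.68, "198.51.100.7"),   # ~8,000 km in 1.5 h
    SignIn("bob", _utc(9, 0), 47.61, -122.33, "203.0.113.11"),
    SignIn("bob", _utc(12, 0), 45.52, -122.68, "203.0.113.12"),    # ~230 km in 3 h
    SignIn("carol", _utc(9, 0), 47.61, -122.33, "203.0.113.13"),
    SignIn("carol", _utc(9, 0), -33.87, 151.21, "198.51.100.9"),   # same minute, far apart
]

if __name__ == "__main__":
    for finding in impossible_travel(SAMPLE_EVENTS):
        print(finding)
```

Running it flags alice (Seattle to Frankfurt in ninety minutes) and carol (two continents in the same minute) while leaving bob's Seattle-to-Portland drive alone. In a real pipeline the response to a finding is the policy action described above (step-up to MFA, password reset, token revocation), not an automatic block on its own, because VPN exits and mobile carrier gateways produce legitimate long jumps.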

Watch the full webcast with IDG

To learn more about how an identity-based framework reduces risk and improves productivity, be sure to watch the full webcast, then visit our secure access webpage to get started.



Modernize secure access for your on-premises resources with Zero Trust

November 19th, 2020

Change came quickly in 2020. More likely than not, a big chunk of your workforce has been forced into remote access. And with remote work came an explosion of bring-your-own-device (BYOD) scenarios, requiring your organization to extend the bounds of your network to include the entire internet (and the added security risks that come with it).

At this year’s Microsoft Ignite, we demonstrated how to bring your legacy on-premises resources into a Zero Trust security model that provides seamless access to all—SaaS, IaaS, PaaS, and on-premises—with a global presence and no extra steps to remember. You’re invited to watch our full presentation and review the highlights below.

The new decentralized workplace

Organizations that steadfastly relied on the “flat network” approach of firewalls and VPNs to regulate access now find themselves lacking the visibility, solution integration, and agility needed to deliver end-to-end security. A new model was needed to adapt to a remote workforce, protecting people, devices, applications, and data—from anywhere.

Figure 1: Legacy access model

In a Zero Trust security model, every access request is strongly inspected for anomalies before granting access. Everything from the user’s identity to the application’s hosting environment is authenticated and authorized using micro-segmentation and least privileged-access principles to minimize lateral movement.

Zero Trust means adhering to three cohesive principles:

  • Verify explicitly: Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.
  • Use least privileged access: Limit user access with just-in-time (JIT) and just-enough-access (JEA), risk-based adaptive policies, and data protection to help secure both data and productivity.
  • Assume breach: Minimize the blast radius and prevent lateral movement by segmenting access by network, user, device, and app awareness. Verify that all sessions are encrypted and use analytics to gain visibility, drive threat detection, and improve defenses.

Figure 2: Microsoft Zero Trust model

In the diagram above, you can see how access is unified across users, devices, and networks—all the various conditions that feed into the risk of a session. Acting as a gateway, the access policy is unified across your resources—SaaS, IaaS, PaaS, on-premises, or in the cloud. This is true whether it’s Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), or some other cloud. In the event of a breach, rich intelligence and analytics help us identify what happened and how to prevent it from happening again.

Cybersecurity for our time

The right security solution for our new perimeterless workplace employs the principles of Zero Trust, allowing users access only to the specific applications they need rather than the entire network. Because Zero Trust access is tied to the user’s identity, it allows IT departments to quickly onboard new and remote users, often on non-corporate devices, scoping permissions appropriately.

A cybersecurity model for today’s digital estate should include:

For the end-user:

  • Access to all resources: SaaS, IaaS, PaaS, on-premises.
  • Seamless experience: No extra steps or unique URLs to remember.
  • Great performance: Proxy services should have a global presence and use geo-location.

For the security/IT admin:

  • Segmentation by app, not network.
  • Adaptive access based on the principles of Zero Trust.
  • Reduce infrastructure complexity and maintenance.

Connect apps to an identity-based, secure access solution

With Microsoft Azure Active Directory (Azure AD), it’s easy to connect all your applications through a single identity-based control plane. When it comes to cloud apps, Azure AD supports standard authentication modes such as Security Assertion Markup Language (SAML) and OpenID Connect (OIDC). To accommodate new apps your organization may be developing, Azure AD also provides tools and software development kits (SDKs) to help you integrate these as well.

Figure 3: Microsoft Azure Active Directory

When it comes to classic or on-premises applications, Azure AD Application Proxy enables your security team to easily apply the same policies and security controls used for cloud apps to your on-premises apps. All that’s needed is to install a lightweight agent called a connector onto your Windows server, allowing a connection point to your on-premises network. In this way, one connector group can be configured to serve multiple back-end applications, giving you the freedom to architect a truly micro-segmented solution.

Figure 4: Azure Active Directory Application Proxy

Azure AD Application Proxy connectors use only outbound connections, which means no additional inbound firewall rules need to be opened. They also don’t require placement in a demilitarized zone (DMZ), as was the case with the legacy Purdue Model. Your apps won’t need to change, and because Azure AD Application Proxy supports multiple authentication modes, your users can still get a single sign-on (SSO) experience. Users can then access the app from an external URL using any device—no VPN required.

Azure AD pre-authenticates every request, ensuring that only verified traffic ever gets to your app; thus giving you another layer of protection. In addition, any conditional access policies you’ve set up can be enforced at that point.

Protecting you in real-time

Microsoft Cloud App Security integrates natively with Azure AD conditional access to extend real-time security into the session for both your cloud and on-premises applications. This native Microsoft solution stack ensures that your on-premises applications will still boot up quickly and look the same. The difference is that you’re now able to control granular actions, such as uploads, downloads, and cut, copy, and paste, based on the sensitivity of the data. For example, for users accessing an on-premises instance of Team Foundation Server (TFS) through the App Proxy, Cloud App Security can allow developers to make code changes but block their ability to download files onto an unmanaged device. Many other scenarios are supported, such as blocking malware in file upload attempts to ensure that your on-premises infrastructure remains secure.

Figure 5: Malware detection screen

See what else Azure AD and Microsoft Cloud App Security can do

At Microsoft, we believe that tight integration between identity and security is pivotal to your Zero Trust strategy, and we are constantly innovating in this area. To see some of the existing capabilities described in this blog come to life, watch the archived presentation for demonstrations of the powerful capabilities that Microsoft identity and security tools enable for your on-premises applications. Learn how you can easily set controls to allow or block access, require a password reset, block legacy authorization, require multifactor authentication, control sessions in real-time, and more.




Empowering employees to securely work from anywhere with an internet-first model and Zero Trust

November 11th, 2020

Like many organizations this year, our Microsoft workforce had to quickly transition to a work-from-home model in response to COVID-19. While nobody could have predicted the world’s current state, it has provided a very real-world test of the investments we have made implementing a Zero Trust security model internally. At the peak, about 97 percent of our workforce was successfully working from home, either on a Microsoft-issued or personal device.

Much of the credit for this success goes to the Zero Trust journey we started over three years ago. Zero Trust has been critical in making this transition to a work-from-home model relatively friction-free. One of the major components to our Zero Trust implementation is ensuring our employees have access to applications and resources regardless of their location. We enable employees to be productive from anywhere, whether they’re at home, a coffee shop, or at the office.  

To make this happen, we needed to make sure most of our resources were accessible over any internet connection. The preferred method to achieve this is modernizing applications and services using the cloud and modern authentication systems. For legacy applications or services unable to migrate to the cloud, we use an application proxy service that serves as a broker to connect to the on-premises environment while still enforcing strong authentication principles.

Strong authentication and adaptive access policies are critical components in the validation process. A big part of this validation process included enrolling devices in our device management system to ensure only known and healthy devices are directly accessing our resources. For users on devices that are not enrolled in our management system, we have developed virtualization options that allow them to access resources on an unmanaged device. One of the early impacts of COVID-19 was device shortages and the inability to procure new hardware. Our virtualization implementation also helped provide secure access for new employees while they waited for their device’s arrival. 

The output of these efforts, combined with a VPN configuration that enables split tunneling for access to the few remaining on-premises applications, has made it possible for Microsoft employees to work anywhere in a time when it is most critical. 

Implementing an internet-first model for your applications

In this blog, I will share some recommendations on implementing an internet-first approach plus a few of the things we learned in our efforts here at Microsoft. Because every company has its own unique culture, environments, infrastructure, and threshold for change, there is no one-size-fits-all approach. Hopefully, you will find some of this information useful, even if only to validate you are already on the right path. 

Before I jump in, I just want to mention that this blog will assume you’ve completed some of the foundational elements needed for a Zero Trust security model. These include modernizing your identity system, verifying sign-ins with multi-factor authentication (MFA), registering devices, and ensuring compliance with IT security policies, etc. Without these protections in place, moving to an internet-first posture is not possible. 

As previously mentioned, your apps will need to be modernized by migrating them to the cloud and implementing modern authentication services. This is the optimal path to internet accessibility. For apps that can’t be modernized or moved to the cloud (think legacy on-premises apps), you can leverage an app proxy to allow the connection over the internet and still maintain the strong authentication principles. 

Secure access via adaptive access policies

Once your apps are accessible via the public internet, you will want to control access based on conditions you select to enforce. At Microsoft, we use Conditional Access policies to enforce granular access control, such as requiring multi-factor authentication, based upon user context, device, location, and session risk information. We also enforce device management and health policies to ensure the employee comes from a known and healthy device once they have successfully achieved strong authentication.

Depending on your organization’s size, you might want to start slow by implementing multi-factor authentication and device enrollment first, then ramping up to biometric authentication and full device health enforcement. Check out our Zero Trust guidance for identities and devices that we follow internally for some additional recommendations.

When we rolled out our device enrollment policy, we learned that using data to measure the policy’s impact allowed us to tailor our messaging and deployment schedule. We enabled “logging mode”, which let us enable the policies and collect data on who would be impacted when we moved to enforcement. Using this data, we first targeted users who were already using compliant devices. For users that we knew were going to be impacted, we crafted targeted messaging alerting them of the upcoming changes and how they would be impacted. This slower, more measured deployment approach allowed us to monitor and respond to issues more quickly. Using this data to shape our rollout helped us minimize the impact of significant policy implementation.
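The "logging mode" rollout above (Azure AD Conditional Access calls this report-only mode), as an added example that is not Microsoft's code and not the Azure AD policy engine: a simplified adaptive access policy with MFA, device compliance and sign-in risk controls is evaluated over sign-in events without blocking anyone, and the results are turned into the impact report the post describes, listing who would have been blocked and why, and which users already comply and can safely be the first enforcement wave. The policy fields, the sign-in fields, the risk levels and the sample sign-ins are all constructed for this illustration.

```python
"""Report-only evaluation of an adaptive access policy over sign-in events.

Added example, not Microsoft's code and not the Azure AD Conditional Access
engine: it models the rollout above (run the policy in a logging/report-only
mode, see who would have been blocked, then enforce first for users who
already comply). Policy fields, sign-in fields, and the sample sign-ins are
constructed for this illustration.
"""
from collections import Counter
from dataclasses import dataclass

RISK_ORDER = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class SignIn:
    user: str
    app: str
    mfa_satisfied: bool
    device_compliant: bool
    risk: str = "low"    # constructed sign-in risk level: low | medium | high


@dataclass(frozen=True)
class Policy:
    name: str
    apps: frozenset                 # apps in scope
    require_mfa: bool = True
    require_compliant_device: bool = False
    block_risk_at_or_above: str = "high"
    mode: str = "report_only"       # "report_only" logs decisions; "enforce" blocks


def unmet_controls(policy, s):
    """Grant controls this sign-in fails; an empty list means it passes.
    Out-of-scope apps always pass, because the policy does not apply."""
    if s.app not in policy.apps:
        return []
    missing = []
    if policy.require_mfa and not s.mfa_satisfied:
        missing.append("mfa")
    if policy.require_compliant_device and not s.device_compliant:
        missing.append("compliantDevice")
    if RISK_ORDER[s.risk] >= RISK_ORDER[policy.block_risk_at_or_above]:
        missing.append("risk<" + policy.block_risk_at_or_above)
    return missing


def evaluate(policy, s):
    """Decision for one sign-in: 'allow', 'block', or, in report-only mode,
    'would_block' (access is granted but the outcome is recorded)."""
    if not unmet_controls(policy, s):
        return "allow"
    return "would_block" if policy.mode == "report_only" else "block"


def impact_report(policy, signins):
    """What enforcing the policy would do, built from report-only results:
    who would be blocked and why, how often each control is missing, and
    which users already comply (the natural first enforcement wave)."""
    would_block = {}
    in_scope_users = set()
    for s in signins:
        if s.app in policy.apps:
            in_scope_users.add(s.user)
        for control in unmet_controls(policy, s):
            would_block.setdefault(s.user, set()).add(control)
    return {
        "would_block": {u: sorted(c) for u, c in would_block.items()},
        "control_counts": Counter(c for cs in would_block.values() for c in cs),
        "first_wave": sorted(in_scope_users - set(would_block)),
    }


# Constructed sample sign-ins for a policy covering the "hero" app.
POLICY = Policy("Office 365: MFA + compliant device", frozenset({"Office 365"}),
                require_compliant_device=True)
SAMPLE_SIGNINS = [
    SignIn("alice", "Office 365", mfa_satisfied=True, device_compliant=True),
    SignIn("bob", "Office 365", mfa_satisfied=True, device_compliant=False),
    SignIn("carol", "Office 365", mfa_satisfied=False, device_compliant=False),
    SignIn("dave", "Office 365", mfa_satisfied=True, device_compliant=True, risk="high"),
    SignIn("erin", "Payroll", mfa_satisfied=False, device_compliant=False),
]

if __name__ == "__main__":
    for s in SAMPLE_SIGNINS:
        print(s.user, s.app, evaluate(POLICY, s))
    print(impact_report(POLICY, SAMPLE_SIGNINS))
```

Run against the sample, the report puts only alice in the first wave, shows bob and carol missing a compliant device (carol also lacks MFA) and dave held back by sign-in risk, and leaves erin untouched because the policy is scoped to Office 365 rather than to Payroll. Switching the same policy to enforce mode turns every `would_block` into a `block`, which is exactly why the counts are worth reading before flipping that switch.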

Start with a hero application

Picking your first application to move out to the public internet can be done in a few different ways. Do you want to start with something small and non-critical? Or perhaps you want to “flip the switch” to cover everything at once? We decided to start with a hero application that proved it works at scale. Office 365 was the obvious choice because it provided the broadest coverage, since most employees use it daily regardless of their role. We were confident that if we could implement Office 365 successfully, we could be successful with most of our portfolio.

Ultimately, it will boil down to your environment, threshold for support engagements, and company culture. Choose the path that works best for you and push forward. All paths will provide valuable data and experience that will help later.

Prioritize your remaining apps and services

Prioritizing the apps and services you modernize next can be challenging, especially without granular visibility into what employees are accessing in your environment. When we began our journey, we had theories about what people were accessing but no data to back them up. To provide the visibility we lacked, we built a dashboard that reported actual traffic volumes to the applications and services still routing on-premises. This gave us much-needed information to help prioritize apps and services based on impact, complexity, risk, and more.

We also used this dashboard to identify which application or service owners we needed to coordinate with to modernize their resources. To coordinate with these owners, we created work items in our task tracking system and assigned the owner a deadline to provide a plan to either modernize or implement a proxy front end solution. We also created a tracking dashboard for all these tasks and their status to make reporting easier.  

We then worked closely with owners to provide guidance and best practices to drive their success. We conduct weekly office hours where application and service owners can ask questions. The partnership between these application and service owners and the teams working on Zero Trust helps us all drive towards the same common goals—frictionless access for our employees. 

A quick note on what we learned through the dashboard—the on-premises applications and services people were still accessing were not what we were expecting. The dashboard surfaced several items we were unaware people were still using. Fortunately, the dashboard helped remove a layer of fog we were unaware even existed and has been invaluable in driving our prioritization efforts. 

As I mentioned at the beginning of this blog, every company is unique. As such, how you think about Zero Trust and your investments might be different than the company across the street. I hope some of the insight provided above was helpful, even if it is just to get you thinking about how you would approach solving some of these challenges inside your own organization.

To learn more about how Microsoft IT (Information Technology), check out IT Showcase. To learn more about Microsoft Security Solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news on cybersecurity.

The post Empowering employees to securely work from anywhere with an internet-first model and Zero Trust appeared first on Microsoft Security.

Back to the future: What the Jericho Forum taught us about modern security

October 28th, 2020

Some of the earliest formal work on what we now call Zero Trust started in a security consortium known as the Jericho Forum (which later merged into The Open Group Security Forum). This started as a group of like-minded CISOs wrestling with the limitations of the dominant and unquestioned philosophy of securing all resources by putting them on a ‘secure’ network behind a security perimeter.

The Jericho Forum promoted a new concept of security called de-perimeterisation that focused on how to protect enterprise data flowing in and out of your enterprise network boundary instead of striving to convince users and the business to keep it on the corporate network. This shift to “secure assets where they are” proved quite prophetic, especially when you consider that the original iPhone didn’t release until 2007 (which triggered the sea change of user preferences shaping enterprise technology decisions that is now just normal).

One CISO: Our network has become a mini-internet

A lot has changed since the days when we knew exactly what was on our network. A CISO of a multinational organization once remarked that its corporate network has become a miniature internet. With hundreds of thousands of devices connected at all hours, including many unmanaged devices, the network has lost its ability to create trust for the devices on it. While network controls still have a place in a security strategy, they are no longer the foundation upon which we can build the assurances we need to protect business assets.

In this blog, we will examine how these concepts (captured succinctly in the Jericho® Forum Commandments) have helped shape what has become Zero Trust today, including Microsoft’s Zero Trust vision and technology.

Accepting de-perimeterisation frees security architects and defenders to re-think their approach to securing data. Securing data where it is (vs. artificially confining it to a network) is also naturally more aligned to the business and enables the business to operate securely.

Blocking is a blunt instrument

While security folks love the idea of keeping an organization safe by blocking every risk, the real world needs flexible solutions to gracefully handle the grey areas and nuances.

The classic approach of applying security exclusively at the network level limits what context security sees (e.g. what the user/application is trying to do at this moment) and usually limits the response options to only blocking or allowing.

This is comparable to a parent filtering content for their children by blocking specific TV channels or entire sites like YouTube. Just like blocking sites in security, this coarse-grained blocking causes issues when kids need YouTube for their online classes, and it does nothing to stop them from finding other websites and TV channels with inappropriate content.

We have found that it’s better to offer users a safe path to be productive rather than just blocking a connection or issuing an “access denied.” Microsoft has invested heavily in Zero Trust to address both the usability and security needs in this grey area:

  • Providing easy ways to prove trustworthiness using multi-factor authentication (MFA) and Passwordless authentication that do not repeatedly prompt for validation if risk has not changed as well as hardware security assurances that silently protect their devices.
  • Enabling users to be productive in the grey areas – Users must be productive for their jobs even if they are working from unmanaged networks or unusual locations. Microsoft allows users to increase their trust with MFA prompts and enables organizations to limit or monitor sessions to mitigate risk without blocking productivity.

While it’s tempting to think “but it’s just safer if we block it entirely”, beware of this dangerous fallacy. Users today control how they work and they will find a way to work in a modern way, even if they must use devices and cloud services completely outside the control of IT and security departments. Additionally, attackers are adept at infiltrating approved communication channels that are supposed to be safe (legitimate websites, DNS traffic, email, etc.).

The Jericho Forum recognized emerging trends that are now simply part of normal daily life. As we make security investments in the future, we must embrace new ways of working, stop confining assets unnaturally to a network they do not belong on, and secure those assets and users where they are and wherever they go.

Learn more about Why Zero Trust. To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Back to the future: What the Jericho Forum taught us about modern security appeared first on Microsoft Security.

Announcing the Zero Trust Deployment Center

October 15th, 2020

Organizations have been digitally transforming at warp speed in response to the way businesses operate and how people work. As a result, digital security teams have been under immense pressure to ensure their environments are resilient and secure. Many have turned to a Zero Trust security model to simplify the security challenges from this transformation and the shift to remote work.

Over the past year, we have been hard at work helping customers navigate these challenges by listening to their difficulties, sharing our own learnings, and building controls, tools, and practices that enable the implementation of Zero Trust. However, one of the things we hear most consistently is the need for additional deployment support.

We are excited to announce the launch of the Zero Trust Deployment Center—a repository of information to help organizations improve their Zero Trust readiness, as well as specific guidance on implementing Zero Trust principles across their identities, endpoints, data, applications, networks, and infrastructure. The Zero Trust Deployment Center breaks down deployment guidance into plain-language objectives across each of the technology pillars, providing an actionable list of steps needed to implement Zero Trust principles in your environment.

This repository is the perfect place to start planning and deploying your Zero Trust strategy.

Figure 1:  Zero Trust Deployment Center web page.

If you are already well underway in your journey, these objectives will provide a great framework to help measure your progress and ensure you are meeting critical milestones. If you’re interested in measuring your Zero Trust maturity, we’ve also created a Zero Trust assessment tool to help measure your current maturity and identify possible next milestones and priorities along with technologies.

Learn more about Zero Trust and Microsoft Security. Also, bookmark the Security blog to keep up with our expert coverage on security matters. And follow us at @MSFTSecurity for the latest news and updates on cybersecurity. 

The post Announcing the Zero Trust Deployment Center appeared first on Microsoft Security.

Microsoft Advanced Compliance Solutions in Zero Trust Architecture

September 29th, 2020

Zero Trust revolves around three key principles:  verify explicitly, use least privileged access, and assume breach.  Microsoft’s Advanced Compliance Solutions are an important part of Zero Trust.

This post applies a Zero Trust lens to protecting an organization’s sensitive data and maintaining compliance with relevant standards. Ultimately, Zero Trust architecture is a modern approach to security that focuses on security and compliance for assets regardless of their physical or network location, which contrasts with classic approaches that attempt to force all assets on a ‘secure’ and compliant network.

A Zero Trust strategy should start with Identity and Access Management. Microsoft built Azure Active Directory (AAD) to enable rapid Zero Trust adoption.

Architects focus on applying the Zero Trust principles to protect and monitor six technical pillars of the enterprise including:

  • Identity
  • Devices
  • Applications and APIs
  • Data
  • Infrastructure
  • Networks

In an integrated Microsoft Zero Trust solution, AAD and Microsoft Defender for Identity provide protection, monitoring, and trust insights in the User/Identity pillar. Microsoft Defender for Endpoint and Intune protect and manage the Device pillar. Azure Security Center and Azure Sentinel monitor, report, and provide automated playbooks to deal with events.

Microsoft’s Advanced Compliance solutions are foundational to Zero Trust as well, particularly when implemented to support Microsoft 365.

Microsoft Information Protection, Insider Risk Management and Microsoft Cloud App Security are all part of a complete Zero Trust architecture.

Advanced Auditing can increase the visibility around the activities of insiders or bad actors involving sensitive data like documents and emails, as well as increasing the period over which audit data is available for review.

Let’s look closer at these solutions:

  • Microsoft Information Protection: Allows policy enforcement at the document level based on AAD identity.  This protection is resident with the document throughout its lifecycle.  It controls the identities, groups or organizations that can access the document, expires access to the document and controls what authorized users can do with the document e.g. view, print, cut and paste as well as other controls like enforced watermarking.  These controls can be mandatory or can support users with suggested protection.  The policy can be informed by machine learning, standard sensitivity data types (like social security numbers), regular expressions, keywords or exact data match.  When users elect to apply different protection than recommended, their actions are tracked for later review.  Documents can thus be protected throughout their lifecycle, wherever they may travel and to whomever they may be transmitted.

Microsoft Information Protection sensitivity labels are fully integrated with our data loss prevention solution, preventing movement of sensitive information at the boundary of the cloud, between Microsoft and third-party clouds, and at the device endpoint (e.g. laptop).

  • Insider Risk Management: Applies machine learning to the signals available from Microsoft O365 tenant logs, integration with Microsoft Defender Advanced Threat Protection, and an increasing number of relevant Microsoft and third-party signals to alert on insiders, such as employees or contractors, who are misusing their access. Default policies are provided, and enterprises can customize policies to meet their needs, including for specific projects or scoped to users deemed to be at high risk. These policies allow you to identify risky activities and mitigate these risks. Current areas of focus for the solution are:
    • Leaks of sensitive data and data spillage
    • Confidentiality violations
    • Intellectual property (IP) theft
    • Fraud
    • Insider trading
    • Regulatory compliance violations

These signals are visualized and actioned by other Microsoft solutions.  Insider Risk Management uses its specialized algorithms and machine learning to correlate signal and expose Insider Risks in context.  It also provides workflows and visualizations to manage cases.

Insider Risk Management is integrated with AAD and acts on signals from Microsoft Information Protection as well as others in the tenant, providing additional security value from the systems already in place.  The alerts generated by the system can be managed with the native case management features or surfaced to Azure Sentinel or third-party systems through the API.

  • Microsoft Cloud App Security: Is a Cloud Access Security Broker that supports various deployment modes including log collection, API connectors, and reverse proxy. It provides rich visibility, granular control over data travel, and sophisticated analytics to identify and combat cyber threats across all Microsoft and third-party cloud services. It controls shadow IT.  It can be used to govern the use of Microsoft and third-party clouds and the sensitive information placed there.

  • Advanced Auditing for M365: Advanced Audit retains all Exchange, SharePoint, and Azure Active Directory audit records for a default of one year.  You can retain audit logs for up to ten years.  Crucial events for investigations, such as whether an attacker has accessed a mail message, whether a sensitive document is re-labelled and many other new log data types are part of this solution.  Investigation playbooks will also shortly be part of this solution.

These Advanced Compliance solutions have native visibility into AAD, the Microsoft Tenant, and into each other.  For example, Insider Risk Management has visibility into Microsoft Information Protection sensitivity labels.  Microsoft Cloud App Security has visibility into and can act on sensitivity labels.

This visibility and machine learning run through the Microsoft Security and Advanced Compliance solutions, making them particularly well suited to a holistic Zero Trust architecture.

The post Microsoft Advanced Compliance Solutions in Zero Trust Architecture appeared first on Microsoft Security.

Identity at Microsoft Ignite: Rising to the challenges of secure remote access and employee productivity

September 22nd, 2020

These past months have changed the way we work in so many ways. When businesses and schools went remote overnight, many of you had to adapt quickly to ensure your users could stay productive while working from home. Bad actors are trying to exploit these seismic shifts, making it more important than ever to secure access to your digital estate.

Those of us working in the Identity Division at Microsoft have learned from your resilience as we have tackled these challenges together. In July, I shared the four principles guiding our identity investments. Today on the virtual Microsoft Ignite stage, I’m pleased to announce several Azure Active Directory innovations shaped by what we have learned from working alongside you.

Empower your workforce without sacrificing control

Zero Trust principles are at the core of how we build and invest in identity. We never trust, and we always verify. Zero Trust starts with cloud identity, using real-time risk assessment powering fine-grained access controls. Many of you use Azure AD Conditional Access as your Zero Trust policy engine. Now, with Conditional Access insights in public preview, recommendations that identify gaps in your policies help you stay more protected. For example, a common recommendation is to block legacy authentication by default to protect your accounts from malicious authentication requests.

See the breakdown of sign-ins for each Conditional Access condition.

To help simplify configuration, the Azure AD Conditional Access API is now generally available in Microsoft Graph. You can use PowerShell or another custom scripting to automate and scale policy management.
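As an added example (not code from the post or from Microsoft), the policy-as-code workflow described above: a Python script that builds the Microsoft Graph conditionalAccessPolicy body for the "block legacy authentication" recommendation and audits a tenant's existing policies for that gap. It assumes the Graph conditionalAccessPolicy JSON shape and the v1.0 policies endpoint; the two sample policies are constructed for illustration.

```python
"""Build and audit an Azure AD Conditional Access policy that blocks legacy authentication.

Added example, not from the original post. Assumes the Microsoft Graph
conditionalAccessPolicy JSON shape and endpoint below; sample policies are constructed.
"""
import json
import urllib.request

# Assumed endpoint; requires a token with Policy.ReadWrite.ConditionalAccess.
GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# clientAppTypes values that represent legacy authentication clients in Conditional Access.
LEGACY_CLIENT_APP_TYPES = {"exchangeActiveSync", "other"}


def build_block_legacy_auth_policy(display_name="Block legacy authentication",
                                   report_only=True):
    """Return a conditionalAccessPolicy body that blocks legacy auth for all users and apps.

    report_only=True starts in report-only mode so sign-in logs show what *would* be
    blocked before the policy is enforced.
    """
    return {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "clientAppTypes": sorted(LEGACY_CLIENT_APP_TYPES),
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def blocks_legacy_auth(policy):
    """True only if the policy is enforced, scoped to all users and apps, and blocks legacy clients."""
    if policy.get("state") != "enabled":
        return False  # report-only or disabled policies protect nothing
    cond = policy.get("conditions", {})
    grant = policy.get("grantControls") or {}
    if "block" not in grant.get("builtInControls", []):
        return False
    if cond.get("users", {}).get("includeUsers") != ["All"]:
        return False
    if cond.get("applications", {}).get("includeApplications") != ["All"]:
        return False
    client_types = set(cond.get("clientAppTypes", []))
    return "all" in client_types or LEGACY_CLIENT_APP_TYPES <= client_types


def legacy_auth_blockers(policies):
    """Names of policies that actually block legacy auth; an empty list means the gap exists."""
    return [p["displayName"] for p in policies if blocks_legacy_auth(p)]


def create_policy(access_token, policy, url=GRAPH_CA_POLICIES):
    """POST a policy body to Microsoft Graph and return the created object (live call)."""
    req = urllib.request.Request(
        url, data=json.dumps(policy).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample tenant: MFA is enforced, but the legacy-auth block was left in report-only.
SAMPLE_POLICIES = [
    {
        "displayName": "CA001 - Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    build_block_legacy_auth_policy("CA002 - Block legacy authentication (pilot)",
                                   report_only=True),
]

if __name__ == "__main__":
    blockers = legacy_auth_blockers(SAMPLE_POLICIES)
    if blockers:
        print("legacy authentication is blocked by:", blockers)
    else:
        print("GAP: no enforced policy blocks legacy authentication")
        print(json.dumps(build_block_legacy_auth_policy(report_only=False), indent=2))
```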

Since organizations are engaging with an unprecedented number of external users, we’ve also made sure that Conditional Access works for all of your identities. Conditional Access and Identity Protection for Azure AD B2C, now available in public preview, is included in our unified Azure AD External Identities offer, so you can protect your customers’ accounts from compromise and make it easier for them to engage with your business. We’ve also enhanced our Identity Protection capabilities for all identity types, with updates such as an enhanced real-time risk engine and password spray risk detection.

Enable single sign-on for all employee apps, from any device

A seamless user experience is essential to productivity, especially when employees are collaborating from multiple locations and devices. One of the best ways to keep your users both protected and seamlessly connected to all their applications is by enabling single sign-on (SSO).

Azure AD is making it easier to provide secure and seamless access to applications of all types: to SaaS apps, to custom apps built decades ago, and to new cloud apps that you build. We enhanced Azure AD Application Proxy so that in addition to configuring SSO to legacy on-premises apps, you can connect apps that use header-based authentication, the most popular legacy authentication protocol. This update will be available in October 2020, when it reaches public preview.

Deliver consistent single sign-on experiences to legacy apps

We’ve continued to expand our ecosystem of secure hybrid access partnerships, adding Kemp, Palo Alto Networks, Cisco AnyConnect, Fortinet, and Strata. Any applications connected to existing networking and app delivery controllers from these partners can now benefit from cloud security powered by Azure AD.

And we’re continually working to make it effortless to manage your favorite SaaS apps. For example, we’ve built deeper integrations with popular applications like Adobe and ServiceNow to ensure efficient lifecycle management. With ServiceNow, IT and hiring managers can automatically provision application access with the Azure AD integration for new hires. And Adobe customers will soon be able to provision accounts using the SCIM standard for the core Adobe Identity Management platform across Adobe Creative Cloud, Adobe Document Cloud, and Adobe Experience Cloud. We’ve also worked with Apple to ensure that client apps connected to Azure AD have a seamless SSO experience on all iOS devices.

As application usage rises in the era of remote work—and with it, application-based compromises—it’s critical to empower end-users to access applications that are secure and trustworthy. At Build, we announced the preview of application consent policies that allow end-users to give applications you trust—such as applications from your organization or from verified publishers—permissions to access data. You can set up the admin consent workflow to give end-users a streamlined way to request admin approval for other applications. And with publisher verification now generally available, app developers can signal to admins and end-users that they have verified their identity using a Microsoft Partner Network account associated with the app registration.

Eliminate friction through future-proofed identity

The pandemic has accelerated digital transformation, bringing additional focus to our investments in the future of identity. At Microsoft, we believe that decentralized identifiers are core to the future of identity systems. We all want to trust that our information will be secure and only shared with our consent, so decentralized identity systems will empower users to own their own identity and the information attached to it. This is a community effort, built on new open standards. The model will easily integrate with your existing identity systems, and it uses an open-source blockchain solution designed so that no single organization owns or controls it—including Microsoft.

This vision is already becoming real. For example, we are partnering with the United States Department of Defense (DOD) to pilot decentralized identity for their MilGears educational program. The MilGears program helps US military veterans and retiring service members enroll in higher education as they transition to civilian careers. Microsoft and the DOD are piloting verifiable credentials, a digital information validation feature, so that MilGears participants can reduce the time it takes to confirm their skills and education from months to days. From the Microsoft Software and Systems Academy and Microsoft global skills initiative to our DOD pilot with MilGears, Microsoft is deeply invested in realizing the potential of this technology to eliminate career barriers for every individual.

Looking forward

2020 is a year we’ll all remember for its intensity and accelerated pace of change. Keeping your users secure, wherever they are, has been our collective priority. No matter how the “new normal” unfolds after this pandemic, identity will remain the heartbeat of all the services your users rely on. As you try out the new features we have announced at Microsoft Ignite, please send us your feedback so we can continue to build advancements that help you keep your employees secure and connected.

See these features in action when I take the Microsoft Ignite stage today by registering for free at Microsoft Ignite and watching my session here starting at 11:30 am PT, with future airings for other regions. Follow Microsoft identity at @AzureAD on Twitter for more news and best practices.

The post Identity at Microsoft Ignite: Rising to the challenges of secure remote access and employee productivity appeared first on Microsoft Security.

Zero Trust deployment guide for Microsoft applications

August 27th, 2020

More likely than not, your organization is in the middle of a digital transformation characterized by increased adoption of cloud apps and increased demand for mobility. In the age of remote work, users expect to be able to connect to any resource, on any device, from anywhere in the world. IT admins, in turn, are expected to securely enable their users’ productivity, often without changing the infrastructure of their existing solutions. For many organizations, with resources spread across multiple clouds, as well as on-prem, this means supporting complex hybrid deployments.

In this guide, we will focus on how to deploy and configure Microsoft Cloud App Security to apply Zero Trust principles across the app ecosystem, regardless of where those apps reside. Deploying Cloud App Security can save customers significant time, resources, and of course, improve their security posture. We will simplify this deployment, focusing on a few simple steps to get started, and then stepping through more advanced monitoring and controls. Specifically, we’ll walk through the discovery of Shadow IT, ensuring appropriate in-app permissions are enforced, gating access based on real-time analytics, monitoring for abnormal behavior based on real-time UEBA, controlling user interactions with data, and assessing the cloud security posture of an organization.

Getting started

Your Zero Trust journey for apps starts with understanding the app ecosystem your employees are using, locking down shadow IT, and managing user activities, data, and threats in the business-critical applications that your workforce leverages to be productive.

Discover and control the use of Shadow IT

The total number of apps accessed by employees in the average enterprise exceeds 1,500. That equates to more than 80 GB of data uploaded monthly to various apps, less than 15% of which are managed by their IT department. And as remote work becomes a reality for most, it’s no longer enough to apply access policies to only your network appliance.

To get started discovering and assessing cloud apps, set up Cloud Discovery in Microsoft Cloud App Security, and analyze your traffic logs against a rich cloud app catalog of over 16,000 cloud apps. Apps are ranked and scored based on more than 90 risk factors to help assess the risk Shadow IT poses to your organization.

Once this risk is understood, each individual application can be evaluated, manually or via policy, to determine what action to take. The following decision tree shows potential actions that can be taken, based on whether the application’s risk is deemed acceptable. Sanctioned applications can then be onboarded with your identity provider to enable centralized management and more granular control, while unsanctioned applications can be blocked by your network appliance or at the machine level with one click by leveraging Microsoft Defender ATP.

An image of the management of the lifecycle of a discovered app.

Monitor user activities and data

Once applications are discovered, one of the next steps for sanctioned apps is to connect them via API to gain deep visibility into those applications – after all, these are the apps where your most sensitive data resides. Microsoft Cloud App Security uses enterprise-grade cloud app APIs to provide instant visibility and governance for each cloud app being used.

Connect your business-critical cloud applications, ranging from Office 365 to Salesforce, Box, AWS, GCP, and more, to Microsoft Cloud App Security to gain deep visibility into the actions, files, and accounts that your users touch day in and day out. Leverage these enterprise-grade API connections to enable the admin to perform governance actions, such as quarantining files or suspending users, as well as mitigate any flagged risk.

Automate data protection and governance

For an organization that is constantly growing and evolving, the power of automation cannot be overstated. Once your apps are connected to Microsoft Cloud App Security, you can leverage versatile policies to detect risky behavior and violations, and automate actions to remediate those violations.

Microsoft Cloud App Security provides built-in policies for both risky activities and sensitive files, as well as the ability to create custom policies as needed, based on your own environment. For example, if a user forgets to label sensitive data appropriately before uploading it to the cloud, you can automate the application of the correct label by leveraging Microsoft Cloud App Security to scan the file, whether that app is hosted in a Microsoft or non-Microsoft cloud. In addition, more likely than not, guests or partner users are collaborating with you in your sensitive applications. You can set automatic actions to expire a shared link or remove external users while informing the file owner.

Protect against cyber threats and rogue apps

Connecting your apps enables you to automate data and access governance, but it also enables detecting and remediating against cyberthreats and rogue apps. Attackers closely monitor where sensitive information is most likely to end up and develop dedicated and unique attack tools, techniques, and procedures, such as illicit OAuth consent grants and cloud ransomware.

Microsoft Cloud App Security provides rich behavioral analytics and anomaly detections to help organizations securely adopt the cloud by providing malware protection, OAuth app protection, and comprehensive incident investigation and remediation. Because these are already enabled, you do not need to configure them. However, we recommend logging into your Cloud App Security portal to fine-tune them based on your environment (Click on Control, then Policies and select Anomaly detection policy).

Cloud App Security’s user and entity behavioral analytics (UEBA) and machine learning (ML) capabilities are enabled out of the box so that you can immediately detect threats and run advanced threat detection across your cloud environment. Because they’re automatically enabled, new anomaly detection policies provide immediate detections, targeting numerous security use cases such as impossible travel, suspicious inbox rules, and ransomware across your users and the machines and devices connected to your network. In addition, the policies expose more data from the Cloud App Security detection engine and can be refined to help you speed up the investigation process and contain ongoing threats.

Configuring Advanced Controls

You’ve now assessed your cloud environment, unsanctioned dangerous and risky applications, and added automation to protect your sensitive corporate resources in your business-critical applications. Getting advanced means extending those security controls by deploying adaptive access controls that match the risk of each individual session and assessing and patching the security posture of your multi-cloud environments.

Deploy adaptive access and session controls for all apps

In today’s modern and dynamic workplace, it’s not enough to know what’s happening in your cloud environment after the fact. Stopping breaches and leaks in real-time before employees intentionally or inadvertently put data and organizations at risk is key. Simultaneously, it’s business-critical to enable users to securely use their own devices productively.

Enable real-time monitoring and control over access to any of your apps with Microsoft Cloud App Security access and session policies, including cloud and on-prem apps and resources hosted by the Azure AD App Proxy. For example, you can create policies to protect the download of sensitive content when using any unmanaged device. Alternatively, files can be scanned on upload to detect potential malware and block them from entering sensitive cloud environments.

An image displaying how to extend policy enforcement into the session.

Assess the security posture of your cloud environments

Beyond SaaS applications, organizations are heavily investing in IaaS and PaaS services. Microsoft Cloud App Security goes beyond SaaS security to enable organizations to assess and strengthen their security posture and Zero Trust capabilities for major clouds, such as Azure, Amazon Web Services, and Google Cloud Platform. These assessments focus on detailing the security configuration and compliance status across each cloud platform. In turn, you can limit the risk of a security breach, by keeping the cloud platforms compliant with your organizational configuration policy and regulatory compliance, following the CIS benchmark, or the vendor’s best practices for a secure configuration.

Microsoft Cloud App Security’s cloud platform security provides tenant-level visibility into all your Azure subscriptions, AWS accounts, and GCP projects. Getting an overview of the security configuration posture of your multi-cloud platform from a single location enables a comprehensive risk-based investigation across all your resources. The security configuration dashboard can then be used to drive remediation actions and minimize risk across all your cloud environments. View the security configuration assessments for Azure, AWS, and GCP recommendations in Cloud App Security to investigate and remediate any gaps.

More Zero Trust deployment guides to come

We hope this blog helps you deploy and successfully incorporate apps into your Zero Trust strategy. Make sure to check out the other deployment guides in the series by following the Microsoft Security blog to keep up with our expert coverage on security matters. For more information on Microsoft Security Solutions  visit our website. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Zero Trust deployment guide for Microsoft applications appeared first on Microsoft Security.

How do I implement a Zero Trust security model for my Microsoft remote workforce?

August 24th, 2020 No comments

Digital empathy should guide your Zero Trust implementation

Zero Trust has always been key to maintaining business continuity. And now, it’s become even more important during the COVID-19 pandemic to helping enable the largest remote workforce in history. While organizations are empowering people to work securely when, where, and how they want, we have found the most successful are the ones who are also empathetic to the end-user experience. At Microsoft, we refer to this approach as digital empathy. As you take steps to protect a mobile workforce, a Zero Trust strategy grounded in digital empathy will help enhance cybersecurity, along with productivity and collaboration too.

This was one of a few important topics that I recently discussed during a cybersecurity fireside chat with industry thought leader, Kelly Bissell, Global Managing Director of Security Accenture. Accenture, one of Microsoft’s most strategic partners, helps clients use Microsoft 365 to implement a Zero Trust strategy that is inclusive of everyone. “How do we make working from home both convenient and secure for employees during this time of constant change and disruption,” has become a common question both Kelly and I hear from organizations as we discuss the challenges of maintaining business continuity while adapting to this new world—and beyond. I encourage everyone to explore these points more deeply by watching my entire conversation with Kelly.

Our long-term Microsoft-Accenture security relationship helps customers navigate the current environment and emerge even stronger as we look past the pandemic. The following are some of the key steps shared during our conversation that you can take to begin applying digital empathy and Zero Trust to your organization.

Protect your identities with Azure Active Directory

Zero Trust is an “assume breach” security posture that treats each request for access as a unique risk to be evaluated and verified. This starts with strong identity authentication. Azure Active Directory (Azure AD) is an identity and secure access management (IAM) solution that you can connect to all your apps including Microsoft apps, non-Microsoft cloud apps, and on-premises apps. Employees sign in once using a single set of credentials, simplifying access. To make it even easier for users, deploy Azure AD solutions like passwordless authentication, which eliminates the need for users to memorize passwords. Multi-factor authentication (MFA) is one of the most important things you can do to help secure employee accounts, so implement MFA for 100 percent of your users, 100 percent of the time.

According to a new Forrester report, The Total Economic Impact™ of Securing Apps with Microsoft Azure Active Directory, customers who secure apps with Microsoft Azure Active Directory can improve user productivity, reduce costs, and gain IT efficiencies to generate a 123 % return on investment.

Secure employee devices

Devices present another opportunity for bad actors to infiltrate your organization. Employees may run old operating systems or download vulnerable apps on their personal devices. With Microsoft Endpoint Manager, you can guide employees to keep their devices updated. Conditional Access policies allow you to limit or block access to devices that are unknown or don’t comply with your security policies.

An endpoint detection and response (EDR) solution like Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) can help you detect attacks and automatically block sophisticated malware. Each Microsoft Defender ATP license covers up to five devices per user.

Discover and manage cloud apps

Cloud apps have proliferated in today’s workplace. They are so easy to use that IT departments are often not aware of which cloud apps their employees access. Microsoft Cloud App Security is a cloud app security broker (CASB) that allows you to discover all the apps used in your network. Cloud App Security’s risk catalog includes over 16,000 apps that are assessed using over 80 risk factors. Once you understand the risk profile of the apps in your network, you can decide whether to allow access, block access, or onboard it on to Azure AD.

Employees are busy in the best of times. Today, with many working from home for the first time—often in a full house—their stress may be compounded. By simplifying the sign-in process and protecting data on apps and devices, Microsoft 356 security solutions like Azure AD, Microsoft Defender ATP, and Cloud App Security, make it easier for employees to work remotely while improving security for the organization.

Digital empathy and Zero Trust are also two of the five security paradigm shifts that will lead to more inclusive user experiences. Next month, I will provide more details about two additional paradigm shifts, the diversity of data, and integrated security solutions.

CTA: To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Follow Ann Johnson @ajohnsocyber for Microsoft’s latest cybersecurity investments and @MSFTSecurity for the latest news and updates on cybersecurity.

The post How do I implement a Zero Trust security model for my Microsoft remote workforce? appeared first on Microsoft Security.