Archive

Archive for the ‘Identity and access management’ Category

Defending the power grid against supply chain attacks—Part 2: Securing hardware and software

March 23rd, 2020 No comments

Artificial intelligence (AI) and connected devices have fueled digital transformation in the utilities industry. These technological advances promise to reduce costs and increase the efficiency of energy generation, transmission, and distribution. They’ve also created new vulnerabilities. Cybercriminals, nation state actors, and hackers have demonstrated that they are capable of attacking a nation’s power grid through internet-connected devices. As utilities and their suppliers race to modernize our infrastructure, it’s critical that cybersecurity measures are prioritized.

In the first blog in the “Defending the power grid against cyberattacks” series, I walked through how the accelerated adoption of the Internet of Things (IoT) puts utilities and citizens at risk of attack from nation state actors. In this post, I’ll provide guidance for how utilities manufacturers can better protect the connected devices that are deployed in the energy industry.

Protect identities

If your organization supplies the energy industry, you may be targeted by adversaries who want to disrupt the power supply. One way they will try to access your company resources is by stealing or guessing user credentials with tactics like password spray or phishing. According to Verizon’s 2019 Data Breach Investigations Report, 80 percent of breaches are the result of weak or compromised passwords. Attackers target multiple people at a time, but they only need to succeed once to gain access.

Securing your company starts with safeguarding your identities. At the bare minimum, you should apply multi-factor authentication (MFA) to your administrative accounts. A better option is to require all users to authenticate using MFA. MFA requires that users sign in with more than just a password. The second form of authentication can be a one-time code from a mobile device, biometrics, or a secure FIDO2 key, among other options. MFA reduces your risk significantly because it’s much harder for an attacker to compromise two or more authentication factors.

Figure 1: You can use Conditional Access policies to define when someone is promoted to sign in with MFA.

Secure privileged access

In a supply chain attack, adversaries attack your organization to gain access to data and applications that will allow them to tamper with your product or service before it reaches its intended destination. Bad actors want to infiltrate your build environment or the servers that you use to push software updates. To accomplish this, they often target administrator accounts. Securing your administrative accounts is critical to protect your company resources. Here are a few steps you can take to safeguard these accounts:

  • Separate administrative accounts from the accounts that IT professionals use to conduct routine business. While administrators are answering emails or conducting other productivity tasks, they may be targeted by a phishing campaign. You don’t want them signed into a privileged account when this happens.
  • Apply just-in-time privileges to you administrator accounts. Just-in-time privileges require that administrators only sign into a privileged account when they need to perform a specific administrative task. These sign-ins go through an approval process and have a time limit. This will reduce the possibility that someone is unnecessarily signed into an administrative account.

Figure 2: A “blue” path depicts how a standard user account is used for non-privileged access to resources like email and web browsing and day-to-day work. A “red” path shows how privileged access occurs on a hardened device to reduce the risk of phishing and other web and email attacks.

  • Set up privileged access workstations for administrative work. A privileged access workstation provides a dedicated operating system with the strongest security controls for sensitive tasks. This protects these activities and accounts from the internet. To encourage administrators to follow security practices, make sure they have easy access to a standard workstation for other more routine tasks.

Safeguard your build and update environment

Bad actors don’t just target user accounts. They also exploit vulnerabilities in software. Many attacks take advantage of known vulnerabilities for which there are available patches. Keep software and operating systems up-to-date and patched to reduce your risk. Retire any technology that is no longer supported by the publisher and implement mandatory integrity controls to ensure only trusted tools run.

You also need to protect the software that your team writes. A proven and robust Secure Development Lifecycle (SDL) will guide your developers to build software that includes fewer vulnerabilities. Microsoft’s SDL includes 12 practices. For example, Microsoft SDL recommends that security and privacy requirements be defined at the beginning of every project. The guidelines also provide tips for managing the security risk of third-party software, performing threat modeling, and penetration testing, among other recommendations. By building security into the entire software process, the software you release will be more secure and less vulnerable to attack.

Assume breach

My recommendations will reduce your risk, but they won’t eliminate it entirely. To protect your company and customers, you’ll need to adopt an assume breach mindset. It’s not a matter of if you’ll be breached but when. Once you’ve accepted that you can’t prevent all attacks, put processes and tools in place that enable you to detect and respond to an incident as quickly as possible.

Endpoint detection and response solutions, like Microsoft Threat Protection, leverage AI to automate detection and response and correlate threats across domains. When incidents are detected, you will need an appropriate response. The National Institute of Standards and Technology (NIST) provides an incident response guide. You can also learn from Microsoft’s Security Response Center (MSRC), which shared how it developed an incident response plan.

Figure 3: An overview of an incident in Microsoft Threat Protection.

A good communication plan is an important component of a response plan. You will need to let customers know there was an incident and how you plan to address it. As the MSRC notes, “Clear, accurate communication builds confidence in the incident response process, maintains trust with customers, protects your brand, and is essential for fast effective response.”

Centralized IoT device management

In addition to operating a number of generation plants, utilities operate a network of thousands of substations and hundreds of thousands of miles of transmission and distribution lines. This requires them to deploy a large number of IoT devices to safely and efficiently deliver electricity to their customers. To effectively manage this network of IoT devices, suppliers should provide their customers with centralized IoT device management to update firmware, install security updates, and manage accounts and passwords.

Build trust

Protecting critical infrastructure from a destabilizing attack will require collaboration among utilities and suppliers in the industry. Device manufacturers and software publishers have a vital role to play in protecting critical infrastructure. By instituting and maintaining the security practices that I’ve recommended, you can dramatically reduce the risk to your organization and to the power grid.

Stay tuned for the final post in this series, “Part 3: Risk management strategies for the utilities industry,” where I’ll provide recommendations specifically for utilities.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Defending the power grid against supply chain attacks—Part 2: Securing hardware and software appeared first on Microsoft Security.

Empower Firstline Workers with Azure AD and YubiKey passwordless authentication

March 12th, 2020 No comments

At the end of February, Microsoft announced the FIDO2 passwordless support for hybrid environments. The integration of FIDO2-based YubiKeys and Azure Active Directory (Azure AD) is a game changer. It combines the ubiquity of Azure AD, the usability of YubiKey, and the security of both solutions to put us on the path to eliminate passwords in the enterprise. Think about that for a moment. Imagine never being asked to change your password again, no more password spreadsheets or vault apps. No more phishing and password spray! Would it be too much to compare it to the moon landing? Probably. But it’s at least as monumental to security as the introduction of passwords themselves. Now think about how much passwordless authentication will improve everyday work for Firstline Workers. Today I’ll share why usability and user experience are so important and how you can modernize work (and security) while reducing costs for Firstline Workers. I’ll also provide advice on transitioning your hybrid environment to passwordless.

User experience matters

Do you want to know why attackers have been so successful? Because they’ve paid attention to user experience. The tools they use to trick users to hand over passwords have been carefully updated to feel legitimate to users. One tool even has a Help Desk, if you can believe that! And it’s working. Many users don’t even realize they’ve given up their password. Bad actors can focus on usability because the economics of hacking are cheap. They don’t have to be present to interrupt a sign-in, and they only need one password to gain access and move laterally to increase privileges. They don’t need a high success rate to achieve a good payoff, which allows them to take the time to get it right. They use that time to research companies for good targets and improving the user experience of their phishing attempts.

Yubico understands the importance of usability and makes security tools accessible and easy to use. Our flagship product, YubiKey, was designed with these principles in mind. The YubiKey is a hardware token with a cryptographic element that supports FIDO2 standards. It is not a password storage device, nor does it contain any personal information. With traditional passwords, the server requests a password, and if the user hands over the password, the server has no way to validate if that user should have that password. With a YubiKey, the server sends a challenge to the user. The user plugs the key in and touches it to sign the challenge. It requires the user to be physically present, so it eliminates remote takeovers of accounts. The ability to work from anywhere in the world is what enables cybercrime.

 

Equally important is its simplicity. Users don’t need to find a code on a separate device or remember complicated passwords or a PIN. The same key can be used across all their devices and accounts, and you can attach it to a keychain. (Take a look at this video to see it in action.)

Transform the Firstline Worker experience, securely

The biggest opportunity for the Azure AD and YubiKey integration to make a real difference is with Firstline Workers. Firstline Workers are more than 2 billion people worldwide who work in service- or task-oriented roles across industries such as retail, hospitality, travel, and manufacturing. They are often mobile, and many serve as the first touchpoint with your customers. Incredibly important to your business, they have been underserved by the cloud revolution. Firstline Workers typically aren’t issued a computer, and the computers they do use may not have a lot of connectivity. This makes it difficult to stay connected to corporate communications or interact digitally with coworkers. It can also prevent them from efficiently doing their jobs. For example, it can be challenging to serve customers if an employee needs to sign into an available computer to answer a question.

One call center reduced the steps to sign in from 13 steps to six—that’s a 60 percent reduction.

There are a lot of hidden costs to password resets. To reduce this time, Firstline Worker passwords often never change. They have developed the same familiar bad habits as office workers: they write down passwords or reuse the same one across multiple sites. Lurking in the wings are the bad actors who just need one password to infiltrate your organization.

YubiKey reduces that risk and empowers your Firstline Workers. With a YubiKey users can easily move from device to device. This can dramatically improve the work experience. It also drives better business outcomes. One call center that implemented YubiKey authentication cut its sign-in process from 13 steps to six—that’s a 60 percent reduction. Reducing time spent signing in can drive huge costs reductions.

The Azure AD and YubiKey integration can support your digital transformation goals in the field. Firstline Workers will easily access the information they need whether that is for customer service or building new products—with significantly less risk of an account takeover.

Transition your hybrid environment to passwordless

YubiKey is a good fit for companies who are invested in Microsoft technology because the device includes several generations of solutions. It works with legacy applications (we can protect anything from Windows XP on up) and cloud solutions like Azure and Office 365. It can support one-time passwords (OTP) with Active Directory or smart card capabilities. If you use Active Directory Federation Services to authenticate, there is a plugin that integrates with on-premises. It’s also compatible with cloud-based authentication, and we are working with Microsoft on integration with Azure Active Directory. Our latest YubiKey 5 Series supports the following authentication technologies:

  • FIDO2
  • U2F
  • PIV
  • Yubico OTP
  • OATH HOTP

As a first step towards passwordless, no matter your environment, start by implementing multi-factor authentication (MFA) everywhere, using the YubiKey as a hardware-based backup to a username and password.

Learn more

Yubico is committed to developing new technology to help users trust what they are doing online. We are working with Microsoft to build the latest and greatest into Azure AD. Join us at one of our co-hosted workshops with Microsoft where we will walk you through how you can plan your journey towards eliminating passwords.

Read Alex Simons’ blog announcement about Azure Active Directory support for FIDO2 security keys.   For more information on Microsoft Security solutions, visit https://www.microsoft.com/en-us/security/business.

The post Empower Firstline Workers with Azure AD and YubiKey passwordless authentication appeared first on Microsoft Security.

Microsoft identity acronyms—what do they mean and how do they relate to each other?

March 2nd, 2020 No comments

As a security advisor working with one to three Chief Information Security Officers (CISOs) each week, the topic of identity comes up often. These are smart people who have often been in industry for decades. They have their own vocabulary of acronyms that only security professionals know such as DDoS, CEH, CERT, RAT, and 0-Day (if you don’t know one or several of these terms, I encourage you to look them up to build your vocabulary), but they often find themselves confused by Microsoft’s own set of acronyms.

This is the first in a blog series that aims to lessen some confusion around identity by sharing with you some of the terms used at Microsoft. Terms like MFA, PIM, PAM, MIM, MAM, MDM, and a few others. What do they mean and how do they relate to each other?

Multi-Factor Authentication or MFA

Let’s start with what identity means to Microsoft. Identity is the ability to clearly and without doubt ensure the identification of a person, device, location, or application. This is done by establishing trust verification and identity verification using what Microsoft calls Multi-Factor Authentication or MFA. This is a combination of capabilities that allow the entity to establish trust and verify who or what they are.

MFA is an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: something the user and only the user knows (such as a password or PIN), something the user and only the user has (such as a mobile device or FIDO key), and something the user and only the user is (a biometric such as a fingerprint or iris scan).

Microsoft does this with technologies such as Azure Active Directory (Azure AD) in the cloud combined with Windows Hello. Azure AD is Microsoft’s identity and access management solution. Windows Hello is a Windows capability that allows a user to verify who they are with an image, a pin, or other biometric. The person’s identity is stored via an encrypted hash in the cloud, so it’s never shared in the clear (unencrypted). A cryptographic hash is a checksum that allows someone to proof that they know the original input (e.g., a password) and that the input (e.g., a document) has not been modified.

Privileged Identity Management or PIM

What is Privileged Identity Management or PIM? Organizations use PIM to assign, activate, and approve privileged identities in Azure AD. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions to sensitive resources.

Key features of PIM include:

  • Just-in-time privileged access to Azure AD and Azure resources.
  • Time-bound access to resources.
  • An approval process to activate privileged roles.
  • MFA enforcement.
  • Justification to understand why users activate.
  • Notifications when roles are activated.
  • Access reviews and internal and external audit history.

Privileged Access Management or PAM

What is Privileged Access Management or PAM? Often confused with PIM, PAM is a capability to help organizations manage identities for existing on-premises Active Directory environments. PAM is an instance of PIM that is accessed using Microsoft Identity Manager or MIM. Confused? Let me explain.

PAM helps organizations solve a few problems including:

  • Making it harder for attackers to penetrate a network and obtain privileged account access.
  • Adding protection to privileged groups that control access to domain-joined computers and the applications on those computers.
  • Providing monitoring, visibility, and fine-grained controls so organizations can see who their privileged admins are and what they are doing.

PAM gives organizations more insight into how admin accounts are being used in the environment.

Microsoft Identity Manager or MIM

But I also mentioned MIM… What is this? Microsoft Identity Manager or MIM helps organizations manage the users, credentials, policies, and access within their organizations and hybrid environments. With MIM, organizations can simplify identity lifecycle management with automated workflows, business rules, and easy integration with heterogenous platforms across the datacenter. MIM enables Active Directory to have the right users and access rights for on-premises apps. Azure AD Connect can then make those users and permissions available in Azure AD for Office 365 and cloud-hosted apps.

OK, so now we know that:

  • PIM is a capability to help companies manage identities in Azure AD.
  • PAM is an on-premises capability to manage identities in Active Directory.
  • MIM helps organizations manage users, credentials, policies, and on-premises access.

Mobile Application Management or MAM

What’s left… Oh yes: Mobile Application Management or MAM. MAM is important because if organizations can only manage identities—but not the apps then they miss a key aspect of protecting data. MAM is connected to a Microsoft capability called Microsoft Intune and is a suite of management features to publish, push, configure, secure, monitor, and update mobile apps for users.

MAM works with or without enrollment of the device, which means organizations can protect sensitive data on almost any device using MAM-WE (without enrollment). If organizations enable MFA, they can verify the user on the device. MAM also helps manage that apps the trusted user or entity can access. If you add in the Mobile Device Management or MDM feature of Intune, you can force enrollment of devices and then use MAM to manage the apps.

It’s well known that Microsoft has a lot of acronyms. This is the first in a series of blog posts aimed to assist you in navigating the acronym forest created by companies and industry. The Microsoft Platform includes a powerful set of capabilities to help encourage users to make the right decisions and gives security leadership, like you, the ability to manage and monitor identities and control access to critical files and network assets.

The post Microsoft identity acronyms—what do they mean and how do they relate to each other? appeared first on Microsoft Security.

Changing the Monolith—Part 4: Quick tech wins for a cloud-first world

February 13th, 2020 No comments

You may have heard that identity is the “new” perimeter. Indeed, with the proliferation of phishing attacks over the past few years, one of the best ways to secure data is to ensure that identity—the primary way we access data—can be trusted.

How do we secure identity?

Start by evaluating how users are authenticating to all applications inside and outside the organization. I say all applications, because it doesn’t take much effort for a hacker to pivot from a low-value, non-sensitive application to a high-value and highly-sensitive application, quickly gaining access to confidential or restricted data.

Similarly, Multi-Factor Authentication (MFA) must be enforced for all users as well, not just highly privileged users. Remember that it is simple for bad actors to pass-the-hash, run a Golden Ticket Attack, or use other techniques to elevate their privileges and gain access to sensitive data.

Modern authentication encourages us to reduce vulnerable legacy authentication methods, including Kerberos and NTLM. Additionally, modern authentication requires that we rely on more than one factor of authentication for all users. These factors range from something you know (password or one-time password), something you have (hardware token or soft token), or something you are (biometrics like 3D facial recognition or fingerprint matching).

Image of a worker approving a sign-in from his phone.

Start with MFA.

Requiring MFA for all applications, whether on-premises or in the cloud, is a great start. When using MFA, consider enforcing an authenticator app or a one-time password mechanism as they are typically not as susceptible to man-in-the-middle attacks, compared to text-back codes or phone calls that may be intercepted with spoofing.

The least vulnerable MFA mechanisms include FIDO2, which utilizes a biometric device or USB hardware token like YubiKey, and machine learning systems that can provide conditional access based on Zero Trust and time-of-authentication context.

Here is the context commonly evaluated by machine learning authentication systems:

  • Can an authentication token be obtained?
  • Does the user have a valid username, password, and a second form of authentication (MFA), like a biometric validation (fingerprint or 3D facial recognition) through an authenticator app?
  • What is the risk score of the user?
  • Is the user authenticating from two places at nearly the same time (Impossible Traveler)?
  • Has the user’s password been discovered on the Dark Web because of an account and password database breach?
  • Is this a reasonable time for the user to be signed in based upon past behavior?
  • Is the user signing-in from an anonymous source like a Tor exit node?
  • What is the risk score of the device?
  • Has the device experienced unresolved risk in the last several days?
  • Has the machine been exposed to malware?
  • Is the machine running a high-risk application?
  • Are the antimalware signatures up to date?
  • Are all the critical and high software patches applied?
  • Are there sensitive documents on the device?

With the enforcement of MFA, a single, unified MFA reduces the success of phishing attacks due to password reuse or social engineering. With web-based Authentication-as-a-Service (AaaS) applications, MFA is easy to implement across the enterprise. Modern operating systems now enforce multifactor authentication by default, including Windows 10 Hello, macOS, iOS, and Android. Most modern on-premises and cloud applications should be able to consume SSO authentication standards like SAML or OpenID and OAth2 authorization.

Moving toward a secure SSO posture

Implementing a single identity source for all applications leads the organization to a better and less time-consuming and complicated user experience, and an arguably more secure SSO posture by:

  • Reducing the number of passwords that users need to remember or save—quite often insecurely—to access their applications.
  • Introducing pass-through authentication and authorization, so that once a user authenticates to an operating system, they have unprompted access to both on-premises and cloud apps, using the same security token created when they signed in to the operating system using MFA.
  • Reducing the threat of untimely termination/missed identity decommissioning by decreasing “identity sprawl,” which is what you encounter when your organization has multiple identities in multiple applications per user. That is sometimes the result of non-integrated entities or not yet integrated entities and affiliates. B2B approaches to SSO can be explored to solve the problems associated with not integrating a business unit or operating group into the organization’s core directory.

Image of a hand hovering over a keyboard.

Considering user satisfaction is critical.

MFA and SSO together increases user satisfaction, making the CISO a business enabler rather than a productivity and collaboration roadblock. Cloud-based MFA and SSOP directory systems have been shown to be more available than on-premises directory or federation services with many cloud providers providing 99.9 percent uptime. A three-nines Service Level Agreement (SLA) is challenging to achieve on-premises with limited IT staff and budget!

Stay tuned

Stay tuned for the next installment of my Changing the Monolith series. In the meantime, check out the first three posts in the series:

Also, bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Changing the Monolith—Part 4: Quick tech wins for a cloud-first world appeared first on Microsoft Security.

Mattress Firm deployed Azure Active Directory to securely connect Firstline Workers to their SaaS apps and to each other

February 13th, 2020 No comments

Today, we have another interesting story for the Voice of the Customer blog series. Tony Miller and Jon Sider of Mattress Firm deployed Azure Active Directory (Azure AD) to create a secure authentication experience for employees, including their Firstline Workforce. Much like sleep and a good mattress provide the foundation for a productive and enjoyable life, Tony and Jon show how Azure AD provides the secure foundation for a connected omnichannel experience. They were able to cut internal costs, quickly onboard their Firstline Workers, connect their employees to each other, and deliver a better authentication experience.

Read more from Tony and Jon to learn how you can use Azure AD to improve your customer experience.

Azure AD simplifies user provisioning and protects Firstline Workers’ identities

As America’s largest specialty mattress retailer, Mattress Firm aims to deliver a personalized experience to all our customers no matter how they interact with us. An exceptional customer experience requires a connected workplace. When a customer makes a purchase online and then visits a store for a second purchase, our sales associates, or “Firstline Workers,” should understand their full story and total lifetime value. If a customer needs to change the delivery time of a mattress, it should be easy for a customer services rep to contact the driver and reschedule the delivery. These connection points are invisible to the customer but can turn an ordinary interaction into a great one. To help us realize this aspiration, we deployed several Microsoft 365 products—one of which was Azure AD—to securely and simply unite communication across corporate and all the stores.

The foundation of strong cross-company collaboration is secure and simple user authentication. Our sales associates access several different software-as-a-service (SaaS) and on-premises apps to communicate and complete tasks. Many of these apps require a separate account, which meant users signed into multiple accounts throughout the day. We were concerned that some were reusing passwords, opening us up to risk. Our identity team was also overburdened. They were responsible for setting up accounts for each user, updating permissions as needed, and revoking accounts when users left the company. To resolve these challenges, we deployed Azure AD, which allowed us to decrease the size of the identity team, deliver a simpler user access experience to our employees, and gain more visibility into security threats.

Migrated identity and access management from Okta to Azure AD

Before we selected Azure AD, we investigated various identity and access management (IAM) options. We had previously deployed Okta, which fulfilled many of our requirements. However, we were simultaneously increasing our investment in Microsoft 365. We reviewed both Okta and Azure AD and discovered that Azure AD delivers better controls and security for Office 365 and its data than Okta at a much lower cost in addition to single sign-on (SSO) to other applications. At that point it was an easy sell, and we migrated all our users to Azure AD.

Decreased the size of the identity team

We are a large company with over 8,500 employees, stores in 49 states across the country, and 73 distribution centers across the biggest markets. Our physical footprint allows us to deliver a mattress within an hour to 89 percent of the population. Like many retailers we have a lot of employment churn. Each day, we process between 10-100 user identity status changes. Before Azure AD, a team of 12 people were responsible for provisioning the right accounts and access to each user. Twelve people is a large team, but it was required because for each change—whether that was a new hire, a promotion, or someone leaving the company—an identity team member needed to manually grant access or change privileges to them one at a time. This took a lot of time, and it was error prone.

Once we deployed Azure AD and set up automated provisioning, the onboarding process sped up significantly. Today, someone in human resources sets up a new employee in our HR system and within four hours the employee is onboarded to all their accounts. Our Identity Manager was able to redeploy most of the people on the provisioning team to higher priority work. Now there are just two people who manage the environment. We’ve realized a huge costs savings from this transition—about $500,000 per year in hard dollars, but tons of soft costs saved!

Infographic explaining Azure AD automated provisioning, with Azure AD in the middle; Active Directory, Cloud HR, and SCIM surrounding it.

Azure AD automated provisioning simplifies the process of provisioning the right access and applications to each user.

Delivered a simpler and more secure user access experience

Our users have also benefited from the rollout of Azure AD and automated provisioning. We enabled SSO so users can sign in once and access all the apps they need for work. We integrated Azure AD with about 40 apps, including Workday, Back Office, Salesforce, our VOIP administrator, Citrix, Tools video, Microsoft Dynamics 365, Concur, Tableau, WebEx, our benefits portal, our 401K provider, and all the Office 365 apps. Our employees love the new process. It is now rare that they must use another account to access work apps.

Infographic showing apps connected to Azure Active Directory.

With Azure AD SSO, users sign in once and have access to all their apps.

Azure AD has also given us peace of mind. Our customers provide a full set of information when they purchase a mattress from us. They trust us to protect their first-party data. Azure AD offers tools to better safeguard our identities. We control access to the first-party data based on employment status. We also enabled Multi-Factor Authentication (MFA) to Workday and off-premises sign-ins. That means whenever a user attempts to sign in to Workday or if they attempt to access any other system from off-site, we force a second form of authentication. Users get a secure code from the Microsoft Authenticator app, which validates their identity with Azure AD. This significantly reduces our security risk, and employees find it easy to use—a win for everybody.

We also enabled conditional access policies to reduce or block access when sign-in circumstances are risky. For example, Azure AD can evaluate the riskiness of a client app or the location of a user trying to gain access. If the risk is high enough, we can block access or force a password reset to confirm identity. Another good example of our conditional access approach is the leave of absence policy. While users are on a leave, we limit the apps they can access to the ones they really need: Workday and our benefits portal. These flexible, customizable policy strike the right balance between enabling productivity while minimizing our exposure.

Infographic showing signals (user, location, device, app, real-time risk) being verified (allowed, requiring MFA, or blocked).

Azure AD can evaluate user and location, application, device, and real-time risk before allowing access.

Improved threat visibility

Security doesn’t end with our access policies. Azure AD also provides tools that Security Operations (SecOps) use to better understand security incidents. The Azure AD authentication logs and the Office 365 application access information provides useful insights. We now better understand when users try to access applications with VPNs or from unauthorized networks. This intelligence informs our security strategy and policies.

Azure AD has provided the foundation for a secure and connected employee experience. As we operationalize communication tools like Microsoft Teams, we are confident that the information that employees share is less likely to get compromised. Employees are empowered to work together to meet and exceed customer expectations. We rest easy because our customer data is more secure.

Azure Active Directory

Protect your business with a universal identity platform.

Get started

Learn more

I hope you’re able to apply Mattress Firm’s learnings to your own organization. For more tips from our customers, take a look at the other stories in the Voice of the Customer blog series. Also, check out the Mattress Firm case study to see how other Microsoft 365 solutions have helped them improve the customer experience.

Here are several additional resources:

Finally, bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Mattress Firm deployed Azure Active Directory to securely connect Firstline Workers to their SaaS apps and to each other appeared first on Microsoft Security.

Mattress Firm deployed Azure Active Directory to securely connect Firstline Workers to their SaaS apps and to each other

February 13th, 2020 No comments

Today, we have another interesting story for the Voice of the Customer blog series. Tony Miller and Jon Sider of Mattress Firm deployed Azure Active Directory (Azure AD) to create a secure authentication experience for employees, including their Firstline Workforce. Much like sleep and a good mattress provide the foundation for a productive and enjoyable life, Tony and Jon show how Azure AD provides the secure foundation for a connected omnichannel experience. They were able to cut internal costs, quickly onboard their Firstline Workers, connect their employees to each other, and deliver a better authentication experience.

Read more from Tony and Jon to learn how you can use Azure AD to improve your customer experience.

Azure AD simplifies user provisioning and protects Firstline Workers’ identities

As America’s largest specialty mattress retailer, Mattress Firm aims to deliver a personalized experience to all our customers no matter how they interact with us. An exceptional customer experience requires a connected workplace. When a customer makes a purchase online and then visits a store for a second purchase, our sales associates, or “Firstline Workers,” should understand their full story and total lifetime value. If a customer needs to change the delivery time of a mattress, it should be easy for a customer services rep to contact the driver and reschedule the delivery. These connection points are invisible to the customer but can turn an ordinary interaction into a great one. To help us realize this aspiration, we deployed several Microsoft 365 products—one of which was Azure AD—to securely and simply unite communication across corporate and all the stores.

The foundation of strong cross-company collaboration is secure and simple user authentication. Our sales associates access several different software-as-a-service (SaaS) and on-premises apps to communicate and complete tasks. Many of these apps require a separate account, which meant users signed into multiple accounts throughout the day. We were concerned that some were reusing passwords, opening us up to risk. Our identity team was also overburdened. They were responsible for setting up accounts for each user, updating permissions as needed, and revoking accounts when users left the company. To resolve these challenges, we deployed Azure AD, which allowed us to decrease the size of the identity team, deliver a simpler user access experience to our employees, and gain more visibility into security threats.

Migrated identity and access management from Okta to Azure AD

Before we selected Azure AD, we investigated various identity and access management (IAM) options. We had previously deployed Okta, which fulfilled many of our requirements. However, we were simultaneously increasing our investment in Microsoft 365. We reviewed both Okta and Azure AD and discovered that Azure AD delivers better controls and security for Office 365 and its data than Okta at a much lower cost in addition to single sign-on (SSO) to other applications. At that point it was an easy sell, and we migrated all our users to Azure AD.

Decreased the size of the identity team

We are a large company with over 8,500 employees, stores in 49 states across the country, and 73 distribution centers across the biggest markets. Our physical footprint allows us to deliver a mattress within an hour to 89 percent of the population. Like many retailers we have a lot of employment churn. Each day, we process between 10-100 user identity status changes. Before Azure AD, a team of 12 people were responsible for provisioning the right accounts and access to each user. Twelve people is a large team, but it was required because for each change—whether that was a new hire, a promotion, or someone leaving the company—an identity team member needed to manually grant access or change privileges to them one at a time. This took a lot of time, and it was error prone.

Once we deployed Azure AD and set up automated provisioning, the onboarding process sped up significantly. Today, someone in human resources sets up a new employee in our HR system and within four hours the employee is onboarded to all their accounts. Our Identity Manager was able to redeploy most of the people on the provisioning team to higher priority work. Now there are just two people who manage the environment. We’ve realized a huge costs savings from this transition—about $500,000 per year in hard dollars, but tons of soft costs saved!

Infographic explaining Azure AD automated provisioning, with Azure AD in the middle; Active Directory, Cloud HR, and SCIM surrounding it.

Azure AD automated provisioning simplifies the process of provisioning the right access and applications to each user.

Delivered a simpler and more secure user access experience

Our users have also benefited from the rollout of Azure AD and automated provisioning. We enabled SSO so users can sign in once and access all the apps they need for work. We integrated Azure AD with about 40 apps, including Workday, Back Office, Salesforce, our VOIP administrator, Citrix, Tools video, Microsoft Dynamics 365, Concur, Tableau, WebEx, our benefits portal, our 401K provider, and all the Office 365 apps. Our employees love the new process. It is now rare that they must use another account to access work apps.

Infographic showing apps connected to Azure Active Directory.

With Azure AD SSO, users sign in once and have access to all their apps.

Azure AD has also given us peace of mind. Our customers provide a full set of information when they purchase a mattress from us. They trust us to protect their first-party data. Azure AD offers tools to better safeguard our identities. We control access to the first-party data based on employment status. We also enabled Multi-Factor Authentication (MFA) to Workday and off-premises sign-ins. That means whenever a user attempts to sign in to Workday or if they attempt to access any other system from off-site, we force a second form of authentication. Users get a secure code from the Microsoft Authenticator app, which validates their identity with Azure AD. This significantly reduces our security risk, and employees find it easy to use—a win for everybody.

We also enabled conditional access policies to reduce or block access when sign-in circumstances are risky. For example, Azure AD can evaluate the riskiness of a client app or the location of a user trying to gain access. If the risk is high enough, we can block access or force a password reset to confirm identity. Another good example of our conditional access approach is the leave of absence policy. While users are on a leave, we limit the apps they can access to the ones they really need: Workday and our benefits portal. These flexible, customizable policy strike the right balance between enabling productivity while minimizing our exposure.

Infographic showing signals (user, location, device, app, real-time risk) being verified (allowed, requiring MFA, or blocked).

Azure AD can evaluate user and location, application, device, and real-time risk before allowing access.

Improved threat visibility

Security doesn’t end with our access policies. Azure AD also provides tools that Security Operations (SecOps) use to better understand security incidents. The Azure AD authentication logs and the Office 365 application access information provides useful insights. We now better understand when users try to access applications with VPNs or from unauthorized networks. This intelligence informs our security strategy and policies.

Azure AD has provided the foundation for a secure and connected employee experience. As we operationalize communication tools like Microsoft Teams, we are confident that the information that employees share is less likely to get compromised. Employees are empowered to work together to meet and exceed customer expectations. We rest easy because our customer data is more secure.

Azure Active Directory

Protect your business with a universal identity platform.

Get started

Learn more

I hope you’re able to apply Mattress Firm’s learnings to your own organization. For more tips from our customers, take a look at the other stories in the Voice of the Customer blog series. Also, check out the Mattress Firm case study to see how other Microsoft 365 solutions have helped them improve the customer experience.

Here are several additional resources:

Finally, bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Mattress Firm deployed Azure Active Directory to securely connect Firstline Workers to their SaaS apps and to each other appeared first on Microsoft Security.

5 identity priorities for 2020

January 28th, 2020 No comments

Today, Joy Chick, Corporate Vice President of Identity, shared five priorities central to security that organizations should prioritize in 2020 as they digitally transform. These priorities are based on many conversations with our customers, including:

  1. Connect all applications and cloud resources to improve access controls and the user experience.
  2. Empower developers to integrate identity into their apps and improve security.
  3. Go passwordless to make security effortless for users.
  4. Enable boundary-less collaboration and automated access lifecycle for all users.
  5. Start your Zero Trust journey to protect your organization as you digitally transform.

To learn more about these priorities, and how decentralized identity is poised to offer greater verifiability and privacy, read Joy’s post, 5 identity priorities for 2020—preparing for what’s next.

Also bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post 5 identity priorities for 2020 appeared first on Microsoft Security.

Go passwordless to strengthen security and reduce costs

December 12th, 2019 No comments

We all know passwords are inherently unsecure. They’re also expensive to manage. Users struggle to remember them. It’s why we’re so passionate about eliminating passwords entirely. Passwordless solutions, such as Windows Hello, FIDO2 security keys, and the Microsoft Authenticator app, provide more secure and convenient sign-in methods. But transitioning your organization to passwordless authentication takes time and careful planning. You may wonder where to start and how long it will take to realize benefits. Today, we examine:

  • How biometrics improve security while safeguarding user privacy.
  • The cost reductions Microsoft realized from passwordless migration.
  • Steps you can take to better secure your organization and prepare for passwordless.

Image of three devices, one showing Windows Hello, another Microsoft Authenticator, and finally FIDO2 Security Keys.

Microsoft passwordless solutions include Windows Hello, the Microsoft Authenticator app, and FIDO2 security keys.

Biometric technology improves security and safeguards user privacy

The goal of user authentication protocols, including passwords, is to verify user identity. But just because a user knows a password doesn’t mean they are the person they claim to be. In fact, 81 percent of breaches leverage stolen or compromised passwords.1 Passwords are not unique identifiers.

To improve security, we need a better way to uniquely identify users. This is where biometrics come in. Your iris, fingerprint, and face are unique to you—nobody else has the same fingerprint, for example. Passwordless solutions, like Windows Hello, rely on biometrics instead of passwords because biometrics are better at accurately identifying a user.

Biometrics, like other personal identifying information (PII), may raise privacy concerns. Some people worry that technology companies will collect PII and make it available to other entities. Or that their biometric image might get stolen. That’s why Microsoft and other security companies in the Fast IDentity Online (FIDO) Alliance developed the FIDO2 standard to raise the bar for securing credentials. Rest assured, Microsoft uses FIDO2-compliant technology that does NOT view, store, or transfer ANY biometric images.

Here’s how it works:

  • When a user creates a biometric sign-in, Windows Hello uses an algorithm to create a unique identifier that is stored locally on the device, encrypted and secured, and never shared with Microsoft.
  • Each time a user signs in, the biometric is compared against the unique identifier.
  • If there is a match, the user is authenticated to the device.

Technologies like Windows Hello are secure, convenient, and safeguard user privacy.

Image of a PC screen showing Windows Hello.

Users can sign in to Windows Hello with a fingerprint scan. The fingerprint image is turned into a unique identifier stored on the device. It does not get stored by Microsoft.

Improve security, reduce costs, and increase productivity

To help you think about the costs associated with passwords, we’ll share some numbers from Microsoft’s own experience rolling out passwordless to its users. After about a year since Microsoft began this journey, most users don’t use a password to authenticate to corporate systems, resources, and applications. The company is better protected, but it has also reduced costs.

Passwords are expensive because users frequently forget them. For every password reset Microsoft incurs, soft costs are associated with the productivity lost while a user can’t sign in. The company also incurs hard costs for every hour a Helpdesk administrator spends helping a Microsoft user reset their password.

Microsoft estimated the following costs before rolling out passwordless to its employees:

  • $3 million a year in hard costs.
  • $6 million a year in lost productivity.

As of today, Microsoft has achieved the following benefits from its passwordless rollout:

  • Reduced hard and soft costs by 87 percent.
  • As Microsoft costs go down, attackers’ costs go up, so the company is less of a target.

Going passwordless starts with Multi-Factor Authentication

Whether you’re ready to roll out a passwordless authentication strategy today or in a few years, these steps will help get your organization ready.

  • Step 1: Define your passwordless and biometrics strategy—At Microsoft, we allow more than one biometric factor to choose from for authentication, which gives people options and helps us meet accessibility needs.
  • Step 2: Move your identities to the cloud—Leverage Azure Active Directory (Azure AD) user behavior analytics and security intelligence to help protect your identities, uncover breach patterns, and recover if there is a breach.
  • Step 3: Enable Multi-Factor Authentication (MFA)—MFA increases security by requiring more than one factor of verification, usually in addition to a password. By enabling MFA, you can reduce the odds of account compromise by 99.9 percent.2 But passwords don’t have to be a factor. With passwordless authentication, the biometric identifier is one factor of verification and the device possession is another, removing the risk of passwords from the equation.
  • Step 4: Pilot passwordless—Start a pilot test with your riskiest users or groups.

Image of the Microsoft Authenticator app being used.

The Microsoft Authenticator app can be used to augment a password as a second factor or to replace a password with biometrics or a device PIN for authentication.

If you aren’t ready to go passwordless, enable MFA to reduce your odds of a breach. We also recommend that you ban the most easily guessable passwords. Azure AD processes 60 billion authentications in a month and uses the telemetry to automatically block commonly used, weak, or compromised passwords for all Azure AD accounts, but you can add your own custom banned passwords, too.

Learn more

Microsoft passwordless solutions include Windows Hello, the Microsoft Authenticator app, and FIDO2 security keys from select partners. Each can help you accomplish the following:

  • Stronger security.
  • Reduced costs over time.
  • Increased attacker costs.
  • More productive users.

Read more about Microsoft passwordless solutions.

Watch the CISO Spotlight Series: Passwordless: What’s it worth?

 

12018 Verizon Data Breach Investigations report
22018 Microsoft Security Research

The post Go passwordless to strengthen security and reduce costs appeared first on Microsoft Security.

Microsoft Security—a Leader in 5 Gartner Magic Quadrants

December 3rd, 2019 No comments

Gartner has named Microsoft Security a Leader in five Magic Quadrants. This is exciting news that we believe speaks to the breadth and depth of our security offerings. Gartner places vendors as Leaders who demonstrate balanced progress and effort in all execution and vision categories. This means that Leaders not only have the people and capabilities to deliver strong solutions today, they also understand the market and have a strategy for meeting customer needs in the future. Microsoft was identified as a Leader in the following five security areas:

  • Cloud Access Security Broker (CASB) solutions1
  • Access Management2
  • Enterprise Information Archiving3
  • Unified Endpoint Management (UEM) tools4
  • Endpoint Protection Platforms5

Given this, Microsoft Security doesn’t just deliver strong security products in five crucial security areas only. We provide a comprehensive set of security solutions that are built to work together, from identity and access management to threat protection to information protection and cloud security.

Our products integrate easily and share intelligence from the trillions of signals generated daily on the Microsoft Intelligent Security Graph. And they work with non-Microsoft solutions too. You can monitor and safeguard your assets across clouds—whether you use Microsoft Azure, Amazon Web Services, Slack, Salesforce, or all the above.

By unifying security tools, you get visibility into your entire environment across on-premises and the cloud, to better protect all your users, data, devices, and applications. Today, we’ll review the five areas where Microsoft is recognized as a Leader in security.

A Leader in CASB

Our cloud security solutions provide cross-cloud protection, whether you use Amazon Web Services, Azure, Google Cloud Platform—or all three. We also help you safeguard your data in third-party apps like Salesforce and Slack.

Gartner named Microsoft a Leader in CASB based on the ability to execute and completeness of vision. Cloud App Security provides rich visibility into your shadow IT, enables you to identify and remediate cloud native attacks, and allows you to control how your data travels across all your cloud apps—whether they’re from Microsoft or third-party applications.

As Gartner says in the CASB Magic Quadrant, “platforms from leading CASB vendors were born in the cloud and designed for the cloud. They have a deeper understanding of users, devices, applications, transactions, and sensitive data than CASB functions designed to be extensions of traditional network security and SWG security technologies.”

We work closely with customer to improve our products, which is one of the reasons our customer base for Cloud App Security continues to grow.

Gartner graph showing Microsoft as a Leader in Cloud App Security.

A Leader in Access Management

Azure Active Directory (Azure AD) is a universal identity and access management platform that provides the right people the right access to the right resources. It safeguards identities and simplifies access for users. Users sign in once with a single identity to access all the apps they need—whether they’re on-premises apps, Microsoft apps, or third-party cloud apps. Microsoft was recognized for high scores in market understanding and customer experience.

Gartner says, “Vendors that have developed Access Management as a service have risen in popularity. Gartner estimates that 90 percent or more of clients based in North America and approximately 65 percent in Europe and the Asia/Pacific region countries are also seeking SaaS-delivered models for new Access Management purchases. This demonstrates a preference for agility, quicker time to new features, elimination of continual software upgrades, reduction of supported infrastructure and other SaaS versus software benefits demonstrated in the market.”

Gartner graph showing Microsoft as a Leader in Access Management.

A Leader in Enterprise Information Archiving

Enterprise information archiving solutions help organizations archive emails, instant messages, SMS, and social media content. Gartner recognized us as a Leader in this Magic Quadrant based on ability to execute and completeness of vision.

Gartner estimates, “By 2023, 45 percent of enterprise customers will adopt an enterprise information archiving (EIA) solution to meet new requirements driven by data privacy regulations; this is a major increase from five percent in 2019.”

Gartner graph showing Microsoft as a Leader in Enterprise Information Archiving.

A Leader in Unified Endpoint Management (UEM)

Unified Endpoint Management (UEM) solutions provide a comprehensive solution to manage mobile devices and traditional endpoints, like PCs and Macs. Microsoft’s solution, Microsoft Intune, lets you securely support company-provided devices and bring your own device policies. You can even protect company apps and data on unmanaged devices. We have seen rapid growth in Intune deployments and expect that growth to continue.

Gartner noted that, “Leaders are identified as those vendors with strong execution and vision scores with products that exemplify the suite of functions that assist organizations in managing a diverse field of mobile and traditional endpoints. Leaders provide tools that catalyze the migration of PCs from legacy CMT management tools to modern, UEM-based management.”

Intune is built to work with other Microsoft 365 security solutions, such as Cloud App Security and Azure AD to unify your security approach across all your clouds and devices. As Gartner writes, “Achieving a truly simplified, single-console approach to endpoint management promises many operational benefits.”

Gartner graph showing Microsoft as a Leader in Unified Endpoint Management.

A Leader in Endpoint Protection Platforms

Our threat protection solutions provide tools to identify, investigate, and respond to threats across all your endpoints. Gartner named Microsoft a Leader for Endpoint Protection Platforms, recognizing our products and our strengths and ability to execute and completeness of vision. Azure Advanced Threat Protection (ATP) detects and investigates advanced attacks on-premises and in the cloud. Windows Defender Antivirus protects PCs against software threats like viruses, malware, and spyware across email, apps, the cloud, and the web.

Gartner says, “A Leader in this category will have broad capabilities in advanced malware protection, and proven management capabilities for large-enterprise accounts.”

Gartner graph showing Microsoft as a Leader in Endpoint Protection Platforms.

Learn more

Microsoft is committed to helping our customers digitally transform while providing the security solutions that enable them to focus on what they do best. Learn more about our comprehensive security solutions across identity and access management, cloud security, information protection, threat protection, and universal endpoint management by visiting our website.

1Gartner “Magic Quadrant for Cloud Access Security Brokers,” by Steve Riley, Craig Lawson, October 2019

2Gartner “Magic Quadrant for Access Management,” by Michael Kelley, Abhyuday Data, Henrique, Teixeira, August 2019

3Gartner “Magic Quadrant for Enterprise Information Archiving,” by Julian Tirsu, Michael Hoech, November 2019

4Gartner “Magic Quadrant for Unified Endpoint Management Tools,” by Chris Silva, Manjunath Bhat, Rich Doheny, Rob Smith, August 2019

5Gartner “Magic Quadrant for Endpoint Protection Platforms,” by Peter Firstbrook, Dionisio Zumerle, Prateek Bhajanka, Lawrence Pingree, Paul Webber, August 2019

These graphics were published by Gartner, Inc. as part of larger research documents and should be evaluated in the context of the entire document. The Gartner documents are available upon request from Microsoft. Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and is used herein with permission. All rights reserved.

The post Microsoft Security—a Leader in 5 Gartner Magic Quadrants appeared first on Microsoft Security.

Zero Trust strategy—what good looks like

November 11th, 2019 No comments

Zero Trust has managed to both inspire and confuse the cybersecurity industry at the same time. A significant reason for the confusion is that Zero Trust isn’t a specific technology, but a security strategy (and arguably the first formal strategy, as I recently heard Dr. Chase Cunningham, Principal Analyst at Forrester, aptly point out).

Microsoft believes that the Zero Trust strategy should be woven throughout your organization’s architectures, technology selections, operational processes, as well as the throughout the culture of your organization and mindset of your people.

Zero Trust will build on many of your existing security investments, so you may already have made progress on this journey. Microsoft is publishing learnings and guidance from many perspectives to help organizations understand, anticipate, and manage the implications of this new strategy. This guidance will continue to grow as we learn more. A few highlights include:

In previous posts of this series, we described Microsoft’s vision for an optimal Zero Trust model and the journey of our own IT organization from a classic enterprise security to Zero Trust. Today, we focus on what a good strategy looks like and recommended prioritization (with a bit of history for context).

Zero Trust security continuously validates trustworthiness of each entity in your enterprise (identities, applications and services, devices) starting each with a trust level of zero.

Evolution of security strategy

The central challenge of cybersecurity is that the IT environment we defend is highly complex, leading security departments (often with limited budgets/resources) to find efficient ways to mitigate risk of advanced, intelligent, and continuously evolving attackers.

Most enterprises started with the use of a “trusted enterprise network,” but have since found fundamental limitations of that broad trust approach. This creates a natural pressure to remove the “shortcut” of a trusted enterprise network and do the hard work of measuring and acting on the trustworthiness of each entity.

Network or identity? Both (and more)!

The earliest coherent descriptions of the Zero Trust idea can be traced to proposals in the wake of the major wave of cybersecurity attacks. Beginning in the early 2000s, businesses and IT organizations were rocked by worms like ILOVEYOU, Nimda, and SQL Slammer. While painful, these experiences were a catalyst for positive security initiatives like Microsoft’s Security Development Lifecycle (SDL) and began serious discussions on improving computer security. The strategy discussions during this timeframe formed into two main schools of thought—network and identity:

  • Network—This school of thought doubled down on using network controls for security by creating smaller network segments and measuring trust of devices before network controls allow access to resources. While promising, this approach was highly complex and saw limited uptake outside a few bright spots like Google’s BeyondCorp.
  • Identity—Another approach, advocated by the Jericho Forum, pushed to move away from network security controls entirely with a “de-perimeterisation” approach. This approach was largely beyond the reach of technology available at the time but planted important seeds for the Zero Trust of today.

Microsoft ultimately recommends an approach that includes both schools of thought that leverage the transformation of the cloud to mitigate risk spanning the modern assets and (multiple generations of) legacy technology in most enterprises.

Prioritizing and planning Zero Trust

Microsoft recommends rigorous prioritization of Zero Trust efforts to maximize security return on investment (ROI). This default prioritization is based on learnings from our experience, our customers, and others in the industry.

  1. Align strategies and teams—Your first priority should be to get all the technical teams on the same page and establish a single enterprise segmentation strategy aligned to business needs. We often find that network, identity, and application teams each have different approaches of logically dividing up the enterprise that are incompatible with each other, creating confusion and conflict. See the CISO workshop video, Module 3 Part 3: Strategy and Priorities, for more discussion of this topic.
  2. Build identity-based perimeter—Starting immediately (in parallel to priority #1), your organization should adopt identity controls like Multi-Factor Authentication (MFA) and passwordless to better protect your identities. You should quickly grow this into a phased plan that measures (and enforces) trustworthiness of users and devices accessing resources, and eventually validating trust of each resource being accessed. See the CISO workshop video, Module 3 Part 6: Build an Identity Perimeter, for more information on identity perimeters.
  3. Refine network perimeter—The next priority is to refine your network security strategy. Depending on your current segmentation and security posture, this could include:
    • Basic segmentation/alignment—Adopt a clear enterprise segmentation model (built in #1) from a “flat network” or fragmented/non-aligned segmentation strategy. Implementing this is often a significant undertaking that requires extensive discovery of assets and communication patterns to limit operational downtime. It’s often easier to do this as you migrate to the cloud (which naturally includes this discovery) than it is to retrofit to an existing on-premises environment.
    • Micro-segmenting datacenter—Implement increasingly granular controls on your datacenter network to increase attacker cost. This requires detailed knowledge of applications in the datacenter to avoid operational downtime. Like basic segmentation, this can be added during a cloud migration or a net new cloud deployment easier than retrofitting to an on-premises datacenter.
    • Internet first clients—A simple but significant shift is when you move client endpoints from being on the internet part-time to full-time (versus sometimes on corporate network and sometimes remote). This is a straightforward concept, but it requires having already established a strong identity perimeter, strong endpoint security and management over the internet, publishing legacy applications to your internet clients, dedicated administrative workstations, and potentially other initiatives before “rolling back” the firewalls from clients.

What good looks like

Zero Trust is a model that will ultimately be infused throughout your enterprise and should inform virtually all access decisions and interactions between systems.

Expanding on the three principles of Zero Trust from the Zero Trust vision paper—Verify Explicitly, Least Privilege Access, and Assume Breach—the hallmarks of a good enterprise Zero Trust strategy include:

  • Continuously measure trust and risk—Ensure all users and devices attempting to access resources are validated as trustworthy enough to access the target resource (based on sensitivity of target resource). As technology becomes available to do it, you should also validate the trustworthiness of the target resources.
  • Enterprise-wide consistency—Ensure that you have a single Zero Trust policy engine to consistently apply your organizations policy to all of your resources (versus multiple engines whose configuration could diverge). Most organizations shouldn’t expect to cover all resources immediately but should invest in technology that can apply policy to all modern and legacy assets.
  • Enable productivity—For successful adoption and usage, ensure that the both security and business productivity goals are appropriately represented in the policy. Make sure to include all relevant business, IT, and security stakeholders in policy design and refine the policy as the needs of the organization and threat landscape evolve. For more information, see Meet Productivity and Security Goals.
  • Maximize signal to increase cost of attack—The more measurements you include in a trust decision—which reflect good/normal behavior—the more difficult/expensive it is for attackers to mimic legitimate sign-ins and activities, deterring or degrading an attacker’s ability to damage your organization.
  • Fail safe—The system operation should always stay in a safe state, even after a failed/incorrect decision (for example, preserve life/safety and business value via confidentiality, integrity, and availability assurances). Consider the possible and likely failures (for example, mobile device unavailable or biometrics unsuccessful) and design fallbacks to safely handle failures for both:
    • Security (for example, detection and response processes).
    • Productivity (remediation mechanisms via helpdesk/support systems).
  • Contain risk of attacker movement into smaller zones—This is particularly important when you’re reliant on legacy/static controls that cannot dynamically measure and enforce trustworthiness of inbound access attempts (for example, static network controls for legacy applications/servers/devices).

Into the future

Over time, we expect Zero Trust will become accepted and commonplace where people simply learn it in “Security 101” (much like the least privilege principle today). Zero Trust is expected to evolve as we all become more comfortable with what this new normal entails and have ideas on how to optimize efficiency and address the attackers’ ongoing attempts to find a chink in the new armor.

Zero Trust

Reach the optimal state in your Zero Trust journey.


Learn more

Our next blog will discuss how to make Zero Trust real in your enterprise starting with technology available today, which you may already have deployed or have access to! In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Zero Trust strategy—what good looks like appeared first on Microsoft Security.