The 6 pillars of zero trust and where to start

A new report highlights how agencies can fast-track their zero-trust security efforts while also outlining a longer-term roadmap for achieving zero-trust maturity.

Federal government IT leaders are coming to terms with the need to apply zero-trust cybersecurity principles not just to their network operations, but to their entire IT operations — from the applications and the devices operating on their networks to the data users ultimately need to access.

The challenge for most agency IT departments, however, has been how to map out and deploy a zero-trust approach across an entire digital estate, given the scale and scope of the task.


A new report produced by FedScoop and sponsored by Microsoft aims to help agency executives tackle the questions of where and how to start deploying zero-trust principles.

The report features a collection of articles and illustrations that make the case to senior agency leaders for why agencies need to take a multidimensional view of zero trust, and that explain how to assess an agency’s zero-trust readiness and maturity. The report also previews a series of six blogs offering practical approaches to implementing zero trust on Azure, Microsoft’s cloud platform.

Cybersecurity “has traditionally meant focusing on three things: the need to protect, detect and respond. In this new world, the security paradigm has changed: Identities are the new firewall, devices are the new perimeter and ‘assume breach’ is the new security model,” assert Microsoft’s Susie Adams and TJ Banasik in an introduction to the report. Adams is chief technology officer for Microsoft Federal; Banasik is a highly credentialed security expert and senior program manager for Microsoft Azure End-to-End Customer Engineering.

The cornerstone of the report is “The 6 pillars of zero trust and where to start,” which captures key lessons Microsoft engineers have learned over the past decade in their internal quest to move from implicit trust to assured trust throughout Microsoft’s enterprise IT operation.

Those six pillars, which represent the foundational elements that make up today’s modern IT operation, include:

  • Identities – including people, services and IoT components
  • Devices – monitoring and enforcing device health and compliance
  • Apps and APIs – ensuring they have appropriate permissions and secure configurations
  • Data – giving it the necessary attributes and encryption to safeguard it out in the open
  • Infrastructure – hardening against attacks on premises or in the cloud
  • Networks – establishing controls to segment, monitor, analyze and encrypt end-to-end traffic

The report also provides a maturity model for each of those six pillars, with recommendations on how agencies can move from a traditional cybersecurity approach, to one that’s more advanced in using zero-trust principles, to one that is optimally designed around zero trust.

The report argues that agencies don’t need to tackle everything. Rather, it recommends the best approach is to “start now, by focusing on what matters most to your agency and what’s already high on your priority list. Then develop a plan to move up the zero trust maturity model for each pillar.”

In addition to providing a maturity model to guide agencies as they map out their journeys to zero trust, the report also offers recommendations on key areas to assess right now, and resources to help them. In particular, the report suggests agencies should take steps to assess and understand the gaps that may exist in their organizations in six areas:

  • Strong authentication
  • Policy-based adaptive access
  • Micro-segmentation
  • Automation
  • Intelligence and AI
  • Data classification and protection

The report also provides a preview of six instructional blogs from some of Microsoft’s leading Azure security engineers, including: TJ Banasik; Mark McIntyre, senior director, Cybersecurity Solutions Group; and Adam Dimopoulus, Senior Program Manager, Azure Global Customer Engineering.

Among other topics, the blogs are aimed at helping agencies fast-track their efforts to develop and monitor zero-trust security protections for workloads moving to and operating within Microsoft’s Azure cloud. There are also practical guides for dealing with issues like insider threats and supply chain risks.

The report also highlights one of Microsoft’s newest resources, the Azure blueprint for zero trust, which gives agencies the ability to easily create, deploy and update compliant IT operating environments within Azure.

Download and read the full report on “The 6 Pillars of Zero Trust.” 

This article was produced by FedScoop and underwritten by Microsoft.
