Steve Faehl is Microsoft’s U.S. security chief technology officer, responsible for helping organizations develop strategies to reduce risk by improving their cyber defenses.
One of the greatest challenges we often hear from federal agency CIOs, when it comes to achieving a Zero Trust IT operating environment, is the question of how to tackle such a massive undertaking — and where and how to begin.
If there was one lesson we learned at Microsoft as we sought to establish Zero Trust security principles internally — and we learned many lessons — it was the importance of starting with a fundamental premise: To build out assurances in places where we traditionally relied on implicit trust.
That premise began at Microsoft with one of Bill Gates’ famous internal strategy memos on “trustworthy computing.” While the term Zero Trust hadn’t yet been coined, the concept and principles are essentially the same. They assume from the start that every network or entity can be compromised; and therefore, cannot be trusted implicitly.
When we began the trustworthy computing initiative, we changed the direction of software development by questioning the assumption that application code and user input could be trusted, since we found that implicit trust in these scenarios created vulnerabilities. For us, the next step towards Zero Trust was to question the idea that our internal network could be trusted. Here, implicit trust of entities and assets based simply on their point of connectivity created conditions that allowed adversaries to freely maintain and expand their access once they found their way into a network.
These realizations sparked a systematic reassessment of virtually every layer of the stack within Microsoft to determine how end-to-end access and usage were being designed and tested in order to reduce risk. In turn, that led to the development of new tools and policies to verify and assure the trustworthiness of access across six foundational elements:
- Identities – including people, services and IoT components
- Devices – monitoring and enforcing device health and compliance
- Apps and APIs – ensuring they have appropriate permissions and secure configurations
- Data – giving it the necessary attributes and encryption to safeguard it out in the open
- Infrastructure – hardening against attacks on premises or in the cloud
- Networks – establishing controls to segment, monitor, analyze and encrypt end-to-end traffic
One of the important upshots of what we learned from the phased approach at Microsoft is that you don’t have to boil the ocean to start adopting Zero Trust principles.
But you do have to start somewhere, beginning with the understanding that your approach to security needs to change — by moving trust closer to the resource and increasing the level of assurance for each interaction.
While a complete Zero Trust architecture requires attention to more than just one or two foundational pillars, agencies can make significant headway quickly by prioritizing one or two of them, based on what’s already in the pipeline, the types of IT and data services your agency has to support, and which elements represent the greatest sources of risk.
For example, say your agency maintains a lot of legacy applications on premises — and now has to support a big increase in remote workers using a VPN. You’re thinking, “There’s no way we’re going to be able to modernize this legacy app and there’s no way that our VPN can reliably support all of the traffic coming into it. How are we going to move forward?”
One of the best ways to address the need is to take assurances from the identity element and assurances from the device and, using an internet-first access approach, establish both assurances up front, before the request reaches the application. The approach of increasing identity assurances for remote users allowed the U.S. Defense Department to rapidly adopt Microsoft Teams. Microsoft established a Government Community Cloud tenant for DoD that currently hosts the largest number of users in the world. That has helped the DoD bring all their active and reserve component military members, DoD civilians and department contractors onto one platform.
As another example, perhaps your agency couldn’t get enough government-issued devices out to your employees who need to work from home, so they had to resort to using their personal laptops. Alternatively, an employee might take a government-issued laptop home, where the family’s 15-year-old uses the device and downloads an out-of-date application for science class, thereby introducing vulnerabilities on the device.
If you have a real-time picture of the health and configuration of users’ devices even when they’re off network — and understand the sensitivity of data that employees are trying to access — then you can address the scenarios to reduce risk through explicit validation while controlling more precisely what resources can be accessed. You’re effectively pivoting each request to the appropriate level of assurance.
Think of these examples as opportunities for an easy on-ramp to the road to Zero Trust. The point is to get started on the opportunities that are most relevant to you based on your current risk scenarios.
One other benefit of a Zero Trust strategy is that it can reduce the risk of insider threats. As you build up assurances around identities and devices, as well as the network and your resources, more signals are available for both access control and analytics. In Microsoft’s production environments, thanks to our Zero Trust implementation of privileged identity management, we maintain environments with zero standing admin access, where access is only granted by exception, governed by a lockbox process, and requires approvals.
Finally, the road to Zero Trust needs to run in both directions. If we’re not bringing the end user in for the smooth ride and ensuring that they have a great experience — reducing friction at every opportunity possible — then we will fail to achieve the true value of the strategy.
When we started out implementing controls, for instance, we deployed most assurance measures in “monitor mode,” taking stock and analyzing our telemetry to adjust our approach before taking further action that would impact user experience.
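The pattern described above (identity and device assurances established in front of the request, the decision pivoted on the sensitivity of the data, and enforcement first run in monitor mode) can be sketched as a small policy evaluator. This is an added illustration, not Microsoft's code; the assurance levels, MFA labels, device states and the `REQUIRED` table are assumed placeholder policy values.

```python
"""Constructed example: evaluate an access request against identity and
device assurances, scaled to the sensitivity of the data being requested,
with an optional monitor mode that records what enforcement would do."""
from dataclasses import dataclass
from typing import Tuple

# Ordered assurance levels (assumed scale, not an official one).
NONE, LOW, MEDIUM, HIGH = 0, 1, 2, 3

# Minimum assurance required per data-sensitivity label (hypothetical policy).
REQUIRED = {"public": NONE, "internal": LOW, "confidential": MEDIUM, "restricted": HIGH}


@dataclass
class Request:
    user: str
    mfa: str            # "none", "otp" or "fido2" (assumed labels)
    managed: bool       # device is enrolled in management
    compliant: bool     # real-time health/configuration checks pass
    sensitivity: str    # sensitivity label on the requested data


def identity_assurance(r: Request) -> int:
    """Password only is LOW; OTP is MEDIUM; phishing-resistant MFA is HIGH."""
    return {"none": LOW, "otp": MEDIUM, "fido2": HIGH}.get(r.mfa, NONE)


def device_assurance(r: Request) -> int:
    """A managed, healthy device is HIGH; managed but out of date or
    misconfigured drops to MEDIUM; a personal, unmanaged laptop is LOW."""
    if r.managed and r.compliant:
        return HIGH
    return MEDIUM if r.managed else LOW


def evaluate(r: Request, monitor_mode: bool = False) -> Tuple[str, str]:
    """Return (decision, reason). Both assurances must meet the level the
    data requires. A healthy device with weak identity is asked to step up
    rather than denied. In monitor mode nothing is blocked; the reason
    records what enforcement would have done so telemetry can be reviewed."""
    need = REQUIRED[r.sensitivity]
    ident, dev = identity_assurance(r), device_assurance(r)
    if ident >= need and dev >= need:
        verdict, why = "allow", f"identity={ident} device={dev} meets required {need}"
    elif dev >= need:
        verdict, why = "step_up", f"device ok; identity={ident} below required {need}"
    else:
        verdict, why = "deny", f"device={dev} below required {need} for {r.sensitivity}"
    if monitor_mode and verdict != "allow":
        return "allow", f"MONITOR: would {verdict} ({why})"
    return verdict, why
```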
A Zero Trust approach has also been shown to increase IT agility especially when it’s based on cloud capabilities. For example, Microsoft recently accelerated a planned deployment from six months to just two days, providing 32,000 Windows Virtual Desktops to employees to enable secure remote work from personal devices. The need to apply Zero Trust strategies comprehensively will only increase as secure remote work emerges as a core need for so many customers. We believe every enterprise needs to start their own journey towards reducing implicit trust to zero and we’re happy to share what we’ve learned along the way — never trust, always verify.
Learn more about assessing your Zero Trust maturity and how Microsoft can help your agency protect your people, devices, apps and data wherever they’re located.