Sick Gaming
Microsoft - Securing remote employees with an internet-first model and Zero Trust - Printable Version

+- Sick Gaming (https://www.sickgaming.net)
+-- Forum: Computers (https://www.sickgaming.net/forum-86.html)
+--- Forum: Windows (https://www.sickgaming.net/forum-89.html)
+--- Thread: Microsoft - Securing remote employees with an internet-first model and Zero Trust (/thread-98228.html)



Microsoft - Securing remote employees with an internet-first model and Zero Trust - xSicKxBot - 11-12-2020

Securing remote employees with an internet-first model and Zero Trust

<div style="margin: 5px 5% 10px 5%;"><img src="https://www.sickgaming.net/blog/wp-content/uploads/2020/11/securing-remote-employees-with-an-internet-first-model-and-zero-trust.jpg" width="2560" height="1920" title="" alt="" /></div><div><div><img src="https://www.sickgaming.net/blog/wp-content/uploads/2020/11/securing-remote-employees-with-an-internet-first-model-and-zero-trust.jpg" class="ff-og-image-inserted"></div>
<p><span data-contrast="auto">Like many this year, our Microsoft workforce had to quickly transition to a work from the home model in response to COVID-19. While nobody could have predicted the world’s current state, it has provided a very real-world test of the investments we have made implementing a Zero Trust security model internally. We had about 97 percent of our workforce at the peak successfully working from home, either on a Microsoft issued or personal device.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:120,&quot;335559740&quot;:240}">&nbsp;</span></p>
<p><span data-contrast="auto">Much of the credit for this success goes to the&nbsp;</span><a href="https://www.microsoft.com/en-us/itshowcase/microsofts-cloud-centric-architecture-transformation?elevate-lv"><span data-contrast="none">Zero Trust journey</span></a><span data-contrast="auto">&nbsp;we started over three years ago. Zero Trust has been critical in making this transition to a work-from-home model relatively friction-free. One of the major components to our Zero Trust implementation is ensuring our employees have access to applications and resources regardless of their location. We enable employees to be productive from anywhere, whether they’re at home, a coffee shop, or at the office.&nbsp;</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:120,&quot;335559740&quot;:240}">&nbsp;</span></p>
<p><span data-contrast="auto">To make this happen, we needed to make sure most of our resources were accessible over any internet connection. The preferred method to achieve this is through modernizing applications and services using the cloud and modern authentication systems. For legacy applications or services unable to migrate to the cloud, we use an application proxy service which serves as a broker to connect to the on-premise environment while still enforcing strong authentication principles.&nbsp;</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:120,&quot;335559740&quot;:240}">&nbsp;</span></p>
<p><span data-contrast="auto">Strong authentication and adaptive access policies are critical components in the validation process. A big part of this validation process included enrolling devices in our device management system to ensure only known and healthy devices&nbsp;</span><span data-contrast="auto">are directly accessing our resources.&nbsp;</span><span data-contrast="auto">For users on devices that are not enrolled in our management system, we have developed virtualization options that allow them to access resources on an </span><span data-contrast="auto">unmanaged</span><span data-contrast="auto">&nbsp;device. One of the early impacts of COVID-19 was device shortages and the inability to procure new hardware. Our virtualization implementation also helped provide secure access for new employees while they waited for their device’s arrival.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:120,&quot;335559740&quot;:240}">&nbsp;</span></p>
<p><span data-contrast="auto">The output of these efforts,&nbsp;</span><span data-contrast="auto">combined with a VPN configuration that enables split tunneling for access to the few remaining on-premises applications, has made it possible for Microsoft employees to work anywhere in a time when it is most critical.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:360,&quot;335559740&quot;:240}">&nbsp;</span></p>
<h2>Implementing an internet-first model for your applications</h2>
<p><span data-contrast="auto">In this blog,&nbsp;</span><span data-contrast="auto">I will&nbsp;</span><span data-contrast="auto">share&nbsp;</span><span data-contrast="auto">some&nbsp;</span><span data-contrast="auto">recommendations on implementing an internet-first approach plus a few of the things we learned in our efforts here at Microsoft</span><span data-contrast="auto">.</span><span data-contrast="auto">&nbsp;</span><span data-contrast="auto">Because every company has its own unique culture, environments, infrastructure, and threshold for change, there is no one-size-fits-all approach</span><span data-contrast="auto">. Hopefully</span><span data-contrast="auto">,</span><span data-contrast="auto">&nbsp;you will find some of this information useful, even if only to validate you are already on the right path.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:120,&quot;335559740&quot;:240}">&nbsp;</span></p>
<p><span data-contrast="auto">Before I jump in, I just want to mention that this blog will assume you’ve completed some of the foundational elements needed for a Zero Trust security model</span><span data-contrast="auto">. These include modernizing your identity system, verifying sign-ins with</span><span data-contrast="auto">&nbsp;</span><span data-contrast="auto">multi-factor authentication (MFA), registering&nbsp;</span><span data-contrast="auto">devices,</span><span data-contrast="auto">&nbsp;and ensuring compliance with IT security policies</span><span data-contrast="auto">, etc</span><span data-contrast="auto">. Without these protections in place, moving to an internet</span><span data-contrast="auto">-first</span><span data-contrast="auto">&nbsp;posture is not possible.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:120,&quot;335559740&quot;:240}">&nbsp;</span></p>
<p><span data-contrast="auto">As previously mentioned, your apps will need to be modernized by migrating them to the cloud and implementing modern authentication services. This is the optimal path to internet accessibility.</span><span data-contrast="auto">&nbsp;</span><span data-contrast="auto">For apps that can’t be modernized or moved to the cloud (think legacy on-premises apps), you can leverage an app proxy to allow the connection over the internet and still maintain the strong authentication principles.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:120,&quot;335559740&quot;:240}">&nbsp;</span></p>
<h2>Secure access via adaptive access policies</h2>
<p><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:120,&quot;335559740&quot;:240}">&nbsp;</span><span data-contrast="auto">Once your apps are accessible via the public internet,&nbsp;</span><span data-contrast="auto">you will</span><span data-contrast="auto">&nbsp;want to control access based on conditions you select to enforce. At Microsoft, we use&nbsp;</span><a href="https://www.microsoft.com/en-us/security/business/identity/conditional-access"><span data-contrast="none">Conditional Access policies</span></a><span data-contrast="auto">&nbsp;to enforce granular access control, such as requiring multi-factor authentication, based upon user context, device, location, and session risk information. We also enforce device management and health policies to ensure the employee&nbsp;</span><span data-contrast="auto">comes</span><span data-contrast="auto">&nbsp;from a known and healthy device once they have successfully achieved strong authentication.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:120,&quot;335559740&quot;:240}">&nbsp;</span></p>
<p><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:120,&quot;335559740&quot;:240}">&nbsp;</span><span data-contrast="auto">Depending on your organization’s size, you might want to start slow by implementing multi-factor authentication and device enrollment first, then ramping up to biometric authentication and full device health enforcement</span><span data-contrast="auto">. Check out our Zero Trust guidance for&nbsp;</span><a href="https://www.microsoft.com/security/blog/2020/04/30/zero-trust-deployment-guide-azure-active-directory/"><span data-contrast="none">identities</span></a><span data-contrast="auto">&nbsp;and&nbsp;</span><a href="https://www.microsoft.com/security/blog/2020/05/26/zero-trust-deployment-guide-for-devices/"><span data-contrast="none">devices</span></a><span data-contrast="auto">&nbsp;that we follow internally for some additional recommendations.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:120,&quot;335559740&quot;:240}">&nbsp;</span></p>
<p><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:120,&quot;335559740&quot;:240}">&nbsp;</span><span data-contrast="auto">When we rolled out our device enrollment policy, we learned that using data to measure the policy’s impact allowed us to tailor our messaging and deployment schedule. We enabled “logging mode”, which let us enable the policies and collect data on who would be impacted when we moved to enforcement. Using this data, we first targeted users who were already using compliant devices. For users that we knew were going to be impacted, we crafted targeted messaging alerting them of the upcoming changes and how they would be impacted. This slower, more measured deployment approach allowed us to monitor and respond to issues more quickly. Using this data to shape our rollout helped us minimize the impact of significant policy implementation.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:120,&quot;335559740&quot;:240}">&nbsp;</span></p>
<h2>Start with a hero&nbsp;application</h2>
<p><span data-contrast="auto">Picking your first application to move out to the public internet can be done in a few&nbsp;</span><span data-contrast="auto">different ways</span><span data-contrast="auto">.&nbsp;</span><span data-contrast="auto">Do you</span><span data-contrast="auto">&nbsp;want to start with something small and non-critical? Or&nbsp;</span><span data-contrast="auto">perhaps you</span><span data-contrast="auto">&nbsp;want to “flip the switch” to cover everything at once? We decided to start with a hero application that proved it works at scale. Office 365 was the&nbsp;</span><span data-contrast="auto">obvious choice</span><span data-contrast="auto">&nbsp;because it&nbsp;</span><span data-contrast="auto">provided</span><span data-contrast="auto">&nbsp;the broadest coverage&nbsp;</span><span data-contrast="auto">since most employees use it&nbsp;</span><span data-contrast="auto">daily</span><span data-contrast="auto">, regardless of what role they are&nbsp;</span><span data-contrast="auto">in.&nbsp;</span><span data-contrast="auto">We were confident if we could implement Office 365 successfully,&nbsp;</span><span data-contrast="auto">we</span><span data-contrast="auto">&nbsp;could be successful with&nbsp;</span><span data-contrast="auto">most of</span><span data-contrast="auto">&nbsp;our portfolio.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:120,&quot;335559740&quot;:240}">&nbsp;</span></p>
<p><span data-contrast="auto">Ultimately, it</span><span data-contrast="auto">&nbsp;will boil down to your environment, threshold for support engagements, and company culture. Choose the path that works best for you and push forward. All paths will help&nbsp;</span><span data-contrast="auto">provide</span><span data-contrast="auto">&nbsp;valuable data and experience that will help later</span><span data-contrast="auto">.&nbsp;</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:120,&quot;335559740&quot;:240}">&nbsp;</span></p>
<h2>Prioritize your remaining apps and&nbsp;services</h2>
<p><span data-contrast="auto">Prioritizing the&nbsp;</span><a href="https://www.microsoft.com/en-us/security/business/identity/secure-application-access"><span data-contrast="none">apps and services</span></a><span data-contrast="auto">&nbsp;you modernize next can be challenging, especially without&nbsp;</span><span data-contrast="auto">granular</span><span data-contrast="auto">&nbsp;visibility into what employees are accessing in your environment. When we began our journey, we had theories&nbsp;</span><span data-contrast="auto">about</span><span data-contrast="auto">&nbsp;what people were accessing but no data to back it up.&nbsp;</span><span data-contrast="auto">We built a dashboard that reported actual traffic volumes to applications and services still routing to on-prem</span><span data-contrast="auto">ises</span><span data-contrast="auto">&nbsp;applications and services to&nbsp;</span><span data-contrast="auto">provide</span><span data-contrast="auto">&nbsp;the visibility we lacked</span><span data-contrast="auto">. This gave us much-needed</span><span data-contrast="auto">&nbsp;information to help prioritize apps and services based on impact, complexity, risk, and more.&nbsp;</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:120,&quot;335559740&quot;:240}">&nbsp;</span></p>
<p><span data-contrast="auto">We also used this dashboard to&nbsp;</span><span data-contrast="auto">identify</span><span data-contrast="auto">&nbsp;which application or service owners we needed to coordinate with to modernize their resources. To coordinate with these owners, we created work items in our task tracking system and assigned the owner a deadline to&nbsp;</span><span data-contrast="auto">provide</span><span data-contrast="auto">&nbsp;a plan to either modernize or implement a proxy front end solution. We also created a tracking dashboard for&nbsp;</span><span data-contrast="auto">all</span><span data-contrast="auto">&nbsp;these tasks and their&nbsp;</span><span data-contrast="auto">status</span><span data-contrast="auto">&nbsp;to make reporting easier.&nbsp;</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:120,&quot;335559740&quot;:240}">&nbsp;</span></p>
<p><span data-contrast="auto">We then worked closely with owners to provide guidance and best practices to drive their success. We conduct weekly office hours where application and service owners can ask questions. The partnership between these application and service owners and the teams working on Zero Trust helps us all drive towards the same common goals—frictionless access for our employees.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:120,&quot;335559740&quot;:240}">&nbsp;</span></p>
<p><span data-contrast="auto">A quick note on what we learned through the dashboard—the on-premises applications and services people were still accessing were not what we were expecting. The dashboard surfaced several items we were unaware people were still using. Fortunately, the dashboard helped remove a layer of fog we were unaware even existed and has been invaluable in driving our prioritization efforts.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:120,&quot;335559740&quot;:240}">&nbsp;</span></p>
<p><span data-contrast="auto">As I mentioned at the beginning of this blog, every company is unique</span><span data-contrast="auto">. As such, how you think about Zero Trust and your investments might be different than the company across the street.</span><span data-contrast="auto">&nbsp;I hope some of the insight provided above was helpful, even if it is just to get you thinking about how you would approach solving some of these challenges inside your own organization</span><span data-contrast="auto">.&nbsp;</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:120,&quot;335559740&quot;:240}">&nbsp;</span></p>
<p><span data-contrast="auto">&nbsp;</span><span data-contrast="auto">To learn more about how Microsoft IT (Information Technology), check out&nbsp;</span><a href="https://www.microsoft.com/en-us/itshowcase"><span data-contrast="none">IT Showcase</span></a><span data-contrast="auto">.&nbsp;</span><span data-contrast="auto">To</span><span data-contrast="auto">&nbsp;learn more about Microsoft Security Solutions</span><span data-contrast="none"> </span><a href="https://www.microsoft.com/en-us/security/business/solutions"><span data-contrast="none">visit our website</span></a><span data-contrast="none">.&nbsp;</span><span data-contrast="auto">Bookmark the</span><span data-contrast="none"> </span><a href="https://www.microsoft.com/security/blog/"><span data-contrast="none">Security blog</span></a><span data-contrast="none"> </span><span data-contrast="auto">to keep up with our expert coverage on security matters. Also, follow us at</span><span data-contrast="none"> </span><a href="https://twitter.com/@MSFTSecurity"><span data-contrast="none">@MSFTSecurity</span></a><span data-contrast="none"> </span><span data-contrast="auto">for the latest news on cybersecurity.</span><span data-contrast="none">&nbsp;</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:120,&quot;335559740&quot;:240}">&nbsp;</span></p>
</div>


https://www.sickgaming.net/blog/2020/11/11/securing-remote-employees-with-an-internet-first-model-and-zero-trust/