The rapid shift to remote work is testing the agility of organizations’ network architectures. Those enterprises that rely on an internal network as a trust boundary are realizing that a shift to zero trust is almost imperative to keep operations running securely.
In a new CyberScoop podcast, Steve Faehl, U.S. Security CTO for Microsoft, discusses how one of the world’s largest organizations took on the task of moving to a zero-trust security model internally – and what they learned as an organization in the process.
For Microsoft, “zero trust became a strategy as a result of numerous cyberattacks that demonstrated the fallacy of assuming that entities on your internal network are more trustworthy,” Faehl shares.
Microsoft’s embrace of a zero-trust security approach began in 2002, prompted by Bill Gates’ trustworthy computing initiative memo. It led Microsoft developers to question their assumptions of implicit trust, according to Faehl, and reshaped their approach to developing security safeguards as well as their design assumptions within their internal network.
Faehl shares those and other details about Microsoft’s zero-trust journey, including how enterprise leaders can develop more effective long-term security strategies, in this podcast, produced by CyberScoop and underwritten by Microsoft:
Microsoft has a culture that values privacy, security and reliability, says Faehl, which served as the foundation necessary to refocus the company’s entire approach to security when it became apparent that a particular product or technology couldn’t mitigate security risks on its own. That led Microsoft’s developers to begin taking a layered approach.
“A layered security approach offers more protection and better flexibility than trying to rely on a single silver bullet,” Faehl explains.
He outlines how changes were made incrementally over the years, starting with stakeholder input, and then developing a phased approach to implement zero-trust measures. Over time, as Microsoft built out and tested its approach to zero trust, Faehl says they learned the six essential pillars to an effective zero-trust strategy:
Each of those pillars requires disciplines around assurance, monitoring and controls, but all of them need to be addressed as part of a larger, cohesive strategy, he says. Focusing on them piecemeal, or sequentially, won’t get the job done.
“The almost overnight shift to remote work has really tested the agility of organizations’ Information System architectures and it’s made zero trust an imperative,” Faehl says.
“We’ve had many customers ask for simplified and more prescriptive onboarding guidance. So, we’ve started creating specific end-to-end guidance to enable the most common customer scenarios. We’re not only helping address remote work needs quickly, we’re also helping them move the needle for their broader zero-trust implementation, which will benefit the organization for years to come.”
“If a phishing email opened by a single employee allows an attacker to completely bypass your firewall, and then move freely inside of your network, then it’s definitely time for a change,” Faehl stresses.
“This [zero-trust] journey starts with understanding the need for the change. It’s not that internal trust was ideal and zero trust is some kind of consolation prize. Instead by moving to zero trust, we’re moving trust closer to the resource and tightening the scope while significantly increasing the level of assurance.”
Steve Faehl has played a number of leading roles at Microsoft, developing security strategy for organizations in the U.S. public sector, in health care and in the financial services industry. He also spent a number of years earlier on as a cloud architect at Microsoft.
Listen to the podcast for the full conversation on what Microsoft learned implementing zero trust. You can hear more coverage of “IT Security Modernization” on our CyberScoop radio channels on Apple Podcasts, Spotify, Google Play, Stitcher and TuneIn.
This podcast was produced by CyberScoop and underwritten by Microsoft.