How Microsoft does Zero Trust

Captions
MARK SIMOS: Hi, my name is Mark Simos. Welcome to the Microsoft 365 Network Connectivity Series. My role is to be lead cybersecurity architect, building guidance and reference architectures, reference strategies, etc., for our customers as they're working to adopt security. And so our first topic in this series will be zero trust. And Les, would you like to introduce yourself?
LESLEY KIPLING: Thanks, Mark. Hi, everybody. My name is Lesley, and I'm a chief security advisor for Microsoft and, in fact, a long-time forensic investigator as well. During this session, Mark and I will really be trying to explain the concepts of zero trust, what it is and what that means, but equally focus on some of the architectures today that we feel are not fit for purpose. And to do that, we're going to start with a story. Along came COVID-19 and lockdowns, and unfortunately that had a huge amount of impact and potential destruction to the industry, because essentially we had everybody suddenly working from home. That meant we faced diminished network and VPN capacity, degraded user experience, and in fact reduced audio and video quality. So I do know that there were an awful lot of people out there who were very unhappy about working from home. Fast-forward a few months, and essentially we believe now that remote working is going to be the new norm. The good news about that is that it unlocks business benefits like reduced cost, it increases efficiencies, and it allows for more flexible hiring. Of course, we found that collaboration and communication tools, as I'm showing you on the screen at the moment, which is the uptake for Teams right about the March time frame when lockdown came in, were obviously required for productivity, but equally so are modern network architectures- so much so that, in fact, slow is the new broken. And what do I mean by slow is the new broken?
Well, traditionally, many IT organizations really have both segmentation and containment strategies, primarily using firewalls that filter the IP traffic by protocol and port. These designs typically include a production intranet; an extranet, otherwise known as the "DMZ," or "demilitarized zone"; and sometimes additional network segmentation within the production network. The key focus, though, is to ensure that all remote traffic is routed over the corporate network, generally due to security requirements about being able to capture that network traffic at multiple layers. An example would be a full packet capture, or specifically using SSL decryption to be able to decrypt the traffic, to be able to see what traffic is going over the network. The counter-approach to this would be to tend to push this inspection into the client layer, therefore adding more agents in a best-of-breed world. And the net result is that most of these are a failed strategy that is difficult to implement, costly to the organization, and yet is repeatedly proven to be easily evaded by attackers. So if you remember port 80, which is the firewall bypass port: VPNs are frequently leveraged by attackers as a means to attain access into the organization's network. Also, on top of that, latency drives users away and incentivizes shadow IT. So essentially, on this slide what we're trying to get across is really the connectivity principles that are required for thinking about using modern applications, and specifically software-as-a-service applications, in fact, like M365. So there's more detail there on that link. I'd encourage you to go and have a look at those. But essentially, we want to take a different approach to security controls and avoid duplication, because it bottlenecks the traffic and adds latency without necessarily adding security.
Where we're going to be focusing today, with the rest of the conversation, is really on point number 4, which is modernizing security for those SaaS applications. So now I'm going to hand you back to Mark to be able to talk about maybe the traditional approaches to zero trust, why zero trust was born, talking about the landscape, and maybe then how we start to think about modernizing zero trust and network architectures going forward. Back to you, Mark.
MARK SIMOS: Thanks, Les. So, one of the interesting things about zero trust is, it's kind of a newer buzzword, as people like to say, but it's also got very, very deep roots that go back decades. So it really helps, to understand what zero trust is, to understand where security started and what we've tried in the past, because ultimately, the goal of security is, you want to keep your assets safe- important things like your data and your critical applications that you need to run your business or your nonprofit or government agency or whatever- you've got to keep those valuable assets away from the attackers. That's really the goal at the end of the day. And there's a lot to it, because IT got pretty complex pretty fast, with lots of different users and roles, etc., and different devices and you name it. And so the first attempt to sort of address the security question was, Hey, why don't we . . . we own these wires, we own the building, we own the physical facilities, let's go ahead and say this new network that we have, let's put a border around it, put a firewall there so that these attackers can't get in, because that was kind of how the first one started. And this sort of gave birth to the trusted network security strategy- that we're network based; it seems simple, economical; and, hey, we'll get to the security and we'll do some more stuff within the network because it seems like an important thing, but we really never got to it, to be honest.
So then, what happened over time is, we really started to see that the assets themselves didn't quite fit this assumption or this paradigm that all the things we care about are on the network. The first part being the network assets: bring your own devices, work from home, mobile- everybody's working from home at this moment in time- were really happening, and so a lot of these assets were on the network or are now. We're also seeing that, to adapt to the cloud and to just hyper-scale- just millions of cores and all sorts of services and all that kind of stuff- the protocols had to be really adapted and tuned in particular ways for how end-user devices connect to Office 365, for example. And these aren't the same POP3 and IMAP services of times past. These are really much more sophisticated, advanced, specialized things. And so, this is really outpacing the tools and the expertise that's out there in the marketplace to do kind of that network-oriented security. And then, we also saw the attackers themselves shift, and we'll talk quite a bit more in the next slide, but we're seeing them move to phishing and credential theft. And if you try to do all of those kinds of newer attacks with the network, or try to detect them and investigate them and respond to them or remediate them, it gets very, very difficult, because those aren't really tuned for it, and you always end up with way too many events that might have something to do with it, and it just really overwhelms your SOC analysts and your security analysts who are investigating them. So let's take a look at the attack environment, because that history kind of helps frame why we needed to kind of do something different than the classic model. Well, let's take a look at what we have today, because this really helps kind of illustrate what zero trust is really meant to solve.
These are fairly current prices of what it costs an attacker to actually buy a piece of an attack on the dark web, kind of the much more obscure and out-of-the-public-eye version of the internet. And so this is where they go and they buy things like a compromised account; they can buy ransomware toolkits; they can buy zero-days, which are very expensive. And you'll notice that these things tend to be fairly cheap- a compromised PC, anywhere from 3 cents to $1.80. Those are the identity attack kind of raw material; the compromised accounts are very cheap. So if I'm an attacker and I want to try and get into a company, I don't feel like paying the $10,000 fee for somebody else to do it for me in the bottom left there; with the compromised accounts for $150 US, I can buy 400 million. And on average, for reference, it's about a 1% hit rate in any different company that a user name and password pair match a user in an enterprise organization. And so for $150, I can get effectively 4 million chances with that 1% rate to get into that company. Why would I bother scanning and exploiting and doing all this old-school stuff when I could do that, or I could just send a phishing email? And so the attackers have really adapted to that world. And so we have to make sure that the things that we're thinking about for security under the zero trust umbrella are really focused on that problem as it is. So now onto the definition of "zero trust." And this is something that's a little bit confusing to folks because it's new. So new things are always a little hard to get your mind around, because it's kind of a new model, a new paradigm. In typical fashion, there are a lot of different vendors and folks with different stakes that are trying to define it. The thing that we've come to realize at Microsoft, in our work with The Open Group and NIST and a number of other organizations as well, is that zero trust is actually an overarching strategy.
It's an overall formal strategy for security- some would argue the first one we've ever had as a security industry. But it is a formal strategy. And so a strategy is not something you rack and stack into a 19-inch rack and screw it in and bolt it in. A strategy is something that affects all the things that you do and kind of realigns us. Some of the changes are big, some are small, some are just perception-how you look at things. But it's a strategy to focus on protecting those important business data and apps, very much aligned to the business and the mission, on a public or untrusted network, kind of acknowledging that reality of that kind of hostile network that we're on because we don't have that safe firewall boundary around us anymore. We can't consider it safe inside of it. And this leads to then the second layer. So this is another thing that confuses people. It's not only new, but it's multilayered. So the strategy is going to result in a couple of different initiatives in most organizations, the first of which is productivity security- so, things like I am logged in to my laptop and I am doing work on a regular basis [from home, nowadays], and kind of, how do we do security for that? And this is the area where, quite frankly, the technology is most mature, and zero trust and its value proposition is clear. It essentially led to some confusion because some people thought zero trust is identity security, it is productivity and productivity security is zero trust. Zero trust is actually more than that. We've realized that the same sort of hard outer shell of the network thing doesn't work, also leads us to SOC modernization, where we have to do detection, response, remediation outside of our network. And we know that it's also going to affect data center access and kind of how we do isolation segmentation within it. We know it's going to affect and touch IoT and OT, as well. 
So zero trust is a very big-picture thing, where we're focusing most on the productivity security today, but we wanted to make sure that folks are understanding that this was a broader piece. The cool thing about it, and my personal favorite part about zero trust is it's not and or, right? It's not IT versus security. It's not business versus security like things have gone in the past. It actually benefits everyone, everyone wins in it. It sounds a little silly, it sounds a little over the top, but the truth is, zero trust actually helps both security and productivity. And the core for this and the reason for this is because we're no longer trying to create a safe space in the network, and then pull the assets and the users and everything into it. We're actually taking the security things that we've learned and going to where the users and the business assets are, and we're actually securing them where they are. And so this creates massive benefits because it takes a lot of the friction out of trying to force people onto a network they don't necessarily want to be on at that moment in time. And it also increases security because you have high fidelity right there with the asset, where the action is happening types of insights. So security gets better. So you get that lower risk of those compromised users and endpoints, you get much better visibility into what's going on. You don't have these weird kind of blind spots. A nice centralized view of risk through the access control mechanism, like conditional access. And then, it also increases productivity because users can work wherever they want. And those are normal users, IT users; the SOC, we're finding, is working from home and they're really loving the same kind of flexibility when the SOC folks actually modernize. And everybody can choose their own device, and based on the trust level, we're going to give you access to it. So it's a much better system overall. 
With SSO, your "access denied" is not just a hard block; it actually tells you, Hey, you need MFA. Punch it in. OK, I went to my phone, good. And of course, passwordless benefits all. So that's one of the things I really, really like about zero trust. So anyway, I've rambled on enough about how much I'm passionate about zero trust. So, Les, any thoughts here?
LESLEY KIPLING: And you know, Mark, that's actually a really interesting point, because we have a concept of data gravity, maybe especially if we're talking about security operation centers, which is essentially to be able to keep their analytics where the data is. So instead of moving the data all around the place and expecting analytics to be able to find that data and be able to run analysis across that, essentially now what we're doing with this is basically saying, we want to put security closest to the user as well. So instead of that overhead of trying to move the user to where the controls are, think about keeping the controls around the user. And I think that's a very powerful point. And one of the other points to mention there, Mark, is that you said that trust is earned, not given, from a zero trust perspective, and that changes a little bit the dynamics and the language that we had at Microsoft, which, if you remember, was essentially something along the lines of "trust but verify." These days, what we're saying is essentially "don't trust anyone." So I want to say that the vector of evolution for zero trust is really for everything and not just networking. And there's an empirical relationship between attainable trust and the overhead of trying to apply those security controls and, of course, performance as well, which I think is a very key point just to re-highlight. So if I go back to what we are doing at Microsoft now, and here I'm going to talk about the first step that we had, which essentially is a typically flat network, which is something that we see a lot of our organizations use out there.
And really this is a way to be able to showcase the Microsoft journey, thinking again about moving away from the legacy network security controls and towards something that I think is really more around the modern capability using zero trust. And the reason for doing this is, zero trust, like anything, like any journey, has a maturity model that goes along with it. So you think about the pre-zero trust days: you're basically talking about device management is not necessarily required; you get single-factor authentication to resources; and you have the capability of enforcing strong identity, but in many cases this is not being used. So the first four, if you like, maturity steps in that model are verifying identity, and doing that with a strong identity enforcement capability; verifying the device, because the device health is key to thinking about how we do this stuff; verifying the access; and then moving on to verifying services. And those are different concepts that hopefully, with the boards that we're doing right now and the slides that we're showing you, this kind of elaborates what we're trying to get to here. But that network was the then, if you like. This is the now. And essentially the way that we do it is by being able to determine what data it is that we are trying to protect. So you really do have to understand your assets and your business-critical data, so that you ensure that you're putting the adequate security controls on that business-critical data, and not just adding the same level of security controls across different data sets, which again makes it expensive and potentially impacts productivity. So here what we've done is being able to say, well, as a user, if you want to be able to access cloud data- and we're going to start talking about strongly verified and verifiable and trusted applications- there's no necessity for you to go down a VPN, alright.
But those people who require VPN access, or access into business-critical segments of the Microsoft network, essentially have to do extra identity proof to be able to say I am who I said I am. And again, similarly to that four-step journey that we have from our maturity model perspective in terms of zero trust, we also talk about the four identities at Microsoft: identity as me as a user, identity as the device that we're talking about, then the applications and the data. And essentially the new face for that may be something like workloads or services, and we're going to talk about that as well. So I'm going to pass you back to Mark just so that he can fill in the detail on the left-hand side of this graph. Mark, over to you.
MARK SIMOS: Thanks, Les. Yeah, one of the super-important parts about this, when you look at this sort of left-right divide, where you have your traditional macro-segmentation or big-picture segmentation on the right, and then on the left you've got those user access devices- and this is really where the much more sort of revolutionary parts of zero trust start to emerge- because the reality is we very much moved those client devices off of the corp net. Now, they're still there. They've got the VPN as a backup, right, and I VPN in maybe once every month or two. There's a few services left that I still use that require VPN, but just about everything else is published out on the internet and runs through all the zero trust goodness in terms of checking my device, checking my user account, and making sure everything is security healthy before it gives me access. And so ultimately, I can be working anywhere, and I work from home primarily now, but I could be working from anywhere and have those very elevated levels of security assurance that are, quite frankly- and we'll talk about this in another slide or two- much better with the native controls, much better fidelity, much more clarity.
And one thing that is distinguished on this slide, so I do want to explain it, is unmanaged internet is pretty much good enough for just about most things, but we have found that there are some reasons to have a sort of common network. This is a little bit of stuff from our corp net, where there's like peer-to-peer, so that, like, for optimizing download of software updates and Windows updates and a few other kind of peer-to-peer tasks and Teams meetings and whatnot, there is good reason to have sort of a common network that isn't the raw internet. So we do actually qualify people into that after the health check for sort of some of those things, in addition to requiring health for that but also requiring health for things like Office 365 and all of the different SaaS universe, as well as all those on-premises applications that have been published through Azure AD App Proxy. And so very much a kind of two-part strategy, with one, the traditional sort of macro-segmentation locking things off, and then this sort of new, based on the trust of the device, the trust of the user, and then what app they're trying to access, doing the right level of security checks and that policy-driven piece. So very adaptive, so static policy, dynamic threat intelligence signals. And so now Les is going to take us through a little bit more of what this really looks like in more detail, as well as the native controls that really kind of enable it and bring that higher-level safety and security from that zero trust approach to security. Les?
LESLEY KIPLING: Mark, and the future is exciting. As I say, it may not be here right now, but it's certainly something that's on its way, and we expect it imminently. From the point of view, you mentioned passwords a couple of slides ago; that's certainly something inside Microsoft we've been trying to get rid of. We don't like passwords. Passwordless authentication using biometrics, such as Windows Hello, is the way forward.
Equally, one of the key things that we're trying to get rid of eventually- and I'm not saying this is going to be an easy thing to do- but essentially is to move away from VPNs completely. So at the moment, what we have is split-tunneling VPN, or selected VPN, if you will, which essentially is to say if you're connecting through to that trusted and sanctioned application, then you can do that directly. So essentially, again going back to the concept of the controls needing to be where the user is: so instead of trying to route all of that traffic back down into the VPN because of the ability to be able to look at that from a security perspective, because it's a sanctioned, verifiable app, then it should be something that goes directly through to the internet. And that is something that we do inside Microsoft. So, that is to say, we have that selective VPN. Next steps, of course, would be to be able to get rid of VPN completely. That may take a little bit longer. Certainly, it's something where we can say that services- an example would be if it's a Microsoft application or line-of-business application and that's published to the internet- certainly thinking about VPNs, they are a mechanism for us to be able to work hard if there's something that hasn't yet been published to the internet, and maybe something we want to be facing and doing as quickly as possible. So essentially, VPNs, I hope, are going to be off the table sometime soon. It's been something that attackers have used as a mechanism into our customers' environments for many years. So I'm certainly excited, as I said, to get rid of VPNs when possible. Thank you. Back to you, Mark.
MARK SIMOS: Yeah, Les, that really reminds me of one of my favorite adages: Why would I bother breaking in when I can just log in? Referring to the VPNs. So all this is great context, but now, of course, what do I do about it? How do I get started is the next most important question.
And so that's why we built this RaMP, or "Rapid Modernization Plan," to really help folks do the most important stuff first. And the first step on this is actually pretty nontechnical: aligning teams and strategy. One of the things that we've seen through a lot of things, including sort of the segmentation strategy, is that the technical teams in most organizations tend to not be aligned tightly. They tend to be fairly disjointed. So if you ask the networking team, OK, how do you divide up the enterprise assets? And they'll tell you about subnets and server rooms and all that kind of stuff. You go talk to identity folks, and they'll give you how they thought about the OU model and how they thought about the groups and all that, which doesn't really line up very well to what the networking folks have done. And then you go talk to the apps teams, it's like we don't really use any of those. We kind of do our own thing. So we tend to find that how do we approach segmenting up the business assets and grouping them and protecting them is very, very bottom up; very organic; and very much not aligned. So that is just a symptom of many other things where the organization isn't talking. As we sort of switch to this cloud generation and we go through this zero trust piece where we need to update everything and rethink it, teams really need to kind of sit down and work together and figure out, OK, we need to have an enterprise segmentation strategy that the business tells us these things are important, these things not, and we tell them here's the high risk ones we need to isolate- work it all together, one strategy, and then everybody lines up to that. So very important to get all the teams on the same page. We found that really gets in the way of moving forward with zero trust. The next piece is really where the technology starts. And so that's really building that modern identity-based perimeter. So a lot of folks think of it in a perimeter mindset. 
You can either say this is perimeter-less or it's a new perimeter. We tend to say it's much more of two perimeters, a dual-perimeter strategy, because that tends to offer more clarity, we found, than the perimeter-less terminology. But the idea here is that you're starting to build up those other controls beyond the network. So those user validations- the passwordless MFA- is the very first step we recommend. And then, those device assurances. As soon as you've got sort of the users measured and assurances are good, you want to go ahead and get the devices measured and good and integrated into those decision processes. And one quick tip here that we've learned is that rolling this out to admins first tends to be good, because they're technical users, they're very targeted by attackers, so very likely to be attacked. It's a bad day if you lose control of a user account, but it's really bad if you lose control of an IT admin, because they have privileges to a lot of different assets. So for those user and device things, we do recommend rolling those out first. And then, kind of wrapping up that kind of identity-oriented perimeter, those sort of new sets of controls beyond the network, really kind of modernizing the apps obviously as you can. Everybody's got a pretty big backlog of legacy apps. As much as you can, modernize them. But also, and this is very much referencing what our IT organization does, is updating sort of the publishing of those. By publishing to the internet, you can hook into all those good user device validations instead of sort of the legacy VPN validation, so that when you're authenticating to and accessing that application, you get all these modern controls retrofitted onto your applications as you publish them. So you actually get more security as you give more accessibility to a user. So we found that's a real big win-win. And then, of course, the data. You do need to make sure you understand where it is, what's important.
Can you devalue and take some of that sensitive stuff out of your databases? Great! The ones that you can't, the ones that are still important and have to be important, make sure you're putting those extra sets of monitoring, information protection, kind of encryption, phone-home-type approaches on them. And then, of course, as with everything else, there's always legacy in every area, and so you will have legacy identity protocols that you've been using, typically on ActiveSync or some on-premises ones like WAN, LAN, NTLM, etc., and so you want to start retiring those as your way of sort of making sure that these solid modern gains really don't have a backdoor in them. The next and the last piece here is the network perimeter, which does require a little bit of focus. Like as we mentioned, we do segmentation at Microsoft. That's something we do recommend for our customers, so that macro-segmentation. So for those most important assets that really need to be there, the ones that have life safety and operational impact on the physical world, you definitely want to have an extra set of controls around those, especially because some of them are messy and can't be patched, and so they're kind of sitting there vulnerable. You want to have network controls for that. They are very well suited for that case. And micro-segmentation is a great thing to be exploring. It's tricky because the technology isn't quite as mature as we'd like it to be- not nearly as mature as the productivity stuff in blue. And of course, there are always those legacy things that I mentioned, such as the unpatchable assets, where you really want to apply those controls. We've talked a lot about technology. Now let's talk a little bit about people. And so if you step back for a moment, it's a pretty big transformational change. There's a lot of incremental progress, very straightforward technology updates, but there's also a larger, bigger picture of transformation of how I do my job.
If I'm an IT pro or a security pro, a practitioner doing my job, I'm having to learn lots of new things. I'm having to do unfamiliar things. I'm being asked to give security opinions and risk assessments on things I don't necessarily understand. The people are affected as much as the technologies and the processes are, and we have to make sure we keep that in mind, because security itself, what we're trying to do in security outcomes- the principles and methods- has not changed. We've gotten a little bit clearer picture on what that is and what it should be, but security itself, and that protect against bad guys messing with it- or bad gals; there could be female attackers, too, and there are- that hasn't changed, like the discipline of security. But the environment that we're protecting as security people has changed. The way that development is happening with DevOps; the continuous engagement of architecture rather than here's my document, throw it over the wall; automation, integration, asset-specific controls like we've been talking about, like getting into the device, getting into the user and not just the network layer- there's a lot of change mixed in to how we actually achieve this mission. So the "what" really hasn't changed, the "how" has changed quite a bit, and it's changing and continuing to. So we've learned that it's very important to work with people, to educate people, and engage and inspire them- training and learning, encourage them to do self-service, make sure that folks are getting the training, the funding, and the mentoring that they need to really learn and understand this- because if you ask a security person, hey, you're responsible for giving me a security opinion on this, right?
Or assessing it, or whatever the case may be, and you don't know a thing about it because all you've learned was IP addresses and networks, but I'm asking you to give me an assessment of an application or this or that that you're not familiar with at all, they're not going to feel that comfortable, and they're going to feel kind of defensive. And so it's very important that we recognize how important, how much of a human change this is as well, and that we work with those folks, and say, hey, do you know how this works? Let me show you how this works. And these are the controls that we're looking at. Did you want to put this in the next pen test, penetration test? And really engage and make sure that we're remembering that we're all humans with a common mission of helping the organization succeed and protecting it at the same time. We've also learned, as much as possible, to bring in diverse perspectives and fresh perspectives and have people that are coming in from different backgrounds, from applications, different walks of life, etc., and that really helps people see things through a different lens and helps kind of get a better picture on it, so that people aren't kind of stuck in their old habits of the way things are done. So we found that this people change is just as important as the technology aspects of it. So, Les, did you want to wrap us up?
LESLEY KIPLING: Thank you, Mark. It's an interesting concept, thinking about the people side of this. So we're very prone to talking about the technology. So hopefully today during this journey, we've given you some food for thought in thinking about how you move your security needle, maybe thinking about some of the steps to take to increase your maturity from a zero trust perspective. We do have some key takeaways. Obviously, they're on the slide there. For example, you can use some of the recommended actions that we talked about inside our Rapid Modernization Plan.
As part of this also, we will be giving you access to more resource information in terms of things like the maturity model that I mentioned, and also a zero trust framework for you to be able to start that journey and be able to think of that. So on behalf of Mark and myself, I hope that was useful. Thank you so much for listening. And goodbye for now.
MARK SIMOS: So thank you all very much for listening. We really appreciate it. And hopefully this helps you make our world a little bit safer. Thanks.
Info
Channel: Microsoft 365
Views: 11,084
Rating: 4.9567566 out of 5
Id: bZCH4nkNP34
Length: 30min 51sec (1851 seconds)
Published: Fri Sep 04 2020