MARK SIMOS: Hi, my name is Mark Simos. Welcome to the Microsoft 365 Network Connectivity Series. My role is to be lead cybersecurity architect, building guidance and reference architectures, reference strategies, etc., for our customers as they're working to adopt security. And so our first topic in this series will be zero trust. And Les, would you like to introduce yourself?

LESLEY KIPLING: Thanks, Mark. Hi, everybody. My name is Lesley, and I'm a chief security advisor for Microsoft and, in fact, a long-time forensic investigator as well. During this session, Mark and I will really be trying to explain the concepts of zero trust, what it is and what that means, but equally focus on some of the architectures today that we feel are not fit for purpose. And to do that, we're going to start with a story.

Along came COVID-19 and lockdowns, and unfortunately that had a huge amount of impact and potential destruction to the industry, because essentially we had everybody suddenly working from home. That meant we faced diminished network and VPN capacity, degraded user experience, and in fact reduced audio and video quality. So I do know that there was an awful lot of people out there who were very unhappy about working from home. Fast-forward a few months, and essentially we believe now that remote working is going to be the new norm. The good news about that is that it unlocks business benefits like reduced cost, it increases efficiencies, and it allows for more flexible hiring. Of course, we found that collaboration and communication tools, as I'm showing you on the screen at the moment, which is the uptake for Teams right about the March time frame when lockdown came in, were obviously required for productivity, but equally so are modern network architectures, so much so that, in fact, slow is the new broken.

And what do I mean by slow is the new broken? Well, traditionally, many IT organizations really have both segmentation and containment strategies, primarily using firewalls that filter the IP traffic by protocol and port. These designs typically include a production intranet; an extranet, otherwise known as the "DMZ," or "demilitarized zone"; and sometimes additional network segmentation within the production network. The key focus, though, is to ensure that all remote traffic is routed over the corporate network, generally due to security requirements about being able to capture that network traffic at multiple layers. An example would be a full packet capture, or specifically using SSL decryption to be able to decrypt the traffic, to be able to see what traffic is going over the network. The counter-approach to this would be to push this inspection into the client layer, therefore adding more agents in a best-of-breed world. And the net result is that most of these are a failed strategy that is difficult to implement, costly to the organization, and yet is repeatedly proven easily evaded by attackers. So if you remember port 80, which is the firewall bypass port, VPNs are frequently leveraged by attackers as a means to attain access into the organization's network. Also, on top of that, latency drives users away and incentivizes shadow IT.

So essentially, on this slide, what we're trying to get across is really the connectivity principles that are required for thinking about using modern applications and specifically software-as-a-service applications, in fact, like M365. So there's more detail there on that link. I'd encourage you to go and have a look at those. But essentially, we want to take a different approach to security controls and avoid duplication, because it bottlenecks the traffic and adds latency without necessarily adding security. Where we're going to be focusing today, with the rest of the conversation, is really on point number 4, which is modernizing security for those SaaS applications. So now I'm going to hand you back to Mark to be able to talk about maybe the traditional
approaches to zero trust, why zero trust was born, talking about the landscape, and maybe then how we start to think about modernizing zero trust and network architectures going forward. Back to you, Mark.

MARK SIMOS: Thanks, Les. So, one of the interesting things about zero trust is, it's kind of a newer buzzword, as people like to say, but it's also got very, very deep roots that go back decades. So it really helps, to understand what zero trust is, to understand where security started and what we've tried in the past, because ultimately the goal of security is, you want to keep your assets safe: important things like your data and your critical applications that you need to run your business or your nonprofit or government agency or whatever. You've got to keep those valuable assets away from the attackers. That's really the goal at the end of the day. And there's a lot to it, because IT got pretty complex pretty fast, with lots of different users and roles, etc., and different devices, and you name it.

And so the first attempt to sort of address the security question was, "Hey, why don't we... we own these wires, we own the building, we own the physical facilities, let's go ahead and say this new network that we have, let's put a border around it, put a firewall there so that these attackers can't get in," because that was kind of how the first one started. And this sort of gave birth to the trusted network security strategy: that we're network based; it seems simple, economical; and, hey, we'll get to the security and we'll do some more stuff within the network because it seems like an important thing, but we really never got to it, to be honest.

So then, what happened over time is, we really started to see that the assets themselves didn't quite fit this assumption or this paradigm that all the things we care about are on the network. First part being the network assets: bring your own devices, work from home, mobile (everybody's working from home at this moment in time) were really happening, and so a lot of these assets were on the network or are now. We're also seeing that, to adapt to the cloud and to just hyper-scale, just millions of cores and all sorts of services and all that kind of stuff, the protocols had to be really adapted and tuned in particular ways for how end-user devices connect to Office 365, for example. And these aren't the same POP3 and IMAP services of times past. These are really much more sophisticated, advanced, specialized things. And so this is really outpacing the tools and the expertise that's out there in the marketplace to do kind of that network-oriented security. And then we also saw the attackers themselves shift, and we'll talk quite a bit more in the next slide, but we're seeing them move to phishing and credential theft. And if you try to do all of those kinds of newer attacks with the network, or try to detect them and investigate them and respond to them or remediate them, it gets very, very difficult, because those aren't really tuned for it, and you always end up with way too many events that might have something to do with it, and it just really overwhelms your SOC analysts and your security analysts that are investigating them.

So let's take a look at the attack environment, because that history kind of helps frame why we needed to do something different than the classic model. Well, let's take a look at what we have today, because this really helps illustrate what zero trust is really meant to solve. These are fairly current prices of what it costs an attacker to actually buy a piece of an attack on the dark web, kind of the much more obscure and out-of-the-public-eye version of the internet. And so this is where they go and they buy things like a compromised account; they can buy ransomware toolkits; they can buy zero-days, which are very expensive. And you'll notice that these things tend to be fairly cheap: a compromised PC, anywhere from 3 cents to $1.80. Those are the identity attack kind of raw material; the compromised accounts are very cheap. So if I'm an attacker and I want to try and get into a company, I don't feel like paying the $10,000 fee for somebody else to do it for me, in the bottom left there; the compromised accounts, for $150 US, I can buy 400 million. And on average, for reference, it's about a 1% hit rate in any different company that a username and password pair match a user in an enterprise organization. And so for $150, I can get effectively 4 million chances with that 1% rate to get into that company. Why would I bother scanning and exploiting and doing all this old-school stuff when I could do that, or I could just send a phishing email? And so the attackers have really adapted to that world. And so we have to make sure that the things that we're thinking about for security under the zero trust umbrella are really focused on that problem as it is.

So now onto the definition of "zero trust." And this is something that's a little bit confusing to folks because it's new. So new things are always a little hard to get your mind around, because it's kind of a new model, a new paradigm. Typical fashion, there's a lot of different vendors and folks with different stakes that are trying to define it. The thing that we've come to realize at Microsoft, and in our work with The Open Group and NIST and a number of other organizations as well, is that zero trust is actually an overarching strategy. It's an overall formal strategy for security; some would argue the first one we've ever had as a security industry. But it is a formal strategy. And so a strategy is not something you rack and stack into a 19-inch rack and screw it in and bolt it in. A strategy is something that affects all the things that you do and kind of realigns us. Some of the changes are big, some are small, some are just perception, how you look at things. But it's a strategy to focus on protecting those important business data and apps, very much aligned to the business and the mission, on a public or untrusted network, kind of acknowledging that reality of that kind of hostile network that we're on, because we don't have that safe firewall boundary around us anymore. We can't consider it safe inside of it.

And this leads to the second layer. So this is another thing that confuses people. It's not only new, but it's multilayered. So the strategy is going to result in a couple of different initiatives in most organizations, the first of which is productivity security: so, things like I am logged in to my laptop and I am doing work on a regular basis (from home, nowadays), and kind of, how do we do security for that? And this is the area where, quite frankly, the technology is most mature, and zero trust and its value proposition is clear. It essentially led to some confusion, because some people thought zero trust is identity security, it is productivity, and productivity security is zero trust. Zero trust is actually more than that. We've realized that the same sort of hard-outer-shell-of-the-network thing doesn't work, which also leads us to SOC modernization, where we have to do detection, response, remediation outside of our network. And we know that it's also going to affect data center access and kind of how we do isolation and segmentation within it. We know it's going to affect and touch IoT and OT as well. So zero trust is a very big-picture thing, where we're focusing most on the productivity security today, but we wanted to make sure that folks are understanding that this was a broader piece.

The cool thing about it, and my personal favorite part about zero trust, is it's not and/or, right? It's not IT versus security. It's not business versus security, like things have gone in the past. It actually benefits everyone; everyone wins in it. It sounds a little silly, it sounds a little over the top, but the truth is, zero trust actually helps both security and productivity. And the core for this, and the reason for this, is because we're no longer trying to create a safe space in the network and then pull the assets and the users and everything into it. We're actually taking the security things that we've learned and going to where the users and the business assets are, and we're actually securing them where they are. And so this creates massive benefits, because it takes a lot of the friction out of trying to force people onto a network they don't necessarily want to be on at that moment in time. And it also increases security, because you have high-fidelity, right-there-with-the-asset, where-the-action-is-happening types of insights. So security gets better. So you get that lower risk of those compromised users and endpoints, you get much better visibility into what's going on. You don't have these weird kind of blind spots. A nice centralized view of risk through the access control mechanism, like conditional access. And then it also increases productivity, because users can work wherever they want. And those are normal users, IT users; the SOC, we're finding, is working from home, and they're really loving the same kind of flexibility when the SOC folks actually modernize. And everybody can choose their own device, and based on the trust level, we're going to give you access to it. So it's a much better system overall. SSO, your access denied is not just a hard block; it actually tells you, "Hey, you need MFA. Punch it in." OK, I went to my phone, good. And of course, passwordless benefits all. So that's one of the things I really, really like about zero trust. So anyway, I've rambled on enough about how much I'm
passionate about zero trust. So, Les, any thoughts here?

LESLEY KIPLING: And you know, Mark, that's actually a really interesting point, because we have a concept of data gravity, maybe especially if we're talking about security operations centers, which is essentially to be able to keep their analytics where the data is. So instead of moving the data all around the place and expecting analytics to be able to find that data and be able to run analysis across that, essentially now what we're doing with this is basically saying we want to put security closest to the user as well. So instead of that overhead of trying to move the user to where the controls are, thinking about keeping the controls around the user. And I think that's a very powerful point. And one of the other points to mention there, Mark, is that you said that trust is earned, not given, from a zero trust perspective, and that changes a little bit the dynamics and the language that we had at Microsoft, which, if you remember, was essentially something along the lines of "trust but verify." These days, what we're saying is essentially "don't trust anyone." So I want to say that the vector of evolution for zero trust is really for everything and not just networking. And there's an empirical relationship between attainable trust and the overhead of trying to apply those security controls and, of course, performance as well, which I think is a very key point just to rehighlight.

So if I go back to what we are doing at Microsoft now, here I'm going to talk about the first step that we had, which essentially is a typically flat network, which is something that we see a lot of our organizations use out there. And really this is a way to be able to showcase the Microsoft journey, thinking again about moving away from the legacy network security controls and towards something that I think is really more around the modern capability using zero trust. And the reason for doing this is, zero trust, like anything, like any journey, has a maturity model that goes along with it. So you think about the pre-zero trust days: you're basically talking about device management is not necessarily required; you get single-factor authentication to resources; and you have the capability of enforcing strong identity, but in many cases this is not being used. So the first four, if you like, maturity steps in that model are verifying identity, and doing that with a strong identity enforcement capability; verifying the device, because the device health is key to thinking about how we do this stuff; verifying the access; and then moving on to verifying services. And those are different concepts that hopefully, with the boards that we're doing right now and the slides that we're showing you, this kind of elaborates what we're trying to get to here.

But that network was the then, if you like. This is the now. And essentially the way that we do it is by being able to determine what data it is that we are trying to protect. So you really do have to understand your assets and your business-critical data, so that you ensure that you're putting on that business-critical data the adequate security controls and not just adding the same level of security controls across different data sets, which again makes it expensive and potentially impacts productivity. So here what we've done is being able to say, well, as a user, if you want to be able to access cloud data (and we're going to start talking about strongly verified and verifiable and trusted applications) there's no necessity for you to go down a VPN, all right. But those people who require VPN access or access into business-critical segments of the Microsoft network essentially have to do extra identity proof to be able to say I am who I say I am. And again, similarly to that four-step journey that we have from our maturity model perspective in terms of zero trust, we also talk about the four identities at Microsoft: identity as me as a user, identity as the device that we're talking about, then the applications and the data. And essentially the new face for that may be something like workloads or services, and we're going to talk
about that as well. So I'm going to pass you back to Mark just so that he can fill in the detail on the left-hand side of this graph. Mark, over to you.

MARK SIMOS: Thanks, Les. Yeah, one of the super-important parts about this, when you look at this sort of left-right divide, where you have your traditional macro-segmentation, or big-picture segmentation, on the right, and then on the left you've got those user access devices, and this is really where the much more sort of revolutionary parts of zero trust start to emerge, because the reality is we very much moved those client devices off of the corp net. Now, they're still there. They've got the VPN as a backup, right, and I VPN in maybe once every month or two. There's a few services left that I still use that require VPN, but just about everything else is published out on the internet and runs through all the zero trust goodness in terms of checking my device, checking my user account, and making sure everything is security healthy before it gives me access. And so ultimately, I can be working anywhere, and I work from home primarily now, but I could be working from anywhere and have those very elevated levels of security assurance that are, quite frankly (and we'll talk about this in another slide or two), much better with the native controls, much better fidelity, much more clarity.

And one thing that is distinguished on this slide, so I do want to explain it, is unmanaged internet is pretty much good enough for just about most things, but we have found that there are some reasons to have a sort of common network. This is a little bit of stuff from our corp net, where there's like peer to peer, so for optimizing download of software updates and Windows updates and a few other kind of peer-to-peer tasks and Teams meetings and whatnot, there is good reason to have sort of a common network that isn't the raw internet. So we do actually qualify people into that after the health check for sort of some of those things, in addition to requiring health for that but also requiring health for things like Office 365 and all of the different SaaS universe, as well as all those on-premises applications that have been published through Azure AD App Proxy. And so very much a kind of two-part strategy, with one, the traditional sort of macro-segmentation locking things off, and then this sort of new one, based on the trust of the device, the trust of the user, and then what app they're trying to access, doing the right-level security checks and that policy-driven piece. So very adaptive: static policy, dynamic threat intelligence signals. And so now Les is going to take us through a little bit more of what this really looks like in more detail, as well as the native controls that really kind of enable it and bring that higher-level
safety and security from that zero trust approach to security. Les?

LESLEY KIPLING: Mark, and the future is exciting. As I say, it may not be here right now, but it's certainly something that's on its way, and we expect it imminently. From the point of view, you mentioned passwords a couple of slides ago; that's certainly something inside Microsoft we've been trying to get rid of. We don't like passwords. Passwordless authentication using biometrics, such as Windows Hello, is the way forward. Equally, one of the key things that we're trying to get rid of eventually, and I'm not saying this is going to be an easy thing to do, but essentially is to move away from VPNs completely. So at the moment, what we have is split-tunneling VPN, or selected VPN, if you will, which essentially is to say if you're connecting through to that trusted and sanctioned application, then you can do that directly. So essentially, again going back to the concept of the controls need to be where the user is. So instead of trying to route all of that traffic back down into the VPN because of the ability to be able to look at that from a security perspective, because it's a sanctioned, verifiable app, then it should be something that goes directly through to the internet. And that is something that we do inside Microsoft. So as to say, we have that selective VPN. Next steps, of course, would be to be able to get rid of VPN completely. That may take a little bit longer. Certainly, it's something where we can say that services (an example would be if it's a Microsoft application or line-of-business application and that's published to the internet); certainly thinking about VPNs, they are a mechanism for us to be able to work hard if there's something that hasn't yet been published to the internet and maybe something we want to be facing and doing as quickly as possible. So essentially, VPNs, I hope, are going to be off the table sometime soon. It's been something that attackers have used as a mechanism into our customers'
environments for many years. So I'm certainly excited, as I said, to get rid of VPNs when possible. Thank you. Back to you, Mark.

MARK SIMOS: Yeah, Les, that really reminds me of one of my favorite adages: Why would I bother breaking in when I can just log in? Referring to the VPNs. So all this is great context, but now, of course, what do I do about it? How do I get started is the next most important question. And so that's why we built this RaMP, or "Rapid Modernization Plan," to really help folks do the most important stuff first.

And the first step on this is actually pretty nontechnical: aligning teams and strategy. One of the things that we've seen through a lot of things, including sort of the segmentation strategy, is that the technical teams in most organizations tend to not be aligned tightly. They tend to be fairly disjointed. So if you ask the networking team, "OK, how do you divide up the enterprise assets?" they'll tell you about subnets and server rooms and all that kind of stuff. You go talk to identity folks, and they'll give you how they thought about the OU model and how they thought about the groups and all that, which doesn't really line up very well to what the networking folks have done. And then you go talk to the apps teams, and it's like, "We don't really use any of those. We kind of do our own thing." So we tend to find that how we approach segmenting up the business assets and grouping them and protecting them is very, very bottom-up, very organic, and very much not aligned. So that is just a symptom of many other things where the organization isn't talking. As we sort of switch to this cloud generation and we go through this zero trust piece where we need to update everything and rethink it, teams really need to sit down and work together and figure out, OK, we need to have an enterprise segmentation strategy, where the business tells us these things are important, these things not, and we tell them here's the high-risk ones we need to isolate; work it all together, one strategy, and then everybody lines up to that. So very important to get all the teams on the same page. We found that really gets in the way of moving forward with zero trust.

The next piece is really where the technology starts. And so that's really building that modern identity-based perimeter. So a lot of folks think of it in a perimeter mindset. You can either say this is perimeter-less or it's a new perimeter. We tend to say it's much more of two perimeters, a dual-perimeter strategy, because that tends to offer more clarity, we found, than the perimeter-less terminology. But the idea here is that you're starting to build up those other controls beyond the network. So those user validations, the passwordless MFA, is the very first step we recommend. And then those device assurances. As soon as you've got sort of the users measured and assurances are good, you want to go ahead and get the devices measured and good and integrated into those decision processes. And one quick tip here that we've learned is that rolling this out to admins first tends to be good, because they're technical users, they're very targeted by attackers, so very likely to be attacked. It's a bad day if you lose control of a user account, but it's really bad if you lose control of an IT admin, because they have privileges to a lot of different assets. So for those user and device things, we do recommend rolling those out first.

And then, kind of wrapping up that identity-oriented perimeter, those sort of new sets of controls beyond the network, really kind of modernizing the apps, obviously, as you can. Everybody's got a pretty big backlog of legacy apps. As much as you can, modernize them. But also, and this is very much referencing what our IT organization does, is updating sort of the publishing of those. By publishing to the internet, you can hook into all those good user and device validations instead of sort of the legacy VPN validation, so that when you're authenticating to and accessing that application, you get all these modern controls retrofitted onto your applications as you publish them. So you actually get more security as you give more accessibility to a user. So we found that's a real big win-win. And then, of course, the data. You do need to make sure you understand where it is, what's important. Can you devalue and take some of that sensitive stuff out of your databases? Great! The ones that you can't, the ones that are still important and have to be important, make sure you're putting those extra sets of monitoring, information protection, kind of encryption, phone-home-type approaches. And then, of course, as with everything else, there's always legacy in every area, and so you will have legacy identity protocols that you've been using, typically on ActiveSync or some on-premises ones like WAN, LAN, NTLM, etc., and so you want to start retiring those as your way of sort of making sure that these solid modern gains really don't have a backdoor in them.

The next and the last piece here is the network perimeter, which does require a little bit of focus. As we mentioned, we do segmentation at Microsoft. That's something we do recommend for our customers, so that macro-segmentation. So you want to, for those most important assets that really need to be there, the ones that have life safety and operational impact on the physical world, you definitely want to have an extra set of controls around those, especially because some of them are messy and can't be patched, and so they're kind of sitting there vulnerable. You want to have network controls for that. They are very well suited for that case. And micro-segmentation is a great thing to be exploring. It's tricky because the technology isn't quite as mature as we'd like it to be, not nearly as mature as the productivity stuff in blue. And of course, there are always those legacy ones that I mentioned, such as the unpatchable assets, where you really want to apply those controls.

We've talked a lot about technology. Now let's talk a little bit about people. And so if you step back for a moment, it's a pretty big transformational change. There's a lot of incremental progress, very straightforward technology updates, but there's also a larger, bigger picture of transformation of how I do my job. If I'm an IT pro or a security pro, a practitioner doing my job, I'm having to learn lots of new things. I'm having to do unfamiliar things. I'm being asked to give security opinions and risk assessments on things I don't necessarily understand. The people are affected as much as the technologies and the processes are, and we have to make sure we keep that in mind, because security itself, what we're trying to do in security outcomes, the principles and methods, has not changed. We've gotten a little bit clearer picture on what that is and what it should be, but security itself, and that protecting against bad guys messing with it, or bad gals (there could be female attackers too, and there are), that hasn't changed, like the discipline of security. But the environment that we're protecting as security people has changed. The way that development is happening with DevOps, the continuous engagement of architecture rather than "here's my document, throw it over the wall," automation, integration, asset-specific controls like we've been talking about, like getting into the device, getting into the user and not just the network layer: there's a lot of change mixed in in how we actually achieve this mission. So the "what" really hasn't changed; the "how" has changed quite a bit, and it's changing and continuing to.

So we've learned that it's very important to work with people, to educate people, and engage and inspire them, training and learning, encourage them to do self-service, make sure that folks are getting the training, the funding, and the mentoring that they need to really learn and understand this, because if you ask a security person, "Hey, you're responsible for giving me a security opinion on this," right? Or assessing it, or whatever the case may be, and you don't know a thing about it, because all you've learned was IP addresses and networks, but I'm asking you to give me an assessment of an application or this or that that you're not familiar with at all, they're not going to feel that comfortable, and they're going to feel kind of defensive. And so it's very important that we recognize how important, how much of a human change this is as well, and that we work with those folks and say, "Hey, do you know how this works? Let me show you how this works. And these are the controls that we're looking at. Did you want to put this in the next pen test, penetration test?" And really engage and make sure that we're remembering that we're all humans with a common mission of helping the organization succeed and protecting it at the same time. We've also learned, as much as possible, to bring in diverse perspectives and fresh perspectives and have people that are coming in from different backgrounds, from applications, different walks of life, etc., and that really helps people see things through a different lens and helps kind of get a better picture on it, so that people aren't kind of stuck in their old habits of the way things are done. So we found that this people change is just as important as the
technology aspects of it. So, Les, did you want to wrap us up?

LESLEY KIPLING: Thank you, Mark. It's an interesting concept, thinking about the people side of this. So we're very prone to talking about the technology. So hopefully today, during this journey, we've given you some food for thought in thinking about how you move your security needle, maybe thinking about some of the steps to take to increase your maturity from a zero trust perspective. We do have some key takeaways. Obviously, they're on the slide there. For example, you can use some of the recommended actions that we talked about inside our Rapid Modernization Plan. As part of this also, we will be giving you access to more resource information, in terms of things like the maturity model that I mentioned and also a zero trust framework, for you to be able to start that journey and be able to think of that. So on behalf of Mark and myself, I hope that was useful. Thank you so much for listening. And goodbye for now.

MARK SIMOS: So thank you all very much for listening. We really appreciate it. And hopefully this helps you make our world a little bit safer. Thanks.