[MUSIC] Ricky Pullan: Hi, everyone, and welcome to this session of the Azure AD webinar series My name is Ricky Pullan, and I’m a Program Manager on the Azure AD Engineering team. Today, we’re going to talk a little bit about zero trust. So, let's jump right on in. So, today, we’re going to quickly get started on how we used to do IT. Then we’re going to jump into how that’s changed, how we do it today. We’re going to talk about what zero trust is, what kind of a security model it is, how to implement it, what are the components of zero trust, and then we’ll go over some resources that will be available to you to help you start on this journey. So, when we talk about how IT used to function, you can approach it as a walled garden sort of point of view that you had all these walls. You had one way into your network; you had one way out. There were a lot of benefits to this particular piece in that you had an extremely high level of control. It was perimeter based security. You were completely responsible for the network infrastructure as a whole. The admins essentially owned the entire stack. You owned the network. You owned the software. You owned the management behind all of that. And we also owned the firewalls and the VPNs as well, which made it a lot easier to monitor the traffic that was going in and out of your network. Essentially, the way we used to do IT was that the employee worked within this perimeter. Today though, that is completely different. Today, we have employees that are working from Ubers, who are working from airports. They’re working from coffee shops. They’re all over the place. So, IT administrators today have a much lower level of control than they used to. It is also often the case where the resources that these users are accessing never even traversed the corporate network. So, the data that they’re accessing exists with third party SaaS providers, for example. When we’re talking about this particular use case and how all of, 80%, of our workforces actually get their work done today, the traditional perimeter based security system just doesn’t really work here. This is why we needed a new security model and this is how the zero trust security model was born. Now, I do want to be very clear here in saying that this new model is in no way saying that we need to completely get rid of our perimeter based security. That is 100% not what we’re saying. That is still a massively important part of security today. This zero trust mindset is really a shift towards trust nothing, verify everything. The important part to keep in mind here is that this is built for cloud workloads. And as a lot of the workloads are moving towards third party SaaS vendors, it’s difficult to try and figure out how do we keep data secure? How do we keep our networks secure when a lot of the work that’s being done doesn’t happen on our networks? So, it extends the productivity of your users, but it also helps to ensure that we have maximized security here as well. The zero trust mindset is essentially built on three specific pillars. The first one is to never verify explicitly. This essentially means that don’t just assume that because something is on your network or seems like it might be good that you should just let it in. This means that there needs to be some sort of constant checking that happens. So, you should consistently be verifying traffic as resources are accessed. The next column that we’re going to cover and talk about is to use least privileged access. This is an idea that has been around forever to essentially just make sure that you are not giving more privilege than is necessary to different administrators within your organization. This also means as well that users should not just have standing administrative privileges in your environments. It should be just in time access, where possible. The last pillar is the assume breach pillar. And this is really addressing more of a mindset shift that we need to make today. And that’s essentially just saying that we move to a place where we just assume that there are malicious actors who are on our networks. While that may or may not be the case, it puts us in a place to where we’re better able to defend in these types of scenarios. Alright. This is a really busy slide. The entire point though is to just show you how massive the digital estate is today. There are signals coming from all over the place. There are a lot of different products out there that I’m sure you have plugged into this digital estate of yours that are providing signals to different systems that then can take that intelligence and do different types of actions based on that. Really, the important piece that I’m trying to call out here is just making sure that at the very basis of zero trust it is so important to make sure that the signal sharing that happens across the entire digital estate. So if we see in some sort of device management tool that there’s a device that is risky, whether that’s because it is jailbroken or we’re seeing some weird traffic on that particular device, that that intelligence is shared at perhaps the authentication level, that, hey, before this device can actually authenticate to this resource we should make sure that it’s good. We should at least maybe bump up the risk and do some sort of extra precautionary checks before that device is allowed access to this resource. So, the more connected and the more implemented that all of these systems are across your digital estate, the better your security posture will be because that intelligence and those signals are being shared across the board. Alright. So, we’ve talked a little bit about the importance of signal sharing and intelligence. So, let’s jump into what the actual individual components of zero trust are. It’s broken down into six pieces—devices, people, data, infrastructure, networking, and workloads. So, the first component that we’re going to jump into is identity. This is the basis of everything that happens today across all of the services, whether those services happen on-prem, whether those are third party SaaS vendors, everything is completely dependent upon a user’s particular identity. So, it’s really important that these identities are consolidated and uniform across the entire organization. Now, we fully recognize that there are lots of line of business applications, third party identity stores that may need to exist to be able to provide functionality for these older legacy apps. The important piece is is to just make sure that there’s a single source of truth somewhere within your organization that everything else is reliant upon. The next piece here is to make sure that we’re enabling single sign-on. Now, this may seem like more of kind of just a, oh, this is a cool feature for end users, but this is actually a pretty cool security feature as well. What this single sign-on feature allows us to do is not only does it provide an end user experience to where they hit any kind of Service Now or Workday or SharePoint, whatever it may be, and they just automatically gain access to that resource. This also gets the user out of the habit of typing a username and a password over and over and over again. The problem with doing that is if I’m a user and I’m used to seeing prompts for a username and password all the time, I’ll just type it in. I won’t think about it and it makes phishing a lot easier. So, let’s really quickly dive in here to a demo. And I’d just like to very briefly show you where you can configure some single sign-on stuff. Alright. So, we’re here in the Azure portal. You can get to this at portal.azure.com. And we will have you scroll down here a little bit in the left hand pane. And we’re going to go ahead and click this enterprise applications here. Alright. Now if you scroll through this list down here, this is going to be a list that shows you all of the applications that are currently set up for your particular organization. So, let’s say that I want to onboard Workday, for example. So, I’ll go up here and click here on new application. There’s this blue plus sign here. And I’m going to scroll down here in this right hand pane that just popped up. And you’ll see underneath this prompt that says add from gallery, there’s a little text box here that says enter a name. Now, this will search our inventory of applications that are ready made. They’re plugged into Azure and they’re ready to go. So, let’s pull up Workday. And I see here that I have the application, so I click here. And if you scroll down here on the right, you’ll see the defaults that that particular app is going to be set up with. So, we’ll see the publisher, we’ll see that the single sign-on mode that’s going to be used as SAML. We see the URL. There’s a default logo that’s used. You can certainly change that if you want. We’re going to go ahead and we’re just going to leave the defaults and we’re going to click the blue add button down here. Alright. Now, that is how this works for a gallery app. If you come across a particular application that isn’t in our gallery and you would like to have added to the gallery, in the resources, there’s a link that will take you to a specific site where you can go to request that a particular app get added to the gallery. So here on the left hand side, there’s a single sign-on option. We’ll go ahead and click into here. And across all of the applications in your organization, this is the method and the place that you’d go to configure that single sign-on work. So, you can see here that we can choose SAML. We’ll go ahead and select that. And then all of our settings here are then available for you to customize according to whatever your needs may be. So, you can change the basic SAML configuration. There’s some user and attribute claims that you can change and then the signing certificate as well. Steps 4 and 5 and any others that may come after that will be specific to whatever application you’re trying to set up. So, you’ll see definitely some changes there depending upon what kind of app you’re using. After enable single sign-on, the next piece that we’re going to talk about is making sure that we’re creating an access policy for corporate resources. This one can get a little bit complicated because it has to involve a few different folks from around your organization. It could be that you maybe need to pull in your identity access management folks. It could require some security folks to get involved, but it will definitely require that different individuals from around the business get involved. This process requires that all of these groups talk together and determine what resources need to be available for employees to be able to remain productive. Security then will have to come in and talk about what kinds of protections need to be put into place around those particular resources. And then usually the identity access management team or perhaps someone else from IT will be called upon to actually implement those changes. Something that I usually recommend is that for each of these access policies, try and bucketize your resources. Figure out a way to group similar apps that have similar policy requirements together and that will greatly reduce the number of policies that have to be implemented themselves. The last thing here is to make sure that you’re monitoring individual user behavior. This can be done through an intelligence means, so using machine learning. And we’ll actually talk about that later. But this also means that you’re just periodically as an administrator going in and making sure that user behavior looks normal. Codify what normal looks like for your particular organization and then pay attention to if anything falls outside of that. Alright. The next component that we’re going to talk about is devices. Devices are extremely important because after identity, devices are something that you as an administrator have quite a bit of control over or can have quite a bit of control over. The very first thing to make sure that we’re taking care of with devices is making sure that we are consistently checking that a device is known, that it’s healthy, and that it’s compliant. So, this is part of that consistently verifying pillar that we talked about earlier. Make sure that this device is one that you know about. Make sure that it looks good before they’re able to gain access to a particular resource. Let’s really quickly jump into the Intune portal and I’m just going to give you a brief overview of what to look for there. Okay. So, here we are back in the Azure portal. And if you go up to this top search bar, let’s time in Intune. Alright. And we’ll click that. And this is where all of your device management happens. So, the Intune portal is used to be able to set device compliance requirements and other types of settings for all of the devices in your organization. So, you can use Intune and in some cases you can use SCCM as well to be able to manage on-prem resources like servers or hybrid join devices, but you can also use this to take care of your Macs, your mobile devices, as well as your Azure AD joined devices. Let’s jump into some compliance settings that are available to you, just to give you a taste of what’s available. So here on the left, let’s click device compliance. And you can see here that with this compliance report, it’ll show you all of your devices. It’ll show you what their compliance state is. You can look at what devices are evaluated or perhaps not compliant. But how do we actually define what that compliance means? That’s actually done through policies. So, let’s go in and actually create a compliance policy. So here on the left, we have policies selected. We have a blue plus sign here up at the top, and we’ll click create policy. And let’s give it a name. And let’s say that this particular policy is going to be for our Android devices, so let’s name this Android compliance. And this is our corporate Android compliance policy. And then we’ll go ahead and select our platform. And we are going to target this at Android Enterprise. And then we are going to aim this at the device owner. So, you’ll see here that you have three different blade options that are available to you. So if we go ahead and we click settings, we’ll see that we have a bunch of device health settings that are available. So, we can check to see if Google Play Protect is enabled. Do we want to enable the safety net or any kind of device attestation? Under device properties, we have different OS version requirements that we can put in place. We have Max OS versions that we can put in place, but oftentimes the most important one that we’ll see enterprises set is the security patch level to where you’ll basically say, hey, for this device to be compliant, they have to be on the lowest end this specific patch version. Once you’ve set those there, we’ll click OK. And then we can also set any system security requirements here. So, there are options available here to what type of password is required. What kind of inactivity timeout is required. And you can then push those policies to the corporate devices that you’re trying to manage. If we go over here to actions for non-compliance, this particular blade is to be able to define, okay, if a device does not fit the criteria that you just defined previously, what actions need to be taken? Should it be quarantined? Does it need to just be marked as non-compliant? And then lastly under the scoping tags, these tags can then be added to these different policies to help roll up into larger policies that may be applied to any particular device. So, we’ve talked a little bit about and the importance of ensuring device health and how we can use Intune to do that. Another piece that’s really important is to make sure that all of the devices in the enterprise have some sort of endpoint threat detection or anti-malware software deployed on those as well. This is a pretty straightforward requirement, but it is equally as important. Lastly is ensuring that we are checking device health and determining risk before we’re allowing access to resources. So, the really important piece here, again, goes back to that verify pillar that we talked about in earlier slides and just making sure that every single time a resource is accessed by a user or by a device, that risk is checked and we’re making sure that this is good, making sure that this user is who they say they are and that this a device that we trust. The next component that we’re going to talk about is applications and workloads. Zero trust is trying to move away from the need for VPNs. So, we’re trying to replace VPNs with proxies and with different VDI solutions to ensure that you’re not having to route traffic back on-prem. Another piece that’s really important here is that oftentimes those VPNs are put into place so that users can gain access to legacy applications. These could be applications that maybe don’t support modern authentication or applications where they need to reside on-prem and a SaaS provider isn’t necessarily trusted with that information. In that case, being able to proxy those solutions out or VDI those solutions out mean that traffic is never having to be brought into your internal network unless absolutely necessary. Again here, it’s really important to make sure that we’ve configured single sign-on for cloud applications for the same reasons that we talked about earlier, making sure that you’re providing the best sign-on experience for your users but also getting them out of the habit of typing that username and password in without questioning. The last thing is making sure that in session monitoring and governance is happening. This means that you are actively looking at traffic on your network, you’re seeing what kinds of applications are being used and taking action on that. If they’re applications that you trust, great, let the traffic through. But if it’s something that looks odd or maybe a session that looks risky, making sure that that session is killed. Lastly is looking at shadow IT. This is something that exists in every organization on planet earth. It seems that users always figure out some sort of way to get around a policy that they don’t like or some sort of website or application that they don’t like using and substituting it with one of their own. Discovering shadow IT is another massive piece of securing your environment because what this allows you to do is this allows you to discover what is being used on your network and either blocking it or bringing it under the umbrella of IT so that it can at least be managed. Whether you’re blocking it or managing those solutions, it greatly increases your security posture because it allows you to know what your users are doing on your network, what kinds of applications they’re using, and what kinds of protections you need to put around those workloads. Microsoft Cloud App Security and Microsoft Cloud App Discovery are awesome tools that can be used to do both this in session monitoring piece and this discovery piece. And more information about those tools are available in the resources at the end of this deck. Alright. The next piece that we’re going to dive into is data. Now, all of the protections that we’ve talked about up to this point and that we’ll talk to in a few slides as well is really identity and network and device driven to ensure that data doesn’t ever egress or doesn’t ever make it outside of places it shouldn’t be. The important piece that we’re talking about here though is making sure that should that happen, if data does end up on a flash drive or on a SharePoint site or somewhere that it should be, that necessary protections are included along with that particular set of data to make sure that it’s still secure regardless of where it ends up. This is the importance of data driven protection. So, this means that essentially that the data is protected and that those protections travel with that data. This requires that some sort of classification or labeling system is deployed. And the best way to do this on a broad scale is to make sure that machine learning is integrated somehow. What this means essentially is that if a particular piece of data exists on the network that machine learning can look at it and realize, hey, this looks like this is a social security number or this looks like this is a credit card. We should apply this particular set of classification or labels to this and protect it so that it’s only available to this specific subset of users. It’s also important that your users are also able to do this on your own, but for this to scale, it needs to be an automatic thing so that users don’t have to think about it, it just automatically is classified, labeled, and protections are put into place. Once again, verifying that this access is secure, it’s also really important to make sure that we are dynamically determining access to this data. So, every time that data is accessed, every time a file is opened, any time that a file is opened, anytime that a file is shared, we’re making sure that whoever is accessing these files, that they should in fact be able to do so. So, the next component that we’re going to talk about is infrastructure. And this is talking about the importance of perimeter security. It is still important and zero trust is not replacing that. Infrastructure is a massive piece and is what allows users to be productive and to actually carry out their work. So, making sure that your infrastructure is up to date is a hugely important piece of the zero trust model. It’s also really important to assess the configuration of each piece of your infrastructure. So, if we take a switch, for example, is the firmware up to date? Has it been left in the default configuration? Is the username and password as it is when it came from the shop? It’s really important to make sure that all of these changes are made and that each of these devices are secured. It’s also equally important to make sure that just in time access is set up for these devices. Make sure that only a particular subset of admins have access to these devices and maybe even lock it down to a specific point of time that they should be able to access these devices that maybe map to a particular change window that maybe happening. The last thing to pay attention to for your infrastructure all up is to make sure that you have telemetry and that you’re monitoring any kind of anomalies that may be happening across your infrastructure in real-time to make sure that you're able to detect attacks and that if you see something that looks a little bit funky, that you can take action and do something about it. So, the next component that we’re going to jump into is networking and this is also just as important to the zero trust model. As part of the assume breach mentality, it’s really important then that you do not just inherently trust your internal network, just because it’s a network that is owned by your organization and is managed by your organization does not mean that it’s necessarily safe. It definitely has a higher likelihood of being more safe than the open internet but as part of assume breach, it’s important to make sure that you’re trading the components on your internal network as if they were on the open internet. So, this means that you are encrypting all of your sessions, making sure that you are following network best practices and workload best practices and making sure that you’re isolating each of those based on different tiers of data, for example. Just make sure that you’re following your corporate best practices around isolation. The last piece is also making sure that you are limiting access to different networks and different workloads through policy. So, these policies can be business defined and your security organization may also help define these policies. Whatever these policies may be, just make sure that they are uniform and carried out across the entire enterprise. So, we’ve talked about all of these individual components. We’ve talked about what you need to do, but it can be a little overwhelming. And when I go around and I talk to different customers about how to actually build towards that, they usually respond with something like, hey, this is great stuff, but where on earth do we get started? So, how do you actually build towards this zero trust model? The biggest and most important piece of this entire journey is at the very beginning, making sure that you’re doing your prioritization based on risk. So, this slide here is just to give you an overview of how do you define risk in your particular organization? Now, most organizations today have their own way of calculating risk exposure, but let’s just dive into high level how you could do that for your organization today if maybe you need to review or maybe you’re at the very beginnings of this journey. So, the very first thing that you need to do is make sure that you’re paying attention to the different assets that exist within your organization. What runs your business? What is crucial to the profitability of your particular organization? And then what threats could impact those particular assets? And that impact is then the first piece of this overall risk exposure equation. The next piece is to look at what particular vulnerabilities exist within that asset? What mitigations then are in place to kind of hold back those vulnerabilities or protect against those vulnerabilities? And from those two particular pieces is how we can then define the probability that something could happen to that particular resource. So, risk exposure then is a calculation of taking your impact and multiplying it against your probability and the higher that number, the higher the risk exposure. And that means that the higher priority it should be. Okay. So, this particular slide here is just a very rough grid to help you get started. This is by no means enterprise ready but can certainly be used to help you figure out your own risk assessment. If you look at the left side of this diagram, you’ll see that I have impact listed and then I have numbers 1 through 5. So, this is basically to help you take a particular resource and look at it and ask yourself, okay, if this resource goes down, is it a negligible impact on my business? Or will it have a catastrophic impact on my business? So, for example, something in the negligible rating could be a SharePoint site that informs users of a particular party that’s happening throughout the given week. It probably doesn’t have a massive business impact. Your employees might beg to differ, but as far as your bottom line is concerned and for profitability of your company, probably not a huge deal. If, however, though you have a CRM tool that is crucial to your business, that may potentially have a catastrophic impact on your business and so would probably have a higher impact rating around 4 or 5. If you look at the bottom of the grid, you’ll see that this is where we’re talking about probability. And, again, we have a measurement on a scale of 1 to 5. I have it labeled improbable all the way up to frequent, so this can look at something like what is the probability that this can go down? Or how frequently does this go down? So, if a particular resource rarely goes down or it’s improbable that it goes down, you’re going to be much more in the 1 or 2 range. However, if the app has frequent outages or has quite a few vulnerabilities that you’re worried about, the probability of that happening may be up in the 4 or 5 range. So if we go back to the two examples that we talked about earlier, if we’re talking about that SharePoint site, let’s say that we have it at an impact negligible rating, so that’s a 1. Even if it frequently goes down, we’re still at a 5, which is relatively low. If, however, we go to that CRM application that we talked about earlier and we have the impact rating at a 5 and it either frequently goes down or maybe has quite a few vulnerabilities, that bumps it up into that 4 or 5 probability area, we’ll see that that bumps our overall risk up to a 20 or 25, which means that that should probably have a much higher priority at being looked at and having some policies built around than that SharePoint site should. Again, this is completely up to your business. Most businesses have their own way of determining risk. The important piece here is just making sure that the higher risk items are tackled first. So, let’s talk about what you can go do right now. The easiest thing and probably the biggest win that will make you an IT hero is to go and determine strong credentials. You’ll notice that lately Microsoft has been talking a lot about going passwordless and this is what we made reference to a little bit earlier, as we really want users to get out of the habit of just getting to a site, typing in their username and password, and then hitting go. That makes phishing a lot easier. So, if you’re able to go in and turn MFA on, you will greatly increase your security posture because right then and there, you are making sure that you are increasing the authentication and authorization piece for your users. Something else that you can go take a look at is the FIDO2 stuff that we’ve just come out with. And this is a new way that we’ve thought about hardware tokens. This is a new standard that we’ve helped develop with a lot of other organizations out there that essentially allows your users to log into devices and to Azure AD resources, for example, without every typing a username or password. They answered the security token and they’re just in. There are a lot of other strong credentials that are available out there for you to go look at, but the most important piece is to just make sure that you have actually gone and deployed something other than just username and password. Another quick, easy win is going in and actually deploying Azure AD Privileged Identity Management. You’ll also hear this referred to as PIM, I’m sure by a lot of Microsoft folks and probably folks in various portions of your organization as well. This helps to ensure that your admins are gaining just in time access to resources or able to elevate their privilege to carry out different administrative processes only when they need to. So, this is a key piece in making sure that your administrators only have administrative privileges within your tenant and within your organization only when they need those privileges and that those privileges are then removed when they don’t need to carry out any kind of administrative actions. This is a huge effort that we are trying to push with our customers to ensure that standing admin access is greatly diminished and taken away from admins when they don’t need that privilege to exist. This ensures that if an admin account becomes compromised that even if it’s compromised, they don’t necessarily have the ability to go in and make Exchange changes, for example. The third point that I’d like to talk about that is also a quicker win is to go and turn off legacy authentication externally. So because we’re Microsoft, we have an incredible ability to be able to see what kinds of attacks are out there across all of the different tenants that exist. And 90% of the attacks that we see happen against these legacy authentication endpoints. So, when we talk about legacy endpoints, this is something like your iMap and your SMTP endpoints. There is actually software that’s available out there that malicious actors can go and purchase off the shelf that will just hammer away at these different endpoints until they are able to successfully get a login. And once they’re able to successfully login, they then know that, hey, this username and this password works. Once they’ve got those, then it’s free game. They’re able to start trying to gain access and elevate privilege. And the first two controls that we talked about help combat those. If you turn off legacy authentication externally, it prevents the ability for them to be able to hammer away at those endpoints in the first place. So, we realize that there are legacy authentication flows that probably still exist internally, especially for those line of business legacy applications that exist. And we realize that turning it off internally can be a much larger effort, but usually taking care of it externally isn’t as big of an effort and has a massive return on investment. Another piece that’s important is to just make sure that you’re automating your threat response. So, look at what kinds of responses you have in place today. If a security event takes place, how do you find out about it is the first piece. And then the second piece is, what actions do you take and can those be automated in any way? Just going through a discovery phase for that is a massive win and being able to determine ways to automate some type of threat response is also a massive win. Another piece that’s important here is to make sure that you’re increasing your awareness around this entire process. So, making sure that you’ve automated those threat responses are an important piece, but it’s also important to make sure that you, a human being, are going in and actually looking at your different audit logs, look at the reporting that exists. Codify normal in your own mind for what looks normal for your organization so that if you come in one day and you look at an audit report or perhaps a security report that you’ll know if something looks out of place and you can kind of kick off your own investigation if needs be. Something that I always encourage my customers to do is to actually go in and maybe carve some time out on your calendar on a Thursday or a Friday or a day that is usually less busy, and I know that in the life of an IT admin that can kind of be laughable, but just get in the habit of weekly going and just kind of perusing these logs and looking at what looks normal so that if something does look odd, you can further investigate. The last one that I’m going to recommend is making sure that you’ve turned on SSPR, which stands for self-service password reset and SSGM, which is self-service group management. Again, this is taking the workload off of your help desk. This could also be taking workload off of your IT administrators as well and allowing users to actually go and reset their passwords and be able to also manage their group membership in a self-service fashion. All of these and more steps can be found at aka.ms/securitysteps and I would greatly recommend that you go check those out. Another resource that I’d like to call out is that we at Microsoft have also been on our own zero trust journey. And we have also been very, very aware that is in fact a journey and that it takes time. The IT Showcase that we’ve rolled out for all of you shows you how we have started on this journey and how we’ve broken it down. How are we tackling this problem? What does this journey look like for us? And all that information can be found at the link here below, aka.ms/zerotrustatms. As promised, here is a list of resources that we have made available to you. So, on top of that IT Showcase site, there’s also a whole bunch of these resources that are available to help you on this journey as well. One that I would really specifically like to call out is this very top one, the Microsoft Zero Trust Maturity Model. At this particular link, we have some documentation here to help you go through kind of a self-service evaluation to look at how your organization is doing, what kinds of steps can be taken and really to help you determine what next steps are. The second link that’s listed here is our zero trust web page that talks about zero trust all up. and then the third link that’s here is the Microsoft Security blog post. And I would also greatly encourage you to go and look at this one as well because this is where we post all of our latest and greatest news, new features that are coming, and the greatest recommendations for you as well. And that does it for this session on zero trust. I hope that you found it useful and I really would encourage you to go and take a look at those resources. I’m sure you’ll find them really, really helpful. Again, thank you so much. [MUSIC]
