SAN FRANCISCO — One of the hardest parts of implementing zero trust at Microsoft had less to do with the technology, and more to do with employee comprehension and acceptance.
During an RSA Conference 2022 session Monday, Carmichael Patton, senior security architect at Microsoft, and Yulia Evgrafova, senior security service engineer at Microsoft, outlined lessons learned from the past three years of transitioning to a zero-trust framework. While collecting telemetry and enforcing multifactor authentication (MFA) were important steps, one of the most challenging aspects was gaining employee trust.
Patton attributed that to the inherent nature of zero trust.
“Zero trust is not a product. You can’t buy it as a product off the shelf. It’s also not a program,” he said during the conference. “It’s a strategy. It’s a cultural change.”
For Microsoft, the zero-trust strategy consisted of six pillars, including validating user identities; managing devices to ensure they’re healthy; enforcing identity checks through various services and resources; granting network access based on users’ roles and devices; implementing the principle of least privilege (POLP); and using pervasive telemetry to assess risk and detect potential threats.
But some of the pillars proved more difficult to implement and sell to Microsoft employees than others.
Even among Microsoft’s own security organization, which supports a bring-your-own-device workforce, Patton said there was a level of mistrust in what his team was trying to accomplish. For example, when Patton and Evgrafova asked security team members what zero trust means to them, they generated a word cloud with the responses.
However, some of the answers included “I don’t believe you,” and “untrusted.”
Even within their own organization, he said, there was still a level of mistrust about deploying a zero-trust framework and how it could negatively impact their user experience.
For example, POLP represented a major shift for Microsoft and its employees. “That honestly was a little bit of a struggle for us because we had generally provisioned broad access to everything,” he said.
Patton said even security team members questioned whether Microsoft wanted them to have access to company applications and services. As a result, implementing components such as MFA for account protection required user education and communication from the zero-trust steering committee.
“It’s not that we don’t think you’re valid, or your device is invalid,” Patton said. “We want to make sure you are who you say you are through MFA.”
Evgrafova emphasized that zero trust is about convenience for the user, as well as consistency, no matter the system or the device. To reinforce the benefits of zero trust, such as improving security visibility and reducing the risk of compromised users and endpoints, Evgrafova recommended awareness programs and trainings.
She said all Microsoft employees are educated on the simplest levels of zero trust.
Additionally, the pair suggested starting with simple policies for device health and to focus on the user experience because “without adoption, your program will not be a success.”
Other factors to consider
In addition to communication with employees, Patton said the most important step is collecting telemetry and evaluating risks. Other key considerations the pair highlighted were a password-less push, modernizing applications and network segmentation.
While phishing resistance remains a problem, Patton said Microsoft eliminated regular password resets completely because users were choosing such unique passwords, they felt comfortable there was no reuse.
During the earlier stages of the implementation, Patton said it was hard to determine how effective their zero-trust framework would be. Could it be simultaneously secure and productive, he asked? The pandemic proved it could. When Microsoft sent their users home for two years, Patton said “almost nothing happened” because they had already moved to the cloud.
More precisely, 97% of their traffic goes to the cloud, and they rely little on VPNs, which continue to be a target for threat actors. Another change implemented after the pandemic was more focused network segmentation.
Prior to the pandemic, all users on the Microsoft campus had access to the corporate network. However, Evgrafova said they have now changed the user experience completely by implementing network segmentation.
Now, when users are on campus, they use portals and devices only have access to what is necessary. If they choose to connect to the corporate Wi-Fi, they are now required to provide justification.
“This has never been done before,” Evgrafova said during the conference.
Overall, Patton and Evgrafova encouraged organizations moving to zero trust to collect telemetry data in order to make crucial strategy decisions, set the proper policies and accurately assess risks. They also encouraged organizations to start small with simple policy changes and pilot programs to gain adoption without hurting employee productivity and morale.