How to secure your hybrid work world
with a Zero Trust approach
By Vasu Jakkal, Microsoft VP, Security, Compliance and Identity
May 13, 2021
We are operating in the most complex cybersecurity landscape we’ve ever seen. Sophisticated and determined attackers are the norm. And we all are preparing for the next great disruption—hybrid work.
Security has never been more important, and as I shared in another Security blog today, it’s clearer than ever that a Zero Trust approach, which basically means you have to assume breach, will be critical to success. We’ve been listening and working closely with our customers around the world and rapidly innovating to help you to secure and protect your organizations. Today, I’d like to share some of our latest updates across security, compliance, identity, and management in response to that feedback to help you in your Zero Trust journey.
Strengthening your Zero Trust approach across your environment
The hybrid work environment, with some users working remotely and others in group office settings, introduces more digital attack surfaces, complexity, and risk as perimeters are now increasingly fluid. As such, a Zero Trust strategy will be top of mind for many organizations because its principles—verify explicitly, grant least privileged access, and assume breach—help maintain security amid the IT complexity that comes with hybrid work.
One of the most important first steps in a Zero Trust journey is to establish strong authentication. As Bret Arsenault, Microsoft’s CISO would say, “Hackers don’t break in. They log in.” Regardless of length or complexity, passwords alone won’t protect your account in the majority of attacks. Monitoring logins for suspicious activity and limiting or blocking access until additional proof of identity is presented drastically reduces the chances of a breach. Modern multifactor authentication (MFA) doesn’t have to be complicated for the user. We recently announced passwordless authentication and Temporary Access Pass in Azure Active Directory (Azure AD), our cloud identity solution, to help customers strengthen their access controls and simplify the user experience.
Verifying explicitly requires the ability to make real-time access decisions based on all available information for any user trying to access any resource. For us, Azure AD Conditional Access is this real-time access policy engine, which looks at all the data and signals related to the user gaining access, and today we’re announcing powerful new features that give admins more granular access controls while making it easier to control a growing list of policies. The GPS-based named locations and filters for devices enable a new set of scenarios, such as restricting access from specific countries or regions based on GPS location and securing the use of devices from Surface Hubs to privileged access workstations.
Additionally, to empower security for all, you need to be able to verify explicitly for all. We are expanding granular adaptive access controls to all users with the general availability of Azure AD Conditional Access and Identity Protection for business-to-consumer (B2C) apps and users. And we’ve made it easier to manage all your new policies with new search, sort, and filter capabilities, as well as enhanced audit logs to track recent policy changes. You can learn more on the Azure Active Directory Identity blog.
We also believe that for comprehensive protection through Zero Trust, we need to have end-to-end integration across device management and identity. New today, we are announcing the preview of filters for devices in Microsoft Endpoint Manager. These unique integrated capabilities between Microsoft Endpoint Manager (which brings together Configuration Manager and Intune) and Azure AD Conditional Access create even more granular controls. With device filters, administrators can target policies and applications to users on specific devices. For example, you can assign a filter so that a policy restriction is only applied to Surface Pro devices. You can learn more in today’s Tech Community blog.
Healthy devices and unified device management across platforms continue to be anchors of Zero trust, and to help protect data from potential leakage on mobile devices; we are introducing new conditional launch settings with App Protection Policies in Microsoft Endpoint Manager. These controls can block access or wipe data based on conditions such as maximum OS version, jailbroken or rooted devices, or require Android devices to pass SafetyNet attestation.
In addition, we are making it easier for you to manage your devices, regardless of the operating system. First, you can configure Android Enterprise-enrolled devices with Azure AD shared device mode in Microsoft Endpoint Manager. This new capability is now generally available and provides a simplified and more secure experience on devices shared across multiple users. With single sign-in, single sign-out, and data clearing across applications, shared device mode increases privacy between users and reduces the number of steps a frontline worker needs to take to access their work apps.
Then to make it easier to manage and secure your Apple devices, we recently released a Microsoft Endpoint Manager preview of the Setup Assistant for iOS, iPadOS, and macOS automated device enrollment. Based on customer feedback, you can now allow users to start using their iPadOS device immediately after enrollment without waiting for the Company Portal to install on a locked-down device. You can also configure a Conditional Access policy to require multifactor authentication either during enrollment in the Setup Assistant or upon authentication in the Company Portal. Learn more about the administrator and user experiences for shared devices and Setup Assistance in this Tech Community blog.
Finally, we continue to invest in BitLocker, which helps you to protect data at rest. BitLocker now has several enhancements, such as comprehensive modern management with Microsoft Endpoint Manager, role-based access controls for BitLocker recovery passwords, recovery password search, and recovery password auditing. Check out our BitLocker series that explains how to manage BitLocker in Microsoft Endpoint Manager, such as enabling silent encryption.
Grant least privileged access
As we have entered into new hybrid work environments, businesses need to think about how they will proactively protect their organizations from the influx of new or “bring your own” (BYO) connected devices—or even new apps that have helped people to work in new ways. This new normal has exposed the most challenging cybersecurity landscape we’ve ever encountered, and the least privileged access ensures that only what must be shared is.
To help, we recently added the ability to discover and secure unmanaged endpoints and network devices to Microsoft Defender for Endpoint. Once network devices are discovered, security administrators will receive the latest security recommendations and vulnerabilities on them. Discovered endpoints (such as workstations, servers, and mobile devices) can be onboarded to Microsoft Defender for Endpoints, allowing all its deep protection capabilities. You can learn more in the Microsoft Security blog, Secure unmanaged devices with Microsoft Defender for Endpoint now.
The early detection of vulnerabilities and misconfiguration is critical to an organization’s overall security posture, and to prevent those weaknesses from being exploited. With our commitment to support multi-platform, the threat and vulnerability management capabilities in Microsoft Defender for Endpoint now also support Linux OS, giving organizations the ability to view discovered vulnerabilities, assess the latest security recommendations, and issue remediation tasks for Linux devices. With the addition of Linux, threat and vulnerability management now covers all major platforms, including Windows and macOS.
Comprehensive security that is multi-platform and multi-cloud with simplification front and center is going to be important for the “assume breach” approach. With that in mind, today we are announcing the general availability of the converged portal for Microsoft 365 Defender, which unifies and simplifies XDR capabilities for endpoints, email, and collaboration. For Azure Sentinel, we are announcing solutions, which is a simplified means to deploy connectors, detections, playbooks, and workloads for both first and third-party integrations, all together as one package. To simplify team communications in the Security Operations Center, we now have built-in integration of Microsoft Teams into Azure Sentinel, so now you can create a Teams call directly from an incident.
With threats continuing to get more sophisticated, it is important to have the latest AI and machine learning capabilities at hand to separate important incidents from noise. Customers using Azure Sentinel consistently tell us how useful it is when incidents we raise are closed directly in the product. This quarter, more than 92 percent of incidents produced by Azure Sentinel’s AI were reported as useful by security professionals, which is dramatically higher than industry standards and enables you to focus on what’s important. Today we are adding new anomaly detections, including User and Entity Behavioral Analytics (UEBA) to Azure Sentinel that are powered by configurable machine learning. These anomalies can be used to provide additional context while hunting or fused with incidents. What’s powerful is that you can configure the variables for the machine learning driven anomalies with just a few clicks to customize for your specific environment.
Today’s hybrid work environment spans multiple platforms, multiple clouds, and on-premises. We recently extended the multi-cloud support in Azure Defender to include not just servers and SQL but also Kubernetes, all using Azure Arc. Azure Security Center remains the only security portal from a cloud vendor with multi-cloud support, including Azure, Amazon Web Services, and Google Cloud Platform. Today we are announcing that we are extending protection to the application level with the preview of the SAP threat monitoring solution for Azure Sentinel. This supports SAP running in any cloud or on-premises and includes continuous monitoring of SAP with built-in detections and can be customized to your specific SAP environment. You can learn more about this and the rest of Azure Sentinel’s announcements in the Tech Community blog post.
Enabling a secure way to access cloud apps while protecting your resources in this hybrid work environment is critical. New enhancements to Microsoft Cloud App Security will help protect against recent cloud-based attack types by detecting suspicious app activity and data exfiltration attempts from cloud services. Over the next few weeks, the general availability of the integration between Microsoft Information Protection and Cloud App Security will also be available. This integrated information protection policy management from the Cloud App Security portal enables greater visibility, control, and protection for your sensitive data in the cloud.
With over 90 percent of threats surfacing through email, it’s critical that organizations can configure security tools in a way that works for their environment. Over time, settings can age, new attack scenarios develop, and new security controls are available, necessitating regular review, upkeep, modifications, and even removal of old configurations. We’ve been on a journey to make it easier for customers to understand configuration gaps in their environment with recently launched features like preset security policies, Configuration Analyzer, and override alerts in Microsoft Defender for Office 365. Essentially, when Microsoft is confident that an email contains malicious content, we will not deliver the message to users, regardless of tenant configuration. We also recently announced our Secure by Default capabilities that eliminate the risks posed by legacy configurations. You can learn more in today’s Tech Community blog post.
But “assuming breach” isn’t just about external threats—you also have to be thoughtful about protecting your organization from the inside out. We released new capabilities today in our Insider Risk Management solution to help you to address insider risk in a holistic, collaborative way. Today’s Tech Community blog has more details.
For investigations, eDiscovery is critical. Today we’re announcing that eDiscovery support for Microsoft Graph connectors will be available in Summer 2021 as a developer preview. With Microsoft Graph connectors, investigators can query across more than 130 systems—directly from Microsoft 365 and our partners. Use the same eDiscovery tools in Microsoft 365 to search for content in third-party systems connected to Microsoft Search as used to search for content in Microsoft 365 apps and services. You can learn more in today’s Tech Community blog post.
Your Zero Trust journey
In a risk landscape as complex as today’s, your adoption of a Zero Trust approach won’t happen overnight. It’s important to value progress over perfection and to enlist help when you need it. Microsoft and its partners are committed to helping you on this journey. To chart out your path, or assess your progress, enable a remote workforce by embracing Zero Trust security.
Thank you for being part of our community and doing your part to build a safer world.