Protecting Microsoft’s applications and services using a Zero Trust security model

Jul 15, 2020

The most basic way to secure your home is to lock your front door and windows.

But do you remember to lock all your doors and windows?

If you don’t lock the door that connects your garage to your house, you’re still vulnerable to intrusion. You can draw the same parallel between physical security at home and ensuring that applications and services are secure online.

Carmichael Patton is a senior program manager in Microsoft’s internal digital security team.

“To be safe, you need to lock all your doors, even the ones that aren’t immediately obvious,” says Carmichael Patton, a senior program manager in Microsoft’s internal digital security team.

Microsoft’s digital security team proactively protects Microsoft from cyberattacks, including entry points that could easily be overlooked. Bad actors use a wide variety of tactics when trying to attack the company’s data, including phishing and deploying malicious code on applications and services.

With most of Microsoft’s employees now working remotely during the COVID-19 crisis, the company is investing even more in developing and rolling out solutions that support an ecosystem of internal applications. This aligns with Microsoft’s Zero Trust strategy.

“With so many employees accessing applications and services on the internet, it’s necessary to evaluate and verify application health when employees access them,” says Darshana Pandya, a senior program manager in Microsoft’s internal digital security team, who’s leading the effort. “Service health is foundational in our organization, and we always ensure that Zero Trust controls are in place so our applications and services are accessed by the right people.”


Proactively verifying security for applications and services

Before an application is deployed internally at Microsoft, it must follow the standard security development lifecycle to meet security and compliance requirements. This process includes automated evaluation of the code and infrastructure to identify malware, vulnerabilities, and open-source components. However, these security controls require ongoing work: the application’s health must be kept current over time so that new vulnerabilities are not introduced after the initial review. Microsoft’s digital security team uses a variety of tools to identify threats, prevent phishing, and assess the health of its cloud apps.

Despite these existing controls and checks, the internal security team identified an opportunity to develop an application verification system that aligns with Microsoft’s Zero Trust security model. Pandya and Patton are actively exploring the concept of a system that calculates a health score for every application that employees access. The score would be calculated from the security state of the application’s code, configuration, and infrastructure, and from its compliance with Microsoft’s internal security requirements.

The team is always exploring how the company can further enhance its efforts to ensure the health of line-of-business applications as part of Microsoft’s Zero Trust security model. Currently, Microsoft’s internal systems and applications require that strong identity and device health are verified as part of user authentication; this method is referred to as conditional access. The security team is exploring extending this same conditional access system beyond device and identity verification to application health verification. The idea is that the conditional access system, based on Microsoft Azure Active Directory, could query the application’s health score as another validation method during authentication requests. The score would be calculated from the security state of the application’s code, configuration, and infrastructure, and from its compliance with Microsoft’s internal compliance requirements. For example, an unregistered shadow IT application running on a client device could be blocked.
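As an added illustration (not Microsoft’s code, and not a description of how the system under exploration is actually built), here is a hypothetical model of the flow described above: a health score computed from the four dimensions named in the article, checked after identity and device verification, with unregistered shadow IT applications failing closed. The weights, the minimum score, and the sample applications are constructed assumptions.

```python
from dataclasses import dataclass, field

# Hypothetical weights for the four dimensions the article names; an assumption, not Microsoft's.
WEIGHTS = {"code": 0.35, "configuration": 0.25, "infrastructure": 0.25, "compliance": 0.15}


@dataclass
class AppAssessment:
    app_id: str
    registered: bool                              # present in the app inventory, i.e. not shadow IT
    findings: dict = field(default_factory=dict)  # dimension -> severities (1..10) of open findings


def health_score(app: AppAssessment) -> float:
    """0..100: each dimension starts at 100 and loses 10 points per severity point of open findings."""
    total = 0.0
    for dim, weight in WEIGHTS.items():
        penalty = sum(10 * sev for sev in app.findings.get(dim, []))
        total += weight * max(0.0, 100.0 - penalty)
    return round(total, 1)


def conditional_access(identity_strong: bool, device_healthy: bool,
                       app: AppAssessment, min_score: float = 70.0) -> tuple:
    """Return (decision, reason). Identity and device checks run first, as in today's
    conditional access; application health is the added third signal. Unregistered apps fail closed."""
    if not identity_strong:
        return ("deny", "identity not strongly verified")
    if not device_healthy:
        return ("deny", "device health not verified")
    if not app.registered:
        return ("deny", f"{app.app_id}: unregistered application (shadow IT)")
    score = health_score(app)
    if score < min_score:
        return ("deny", f"{app.app_id}: health score {score} below minimum {min_score}")
    return ("allow", f"{app.app_id}: health score {score}")


# Constructed sample assessments; these are not real Microsoft applications.
HR_APP = AppAssessment("hr-portal", registered=True, findings={"code": [2]})
FINANCE_APP = AppAssessment("finance-ledger", registered=True,
                            findings={"code": [5, 4], "compliance": [8]})
SHADOW_APP = AppAssessment("team-macro-tool", registered=False)

if __name__ == "__main__":
    for sample in (HR_APP, FINANCE_APP, SHADOW_APP):
        print(conditional_access(True, True, sample))
```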

“Verifying service health protects our employees from unintentionally accessing malicious applications or content,” Pandya says. “This can be done on any set of applications, but we plan to start with a proof of concept for our line-of-business applications like HR or finance applications.”

Pandya believes that this system and the health score will support the security and productivity of Microsoft employees.

“We want employees to create applications and automate tasks that help people be more productive and efficient, but we need to make sure they’re compliant and meet security requirements,” Pandya says. This approach would result in applications being verified to meet a minimum set of security criteria prior to access being permitted, which provides an additional level of protection for employees.

Building an application and service health verification system is an iterative process, but Pandya and Patton believe the additional evaluations are a step in the right direction.

“Nearly everything we build as part of our Zero Trust efforts internally transitions into our products,” Patton says. “We meet regularly with product teams to discuss and refine Microsoft’s internal security requirements, which also helps our enterprise customers.”

Learn how Microsoft implemented a Zero Trust security model.

Read about how Microsoft transitioned to a modern access architecture with Zero Trust.

Find out how Microsoft uses a Zero Trust security model to ensure that employees can securely work remotely.