Two coworkers brainstorming in front of a computer screen

Microsoft’s transition to Zero Trust

Today’s cloud-based enterprise environments and always-on workforces require access to applications and resources that exist beyond the traditional boundaries of corporate networks, restrictive network firewalls and VPNs. Organizations are moving to modern, more holistic systems of verification to manage enterprise security and to combat threats differently.

Microsoft has adopted a modern approach to security called “Zero Trust,” which is based on the principle: never trust, always verify. This security approach protects our company and our customers by managing and granting access based on the continual verification of identities, devices and services. In this content suite, the Microsoft Core Services Engineering and Operations team shares their strategic approach, best practices, and hands-on learning from our enterprise-wide transition to Zero Trust architecture.


Roadmap to Zero Trust

Although transitioning to Zero Trust is a multifaceted journey that can span many years, the architecture powerfully addresses the security challenges that modern enterprises face. The CSEO team knew that implementing Zero Trust would result in a notable shift in the way users access the corporate environment at Microsoft, so they created a layered approach to securing both corporate and customer data.

CSEO’s multistep implementation strategy is centered on strong user identity, device health verification, and secure, least-privilege access to corporate resources and services, all backed by rich data insights that reduce the risk of unauthorized lateral movement across the corporate network.

Through these authentication and verification methods, CSEO ensures that users are only given access that is explicitly authorized. Learn more about how Microsoft structured a phased approach to our Zero Trust implementation.

Microsoft Security offers guidance about how to optimize your Zero Trust strategy with an optimization model and solutions.


Verifying identity

The majority of security breaches today involve credential theft, and lapses in cyber hygiene amplify the potential for risk to employees and to organizations at large. That’s why one of the primary components of a Zero Trust system is the ability to verify a user’s identity before access is granted to the corporate network.

The CSEO team started by implementing multifactor authentication through the modern experience of Azure Authenticator.

This allows Microsoft to grant access to the specific corporate resources explicitly approved for each individual user, in a mobile-friendly environment and across multiple devices. As we continue to move forward, our end goal is to completely eliminate passwords. Learn more about the verifying identity phase of Microsoft’s Zero Trust journey.


Verifying devices

Because unmanaged devices are an easy entry point for bad actors, ensuring that only healthy devices can access critical applications and data is vital for enterprise security. As a fundamental part of our Zero Trust implementation, the CSEO team worked to enroll all user devices in device management systems.

Enabling device health verification in this way is essential to managing the policies that govern access to Microsoft resources.

SEO uses either cloud management software like Microsoft Intune or classic on-premises management tools to ensure that every device is classified as healthy before allowing access to major productivity applications like Microsoft Exchange, SharePoint, and Teams. We also secure the millions of IoT devices in use with an integrated security controls strategy that incorporates comprehensive risk assessments and mitigation strategies at the intelligent edge. Learn more about the verifying device health phase of Microsoft’s Zero Trust journey.


Verifying access

Despite the focus on managing and maintaining device health throughout our enterprise environment, some scenarios—like vendor staffing, acquisitions, and guest projects—require users to work from unmanaged devices. With those situations in mind, the CSEO team defined a plan to minimize the means of access to corporate resources, and to require identity and device health verification for all access methods.

CSEO transitioned from a corporate network approach to internet-first access methods, with a final goal of internet-only access methods in sight. This strategy reduces users accessing the corporate network for most scenarios, and will enable CSEO’s plan to establish a set of managed virtualized services that make applications and full Windows desktop environments available to users with unmanaged devices. Learn more about the verifying access phase of Microsoft’s Zero Trust journey.


Rendered the global module