For most people, hybrid working means having employees split time between their home offices and their work offices.
That rings true at Microsoft, where most employees are predominantly working remotely in response to COVID-19. The company is currently exploring what the near future will look like, and it’s clear that when employees go back to their offices, they will likely be brought back in a thoughtful and deliberate hybrid approach.
What does this mean?
The digital security team in Microsoft’s Core Services Engineering and Operations (CSEO) has thought through how a hybrid connectivity model would work for employees. They used Zero Trust principles to set up systems that ensure Microsoft employees have access to applications and resources from any location. Employees can be productive from anywhere, whether they’re at home or at the office.
“Microsoft’s successful shift to working from home in response to COVID-19 further shows that our decision to adopt a Zero Trust security model was the right decision,” says Mark Skorupa, a principal program manager on Microsoft’s digital security team.
“If we hadn’t started our Zero Trust journey three years ago and kept investing in it, the work-from-home model would have been more challenging to implement,” Skorupa says. “Prior to Zero Trust, we would be completely reliant on VPN to provide the connectivity to corporate resources. Today, the majority of our resources are accessible over any internet connection.”
Microsoft is embracing Zero Trust by adopting an internet-first model. This approach allows employees to access corporate applications primarily using direct internet connections rather than requiring that an employee initiate a virtual private network (VPN) connection to the company’s private corporate network.
Internet-first is possible because access is gated on controls that take the place of the network perimeter: verifying the employee’s identity, enforcing strong authentication, and checking device health through Microsoft Intune, Microsoft’s mobile device management service. A request from the corporate network gets no special treatment; it passes the same checks as one from a home connection.
Transitioning to an internet-first model in stages
At Microsoft, the ongoing transition to an internet-first model requires a phased approach to modernize applications and ensure that they are accessible through an internet gateway, whether that is a direct internet connection for applications that support modern authentication or Microsoft Azure Active Directory Application Proxy for on-premises applications that do not yet.
“There are different ways to carve the onion and figure out what you need to accomplish,” says Carmichael Patton, a senior program manager on Microsoft’s digital security team. “You can start by modernizing your authentication workflow to support access to legacy and traditional on-premises systems.”
The digital security team started by ensuring Microsoft 365 applications had the right identity and device health checks in place so employees could securely access these applications using the internet. David Lef, a principal service engineer in CSEO, says the next phase of the ongoing transition to an internet-first model is applying modern authentication technology in stages to the rest of the company’s line-of-business applications and engineering applications, such as those used for customer support and employee services.
“We can’t just flip a switch because that would prevent employees from accessing apps that haven’t been modernized yet,” Lef says. “We started by moving low-hanging fruit like document storage and collaboration tools to the internet, and other applications will follow suit.”
Microsoft’s digital security team says moving to an internet-first model isn’t a one-size-fits-all approach. To support an internet-first model, Lef recommends using Microsoft Azure cloud services like Microsoft Azure Firewall for network filtering and Microsoft Azure Sentinel for security monitoring, because they can scale up and down based on the workload and offer broad geographic coverage.
“The last thing you want to do is invest in fixed capacity, because you make that investment whether you use it or not,” Lef says. “We prefer consumption-based services because they offer more flexibility.”
For other enterprises that are moving to an internet-first model, Lef recommends the following three-step approach, which was used at Microsoft:
- Take inventory of all the applications in your ecosystem
- Classify your applications, how they’re used, and how to authorize access
- Determine a potential architecture for the access model
“Ask yourself, ‘What do I have out there?’” Lef says. “It can take a long time, but it’s important to set a reliable set of data for application identification and classification.”
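To make the three steps concrete, and to show how the identity, strong-authentication and device-health checks described earlier gate access regardless of network location, here is an added example. It is not Microsoft’s code and does not reflect the company’s actual inventory or policies: the inventory rows, the field names (hosting, auth, http), the access-path names and the decision rules are all constructed for illustration. It takes a small application inventory (step 1), classifies each application by how it authenticates and whether a reverse proxy can publish it (step 2), and derives the access path and the Zero Trust gate applied to every request (step 3).

```python
"""Added example: a toy model of an internet-first transition.
Step 1 loads an application inventory, step 2 classifies each app,
step 3 maps the class to an access path and applies the Zero Trust gate.
All sample data and rules are constructed assumptions, not Microsoft's."""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum


class AccessPath(Enum):
    INTERNET_DIRECT = "internet-direct"  # app does modern auth itself; no private network needed
    APP_PROXY = "app-proxy"              # legacy HTTP app published behind an identity-aware proxy
    VPN_ONLY = "vpn-only"                # not modernized yet; still needs the private network


@dataclass(frozen=True)
class App:
    name: str
    hosting: str   # "saas", "cloud" or "on-prem" (assumed field)
    auth: str      # "oidc", "saml", "kerberos", "ntlm", "forms" or "none" (assumed field)
    http: bool     # True if a reverse proxy could publish the app (assumed field)


MODERN_AUTH = {"oidc", "saml"}

# Step 1: inventory. Constructed sample; a real one would come from a CMDB or app registry.
INVENTORY_CSV = """name,hosting,auth,http
Mail and Docs,saas,oidc,true
Expense Portal,on-prem,kerberos,true
Support Console,cloud,saml,true
Legacy Ticketing,on-prem,forms,true
Build Farm SSH,on-prem,none,false
Payroll Thick Client,on-prem,ntlm,false
"""


def load_inventory(text):
    """Parse the CSV inventory into App records."""
    apps = []
    for row in csv.DictReader(io.StringIO(text)):
        apps.append(App(row["name"], row["hosting"], row["auth"],
                        row["http"].strip().lower() == "true"))
    return apps


# Step 2: classify each app by the access path it can support today.
def classify(app):
    if app.auth in MODERN_AUTH:
        return AccessPath.INTERNET_DIRECT   # the identity provider enforces MFA and device checks
    if app.http:
        return AccessPath.APP_PROXY         # proxy pre-authenticates; app keeps its legacy auth
    return AccessPath.VPN_ONLY              # non-HTTP or no auth: stays on the private network


def rollout_plan(apps):
    """Group apps by access path; the first two groups can leave VPN before the third."""
    plan = defaultdict(list)
    for app in apps:
        plan[classify(app)].append(app.name)
    return dict(plan)


# Step 3: the access model. Every request, from any network, passes the same gate.
@dataclass(frozen=True)
class Request:
    user: str
    authenticated: bool       # identity verified by the identity provider
    mfa: bool                 # strong (multi-factor) authentication completed
    device_managed: bool      # enrolled in mobile device management
    device_compliant: bool    # device management reports the device as healthy
    on_private_network: bool  # connected via VPN or on-site


def evaluate(app, req):
    """Return ("allow", path) or ("deny", reason). Network location never grants
    access by itself; it only matters for apps that are not yet modernized."""
    if not req.authenticated:
        return ("deny", "identity not verified")
    if not req.mfa:
        return ("deny", "strong authentication required")
    if not (req.device_managed and req.device_compliant):
        return ("deny", "device health check failed")
    path = classify(app)
    if path is AccessPath.VPN_ONLY and not req.on_private_network:
        return ("deny", f"{app.name} is not modernized yet; private network required")
    return ("allow", path.value)


if __name__ == "__main__":
    apps = load_inventory(INVENTORY_CSV)
    for path, names in rollout_plan(apps).items():
        print(f"{path.value:16} {names}")
    home = Request("alice", True, True, True, True, False)
    for app in apps:
        print(f"{app.name:22} -> {evaluate(app, home)}")
```

The point of the ordering in `evaluate` is that a user sitting on the corporate network with a non-compliant device, or without MFA, is still denied; being on the private network only unlocks applications that cannot yet be published any other way. Running `rollout_plan` over a real inventory gives the "low-hanging fruit" list Lef describes (the internet-direct group) and the set that needs a proxy or further modernization.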
Moving to an internet-first model or a Zero Trust security model isn’t a monolithic effort. To break it down, Lef says, it’s important to start with quick wins that add value and track your progress.
“Track distinct objectives that are pertinent to your organization,” Lef says. “It’s okay to start small, integrate learnings into your approach, and accelerate as you gain experience and confidence.”
The future of work is hard to predict. From a security standpoint, Skorupa recommends using a Zero Trust security model to create a flexible and agile security framework—one that can adjust and scale to current needs.
“Ten years from now, we don’t know what the world will look like,” Skorupa says. “We could be working from anywhere, and we need to be able to scale with flexibility and empower our employees, all while protecting them, our Microsoft assets, and our customers.”