Lessons Microsoft learned from applying Zero Trust during COVID-19

Sep 30, 2020   |  

The world, and ways employees work, have been forever changed by COVID-19. Thanks to Microsoft cloud technologies like Microsoft Teams, Azure Active Directory, and Microsoft’s modern security approach, Zero Trust, employees no longer need to physically be in the office to be productive.

The power of the cloud already opened the doors for us to move away from on-premises corporate network models. When COVID-19 hit, we didn’t skip a beat.

– Mark Skorupa, principal program manager on the digital security team at Microsoft

Microsoft’s global workforce continues to successfully work from home using Microsoft-issued devices, personal devices they’ve enrolled in Microsoft’s device management solution, or remote desktops through Windows Virtual Desktop.

“As the corporate world changed over the past year, so has the way we access corporate resources,” says Mark Skorupa, a principal program manager on Microsoft’s digital security team. “The power of the cloud already opened the doors for us to move away from on-premises corporate network models. When COVID-19 hit, we didn’t skip a beat.”

Carmichael Patton, a senior program manager and architect on the digital security team who works with Skorupa on Zero Trust, agrees.

“Following a Zero Trust philosophy these past few years set us up to be ready for a moment like this,” Patton says. “It has helped us modernize how we manage and verify our employees’ identities and devices. We’ve also restructured our network infrastructure so that employees can be secure and productive no matter where they are.”


Watch the Microsoft Ignite session about the company’s Zero Trust security model.

Recently, employees on Microsoft’s Zero Trust team virtually sat down at Microsoft Ignite 2020 to share their biggest takeaways from applying Zero Trust in an age of remote work.

You don’t have to choose between being secure or productive

For Microsoft, Zero Trust starts with two simple components—employee’s identities and devices. These are both verified before employees are granted access to corporate resources or applications. If they check out, they gain access from anywhere.

A flowchart of the Zero Trust security, which reads, “Identity + Devices + Verification = Access.” A sentence at the bottom reads, “Zero Trust: Microsoft doesn't assume identities and devices are secure—we continually verify them.”
Microsoft uses a Zero Trust security model that hinges on verifying employee identity and device health before granting access.

“Our network infrastructure ensures each application enforces its own security management,” Patton says. “This means employees can only use an app after verifying the health of their device.”

Because Microsoft’s strong identity and device management policies leverage services like Microsoft Azure Active Directory and Microsoft Intune Device Management to enforce security policies, the company has seen the following results since COVID-19 began:

  • Over 97 percent of Microsoft’s workforce successfully worked from home either on a Microsoft issued or personal device at the peak of COVID-19.
  • Over 170,000 employees have enrolled their personal (Android or iOS) devices in Microsoft Intune, the company’s device management service.
  • In a recent internal survey, over 34 percent of US-based Microsoft software engineers and program managers said their productivity has increased.

Split-tunneling took pressure off Microsoft’s virtual private network, improving employee efficiency

While most employees could directly access apps and services over the internet when they started working remotely in March 2020, some situations still require the use of the company’s virtual private network (VPN) to access corporate resources while outside of the office.

With its Zero Trust components in place, the team uses a split-tunneled VPN configuration allowing the majority of Microsoft’s traffic to automatically go through the internet. This further improved employee efficiency and freed up the VPN’s bandwidth, particularly during patch and release cycles.

If an employee does not want to enroll a personal device to be managed, that’s perfectly fine. Virtualization gives employees another way to access corporate resources from any device, anywhere.

– Carmichael Patton, senior program manager and architect on the digital security team at Microsoft

Windows Virtual Desktop became a life raft

Employees have been using Windows Virtual Desktop (WVD), a comprehensive desktop and application virtualization service, to connect to corporate resources and apps without being directly on the corporate network with any device.

“If an employee does not want to enroll a personal device to be managed, that’s perfectly fine,” Patton says. “Virtualization gives employees another way to access corporate resources from any device, anywhere. Employees simply download the app using their corporate credentials and are authenticated that way.”

Microsoft is leaning heavily on Windows Virtual Desktop for agility during COVID-19. A few months into the crisis, Divya Rawat, an intern in Microsoft India, worried her internship would be canceled. The country enforced ‘stay at home’ quarantine restrictions, which meant the interns couldn’t pick up a device from an office.

How could she participate in an internship without a PC?

Thankfully, by using WVD, Microsoft’s India team was able to create 600 virtual machines based on Zero Trust policies that applied policies and specifications so interns like Rawat could securely access source code and have successful internships.

Showing ‘digital empathy’ for your employees

Understanding how people work on different devices and being able to explain in layman’s terms why a security policy is important is critical for Microsoft’s Zero Trust approach to work. For example, when the company first deployed multifactor authentication (MFA), there was resistance initially. The digital security team took a different approach by flipping the script to focus on how MFA tools would make employees’ lives easier instead.

“Rather than telling employees it was mandatory to use MFA, we made it real for them by focusing on our mission to get rid of passwords,” Patton says. “We encouraged employees to embrace tools like Windows Hello for Business, which would help us get rid of passwords faster. That got them on board.”

Not only was this good from a security and employee productivity standpoint, but it also helped Microsoft’s Help Desk staff. When employees embraced Windows Hello for Business to sign in with their face or fingerprint, password reset help desk tickets went down by 40 percent.

For Microsoft, the biggest lesson in these challenging times was to shift the mindset to empowerment.

“Having a stronger security foundation with Zero Trust isn’t meant to ‘take things away’ from employees,” Skorupa says. “It’s the opposite. Our cloud technologies and tools not only help keep our customers and our company secure, but in most cases they actually provide an added productivity boost – which is a win-win for everyone.”

Read this article about how Microsoft is adopting a Zero Trust security model to secure corporate and customer data.

Learn how Microsoft uses a Zero Trust strategy to secure Microsoft’s network during remote work.

Read Brian Fielder’s story on how Microsoft helps employees work securely from home using a Zero Trust security.

Tags: , , , , , , , ,