So far in this blog series, my colleagues Carmichael Patton and Justin Giammona have shared the story of how we’re securing our cloud-connected employees and devices at Microsoft and the set of challenges our team has experienced as we move away from storing data on-premises to securing intelligent data in the cloud.
Digital transformation compelled us to rethink our traditional security approach because we realized that securing the network was evolving into a service provider model where security controls are orchestrated along with the connected employee’s needs, wants, and demands. We needed to get more creative and explore innovative enterprise protection strategies to help us drive security improvements while, at the same time, allowing our employees to enjoy the agile flexibility and higher productivity the modern workplace has to offer.
For the past two years, my team and I have been working on a set of solutions to help protect the enterprise network in the cloud. This defensive strategy centers on securing network boundaries, rather than the network itself, and focuses on key software-defined security service areas: network segmentation, orchestration and management, abstraction of software from hardware, deployment automation, reporting, monitoring, analysis, and prediction.
The first step to securing the Microsoft network was to document requirements and dependencies for each of these service areas and build a roadmap. What would these services areas look like in the future? What would it take to get there?
Network segmentation was first in line for execution because it distributes security controls per business functional area and moves us away from centralized firewalls, which limit visibility against clever attackers. With the help of Azure Network Security Groups (NSGs), we were able to create a logical separation of devices, ensuring protection and isolation between different business units and customers by segmenting resources.
We then implemented a macro-segmentation approach to separate business and service functions while establishing controls for each segmentation layer. This improved our incident response and mitigation time as well as our malware detection. We then worked on a more granular isolation model (micro-segmentation), where clients, hosts, servers, and IoT devices are placed in contained environments for better control, prevention, and breach recovery.
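To make the segmentation mechanics concrete, here is an added example (not Microsoft's code, and not from the original post) that models how Azure NSG rules are evaluated: ascending priority order, first match decides, and the built-in default rules apply last. It covers both the macro-level separation of business units described above and the more granular per-segment allow lists of micro-segmentation. The subnet ranges, rule names and flows are constructed for illustration, only the inbound direction is modelled, and the `VirtualNetwork` service tag is simplified to the VNet address space. The point it demonstrates is the caveat a practitioner hits first: the default `AllowVnetInBound` rule (priority 65000) permits traffic between subnets in the same VNet, so a segment is not isolated until an explicit deny is added at a lower priority number.

```python
"""Offline model of Azure NSG inbound rule evaluation for testing a segmentation design.
All addresses, subnets, rule names and flows below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VNET = ip_network("10.0.0.0/16")               # constructed VNet address space
AZURE_LB_PROBE = ip_address("168.63.129.16")   # documented Azure load-balancer probe source


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int     # custom rules use 100-4096; the lowest number is evaluated first
    access: str       # "Allow" or "Deny"
    protocol: str     # "Tcp", "Udp" or "*"
    source: str       # CIDR, "*" or a service tag
    destination: str  # CIDR, "*" or a service tag
    dest_ports: str   # "443", "1024-65535" or "*"


# Azure's built-in inbound default rules at their real priorities.
DEFAULT_INBOUND = [
    NsgRule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    NsgRule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*", "*"),
    NsgRule("DenyAllInBound", 65500, "Deny", "*", "*", "*", "*"),
]


def _addr_match(spec: str, addr: str) -> bool:
    """Match an address against a CIDR, wildcard or (simplified) service tag."""
    ip = ip_address(addr)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":          # simplification: only the local VNet space
        return ip in VNET
    if spec == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE
    return ip in ip_network(spec, strict=False)


def _port_match(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-"))
        return lo <= port <= hi
    return port == int(spec)


def evaluate(custom_rules, proto: str, src: str, dst: str, port: int):
    """Return (allowed, deciding_rule_name) for one inbound flow.
    Custom rules and defaults are merged and walked in priority order; first match wins."""
    for r in sorted(list(custom_rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if r.protocol != "*" and r.protocol != proto:
            continue
        if not (_addr_match(r.source, src) and _addr_match(r.destination, dst)):
            continue
        if not _port_match(r.dest_ports, port):
            continue
        return r.access == "Allow", r.name
    return False, "implicit-deny"   # not reachable while DenyAllInBound is present


# Constructed segments: a Finance subnet that should accept only HTTPS from a
# shared-services subnet (monitoring, asset management) and nothing else.
FINANCE = "10.0.10.0/24"
SHARED_SERVICES = "10.0.1.0/24"

# Allow list only: looks segmented, but AllowVnetInBound still admits every other subnet.
NAIVE_RULES = [
    NsgRule("AllowSharedServicesHttps", 100, "Allow", "Tcp", SHARED_SERVICES, FINANCE, "443"),
]

# The explicit deny, numbered below 65000, is what actually isolates the segment.
SEGMENTED_RULES = NAIVE_RULES + [
    NsgRule("DenyOtherVnetInBound", 200, "Deny", "*", "VirtualNetwork", FINANCE, "*"),
]

if __name__ == "__main__":
    flows = [
        ("Tcp", "10.0.1.5", "10.0.10.7", 443),     # shared services -> finance
        ("Tcp", "10.0.20.9", "10.0.10.7", 443),    # engineering subnet -> finance
        ("Tcp", "203.0.113.5", "10.0.10.7", 443),  # internet -> finance
    ]
    for label, rules in (("naive", NAIVE_RULES), ("segmented", SEGMENTED_RULES)):
        for flow in flows:
            print(label, flow, evaluate(rules, *flow))
```

Running the script shows the engineering-to-finance flow allowed under `NAIVE_RULES` by `AllowVnetInBound` and denied under `SEGMENTED_RULES` by the explicit `DenyOtherVnetInBound`, while the shared-services HTTPS flow and the load-balancer health probe keep working in both. Checking a design this way before deployment is cheaper than discovering the gap from flow logs after the fact.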
Configuration and centralized asset management implementation followed.
“Ensuring that our employees’ devices are healthy consists of keeping endpoints current,” noted our Chief Information Security Officer, Bret Arsenault, during his Securing our enterprise interview series.
At Microsoft, device health is a key pillar for enterprise security. One aspect of our security requirement is that Microsoft-provisioned devices are registered in an asset management database for client and server health monitoring. Personal devices are subject to conditional access, based on health check and policy enforcement. Establishing a centralized asset management service ensures that the connected devices producing or requesting data are also protected.
Deployment automation, analysis, and prediction are the next steps in security services optimization. We want to leverage AI as we approach the next frontier: fog networking or fogging (which refers to network connections between edge devices and the cloud). Microsoft is one of the founding members of the OpenFog Consortium, which aims to develop reference architectures for fog and edge computing deployments. Our participation in the consortium means that our team is ready to adopt these modern technologies, which will bring even more productivity and security to our enterprise.
Our journey to securing the network while enabling a modern workplace experience has just begun. We continue to learn and grow our capabilities as our connected employees continue to curiously explore the ever-evolving modern landscape. The forecast on our way to the cloud is “foggy,” and we couldn’t be more excited to learn and implement these new technologies.