We are operating in the most complex cybersecurity landscape that we’ve ever seen. While our current ability to detect and respond to attacks has matured incredibly quickly in recent years, bad actors haven’t been standing still. Large-scale attacks like those pursued by Nobelium1 and Hafnium, alongside ransomware attacks on critical infrastructure indicate that attackers have become increasingly sophisticated and coordinated. It is abundantly clear that the work of cybersecurity and IT departments are critical to our national and global security.
Microsoft has a unique level of access to data on cyber threats and attacks globally, and we are committed to sharing this information and insights for the greater good. As illustrated by recent attacks, we collaborate across the public and private sectors, as well as with our industry peers and partners, to create a stronger, more intelligent cybersecurity community for the protection of all.
This collaborative relationship includes the United States government, and we celebrate the fast-approaching milestones of the US Cybersecurity Executive Order2 (EO). The EO specifies concrete actions to strengthen national cybersecurity and address increasingly sophisticated threats across federal agencies and the entire digital ecosystem. This order directs agencies and their suppliers to improve capabilities and coordination on information sharing, incident detection, incident response, software supply chain security, and IT modernization, which we support wholeheartedly.
With these national actions set in motion and a call for all businesses to enhance cybersecurity postures, Microsoft and our extensive partner ecosystem stand ready to help protect our world. The modern framework for protecting critical infrastructure, minimizing future incidents, and creating a safer world already exists: Zero Trust. We have helped many public and private organizations to establish and implement a Zero Trust approach, especially in the wake of the remote and hybrid work tidal wave of 2020-2021. And Microsoft remains committed to delivering comprehensive, integrated security solutions at scale and supporting customers on every step of their security journey, including detailed guidance for Zero Trust deployment.
Zero Trust’s critical role in helping secure our world
The evidence is clear—the old security paradigm of building an impenetrable fortress around your resources and data is simply not viable against today’s challenges. Remote and hybrid work realities mean people move fluidly between work and personal lives, across multiple devices, and with increased collaboration both inside and outside of organizational boundaries. Entry points for attacks—identities, devices, apps, networks, infrastructure, and data—live outside the protections of traditional perimeters. The modern digital estate is distributed, diverse, and complex.
This new reality requires a Zero Trust approach.
Section 3 of the EO calls for “decisive steps” for the federal government “to modernize its approach to cybersecurity” by accelerating the move to secure cloud services and Zero Trust implementation, including a mandate of multifactor authentication and end-to-end encryption of data. We applaud this recognition of the Zero Trust strategy as a cybersecurity best practice, as well as the White House encouragement of the private sector to take “ambitious measures” in the same direction as the EO guidelines.
Per Section 3, federal standards and guidance for Zero Trust are developed by the National Institute of Standards and Technology (NIST) of the US Department of Commerce, similar to other industry and scientific innovation measurements. NIST has defined Zero Trust in terms of several basic tenets:
- All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
- Access to trust in the requester is evaluated before the access is granted. Access should also be granted with the least privileges needed to complete the task.
- Assets should always act as if an attacker is present on the enterprise network.
At Microsoft, we have distilled these Zero Trust tenets into three principles: verify explicitly, use least privileged access, and assume breach. We use these principles for our strategic guidance to customers, software development, and global security posture.
Organizations that operate with a Zero Trust mentality are more resilient, consistent, and responsive to new attacks. A true end-to-end Zero Trust strategy not only makes it harder for attackers to get into the network but also minimizes potential blast radius by preventing lateral movement.
While preventing bad actors from gaining access is critical, it’s only part of the Zero Trust equation. Being able to detect a sophisticated actor inside your environment is key to minimizing the impact of a breach. Sophisticated threat intelligence and analytics are critical for a rapid assessment of an attacker’s behavior, eviction, and remediation.
Resources for strengthening national security in the public and private sectors
We believe President Biden’s EO is a timely call-to-action, not only for government agencies but as a model for all businesses looking to become resilient in the face of cyber threats. The heightened focus on incident response, data handling, collaboration, and implementation of Zero Trust should be a call-to-action for every organization—public and private—in the mission to better secure our global supply chain, infrastructure resources, information, and progress towards a better future.
Microsoft is committed to supporting federal agencies in answering the nation’s call to strengthen inter- and intra-agency capabilities unlocking the government’s full cyber capabilities. Recommended next steps for federal agencies have been outlined by my colleague Jason Payne, Chief Technology Officer of Microsoft Federal. As part of this responsibility, we have provided Federal agencies with key Zero Trust Scenario Architectures mapped to NIST standards, as well as a Zero Trust Rapid Modernization Plan.
Microsoft is also committed to supporting customers in staying up to date with the latest security trends and developing the next generation of security professionals. We have developed a set of skilling resources to train teams on the capabilities identified in the EO and be ready to build a more secure, agile environment that supports every mission.
In addition to EO resources for federal government agencies, we are continuing to publish guidance, share learnings, develop resources, and invest in new capabilities to help organizations accelerate their Zero Trust adoption and meet their cybersecurity requirements.
Here are our top recommended Zero Trust resources:
- For details on how Microsoft defines Zero Trust and breaks down solutions across identities, endpoints, apps, networks, infrastructure, and data, download the Zero Trust Maturity Model.
- To assess your organization’s progress in the Zero Trust journey and receive suggestions for technical next steps, use our Zero Trust Assessment tool.
- For technical guidance on deployment, integration, and development, visit our Zero Trust Guidance Center for step-by-step guidance on implementing Zero Trust principles.
- If you’d like to learn from our own Zero Trust deployment journey at Microsoft, our Chief Information Security Officer Bret Arsenault and team share their stories at Microsoft Digital Inside Track.
Tackling sophisticated cyber threats together
The EO is an opportunity for all organizations to improve cybersecurity postures and act rapidly to implement Zero Trust, including multifactor authentication and end-to-end encryption. The White House has provided clear direction on what is required, and the Zero Trust framework can also be used as a model for private sector businesses, state and local governments, and organizations around the world.
We can only win as a team against these malicious attackers and significant challenges. Every step your organization takes in advancing a Zero Trust architecture not only secures your assets but also contributes to a safer world for all. We applaud organizations of every size for embracing Zero Trust, and we stand committed to partnering with you all on this journey.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
1Nobelium Resource Center, Microsoft Security Response Center. 04 March 2021.