
Implementing a zero trust model

Brian Fielder, General Manager


Darshana Pandya, Senior Program Manager
Carmichael Patton, Senior Program Manager

Microsoft Digital Security and Risk Engineering

BRK2240
The zero trust team at Microsoft
• Brian Fielder, General Manager, Digital Security & Risk Engineering (DSRE)
• Darshana Pandya, Senior Program Manager, Digital Security & Risk Engineering (DSRE)
• Carmichael Patton, Senior Program Manager, Digital Security & Risk Engineering (DSRE)
Zero trust
“Strong identity + device health + least privilege user access verified with telemetry”

Model components: Identity, Device, Access, Services, Usage telemetry

• Assets are moved from the internal network to the internet… except for the most critical assets
• Enhanced user experience with Internet First
• Reduced attack surface of the environment
• Comprehensive telemetry, artificial intelligence for anomaly detection, service health verification
Core Scenarios

Scenario 1: As an employee, I can enroll my device into management to get access to company resources.

Scenario 2: As an employee or a business guest, I have a method to access corporate resources when not using a managed device.

Scenario 3: As an employee, I have user interface options (portal, desktop apps) that provide the ability to discover and launch the applications and resources that I need.

Scenario 4: As an application or security stakeholder, my application validates the health of devices prior to allowing them to connect.
Our implementation approach

Identity
• Eliminate passwords and migrate to Windows Hello
• Set Multifactor Authentication as the default

Device
• Require all devices to be Modern Managed
• Ensure all devices meet health requirements

Access
• Move devices and users to respective network segments
• Grant bare minimum access and permissions

Services
• All applications and services apply Zero Trust principles
• Require applications and services to provide their health certificate
Major phases of zero trust

Pre-Zero Trust
• Device management not required
• Single factor authentication to resources
• Capability to enforce strong identity exists

Verify Identity
• All user accounts set up for strong identity
• Strong identity required for network access
• Eliminate passwords – biometric based model

Verify Device
• Device health required for SharePoint, Exchange, Teams on iOS, Android, Mac, and Windows
• Device health requirement enforced for O365
• Device Management required
• Device health required for wired/wireless corporate network

Verify Access
• Internet Only for users
• Establish solutions for unmanaged devices
• Least privilege user rights
• Least privilege tiered access model

Verify Services (Distant Future)
• Grow coverage in enforcement
• Usage data for Application & Services
• Service health concept and POC

Underpinning every phase: User and Access Telemetry
How are we managing zero trust implementation
• Scenarios -> Requirements -> Workstreams owned by various sub-organizations
• Resulted in 15 sub programs reporting under ZT
• Yes, Zero Trust is a Super Epic

Workstreams by scenario:
• Identity is Verified: Strong Identity Everywhere
• Device is healthy: Modern Management (Autopilot, AADJ devices); Applications enforcing CA
• Removal of corpnet: Modern Access (access from healthy device); Applications & Services on Internet; Network Security
• User Experience: Communications; Internet Only; Application discovery & launch
• Access is Verified: Least Privilege access
• Service is Verified: Service health validation
• Alternate Access Options: Virtualization; Internet
• Operations: Telemetry; 3rd party product evaluations
• VNext: Focusing on the future of ZT through modelling (future scoped)
Zero Trust Access Model

Users: Employee & Partner users

Conditions evaluated: Healthy Device, Require MFA, Healthy Service, Limited Internet connectivity

Resulting experiences:
• Rich experience – Microsoft Cloud: Azure, Office, SharePoint, Exchange
• Web experience – 3rd Party SaaS apps, brokered through Microsoft Cloud App Security
• Virtualized experience – On-premises & web apps
Zero Trust Networking – Network Segmentation

Unmanaged Internet Only (Guest Access)
• Sponsored Access, Event Access, BYOD
• Internet access only
• Guests require employee sponsorship; employees can self-sponsor

Managed Internet (Employee Internet)
• Managed Devices, Authenticated Devices
• Access to Corp services
• Requires user MFA and a device that is AD or AAD managed, plus device health

Managed CORP (Employee Corpnet)
• Managed Devices, special purpose only
• Direct to Corpnet
• Requires user MFA and a device that is AD or AAD managed, plus device health

Specialized Segments (Controlled)
• Administration (Infra), Dev/Research Scenarios, Game Studios, IoT/Security (Facilities)
• Access to Corp
• Asset/Device registration: device is pre-registered for access; Pre-Authentication Process to specialized segments
• Separate networks: Admin Network, Dev Network, Games Network, Facilities Network
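To make the segmentation table's conditions concrete, here is an added example (mine, not Microsoft's implementation or any product's API): a deny-by-default evaluator that assigns a request to a network segment from the signals the slide names (user MFA, AD/AAD management, device health, sponsorship, pre-registration). The field names, the segment identifiers admin, dev, games and facilities, and the assumption that the pre-authentication step for specialized segments also requires the Managed CORP conditions are constructed for this example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Segment(Enum):
    """Network segments from the segmentation table, plus an explicit deny."""
    DENY = "deny"
    UNMANAGED_INTERNET_ONLY = "Unmanaged Internet Only (Guest Access)"
    MANAGED_INTERNET = "Managed Internet (Employee Internet)"
    MANAGED_CORP = "Managed CORP (Employee Corpnet)"
    SPECIALIZED = "Specialized Segment (Controlled)"


# Hypothetical identifiers for the four specialized networks on the slide.
SPECIALIZED_SEGMENTS = frozenset({"admin", "dev", "games", "facilities"})


@dataclass(frozen=True)
class AccessRequest:
    """Signals the policy evaluates; field names are constructed for this example."""
    user_kind: str                              # "employee" or "guest"
    mfa_completed: bool                         # user finished multifactor authentication
    device_managed: bool                        # device is AD or AAD managed
    device_healthy: bool                        # device meets the health requirements
    sponsored: bool = False                     # guest has an employee sponsor
    special_purpose: bool = False               # device needs direct corpnet connectivity
    preregistered_for: Optional[str] = None     # specialized segment the device is registered for
    requested_segment: Optional[str] = None     # specialized segment being requested, if any


def strong_identity_and_device(req: AccessRequest) -> bool:
    """Requirement shared by Managed Internet and Managed CORP:
    an employee with MFA on a managed device that also passes health checks."""
    return (req.user_kind == "employee" and req.mfa_completed
            and req.device_managed and req.device_healthy)


def evaluate(req: AccessRequest) -> Segment:
    """Map a request to the most privileged segment it qualifies for; deny by default."""
    # Specialized segments: the device must be pre-registered for that exact segment.
    # Assumption: the pre-authentication step also requires the Managed CORP conditions.
    if req.requested_segment is not None:
        if req.requested_segment not in SPECIALIZED_SEGMENTS:
            return Segment.DENY
        if (req.preregistered_for == req.requested_segment
                and strong_identity_and_device(req)):
            return Segment.SPECIALIZED
        return Segment.DENY

    if strong_identity_and_device(req):
        # Corpnet is direct-connect for special purpose devices only; everyone else
        # lands on Managed Internet and reaches corp services from there.
        return Segment.MANAGED_CORP if req.special_purpose else Segment.MANAGED_INTERNET

    # Anything that fails a condition (guest, unmanaged, unhealthy, no MFA) drops to the
    # internet-only segment, which still needs a sponsor; employees self-sponsor.
    if req.user_kind == "employee" or req.sponsored:
        return Segment.UNMANAGED_INTERNET_ONLY
    return Segment.DENY


if __name__ == "__main__":
    # Constructed sample requests: one per row of the table plus the failure cases.
    samples = {
        "sponsored guest laptop": AccessRequest("guest", False, False, False, sponsored=True),
        "unsponsored guest": AccessRequest("guest", False, False, False),
        "employee on BYOD": AccessRequest("employee", True, False, False),
        "employee, managed + healthy": AccessRequest("employee", True, True, True),
        "employee, managed but unhealthy": AccessRequest("employee", True, True, False),
        "special purpose device": AccessRequest("employee", True, True, True, special_purpose=True),
        "admin, not pre-registered": AccessRequest("employee", True, True, True, requested_segment="admin"),
        "admin, pre-registered": AccessRequest("employee", True, True, True,
                                               preregistered_for="admin", requested_segment="admin"),
    }
    for name, req in samples.items():
        print(f"{name:32s} -> {evaluate(req).value}")
```

The point worth checking in your own policy engine is the fall-through: a managed device that fails its health check does not keep Managed Internet access, it drops to the same internet-only segment as an unmanaged one, and a guest with no sponsor gets nothing at all.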
Major phases of Zero Trust - Progress

Verify Identity
• SAW enforcement for admin access scenarios
• Migration from on-prem AD to AAD identities through O365 Migration
• 2FA enforced for O365 access
• 98% of user accounts enforcing 2FA

Verify Device
• 100% of iOS, Android & MAC devices are under management and enforcement
• Windows enforcement in progress
• Autopilot in progress, with all new devices defaulting to AADJ
• Opt-ins for unmanaged devices and AADJ management

Verify Access
• Managed Internet available in all MSFT office locations
• Corpnet dependent telemetry created
• Network segmentation infrastructure creation

Verify Services
• Critical assets identified - next in scope for device health enforcement

User and Access Telemetry


Key Considerations in getting started

1. Collect telemetry and evaluate risks, and then set goals.
2. Get to modern identity and MFA - Onboard to AAD.
3. For CA enforcement, focus on top used applications to ensure maximum coverage.
4. Start with simple policies for device health enforcement such as device lock or password complexity.
5. Determine your network connectivity strategy.


Panel Questions
• How is Microsoft’s Zero Trust framework different from Forrester, Gartner and Beyondcorp?
• How did you arrive at the Zero Trust framework for Microsoft?
• Should Zero Trust be a security or productivity driven initiative?
• Is Zero Trust equal to Conditional Access?
• How much of the Zero Trust implementation is Technical vs Cultural?
• What are the biggest challenges you are encountering with Zero Trust Implementation?
We want to hear from YOU!
• Read about how we are Implementing a Zero Trust Model at Microsoft at aka.ms/ZT
• Stay connected with us and send feedback to MSZT@Microsoft.com
Microsoft’s own security experts are here at Ignite
You can catch an overview of all their sessions here: aka.ms/DSREatIgnite
Stop by our booth to meet the experts who build, deploy, and operate the systems that run Microsoft.

Look for: How Microsoft transforms IT in the Microsoft Showcase (right next to the Security VR Escape room)

Attend our sessions and learn proven practices from your IT pro peers at Microsoft. We’ll share the inside view of how Microsoft builds, deploys, and operates the systems that run Microsoft: aka.ms/CSEOatIgnite2019

Learn how Core Services Engineering and Operations (CSEO) is leading the internal transformation of Microsoft by rethinking traditional IT. Read the new white paper by Chief Digital Officer, Kurt DelBene: aka.ms/MicrosoftInternalDT
Please evaluate this session
Your feedback is important to us! Please evaluate this session through MyEvaluations on the mobile app or website.
Download the app: https://aka.ms/ignite.mobileapp
Go to the website: https://myignite.techcommunity.microsoft.com/evaluations

Find this session in Microsoft Tech Community: visit aka.ms/MicrosoftIgnite2019/BRK2240
• Download slides and resources
• Access session recordings in 48 hours
• Ask questions & continue the conversation
© Copyright Microsoft Corporation. All rights reserved.
