Threat protection: (A) Identify-Protect, (B) Detect-Respond-Recover
Typical stakeholders:
• Identity Security Architects
• Identity Architects
• Identity Operations Teams
• Collaboration/Productivity Lead
Related slide columns: Information protection; Joint planning
ZERO TRUST
DEFINITION & MODELS
1. IT Security is Complex
• Many Devices, Users, & Connections
[Diagram: trust-driven access decisions. Axes: Increase Assurance / Remediate Risk. Outcomes: Allow full access, Allow limited access, Block access]
Microsegmentation
• Overall Effect: enhances the existing network perimeter by shrinking the “trusted network” to each server / IP address.
Dual Perimeter
• Overall Effect: adds an identity perimeter where “inside” is defined by authentication and authorization. Coexists with the network perimeter.
Common Components: evaluate trust signals for devices and user identities with per-application policy.
Microsoft’s Recommended Zero Trust Priorities
Do the most important stuff first
3. Refine network perimeter using microsegmentation (if required for residual risk)
Integrating Zero Trust with Strategic Initiatives
Closely related to other initiatives:
• SOC Modernization: shift tooling and processes to the endpoint, identity, and application layers
• Secure Administration: infrastructure/datacenter access for admins
• Network Transformation: internet-only clients / firewalls for datacenters only; evaluate microsegmentation
• Resource Modernization: enable ZT access to legacy apps
Zero Trust Model
[Diagram. Legend: Trust Signal, Threat Intelligence, Security Policy; access outcomes: Full Access, Limited Access, Monitor & Restrict Access. Integrated Threat Intelligence Engine(s) feed Continuous Risk Evaluation; user and device risk signals (Managed? Compliant? Infected with malware? ...and more) drive Remediate decisions.]
Legacy apps: opportunity to reduce risk from full network access.
Networking: reduce risks using segmentation, threat protection, and encryption.
Signals and policy engine: Azure Active Directory (Azure AD) with Identity Protection (user risk, leaked credential protection, behavioral analytics), Azure ATP, Cloud App Security (user/session risk, Conditional Access App Control), Microsoft Intune and partner MDM (device risk, IsCompliant), Intelligent Security Graph (ISG, 6.5 trillion signals/day), manager and organization policy.
Flow: user initial access request, then Conditional Access evaluates the policy and returns one of: full access; lower access / restricted session; increase trust by requesting MFA (Azure MFA, Hello for Business); or monitor & restrict access. A change in posture (AADIP signal) triggers re-evaluation.
Resources: Office 365, Dynamics 365, Azure resources (cloud infrastructure, Azure Portal, Linux login), modern applications, SaaS applications, legacy apps via Azure AD App Proxy (secure VPN replacement, {LDAP}), Azure AD B2B.
Accelerate your credential theft defenses (attack chain against identity systems: Phishing, Credential Theft, Data Exfiltration)
Today:
1. Develop and deploy password-replacement offerings
2. Reduce user-visible password surface area
3. Transition users to using strong authentication instead of passwords
4. Eliminate passwords from the identity directory
[Diagram: traditional network access control vs. conditional access]
Network firewall signals: Source (IP address/port), Destination (IP address/port), Signatures, Allow List, Analytics, Authentication. Actions: Allow, Block.
Conditional access signals:
• User: Role, Group, Device, Config, Location, Last sign-in
• Device: Health/Integrity, Client, Config, Last seen
• Conditional access risk: High, Medium, Low
Actions: Allow, Allow Restricted, Require MFA, Block, Force Remediation
Conditional Access Example
[Diagram: user and device signals evaluated for access to an Office resource; risk levels High / Medium; example signal: “Unfamiliar sign-in location for this user”]
Your Pa$$word doesn't matter
Identity and Access Management
Use Cases
3. I need my customers and partners to access the apps they need from everywhere and collaborate seamlessly
• Azure AD B2B collaboration: assign B2B users access to any app or service your organization owns; add B2B users with accounts in other Azure AD organizations (SharePoint Online & Office 365 apps)
• Azure AD Connect
• Self-service capabilities
• SSO to SaaS
• Remote access to on-premises apps
• Access Panel/MyApps
• Conditional Access
• Dynamic Groups
• Other identity providers*: Google ID*, Microsoft Account
• Customers: Social IDs via Azure AD B2C; Business Apps
• Microsoft Azure Active Directory
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Reference
Additional Resources
Azure AD and ADFS best practices: https://cloudblogs.microsoft.com/enterprisemobility/2018/03/05/azure-ad-and-adfs-best-practices-defending-against-password-spray-attacks/
Microsoft Password Guidance: https://aka.ms/passwordguidance
Security Return on Investment (SROI)
• Attacker Return: Successful Monetization
• Attacker Investment: Increase Attack Friction & Cost
• Defender Return: Ruin Attacker ROI; Deters opportunistic attacks; Slows or stops determined attacks
• Defender Investment: Security budget; Team time/attention
Prioritizing defense can rapidly raise impact (attacker cost & friction).