Microsoft helps employees work securely from home using a Zero Trust strategy

Brian Fielder, General Manager, Information Security, Microsoft

When COVID-19 began its spread across the globe, Microsoft moved quickly to ensure our employees were able to work securely from home. Fortunately, we had a business continuity crisis plan in place that we used to guide our response.

Our ability to respond to the crisis was greatly enhanced by how prepared Microsoft was to have its employees work from home. Having an entire company suddenly shift to remote working comes with its own challenges—it’s a lot more complex than making sure an employee’s laptop and home Wi-Fi are secure.

Jared Spataro, corporate vice president for Microsoft 365, and Nathalie D’Hers, general manager of End User Services Engineering, shared nine things that our larger IT team, Core Services Engineering and Operations, is doing to enable remote work at Microsoft. What I found most interesting about their conversation is how many of those nine things tie back to our Zero Trust initiative.

Specifically, our Zero Trust strategy calls for strong identity authentication everywhere by confirming that all our users are validated using multifactor authentication (MFA). It requires that all devices employees use for work are managed and healthy. It accomplishes this by using Microsoft Intune for device management. It also relies on pervasive telemetry to monitor the performance and health of all services, applications, and networks.

Another way to think of Zero Trust is as a requirement for constant verification. Throughout the process, Microsoft continuously monitors all access to corporate services, applications, and network connections.

Our security strategy has been focused on Zero Trust security principles for a while now. The strategy helps us support the vast majority of our employees as they work from home. Our ability to ensure that all of our employees are using MFA, and to continuously verify that all devices on our network are managed and healthy, has allowed us to accelerate our adoption of our Zero Trust strategy and to move away from a perimeter-based security model.

For most of our users, we’ve been able to move away from using a virtual private network (VPN) to access our line-of-business (LOB) applications. We have moved most of our LOB applications to Microsoft Azure, where they are internet accessible. Applications that we are not able to move to Microsoft Azure are being published with an internet proxy. Finally, we use virtualization via Windows Virtual Desktop to provide our employees, vendors, and guests with the ability to access Microsoft applications in a more constrained environment that restricts movement to other Microsoft resources and network resources.

The result is that our employees can remotely access most of our LOB applications without needing to use a VPN. This meant Microsoft was very well positioned when it came time to ask our employees to work from home.

We haven’t finished deploying our Zero Trust vision, but our framework is in place, and that’s helping us successfully support our remote-working employees.

If your company is transitioning its workforce to remote working and you don’t already have these same elements in place, it’s probably overwhelming to think about where to begin. We suggest you start by implementing MFA. If you don’t have the necessary hardware to leverage biometrics, you can start with an app like Microsoft Authenticator. This step is the single best thing you can do to secure your environment.

One of the benefits of our approach to Zero Trust is that it gives each company the ability to align security strategy with the cloud-first strategy that we are seeing in the industry. If you want to know more about our approach, read “Using a Zero Trust strategy to secure Microsoft’s network during remote work.” You’ll find more content about our Zero Trust strategy by visiting the “Transitioning to modern access architecture with Zero Trust” content suite and by reading the article “Implementing a Zero Trust security Model at Microsoft.”